How authentication, security, and SSO work on different device types
At CTU, ensuring secure access to user accounts and university services is a priority. Microsoft provides multi-factor authentication (MFA), which increases security by using multiple identity verification methods such as a mobile app, fingerprint, or PIN. The system also includes support for Single Sign-On (SSO) technology, allowing users to sign in once and then access all supported applications and services without having to re-enter credentials.
Your sign-in experience will depend mostly on:
-
How your device is registered and managed by the organization
-
Which operating system you use
MS Windows |
|||
| Joined to Intune | Registered with organization | Not registered with organization | |
| Available authentication methods | MS Authenticator, USB Fido2 key, Hello, TOTP | MS Authenticator, USB Fido2 key, Hello, TOTP | MS Authenticator, USB Fido2 key, TOTP |
| All M365 suite apps | MFA is passed across the MS ecosystem; Hello sign-in to Windows acts as the source | MFA is passed (Hello sign-in is NOT passed) | MFA is passed only within Office apps (Word, Excel…) |
| MS Office apps (Word, Excel, OneNote) | *** | *** | MFA is passed |
| MS apps (Teams, Outlook, OneDrive) | *** | *** | Separate authentication for each app |
| Edge | MFA is passed (requires Hello to be active); browser restart required after reauthentication | MFA is passed (account sync required) | Separate authentication |
| Firefox, Chrome, others | Separate authentication per browser (SSO plugin can be used for Chrome and Firefox) | Separate authentication per browser (SSO plugin can be used for Chrome and Firefox) | Separate authentication per browser |
| Thunderbird | Separate authentication for each mailbox* | Separate authentication for each mailbox* | Separate authentication for each mailbox* |
* for this reason we recommend using the MS Outlook app
MacOS |
||
| Joined to Intune | Not registered with organization | |
| Available authentication methods | MS Authenticator, USB Fido2 key, TOTP, TouchID | MS Authenticator, USB Fido2 key, TOTP |
| All M365 suite apps | MFA is passed | MFA is passed |
| Edge | MFA is passed, user must be signed in | Separate authentication per browser |
| Firefox, Chrome, others | Separate authentication per browser (SSO plugin can be used for Chrome and Firefox) | Separate authentication per browser |
| Native Mail app | MFA is passed | Separate authentication |
Linux |
|
| Not registered with organization | |
| Available authentication methods | MS Authenticator, USB Fido2 key, TOTP |
| All M365 suite apps | Browser only, separate authentication (Edge recommended) |
| Edge | Separate authentication |
| Firefox, Chrome, others | Separate authentication per browser |
| Thunderbird | Separate authentication for each mailbox |