You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.
close
You are viewing the article in preview mode. It is not live at the moment.
Home > IT in a Classroom > M365 / Office365 > FAQ for local IT-SUPPORTERS
FAQ for local IT-SUPPORTERS
print icon
Bernhard Rieber
Feb 26, 2026
views icon 26

MFA / Conditional Access: Quick Support Guide for local IT Supporters @ SIS

 

Summary of the issue:

  1. At SIS itself: SIS-managed Intune Device + BYOD are generally trusted → no MFA.
  2. Outside SIS: SIS-managed Intune Device no MFA, private/unmanaged MFA required.
  3. This affects OneDrive/Outlook/Teams on private home devices/smartphones, among other things.
  4. Recommended standard method with smartphone outside SIS: Microsoft Authenticator app.
  5. Setup: myprofile.microsoft.com → Security info → Add sign-in method → Scan QR…. (see installation instructions)
  6. MFA query frequency may vary (e.g., daily - to - every 7 days on the smartphone).
  7. No smartphone? Alternative: Proton Authenticator on a private PC. (see installation instructions)
  8. If MFA unexpectedly occurs at SIS itself: risky user activation possible / or the device is not connected to the school's internet → ticket.
  9. Important: Every case → create ticket (HappyFox “Submit Ticket”) including device/location/error message/screenshot.
  10. Please check locally: Have all teachers and parents been informed as requested by SIS GROUP IT? (Share rollout information + guides/FAQ).

 

 

-->  At all SIS schools, everything remains as before – as long as a device is connected to the school internet/Wi-Fi, no MFA confirmation via app/authenticator is required.

 

_____________________________

Detailed information for the SIS IT support team:

 

SIS MFA / Conditional Access – Support Quick Guide (for local IT supporters)

 

General rule:

At SIS itself: SIS-managed devices and BYOD are generally trustedno MFA required. The only exception is for users declared as “risky” by Microsoft → MFA is then temporarily enforced by Group IT.

  • At home / outside SIS:
    • SIS-managed deviceno MFA (as before)
    • Private/unmanaged deviceMFA required
  • Standard method recommended by SIS GROUP IT: Microsoft Authenticator app.


1) Support decision tree (please always check first)

Questions for the user (brief):

  1. Where?at SIS itself or at home/on the road
  2. Device? → SIS-managed or private/unmanaged
  3. App/service? → Outlook/Teams/OneDrive/browser
  4. Error message? → MFA prompt? Which MFA method Proton app / Authenticator

 

Reminder: Errors should only occur outside the school premises anyway


        2) Standard fix: Set up Microsoft Authenticator (smartphone)

Speech notes for support (steps A–G):

  • A) Pre-registration: myprofile.microsoft.com → Security infoAdd sign-in method
  • B) Install app: Microsoft Authenticator (iOS/Android)
  • C) Select Work/School AccountScan QR
  • F) Test: Number Matching (confirm number on mobile phone screen)

Note to users: How often MFA is requested depends on the device (e.g., every 12 hours / daily / every 7 days on a smartphone).

 

->  https://swissinternationalschool.happyfox.net/kb/article/111-how-to-install-the-authenticator/


              3) If a smartphone is not possible (alternatives)

Option: Proton Authenticator on private Windows/macOS (without smartphone)

  • To log in on a private/unmanaged device, an authenticator app can be used directly on the laptop instead of a smartphone.
  • Quick setup: Pre-registration → Install Proton Authenticator → “Set up different authenticator app” → “Can't scan QR code” → Enter Secret Key + Issuer in Proton → Confirm code in browser.

->  https://swissinternationalschool.happyfox.net/kb/article/113-sis-%E2%80%93-mfa-conditional-access-faqs/

->  https://swissinternationalschool.happyfox.net/kb/article/116-how-to-install-an-alternative-authenticator-app-on-your-personal-computer/


4) Frequent cases (answers for support)

  • “At home, it asks for MFA”Expected on private/unmanaged device → Set up authenticator / install Proton. (see installation instructions or links above)
  • “At SIS itself, my private device suddenly asks for MFA” → only possible if the user has been classified as risky or the device is not connected to the school's internet
  • → Create ticket, collect details.
  • “Can I activate MFA myself on SIS-managed devices?”No, centrally managed (conditional access).
  • Regardless of this, only in rare exceptional cases: is the account compromised? → Password reset + MFA is activated immediately (security measure).


5) Ticket requirement (please be consistent!)

Please support standard: Every MFA/conditional access case requires a ticket (HappyFox “Submit Ticket”).

à https://swissinternationalschool.happyfox.net/new

Please do not create parallel emails for the same case X!

Minimum information in the ticket:

  • User/SIS email, location (CH/DE/BR), at SIS itself vs. outside
  • Device: SIS-managed vs. private/unmanaged, operating system, browser/app
  • Time + screenshot/error message if possible
  • MFA method (MS Authenticator / Proton) already set up?


6) Communication check (mandatory for local IT support staff)

Please actively check whether all teachers and parents have been informed in accordance with SIS GROUP IT guidelines:

  • What changes outside SIS (private device = MFA)
  • Standard setup (Microsoft Authenticator)
  • Alternatives without a smartphone (Proton)
  • “Please be prepared and set up Authenticator in advance.”
Feedback
0 out of 0 found this helpful

close button
scroll to top icon