If you log in to university services and use the Authenticator app as your second factor by default, you can switch to a different method when logging in as follows:
If you have set up Windows Hello for Business on the device you are logging in from, this method will be displayed first. Here you can choose between the methods you have set up (PIN, facial recognition, or fingerprint).
Please note: Windows Hello for Business is device-specific and must be set up separately on each of your ZIM-managed devices.
If you would prefer to use a security key (YubiKey) or a passkey with the Microsoft Authenticator app , select "Use a different device".
Then select one of the following options:
Confirm your desired sign-in method with “Next”.
If you want to go back and use a sign-in method with password entry, click “Cancel”.
Note: The security key and iPhone, iPad, or Android device methods are always displayed in pairs, even if only one of them is configured. The inactive method cannot be used.
If you are offered the option of logging in with a security key (e.g., YubiKey), Windows Hello for Business, or a passkey, but would prefer to log in with a password instead (password + authenticator app/SMS/call), please proceed as follows:
Note: The security key and iPhone, iPad, or Android device methods are always displayed in pairs, even if only one of them is configured. The inactive method cannot be used.
We generally distinguish between two groups of login methods:
Passwordless methods:
Methods requiring password entry:
When you log in to your work device with your ZIM ID and MFA, you automatically receive Single Sign-On (SSO) for many services. This means that after logging in once with MFA, you can use all connected services without having to log in again.
For applications that use Microsoft SSO, the login information is not stored in each individual application, but centrally via the system login on the service device.
This behavior is technically intentional and corresponds to the basic principle of SSO: One login is sufficient for accessing many services.
For personal devices: Single Sign-On (SSO) within a browser session.
After logging in to a service in the browser using multi-factor authentication (MFA), you will have access to other connected university services without having to log in again. On personal devices, the login with Microsoft Single Sign-On is saved in the browser as soon as an MFA login has been performed within a browser session.
So, if you only sign out of the application, your Microsoft session in the browser remains active. The next time you click "Log in", you'll be automatically logged back in—without having to enter your password or MFA again.
The SSO session is limited to the current browser session:
To end all existing sessions, you can use the "Sign out everywhere" function in the administration portal of your Microsoft account. This option ends all open sessions, apps, and browser logins for M365 services associated with your account.
1. To do this, access the overview of your Microsoft account: https://myaccount.microsoft.com/.
2. Go to the "Overview" tab and click "Log out everywhere" in the bottom left corner, then confirm the following message with "OK".
You can manage your MFA methods via the page https://aka.ms/mysecurityinfo. This includes adding, changing, or deleting login methods, as well as viewing your recent login activity.
You can view and manage all login and MFA methods set up for your account under the "Security Information" section on the page https://aka.ms/mysecurityinfo.
Here you have the option to:
You can find an overview of your recent login activity on the page https://aka.ms/mysecurityinfo under the "Recent Activity" section. You should be familiar with each listed login.
Unusual Sign-In Activity in Your Microsoft Account – Usually Harmless
Unusual sign-in activity in your Microsoft account is often harmless and can frequently be explained by changing networks, new devices, or mobile access. Mobile access (e.g., via smartphones) and changing networks (switching from Wi-Fi to LTE) can cause sign-in locations or devices to be displayed differently than expected.
Here's how to check for an unusual entry:
Warning signs of possible unauthorized access (These checks help you distinguish between technical anomalies and possible security incidents):