IT account and password

• To access most University services, use your username (e.g. ab12345) and your password.
• Some University services including Microsoft, require your username email address: username@surrey.ac.uk (e.g. ab12345@surrey.ac.uk and your password to gain access.
• Your username email address (e.g. ab12345@surrey.ac.uk) is your University email address where you can send and receive emails. Please check your inbox regularly to keep up to date with important information from the University.

Email formats

• Undergraduate and postgraduate taught student email addresses follow the username@surrey.ac.uk format (e.g. ab12345@surrey.ac.uk).
• Postgraduate research students will need to use their username@surrey.ac.uk to login rather than their initial.surname@surrey.ac.uk email address.

Access your IT account

To access your email account for the first time, please:

1. To login to Surrey365 visit: surrey365.surrey.ac.uk 
2. Enter your IT account username and password. Your username must be followed by the suffix '@surrey.ac.uk', for example ta001@surrey.ac.uk. 

You can find out more about the service in email help.

Please now set up your MFA (IT account security) by following the instructions below.

If you have not done so already, you must first access your University email account before you can set up Microsoft Multi-Factor Authentication (MFA).

This essential step ensures that only you can log into your account. The best approval method to use is to download the Microsoft Multi-Factor Authentication (MFA) app onto your mobile phone.

MFA is a security method that requires at least two methods of authentication - your password and another authentication method. The most secure and preferred method is to use the Microsoft Authentication App from your mobile phone.

This additional authentication will only take place every 14 days (if you are not using a university managed windows device) or if unusual activity is suspected on your account.

To read more about when and why you would receive a notification to authenticate please view the risk based MFA guide (PDF).

Instructions to set up MFA

• MFA quick start guide (PDF)
• MFA frequently asked questions
• Multifactor Authentication | Setup Guide Video.

Once you have set up MFA on your account you will continue to enter your university username and password at the usual login screen; however, following that, you will be prompted to approve your login. To do this you will be shown a 2-digit number on your login screen which you will need to type into the Authenticator app (recommended) on your mobile phone. Please do not use text messages as your primary authentication method. This method is less secure than the MS Authentication App. Please only use text messages as an authentication method if you change your mobile phone. Never give the text message authentication code to anyone else.

Download the Microsoft Authenticator App

You can download the Microsoft Authenticator App on your device using the following links:

• Android
• iOS.

For details of the apps permissions please go to why does the app request so many permissions?

If you travel internationally, change your phone number or change your mobile phone you will need to change your MFA setup

To change your MFA setup visit the Microsoft site. Then choose from one or more of the following options:

• Preferred method – use a smartphone with the Microsoft Authenticator App
  • You need access to WiFi or a mobile phone signal
  • To avoid receiving text messages whilst roaming, please use the Authenticator App whilst connected to WiFi.

Help setting up MFA

If you experience any problems setting up MFA please contact the IT Service Desk on +44 (0)1483 689898 / 9898, email IT, or live chat. Please supply the following information so we can identify who you are:

• Last 4 digits of your current phone used for MFA
• Supply your student number
• Copy of your student ID (by sending a photograph or scan of your card), or if this is not available, please supply a copy of your passport for ID purposes.

We will never ask you for your password under any circumstances

This essential step will allow you to reset your password should you forget it, or if you want to/need to change your password. For self-service password reset to work correctly, please set up the following authentication methods:

• Security questions (for resetting your password)
• A personal email address (for resetting your password).

Please follow the instructions on the set up guide (PDF).

Or watch this instructional video. 

If you experience any problems with any of these steps please contact the IT Service Desk on +44 (0)1483 689898 / 9898, email IT Services or live chat for further advice.

It is important that you use a strong and unique password to secure your University account.

The University recommends using the "three random words" method - where you combine three random words to create a password that is long enough and strong enough to withstand attack.

There are things to avoid when creating your password such as:

• Using memorable dates such as your birthdate
• Swapping letters for numbers (for example, swapping an "o" for a zero)
• Using the names of your pets, your children or popular culture references

Password strength and complexity is dynamically evaluated for University of Surrey accounts at the time you choose your password; if a password meets sufficient length, complexity, age and history requirements it will be permitted

It is important that your password is easy for you to remember. Other things to note:

• You must never write your password down
• Your password must be unique (not a password you have used anywhere else)
• You must not share your password with anyone, even within the University

Whilst the University does not currently offer a password manager, you are free to use one if you choose. 

Password managers are software designed to store passwords safely and securely. There are many options on the market that offer this service. Some of the more popular options include:

• LastPass, KeePass, Keeper, Password Safe, Dashlane 
• Most modern browsers also include a basic password manager feature

Using a password manager means you can have many longer and more complex passwords, without having to repeat them or worry about forgetting them. 

If you think your password has been compromised. Immediately change it and report the incident to the IT service desk by calling 01483 689898 / ext 9898

You can change your password from anywhere using the change password page (external Microsoft site).

If you have forgotten your password, you can reset it by visiting: passwordreset.microsoftonline.com.

If you have not set up self-service password reset (PDF) for your account, you will need to contact the IT Service Desk to reset your password on 01483 689898/ ext. 9898.  

When contacting the IT Service Desk you will need to provide your username, date of birth and university number (seven-digit number found on your campus ID card).

Change or update your self-service password reset information.

No one except you will be able to access the information you enter in the self-service password reset.

Further details can be seen in the privacy statement below.

Privacy Statement

Information that you are asked to provide as part of the password reset process will only be held for the purpose of resetting your password and is processed by the University on the basis of our legitimate interest in enhancing the security of our network. None of the information you provide will be accessible to IT Services staff and is not shared with or made available to Microsoft staff. The University has a GDPR-compliant processing agreement in place with Microsoft. This information will be stored as long as you remain a member of staff and in line with the IT Services retention schedules. It is your responsibility to maintain this information so that you can reset your password. For further information about how your data is used, please refer to the Staff Privacy Notice on the University website.

@surrey.ac.uk accounts are used by authorised users to access systems and services provided by the University or by a vendor with a contractual relationship with the institution, in accordance with the Acceptable Use Policy. These accounts are used by University members but remain University property throughout their existence.

In some cases, University accounts are used in a personal fashion for sign-up for services without organisational consent or relationships being established; in other words, in a personal-to-organisational relationship.

The personal-to-organisational type of usage is strongly discouraged as it differs from the purpose of institutional accounts.Creation of external personal accounts in cloud services tied to an @surrey.ac.uk account (for example, a signup for a Facebook account named after the user's @surrey.ac.uk account) frequently lead to password reuse and regularly appear in password breaches.

Furthermore, in a world where data agreements between third parties are more common, if the service in question is using OAuth our users may inadvertently consent to third parties being able to read their account profile without our knowledge, thus creating a relationship with a vendor to read our address book or access other services or data belonging to the University. Finally, since University accounts cease to exist once a student or staff member leaves the University, this would invalidate password reset functions for most personal cloud services, since the user would no longer be able to receive the password reset link or other single-use credential.

Therefore, for this variety of security, privacy, and usability reasons, we would recommend that for sign-up to external services a user’s personal email address should be used wherever possible.