From the MVPs: Office 365 Multi-factor Authentication with Microsoft Azure Active Directory


This is the 51st in our series of guest posts by Microsoft Most Valued Professionals (MVPs). You can click the “MVPs” tag in the right column of our blog to see all the articles.

Since the early 1990s, Microsoft has recognized technology champions around the world with the MVP Award. MVPs freely share their knowledge, real-world experience, and impartial and objective feedback to help people enhance the way they use technology. Of the millions of individuals who participate in technology communities, around 4,000 are recognized as Microsoft MVPs. You can read more original MVP-authored content on the Microsoft MVP Award Program Blog.

This post is by Office 365 MVP Nuno Árias Silva. Thanks, Nuno!

Office 365 with Microsoft Azure Active Directory is an enterprise-level identity and access management cloud solution. Office 365 with Microsoft Azure Active Directory Premium, built on top of the core offering of Azure AD, provides a robust set of capabilities for enterprises with more demanding identity and access management needs. This article shows how Office 365 integrates with the Multi-factor authentication feature of this premium offering.

Multi-factor authentication increases the security of user logins to cloud services compared with the traditional scenario of just a user name and a password. With Multi-Factor Authentication, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.

The advantages of using Azure Multi-factor authentication are:

· More security, fewer hoops

· Real-time monitoring and alerts

· Deploy it on-premises or in the cloud

· Works with Office 365, Salesforce and more

· More protection for Azure administrators

· Build it into your applications

The main differences between Multi-Factor Authentication for Office 365 and Microsoft Azure Multi-Factor Authentication are (an empty cell means the feature is not available in that offering):

| Feature | Multi-Factor Authentication for Office 365 | Microsoft Azure Multi-Factor Authentication |
|---|---|---|
| Administrators can Enable/Enforce MFA for end users | Yes | Yes |
| Use Mobile app (online and OTP) as second authentication factor | Yes | Yes |
| Use Phone call as second authentication factor | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes |
| App passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes |
| Remember Me (Public Preview coming in June) | Yes | Yes |
| IP Whitelist (currently in Public Preview) | | Yes |
| Custom greetings during authentication phone calls | | Yes |
| Fraud alert | | Yes |
| Event Confirmation | | Yes |
| Security Reports | | Yes |
| Block/Unblock Users | | Yes |
| One-Time Bypass | | Yes |
| Customizable caller ID for authentication phone calls | | Yes |
| MFA Server – MFA for on-premises applications | | Yes |
| MFA SDK – MFA for custom apps | | Yes |

How to configure and enable Azure Multifactor authentication on Office 365

The first steps to configure are:

1. Sign up for an Azure subscription

a. The first step is to sign up for an Azure subscription. If you already have an Azure subscription, skip to the next step.

2. Create a Multi-Factor Auth Provider

a. In the Azure Management Portal create a Multi-Factor Auth Provider. https://msdn.microsoft.com/en-us/library/azure/dn376346.aspx#create

3. Enable Multi-Factor Authentication on your users

a. To enable Multi-Factor Authentication on your Office 365 users see https://technet.microsoft.com/en-us/library/7a9c56cf-72f1-4797-8e86-a9a2d9569ef6#enableuser

4. Send email to end users to notify them about MFA

a. For an example email template see https://technet.microsoft.com/en-us/library/7a9c56cf-72f1-4797-8e86-a9a2d9569ef6#emailtemplate

5. Have a user sign in and complete the registration process

a. To sign in for the first time and complete the registration process see https://msdn.microsoft.com/en-us/library/azure/dn394276.aspx

6. Configure app passwords for non-browser apps (such as …Outlook etc.).

a. To configure app passwords see https://msdn.microsoft.com/en-us/library/azure/dn270518.aspx#apppassword
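One way to carry out step 3 from an administrator's workstation, as an added example that is not from the original post: the MSOnline PowerShell module sets the same per-user MFA requirement that the portal does, and a final query lists licensed users who still have no requirement so the roll-out can be tracked. The UPNs are placeholders, and the module and Global Administrator rights are assumed.

```powershell
# Added example (not part of the original post): enable MFA for a set of
# Office 365 users with the MSOnline module, then audit who still lacks it.
# Assumptions: MSOnline module installed; the signed-in account is a Global
# Administrator; the UPNs below are placeholders for real users.

Import-Module MSOnline
Connect-MsolService   # prompts for the administrator's credentials

# State "Enabled" requires the user to register a second factor at the next
# sign-in; once registration completes the user moves to "Enforced".
# RelyingParty "*" applies the requirement to every application.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"

$targets = @("alice@contoso.example", "bob@contoso.example")  # placeholder UPNs
foreach ($upn in $targets) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)
}

# Audit: licensed users with no StrongAuthenticationRequirements entry have
# neither been enabled nor enforced for MFA.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName, DisplayName
```

Passing an empty array (`-StrongAuthenticationRequirements @()`) removes the requirement again for a user.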

For advanced settings such as fraud alert, one-time bypass, and configuring your own customized voice messages see https://technet.microsoft.com/en-us/library/dn376348.aspx

After you have configured Multi-Factor Authentication in Azure and integrated it with Office 365, you can sign in to the Azure Portal and select Manage. The Manage page shows the functions that are available.

After all these steps are configured, your organization is ready to improve its security with the advanced features of Azure Multi-Factor Authentication.

Azure Multi-Factor Authentication (Azure MFA) helps reduce organizational risk and enables regulatory compliance by providing an extra layer of authentication in addition to a user’s account credentials. For that additional factor it uses a convenient form factor that users already have (and care about): their phone. During sign-in, users must also authenticate using the mobile app or by responding to an automated phone call or text message before access is granted. An attacker would need to know the user’s password and have the user’s phone in their possession to sign in. It works as a solution for both cloud-based and on-premises applications.

Multi-factor authentication is becoming the new standard for securing access and how businesses ensure trust in a multi-device, mobile, cloud world.

Final Note:

Microsoft is currently in the process of updating the Office 2013 client applications to support Multi-Factor Authentication through the use of the Active Directory Authentication Library (ADAL). These updates will be coming to various Office 2013 clients over the next several months.

This will mean that once these updates are available, app passwords will no longer be required for Office 2013 clients. However, until these updates are available, app passwords will still be required.

Currently the following Office 2013 clients no longer require the use of app passwords:

• Office 2013 for iOS

• Office 2013 for OS X

Introduction to ADAL based authentication

The ADAL based authentication stack enables the Office 2013 clients to engage in browser-based authentication (also known as passive authentication) where the user is directed to a web page from the identity provider to authenticate.

For additional information on these updates see Office 2013 updated authentication enabling Multi-Factor Authentication and SAML identity providers: http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers

Support Links:

Azure Multi-Factor Authentication

http://azure.microsoft.com/en-us/services/multi-factor-authentication

Securing access to cloud services - Information for Administrators

http://technet.microsoft.com/en-us/library/dn394289.aspx

Azure Active Directory Editions

http://msdn.microsoft.com/library/azure/dn532272.aspx
