This is the 51st in our series of guest posts by Microsoft Most Valued Professionals (MVPs). You can click the “MVPs” tag in the right column of our blog to see all the articles.
Since the early 1990s, Microsoft has recognized technology champions around the world with the MVP Award. MVPs freely share their knowledge, real-world experience, and impartial and objective feedback to help people enhance the way they use technology. Of the millions of individuals who participate in technology communities, around 4,000 are recognized as Microsoft MVPs. You can read more original MVP-authored content on the Microsoft MVP Award Program Blog.
This post is by Office 365 MVP Nuno Árias Silva. Thanks, Nuno!
Office 365 with Microsoft Azure Active Directory is an enterprise-level identity and access management cloud solution. Office 365 with Microsoft Azure Active Directory Premium, built on top of the core offering of Azure AD, provides a robust set of capabilities to empower enterprises with more demanding identity and access management needs. This article shows how Office 365 integrates with this premium offering, focusing on Multi-Factor Authentication.
Multi-Factor Authentication increases the security of user logins to cloud services compared with the traditional scenario of just a username and a password. With Multi-Factor Authentication, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.
The advantages of using Azure Multi-factor authentication are:
· More security, fewer hoops
· Real-time monitoring and alerts
· Deploy it on-premises or in the cloud
· Works with Office 365, Salesforce and more
· More protection for Azure administrators
· Build it into your applications
The main differences between Multi-Factor Authentication for Office 365 compared to Microsoft Azure MFA are:
| Feature | Multi-Factor Authentication for Office 365 | Microsoft Azure Multi-Factor Authentication |
|---|---|---|
| Administrators can Enable/Enforce MFA to end-users | Yes | Yes |
| Use Mobile app (online and OTP) as second authentication factor | Yes | Yes |
| Use Phone call as second authentication factor | Yes | Yes |
| Use SMS as second authentication factor | Yes | Yes |
| App passwords for non-browser clients (e.g., Outlook, Lync) | Yes | Yes |
| Default Microsoft greetings during authentication phone calls | Yes | Yes |
| Remember Me (Public Preview coming in June) | Yes | Yes |
| IP Whitelist (currently in Public Preview) | | Yes |
| Custom greetings during authentication phone calls | | Yes |
| Fraud alert | | Yes |
| Event Confirmation | | Yes |
| Security Reports | | Yes |
| Block/Unblock Users | | Yes |
| One-Time Bypass | | Yes |
| Customizable caller ID for authentication phone calls | | Yes |
| MFA Server – MFA for on-premises applications | | Yes |
| MFA SDK – MFA for custom apps | | Yes |
How to configure and enable Azure Multifactor authentication on Office 365
The first steps to configure are:
1. Sign up for an Azure subscription
a. The first step is to sign up for an Azure subscription. If you already have an Azure subscription, skip to the next step.
2. Create a Multi-Factor Auth Provider
a. In the Azure Management Portal, create a Multi-Factor Auth Provider: https://msdn.microsoft.com/en-us/library/azure/dn376346.aspx#create
3. Enable Multi-Factor Authentication for your users
a. To enable Multi-Factor Authentication for your Office 365 users, see https://technet.microsoft.com/en-us/library/7a9c56cf-72f1-4797-8e86-a9a2d9569ef6#enableuser
4. Send an email to end users to notify them about MFA
a. For an example email template, see https://technet.microsoft.com/en-us/library/7a9c56cf-72f1-4797-8e86-a9a2d9569ef6#emailtemplate
5. Have a user sign in and complete the registration process
a. To sign in for the first time and complete the registration process, see https://msdn.microsoft.com/en-us/library/azure/dn394276.aspx
6. Configure app passwords for non-browser apps (such as …Outlook etc.).
a. To configure app passwords see https://msdn.microsoft.com/en-us/library/azure/dn270518.aspx#apppassword
For advanced settings such as fraud alert, one-time bypass, and configuring your own customized voice messages see https://technet.microsoft.com/en-us/library/dn376348.aspx
After you have configured Multi-Factor Authentication in Azure and integrated it with Office 365, you can sign in to the Azure Portal and select Manage.
Here you can see some of the functions that are available.
Once all these steps are configured, your organization is ready to raise its security posture with the advanced features of Azure Multi-Factor Authentication.
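Step 3 above (enabling MFA for users) is described through the portal. The following PowerShell, added here as an example and not part of the original post, shows the same per-user Enable/Enforce setting done with the MSOnline module, plus a simple audit that lists licensed users who still have no MFA requirement at all. It assumes the MSOnline module is installed, that you sign in with a Global Administrator account, and the user principal names are constructed placeholders.

```powershell
# Added example (not from the original post): set a user's Azure MFA state
# with the MSOnline (Azure AD v1) PowerShell module and audit who is still
# password-only. Assumes the MSOnline module is installed and the account
# used with Connect-MsolService is a Global Administrator.

Import-Module MSOnline
Connect-MsolService   # prompts for the administrator credentials

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    # A StrongAuthenticationRequirement with RelyingParty '*' applies to every
    # application. 'Enabled' asks the user to register a second factor at next
    # sign-in; 'Enforced' additionally requires app passwords for non-browser
    # clients that do not understand the MFA challenge (see step 6 above).
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = $State

    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
}

function Get-UsersWithoutMfa {
    # Licensed users with an empty StrongAuthenticationRequirements collection
    # are neither Enabled nor Enforced, i.e. they sign in with a password only.
    Get-MsolUser -All |
        Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
        Select-Object UserPrincipalName, DisplayName
}

# Constructed placeholder accounts: a regular user gets 'Enabled' so they
# register on next sign-in; an administrator account is set to 'Enforced'.
Set-UserMfaState -UserPrincipalName 'alice@contoso.example' -State 'Enabled'
Set-UserMfaState -UserPrincipalName 'admin@contoso.example' -State 'Enforced'

# Review the remaining gap before the notification email (step 4) goes out.
Get-UsersWithoutMfa | Format-Table -AutoSize
```

Running `Get-UsersWithoutMfa` periodically is a cheap way to catch accounts created after the rollout that never received the requirement; to remove the requirement from a user, pass an empty array (`@()`) to `-StrongAuthenticationRequirements`.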
Azure Multi-Factor Authentication (Azure MFA) helps reduce organizational risk and enables regulatory compliance by providing an extra layer of authentication in addition to a user's account credentials. For that additional authentication, it leverages a convenient form factor that users already have (and care about): their phone. During sign-in, users must also authenticate using the mobile app or by responding to an automated phone call or text message before access is granted. An attacker would need to know the user's password and also have the user's phone in their possession to sign in. It works as a solution for both cloud-based and on-premises applications.
Multi-factor authentication is becoming the new standard for securing access and how businesses ensure trust in a multi-device, mobile, cloud world.
Final Note:
Microsoft is currently in the process of updating the Office 2013 client applications to support Multi-Factor Authentication through the use of the Active Directory Authentication Library (ADAL). These updates will be coming to various Office 2013 clients over the next several months.
This means that once these updates are available, app passwords will no longer be required for Office 2013 clients. However, until these updates are available, app passwords will still be required.
Currently, the following Office 2013 clients no longer require the use of app passwords:
• Office 2013 for iOS
• Office 2013 for OS X
Introduction to ADAL based authentication
The ADAL based authentication stack enables the Office 2013 clients to engage in browser-based authentication (also known as passive authentication) where the user is directed to a web page from the identity provider to authenticate.
For additional information on these updates, see "Office 2013 updated authentication enabling Multi-Factor Authentication and SAML identity providers": http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers
Support Links:
Azure Multi-Factor Authentication
http://azure.microsoft.com/en-us/services/multi-factor-authentication
Securing access to cloud services – Information for Administrators
http://technet.microsoft.com/en-us/library/dn394289.aspx
Azure Active Directory Editions
http://msdn.microsoft.com/library/azure/dn532272.aspx
Source: http://blogs.msdn.com/b/microsoft_press/archive/2015/03/23/from-the-mvps-office-365-multi-factor-authentication-with-microsoft-azure-active-directory.aspx