Solved

O365 Two-Factor Authentication

Posted on 2014-01-27
Last Modified: 2014-11-12
We have an Office 365 E3 subscription and would like to implement two-factor authentication. We have DirSync running but no ADFS.

I notice there are settings in the Microsoft tenant portal which allow you to configure users to use 2F. Is it simply a case of configuring it for the appropriate users and the 2F infrastructure / process is managed by O365, or are there any other requirements like having ADFS?

I noticed you can have text message, phone call or app verification. App would be preferred - where's the app for that?


Thanks
Question by: Hypervizor

10 Comments
LVL 38

Expert Comment

by:Vasil Michev (MVP)
ID: 39811685
If you are planning to use the Azure MFA (or whatever they were naming it), you do not need to have a local AD FS server. Actually, it's best if you do not have AD FS, as the Azure MFA is not really designed to work with that (though they are currently working on improving this).

You just have to enable it in the settings for each user. Note that Office 2013 and other 'rich client' applications DO NOT work with 2FA, so you will have to use 'app passwords' instead.

http://technet.microsoft.com/en-us/library/dn270518.aspx

http://technet.microsoft.com/en-us/library/cf23280d-97e7-4aed-abbd-ed711ad9337f#apppassword

http://technet.microsoft.com/en-us/library/dn394289.aspx#federated
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39814283
 

Author Comment

by:Hypervizor
ID: 39844110
Thanks for the information both. I'm still a little confused though.

If I understand you and the above articles correctly - Office 365 supports 2FA and MFA authentication but has limitations which restrict its use to web apps only?

Here's the scenario. Currently mobile workers access their email from an on-premise Exchange server via VPN. As part of the authentication process, RSA tokens are also used. Straightforward.

When we migrate to Office 365 - is the suggested best practice to continue to work in this manner, or is there something a little more slick for staff who only want to use their PC-based Outlook client to connect to Office 365 to use email? If they can connect directly to Office 365, are we saying that they can't use 2FA?
 
LVL 38

Accepted Solution

by: Vasil Michev (MVP), earned 500 total points
ID: 39844130
If you have a local 2FA solution, you can forget about it. Even if you implement AD FS, it will be limited to only web apps (OWA, SharePoint Online, etc). Neither Outlook nor any other Office 2013 application will respect your 2FA solution. Same for any of the mobile apps. Office 2010 applications DO respect it, with the exception of Outlook/Lync. So if you are planning to use 2010 with AD FS, you are good to go and can leverage the existing solution.

Your other option is the Microsoft-provided Azure MFA (aka 'phonefactor'), which comes with severe limitations for any federated users (meaning no practical use for it if you have AD FS). You can use it without AD FS, so it might be an acceptable solution for your scenario. Again, web apps only; for anything else you will have to use an 'app password'.

It's a bit of a mess really, and for our customers it led to loooooong and not so friendly discussions with Microsoft representatives. The good news is that there has been a tremendous amount of negative feedback regarding the lack of support for 2FA in Office applications, and they have promised to provide a solution. Which might take years... :)
 

Author Comment

by:Hypervizor
ID: 39844176
Thanks Vasilcho.

So, the best solution would be to simply remain with the users using VPN and connecting as if they were in the office?

The reason I'm asking is because I was wondering how the Outlook client was configured if it was originally connected to an on-premise Exchange server, then introducing a hybrid server to aid migration over time with a view to then completely removing the on-premise Exchange servers.
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
ID: 39844193
Well the problem is you cannot actually block them from connecting from anywhere, unless you have AD FS.
 

Author Comment

by:Hypervizor
ID: 39844216
OK, so given that the Outlook client is configured to connect to Office 365, they can connect from anywhere regardless?
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
ID: 39844238
Well you cannot really push the VPN settings on their home PCs for example, can you? :) And the same goes for anything O365 related, not just Outlook.

Restricting client access is one of the biggest benefits AD FS adds to the table.
 

Author Comment

by:Hypervizor
ID: 39845324
OK, so hopefully a final question - with ADFS implemented, you are saying that you can enforce connection / authentication before access to the Office 365 estate is permitted?
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
ID: 39845359
You can, in most cases. Only web apps will respect your existing 2FA solution. The rest will still talk to your AD FS server, but as long as the account is active, they will be able to connect without 2FA regardless of the location.

You can further restrict this using AD FS claims rules. However, only Exchange Online sends back the IP of the client, so if you want to filter external clients, you will need AD FS proxies too. And then you will have to play with the AD FS a bit if you want to ensure that you only allow clients that you want to allow. There are some new options in AD FS 3.0 that can help with that, but again, no perfect solution.
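As an added illustration of the claims-rule approach described above (example code added here, not from the thread or from Microsoft's own documentation): an issuance authorization rule on the Office 365 relying party trust that denies non-browser sign-ins arriving through the AD FS proxy from outside a corporate IP range, while leaving browser (passive) sign-ins alone. It assumes AD FS 2.0 with the client access policy update rollup or AD FS 3.0, the default relying party trust name, and a placeholder regex you replace with your own public egress addresses.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# primary AD FS server. On AD FS 2.0 load the snap-in first; AD FS 3.0 auto-loads the module.
# Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Assumption: the Office 365 trust keeps the display name created by Convert-MsolDomainToFederated.
$rpName = "Microsoft Office 365 Identity Platform"

# PLACEHOLDER: a regex matching your organisation's public egress IPs, e.g. "^203\.0\.113\.[0-9]{1,3}$"
$corpIpRegex = "^REPLACE-WITH-YOUR-PUBLIC-IP-REGEX$"

# Keep the default permit rule; without any permit rule every request is denied.
$permitAll = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Deny when (a) the request came through an AD FS proxy (x-ms-proxy is present, so the
# client is external), (b) the forwarded client IP is not in the corporate range, and
# (c) the request is not a passive browser sign-in on /adfs/ls/.
# Net effect: Outlook, ActiveSync and other rich clients authenticate only from inside
# the network or over VPN; OWA/SharePoint in a browser still work externally and get
# whatever 2FA is attached to the web sign-in page.
$denyExternalRichClients = @"
@RuleName = "Deny external non-browser clients"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Replace the trust's issuance authorization rules with permit + deny (deny wins when both fire).
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules ($permitAll + "`n" + $denyExternalRichClients)

# Verify what is now in place before testing from an external client.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The x-ms-proxy and x-ms-forwarded-client-ip claims only exist when the request traverses an AD FS proxy, which is why the thread notes proxies are required; without them the rule never matches and everything is permitted.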
