• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1391

O365 Two-Factor Authentication

We have an Office 365 E3 subscription and would like to implement two-factor authentication. We have DirSync running but no ADFS.

I notice there are settings in the Microsoft tenant portal which allows you to configure users to use 2F. Is it simply a case of configuring it for the appropriate users and the 2F infrastructure / process is managed by O365 or are there any other requirements like having ADFS?

I noticed you can have text message, phone call or app verification. App would be preferred - where's the app for that?


Thanks
Asked:
Hypervizor
1 Solution
 
Vasil Michev (MVP) commented:
If you are planning to use the Azure MFA (or whatever they were naming it), you do not need to have a local AD FS server. Actually, it's best if you do not have AD FS, as the Azure MFA is not really designed to work with that (though they are currently working on improving this).

You just have to enable it in the settings for each user. Note that Office 2013 and other 'rich client' applications DO NOT work with 2FA, so you will have to use 'app passwords' instead.

http://technet.microsoft.com/en-us/library/dn270518.aspx

http://technet.microsoft.com/en-us/library/cf23280d-97e7-4aed-abbd-ed711ad9337f#apppassword

http://technet.microsoft.com/en-us/library/dn394289.aspx#federated
 
Mohammed Hamada (Senior IT Consultant) commented:
 
Hypervizor (Author) commented:
Thanks for the information both. I'm still a little confused though.

If I understand you and the above articles correctly - Office 365 supports 2FA and MFA authentication but has limitations which restrict its use to web apps only?

Here's the scenario. Currently, mobile workers access their email from an on-premise Exchange server via VPN. As part of the authentication process, RSA tokens are also used. Straightforward.

When we migrate to Office 365 - is the suggested best practice to continue to work in this manner, or is there something a little more slick for staff who only want to use their PC-based Outlook client to connect to Office 365 for email? If they can connect directly to Office 365, are we saying that they can't use 2FA?
 
Vasil Michev (MVP) commented:
If you have a local 2FA solution, you can forget about it. Even if you implement AD FS, it will be limited to only web apps (OWA, SharePoint Online, etc). Neither Outlook nor any other Office 2013 application will respect your 2FA solution. Same for any of the mobile apps. Office 2010 applications DO respect it, with the exception of Outlook/Lync. So if you are planning to use 2010 with AD FS, you are good to go and can leverage the existing solution.

Your other option is the Microsoft provided Azure MFA (aka 'phonefactor'), which comes with severe limitations for any federated users (meaning no practical use for it if you have AD FS). You can use it without AD FS, so it might be an acceptable solution for your scenario. Again, web apps only, for anything else you will have to use an 'app password'.

It's a bit of a mess really, and for our customers it led to loooooong and not so friendly discussions with Microsoft representatives. The good news is that there has been a tremendous amount of negative feedback regarding the lack of support for 2FA in Office applications, and they have promised to provide a solution. Which might take years... :)
 
Hypervizor (Author) commented:
Thanks Vasilcho.

So, the best solution would be to simply remain with the users using VPN and connecting as if they were in the office?

The reason I'm asking is because I was wondering how the Outlook client was configured if it was originally connected to an on-premise Exchange server, then introducing a hybrid server to aid migration over time with a view to then completely removing the on-premise Exchange servers.
 
Vasil Michev (MVP) commented:
Well the problem is you cannot actually block them from connecting from anywhere, unless you have AD FS.
 
Hypervizor (Author) commented:
OK, so given that the Outlook client is configured to connect to Office 365, they can connect from anywhere regardless?
 
Vasil Michev (MVP) commented:
Well you cannot really push the VPN settings on their home PCs for example, can you? :) And the same goes for anything O365 related, not just Outlook.

Restricting client access is one of the biggest benefits AD FS adds to the table.
 
Hypervizor (Author) commented:
OK, so hopefully final question - with ADFS implemented, you are saying that you can enforce connection / authentication before access to Office 365 estate is permitted?
 
Vasil Michev (MVP) commented:
You can, in most cases. Only web apps will respect your existing 2FA solution. The rest will still talk to your AD FS server, but as long as the account is active, will be able to connect without 2FA regardless of the location.

You can further restrict this using AD FS claims rules. However, only Exchange Online sends back the IP of the client, so if you want to filter external clients, you will need AD FS proxies too. And then you will have to play with AD FS a bit if you want to ensure that you only allow the clients you want to allow. There are some new options in AD FS 3.0 that can help with that, but again, no perfect solution.
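One concrete form of the claims-rule filtering this answer describes, added here as an example and not code from the thread or from Microsoft: an AD FS 3.0 issuance authorization rule set for the Office 365 relying party that denies requests arriving through the proxy unless the forwarded client IP is in the corporate range. It assumes AD FS on Windows Server 2012 R2 with a Web Application Proxy in front, the relying party name created by Convert-MsolDomainToFederated, and 203.0.113.0/24 as a placeholder corporate public range.

```powershell
# Added example, not from the thread. Placeholder values: the corporate public
# range 203.0.113.0/24 (documentation range) must be replaced with your own.

$rpName = "Microsoft Office 365 Identity Platform"

# Request-context claim types AD FS 3.0 stamps on requests that come in via the proxy.
# x-ms-forwardedclientip is only present when the service (Exchange Online) forwards
# the original client IP, which is the limitation the answer above points out.
$proxyClaim  = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"
$clientIp    = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwardedclientip"
$clientApp   = "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application"
$denyClaim   = "http://schemas.microsoft.com/authorization/claims/deny"
$permitClaim = "http://schemas.microsoft.com/authorization/claims/permit"

# The forwarded IP claim is a string, so the corporate range is matched as a regex.
$corpIpRegex = "^203\.0\.113\.(\d{1,3})$"

$rules = @"
@RuleName = "Permit all users by default"
=> issue(Type = "$permitClaim", Value = "true");

@RuleName = "Deny proxied requests unless the client IP is corporate or the client is ActiveSync"
exists([Type == "$proxyClaim"])
 && NOT exists([Type == "$clientIp", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "$clientApp", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "$denyClaim", Value = "true");
"@

# Keep a copy of the current rules so the change can be reverted.
$current = Get-AdfsRelyingPartyTrust -Name $rpName
$current.IssuanceAuthorizationRules | Out-File -FilePath ".\o365-authz-rules.backup.txt"

# A deny claim wins over the permit claim, so internal users (no x-ms-proxy claim)
# and proxied users from the corporate range keep access; everyone else is refused.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules
```

Because only Exchange Online forwards the client IP, any other active client arriving through the proxy carries no x-ms-forwardedclientip claim and is denied by this rule set; review the exceptions (for example per x-ms-client-application) against the clients you actually need before deploying.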