Solved

O365 Two-Factor Authentication

Posted on 2014-01-27
1,160 Views
Last Modified: 2014-11-12
We have an Office 365 E3 subscription and would like to implement two-factor authentication. We have DirSync running but no ADFS.

I notice there are settings in the Microsoft tenant portal which allows you to configure users to use 2F. Is it simply a case of configuring it for the appropriate users and the 2F infrastructure / process is managed by O365 or are there any other requirements like having ADFS?

I noticed you can have text message, phone call or app verification. App would be preferred - where's the app for that?


Thanks
Question by:Hypervizor
10 Comments
 

Expert Comment

by:Vasil Michev (MVP)
ID: 39811685
If you are planning to use the Azure MFA (or whatever they were naming it), you do not need to have a local AD FS server. Actually, it's best if you do not have AD FS, as the Azure MFA is not really designed to work with that (though they are currently working on improving this).

You just have to enable it in the settings for each user. Note that Office 2013 and other 'rich client' applications DO NOT work with 2FA, so you will have to use 'app passwords' instead.

http://technet.microsoft.com/en-us/library/dn270518.aspx

http://technet.microsoft.com/en-us/library/cf23280d-97e7-4aed-abbd-ed711ad9337f#apppassword

http://technet.microsoft.com/en-us/library/dn394289.aspx#federated
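Enabling per-user MFA from the tenant portal, as described above, is the same operation the MSOnline (Azure AD v1) PowerShell module exposes through Set-MsolUser. The script below is an added example and is not part of the thread or of Microsoft's documentation; it assumes the MSOnline module is installed, that the signed-in account is a tenant admin, and the user principal names are placeholders. The State values are the ones the portal shows: 'Enabled' prompts the user to register their verification method on the next browser sign-in, and 'Enforced' is the state after registration, at which point rich clients such as Outlook 2013 need an app password.

```powershell
# Added example: enable, enforce or disable Azure MFA for individual Office 365 users
# without AD FS, using the MSOnline module. UPNs below are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant administrator credentials

function Set-UserMfaState {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State = 'Enabled'
    )
    if ($State -eq 'Disabled') {
        # An empty array clears the requirement, which turns MFA off for that user
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # apply to every relying party, i.e. all Office 365 services
    $req.State        = $State   # 'Enabled' = register on next sign-in, 'Enforced' = MFA active
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Enable MFA for a handful of pilot users (placeholder accounts)
'alice@contoso.example', 'bob@contoso.example' |
    ForEach-Object { Set-UserMfaState -UserPrincipalName $_ -State 'Enabled' }

# Report every user's MFA state and registered verification methods, so you can confirm
# who will see the registration prompt and who is already enforced (and needs app passwords)
Get-MsolUser -All | Select-Object UserPrincipalName,
    @{ n = 'MfaState'; e = {
        if ($_.StrongAuthenticationRequirements) { $_.StrongAuthenticationRequirements[0].State }
        else { 'Disabled' } } },
    @{ n = 'Methods'; e = {
        ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ',' } }
```

Run the report before and after rolling MFA out: a user who shows 'Enforced' with a PhoneAppOTP or PhoneAppNotification method has registered the Multi-Factor Authentication mobile app, which is the app-based verification the question asks about.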
 

Expert Comment

by:Mohammed Hamada
ID: 39814283
 

Author Comment

by:Hypervizor
ID: 39844110
Thanks for the information both. I'm still a little confused though.

If I understand you and the above articles correctly - Office 365 supports 2FA and MFA authentication but has limitations which restrict its use to web apps only?

Here's the scenario. Currently, mobile workers access their email from an on-premise Exchange server via VPN. As part of the authentication process, RSA tokens are also used. Straightforward.

When we migrate to Office 365 - is the suggested best practice to continue to work in this manner or is there something a little more slick for staff who only want to use their PC-based Outlook client to connect to Office 365 to use email? If they can connect directly to Office 365, are we saying that they can't use 2FA?
 

Accepted Solution

by:
Vasil Michev (MVP) earned 500 total points
ID: 39844130
If you have a local 2FA solution, you can forget about it. Even if you implement AD FS, it will be limited to only web apps (OWA, SharePoint Online, etc). Neither Outlook nor any other Office 2013 application will respect your 2FA solution. Same for any of the mobile apps. Office 2010 applications DO respect it, with the exception of Outlook/Lync. So if you are planning to use 2010 with AD FS, you are good to go and can leverage the existing solution.

Your other option is the Microsoft provided Azure MFA (aka 'phonefactor'), which comes with severe limitations for any federated users (meaning no practical use for it if you have AD FS). You can use it without AD FS, so it might be an acceptable solution for your scenario. Again, web apps only, for anything else you will have to use an 'app password'.

It's a bit of a mess really, and for our customers it led to loooooong and not so friendly discussions with Microsoft representatives. The good news is that there has been a tremendous amount of negative feedback regarding the lack of support for 2FA in Office applications, and they have promised to provide a solution. Which might take years... :)
 

Author Comment

by:Hypervizor
ID: 39844176
Thanks Vasilcho.

So, the best solution would be to simply remain with the users using VPN and connecting as if they were in the office?

The reason I'm asking is because I was wondering how the Outlook client was configured if it was originally connected to an on-premise Exchange server, then introducing a hybrid server to aid migration over time with a view to then completely removing the on-premise Exchange servers.
 

Expert Comment

by:Vasil Michev (MVP)
ID: 39844193
Well the problem is you cannot actually block them from connecting from anywhere, unless you have AD FS.
 

Author Comment

by:Hypervizor
ID: 39844216
OK, so the fact that the Outlook client is configured to connect to Office 365, they can connect anywhere regardless?
 

Expert Comment

by:Vasil Michev (MVP)
ID: 39844238
Well you cannot really push the VPN settings on their home PCs for example, can you? :) And the same goes for anything O365 related, not just Outlook.

Restricting client access is one of the biggest benefits AD FS adds to the table.
 

Author Comment

by:Hypervizor
ID: 39845324
OK, so hopefully final question - with ADFS implemented, you are saying that you can enforce connection / authentication before access to the Office 365 estate is permitted?
 

Expert Comment

by:Vasil Michev (MVP)
ID: 39845359
You can, in most cases. Only web apps will respect your existing 2FA solution. The rest will still talk to your AD FS server, but as long as the account is active, will be able to connect without 2FA regardless of the location.

You can further restrict this using AD FS claims rules. However only Exchange Online sends back the IP of the client, so if you want to filter external clients, you will need AD FS proxies too. And then you will have to play with the AD FS a bit if you want to ensure that you only allow clients that you want to allow. There are some new options in AD FS 3.0 that can help with that, but again, no perfect solution.
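The claims-rule restriction described in the last answer works because an AD FS proxy stamps each request with the x-ms-proxy claim, Exchange Online forwards the end client's address in x-ms-forwarded-client-ip, and the endpoint path tells browser (passive, /adfs/ls/) sign-ins apart from rich-client (active) ones. The script below is an added example, not code from the thread or a verbatim copy of Microsoft's article; it assumes the Office 365 relying party trust still has its default name, that AD FS 2.1 or later is installed (AD FS 2.0 loads the cmdlets with Add-PSSnapin Microsoft.Adfs.PowerShell instead of Import-Module), and that 203.0.113.0/24 stands in for the organisation's real public egress range.

```powershell
# Added example: deny Office 365 sign-ins from rich clients (Outlook, ActiveSync, etc.)
# that arrive through the AD FS proxy from outside the corporate public IP range, while
# leaving browser sign-ins alone so they still get the 2FA that the web apps honour.
# Run on an AD FS server as an administrator.
Import-Module ADFS

$rpName      = 'Microsoft Office 365 Identity Platform'   # default RP trust name
$corpIpRegex = '^203\.0\.113\.'                            # placeholder: your egress range

# Rule 1 keeps the default "permit everyone"; rule 2 adds a deny, and AD FS lets a deny
# claim win over a permit claim. The deny fires only when all three hold:
#   - the request came via the proxy (x-ms-proxy present, so it is external),
#   - the forwarded client IP is absent or not in our range (only Exchange Online sends it,
#     so non-Exchange rich clients from outside are denied as well),
#   - the endpoint is not the browser (passive) endpoint /adfs/ls/.
$rules = @"
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external rich clients outside the corporate IP range"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Back up the current authorization rules so the change can be rolled back quickly
$backup = Join-Path $env:TEMP 'o365-issuance-authz-rules.bak.txt'
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules | Out-File $backup
Write-Host "Previous rules saved to $backup"

# Apply the new rule set to the Office 365 relying party trust
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show what is now in effect
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Test it with one pilot account before widening the regex: an Outlook 2013 profile on a home connection should fail to authenticate, the same client from the office should succeed, and OWA from anywhere should still prompt for your existing 2FA. Because the x-ms-forwarded-client-ip claim depends on the AD FS proxy and on Exchange Online passing the client address, the rule cannot see the real source address of a client that is already inside the network, which is the limitation the answer above calls out.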