
Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V

Tag

Azure MFA

Review Azure MFA or SSPR Activity / Consumption

If you want to know how users are consuming Azure MFA or Self Service Password Reset, this is where you find that info:

Self Service Password Reset log:

  1. Go to http://manage.windowsazure.com
  2. Click on Directory
  3. Click on your Azure AD directory
  4. For SSPR click here: [Screenshot: sspr-activity]

For Azure MFA activity log:

  1. Go to http://manage.windowsazure.com
  2. Click on Directory
  3. Click on your Azure AD directory
  4. Click Configure
  5. Scroll down to Multi-Factor Authentication and click: Manage Service settings
  6. Click “Go to the Portal” at the very bottom
  7. Click View Report
  8. Click Summary
  9. Select 1 month back
  10. Click Run
  11. Go to Queued Reports
  12. Click on View Report

You can also see reports sorted by user, showing how much they log in.

[Screenshots: go to portal, view Azure MFA report, auth summary, queued reports, view report, total users]

 

Azure MFA enrollment experience

To enroll for Azure MFA, users need to go through these steps. When you enforce or enable MFA, the user will be prompted for MFA enrollment. This is best done in a browser.

First, the user needs to access any of our endpoints, e.g. http://portal.office.com

The screenshots, in order:

  1. Credentials: Office 365 custom logo login
  2. MFA prompt: Office 365 MFA enabled
  3. Input MFA method: Office 365 MFA input phone number
  4. Contact options: Office 365 MFA methods
  5. SMS: You will get a text message with a code to enter
  6. Code on phone
  7. Office 365 app password during enrollment: Use this app password on your native iOS or Android device or old Outlook 2010 instead of your normal password.
  8. Additional Office 365 MFA options: Press Cancel if you feel done, or just navigate to the intended site, e.g. http://portal.office.com
  9. Extended Office 365 MFA options: all your MFA options
  10. Azure AD access panel for MFA: the user access panel

Here are all of the pictures in a Sway:
https://sway.com/2fNqmpbe5O17F5Ev

Service based Azure Multifactor Authentication

You can now require Azure MFA for a specific service.

In this example I enforce MFA for a security group with 3 users only when they try to access Yammer. MFA is not enforced for anything else.

Prerequisites: Enterprise Mobility + Security (EMS) License assigned to the user.

 

Go to: http://manage.windowsazure.com

Navigate to your domain and click applications


Use these settings

A note on these settings: I have 3 users in the CA Exchange Online Mobile group. The rest of my users are in the NO CA group, and that group is set to Except. I do this to ensure that nothing is enforced globally for all users. The 3 users in the first group have not had Azure MFA Enabled or Enforced; their status is set to Disabled.

You do not have to enable MFA globally for this to work.

[Screenshot: Yammer MFA settings] I always add an Except group with the remaining users.

 

This is what the user will see now.

 

He will see the normal login but will be required to enter a second factor. If he navigates to Outlook or OneDrive, there will be no such requirement.

[Screenshots: Yammer endpoint, credentials, Setup MFA, enter phone]

 

Enable Azure MFA on Outlook 2016 with ADAL for Exchange Online

If you have Outlook 2016 or Outlook 2013 and want to use Azure MFA, but you do not want to use application passwords, there is one thing you need to do.

First:

ADAL for Exchange Online is off by default. Turn it on here: How to turn on ADAL for Exchange Online

 

  1. Allow scripting

    • Set-ExecutionPolicy RemoteSigned
  2. Run Windows PowerShell and connect to Office 365.

    • $UserCredential = Get-Credential
    • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    • Import-PSSession $Session
  3. Check if ADAL is on

    • Get-OrganizationConfig | fl *Oauth*
  4. If ADAL is off, here is how to enable it

    • Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true
  5. Close your session

    • Remove-PSSession $Session

Now, for me I had to wait 48 hours for this to work. I also installed a fresh version of Office 2016 Click to Run from Office 365.
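
The steps above combined into one script, as an added example that is not part of the original post. It uses only the cmdlets shown in the steps, changes the setting only when it is off, reads the value back, and always closes the session; importing just the two cmdlets it needs is a choice made here.

```powershell
# Added example: check, enable and verify ADAL (modern auth) for Exchange Online.
# Assumes script execution is already allowed (step 1 above).
$UserCredential = Get-Credential

# Stop immediately if the remote session cannot be created.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection `
    -ErrorAction Stop

try {
    # Import only the two cmdlets this script uses, instead of the whole
    # remote command set.
    Import-PSSession $Session `
        -CommandName Get-OrganizationConfig, Set-OrganizationConfig `
        -AllowClobber | Out-Null

    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled

    if ($before) {
        Write-Output 'ADAL is already on; no change made.'
    }
    else {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

        # Read the setting back rather than trusting the Set call.
        $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if (-not $after) {
            throw 'OAuth2ClientProfileEnabled is still off after Set-OrganizationConfig.'
        }
        Write-Output 'ADAL was off and is now on.'
    }
}
finally {
    # Close the session even if a step above failed, so no authenticated
    # remote session is left open.
    Remove-PSSession $Session
}
```

The read-back confirms the tenant setting only; it does not show that Outlook clients have started using modern authentication yet.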

Second;

Enable Azure MFA for your user in http://portal.office.com

Click here to see: This is how Outlook Click to Run behaves with Azure MFA turned on

Thanks to MS Exchange Org for some great tutorials.
http://www.msexchange.org/articles-tutorials/office-365/exchange-online/exchange-online-identity-models-authentication-demystified-part7.html

 

 

Outlook 2016 behavior when you ENFORCE Azure MFA

When you click Enforce for Azure MFA, your users will not be able to connect to Office 365 with clients that do not support modern auth.

When they set up Outlook they will see this screen and be stuck there:

[Screenshot: 1 - autodiscover] Without modern auth enabled on Office 365 and Outlook, your users will be stuck here.

 

When you have enabled MFA on your Exchange Online tenant, this is what will happen:

[Screenshots: 2 - modern auth prompt; 3 - MFA prompt in Outlook 2016]

 

Azure MFA on Windows 10 Native Mail Client

If you enable Azure MFA in Office 365 and try to sync mail using the native Windows 10 Mail client, this is what the user will see:

(Sorry for the language. Just the buttons and boxes are all the same.)

  1. Add mail account: The user needs to select Office 365 for Azure MFA.
  2. Add user: The user now needs to enter just his UPN; it cannot be a username.
  3. Autodiscover looks for your account: If it fails here, then Autodiscover is broken.
  4. Enter password: Observe that the mail app has pulled down my company details, including logo and custom text.
  5. Azure AD MFA calls: Right now your phone would ring, or you would get an SMS/app challenge.
  6. Account added: That's it.
  7. Policies: Your company security settings will now be applied. Usually you get this box regardless, just to tell you that it might tighten security.
  8. Mail received: You receive mail. If you do not see mail, maybe the mail is older than a month. Then you need to change the sync settings to enable all mail to sync down.

 

 

Outlook 2016 behavior when you ENABLE Azure MFA

Scenario: You select “ENABLE” on Azure MFA but you do not Enforce. The user has not logged onto Office 365 before and is setting up his Outlook for the first time.

Spoiler warning: Nothing happens, YET.

Here is how Outlook 2016 behaves when you activate Azure MFA for your account.

  1. MFA on: Azure MFA portal
  2. Fresh Outlook 2016: fresh Outlook boot
  3. Add account
  4. User entered
  5. Searching for autodiscover
  6. Credential popup: normal login
  7. Enter password: standard password
  8. Success
  9. Read email: mail approved

 

 

 
