Slide 2
Modern authentication for the Office 365 administrator | Vasil Michev | 22 June 2017 14:45 – 16:00
Follow us: #O365ENGAGE17
About me
Vasil Michev
vasil@michev.info
https://www.linkedin.com/in/michev/
www.michev.info/blog
MS Cloud strategist @ QUADROtech
Office Servers and Services MVP

Slide 3
The need for Modern authentication
• Cloud – access from anywhere
• BYOD – access on any device
• Consumerization of IT – proper UI
• Access to lots of 3rd party apps
• Interoperability with 3rd party ID providers (IDaaS)
• ‘Traditional’ demands for security with 2FAs
• Microsoft’s answer – Azure AD and Modern auth/apps

Slide 4
The journey so far - 2010 (federated ID)

Slide 6
The journey so far - 2013

Slide 7
The journey so far - Office & ADAL

Slide 8
What is Modern Authentication
• Set of standards-based protocols and open-source client libraries
  • OAuth 2.0 (authorization)
  • OpenID Connect (authentication)
• OrgID => EvoSTS (transparent to end users)
• Client side uses ADAL (with MSAL now in preview)
  • MSOIDCRL => ADAL (OAuth based auth stack)
• Cross-platform support
• Support for 3rd party (STSes + directories + 2FAs + …)
• Enables Conditional access, PTA, B2B, B2C, …

Slide 9
Why Modern Authentication?
• Unified experience across apps
  • No more basic auth for Outlook!
• Unified experience across devices
• Support for user consent
• Support for 3rd party STSes
• Support for access and refresh tokens
• Support for 2FA solutions across apps
  • No more app passwords!

Slide 10
How to enable Modern auth (and disable legacy)
• Exchange Online:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
• SharePoint Online: enabled by default
• Skype for Business Online:
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
• Office software requirements (March 2015 and later for 2013 MSI)
• Disable legacy auth:
• For SPO: Set-SPOTenant -LegacyAuthProtocolsEnabled $false
• For all others: Use AD FS claims rules where possible
• Disable App passwords!
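The cmdlets on this slide only flip switches; the check an admin actually wants is to read the state back across all three workloads and flag whatever is still legacy. The script below is an added example, not part of the deck, and assumes you have already connected to Exchange Online (remote PowerShell), Skype for Business Online and SharePoint Online in the current session.

```powershell
# Added example (not from the deck): read back the Modern Auth switches the slide
# sets and report anything still in the legacy state. Assumes existing sessions to
# Exchange Online, Skype for Business Online and SharePoint Online.
function Get-ModernAuthState {
    [CmdletBinding()]
    param()

    $state = [ordered]@{}

    # Exchange Online: OAuth2ClientProfileEnabled must be $true for ADAL-enabled Outlook
    $exo = Get-OrganizationConfig
    $state['ExchangeOnline.OAuth2ClientProfileEnabled'] = [bool]$exo.OAuth2ClientProfileEnabled

    # Skype for Business Online: ClientAdalAuthOverride must be 'Allowed'
    $sfbo = Get-CsOAuthConfiguration
    $state['SkypeOnline.ClientAdalAuthOverride'] = "$($sfbo.ClientAdalAuthOverride)"

    # SharePoint Online: Modern auth is on by default; the risk is legacy protocols left on
    $spo = Get-SPOTenant
    $state['SharePointOnline.LegacyAuthProtocolsEnabled'] = [bool]$spo.LegacyAuthProtocolsEnabled

    [pscustomobject]$state
}

function Test-ModernAuthState {
    param([Parameter(Mandatory)]$State)
    $findings = @()
    if (-not $State.'ExchangeOnline.OAuth2ClientProfileEnabled') {
        $findings += 'Exchange Online: Modern auth is OFF. Fix: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
    }
    if ($State.'SkypeOnline.ClientAdalAuthOverride' -ne 'Allowed') {
        $findings += 'Skype for Business Online: ADAL not allowed. Fix: Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed'
    }
    if ($State.'SharePointOnline.LegacyAuthProtocolsEnabled') {
        $findings += 'SharePoint Online: legacy auth protocols still enabled. Fix: Set-SPOTenant -LegacyAuthProtocolsEnabled $false'
    }
    $findings
}

$current = Get-ModernAuthState
$current | Format-List
$issues = Test-ModernAuthState -State $current
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'All three workloads report the Modern-auth-only state' }
```

Note what the script cannot show: nothing here turns off basic authentication for Exchange Online itself, which is why the slide points to AD FS claims rules for "all others", and app passwords are a per-user MFA setting with no tenant-wide read-back cmdlet.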

Slide 11
Modern Auth and on-premises infrastructure
• Exchange server: under development
• Skype for Business server: supported*, requires AD FS
https://technet.microsoft.com/en-us/library/mt710548.aspx
• SharePoint server: not supported***
• Can be a problem for organizations that rely on AD FS claims rules
• All traffic is now on the passive endpoint (/adfs/ls)
• The X-MS-Forwarded-Client-IP* and X-MS-Client-Application claims no longer added
• x-ms-client-user-agent can still be used (can be spoofed!)
• But you can force MFA as all traffic is Passive
• Conditional access in Azure AD is viable workaround, but requires Azure AD Premium
• Seamless SSO still requires smart links or similar
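The practical consequence of "all traffic is now on the passive endpoint" is that the old client-application / forwarded-IP rules silently stop matching, while a rule keyed on the network location still works and can demand MFA. The script below is an added example, not from the deck; it runs on an AD FS 2012 R2 or 2016 server and assumes the default relying party trust name that Convert-MsolDomainToFederated creates.

```powershell
# Added example, not from the deck. Run on an AD FS server. The RPT display name is
# the default one for Office 365 and is an assumption about your deployment.
$rpName = 'Microsoft Office 365 Identity Platform'

# Additional authentication rule for the Office 365 RPT: the Web Application Proxy
# sets insidecorporatenetwork=false for extranet requests, and because ADAL clients
# all use the passive endpoint, AD FS can actually challenge them for MFA here.
$extranetMfaRule = @'
@RuleName = "Require MFA for requests from outside the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Request-context claims that legacy blocking rules keyed on: the first two are not
# added on the passive endpoint, the third is just the HTTP User-Agent header and
# can be set to anything by the client. Listed only so existing rules can be audited.
$deadOrSpoofableClaims = @(
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip',
    'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent'
)

$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# Audit: warn about authorization rules that no longer protect Modern auth clients
foreach ($claim in $deadOrSpoofableClaims) {
    if ($rp.IssuanceAuthorizationRules -match [regex]::Escape($claim)) {
        Write-Warning "Authorization rules for '$rpName' still reference $claim; for Modern auth clients they do not fire or can be spoofed"
    }
}

# Apply: append the MFA rule to the RPT's additional authentication rules (idempotent)
$current = $rp.AdditionalAuthenticationRules
if ($current -notmatch 'insidecorporatenetwork') {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules ($current + "`r`n" + $extranetMfaRule)
}

# Verify
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

The audit loop only warns; it does not delete rules, because a rule that references x-ms-client-application may still be wanted for clients that have not moved to Modern auth.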

Slide 12
Client experience
• Unified experience across Office apps
  • No more basic auth for Outlook!
  • No more app passwords!
  • Token persists across (Office) apps! (not across devices)
  • Does not configure profiles automatically (but will reuse the token)!
• Same experience in other ADAL-enabled apps
• Same experience across apps on different devices
• Same experience with other 2FA methods
• Known issues: SfB/EWS interop; multiple users/tenants…

Slide 13
Current list of ADAL enabled apps

App                         | Windows                                     | Mac OS X                           | Windows Phone                   | iOS                           | Android
Office clients              | Office 2013*/Office 2016                    | Office 2016 for Mac                | Supported                       | Supported                     | Supported
Skype for Business          | Supported                                   | Supported                          | Supported*                      | Supported*                    | Supported*
Outlook                     | Office 2013*/Office 2016                    | Outlook 2016 for Mac               | Supported                       | Supported                     | Supported
ODfB / ODfB NGSC            | Office 2013*/Office 2016 (NGSC: Supported)  | Supported                          | Supported                       | Supported                     | Supported
Legacy clients              | No support for Office 2007/2010             | No support for Office 2011 for Mac | No support for Windows Mobile 7 | No support for OWA for mobile | No support for OWA for mobile
Groups/Teams/Planner/Yammer | N/A                                         | N/A                                | Supported                       | Supported                     | Supported
Office 365 Admin app        | N/A                                         | N/A                                | Supported                       | Supported                     | Supported
RMS sharing app/AIP client  | Supported                                   | Supported                          | Supported                       | Supported                     | Supported

Slide 14
Unified experience across apps (Outlook) – screenshot

Slide 15
Unified experience across devices (WP) – screenshot

Slide 19
Support for access and refresh tokens
• IDCRL was caching credentials instead
• EvoSTS tokens are different from OrgID ones
• Token lifetimes
  • Access token: 1 hour (short-lived)
  • Refresh token: default 14 days, sliding up to 90 days with continued use
  • Lifetime configuration is consistent across services/applications
• Holding a valid token bypasses any 2FA: the factor is checked when the token is issued, not on each use
• Changing network location does not invalidate tokens!
• What can invalidate a token?
  • Conditional Access policies
  • Password change events (reset, admin reset)
  • Admin control
• OIDC adds the ID token (gives info about the user)

Slide 20
Access/refresh token exchange – diagram
Note there is no AD FS box!

Slide 21
Token revocation and lifetime control

At GA:
• Preset token lifetimes
  • Access token: 1 hour
  • Refresh token: 90 days
• Access tokens cannot be revoked
• Refresh tokens revoked via:
  • Password reset for cloud users
  • Conditional access

At present:
• Configurable token lifetimes
  • Access token: 10 mins to 1 day
  • Refresh token: 10 mins to 90 days*
• Access tokens cannot be revoked
• Refresh tokens revoked via:
  • PowerShell (Revoke-AzureADUserAllRefreshToken)
  • Conditional access
  • For synced users: pwdLastSet attribute
  • For federated users:
    • Password changes
  • Account disabled or deleted
  • Downgrade of device state (Compliant => Managed => Registered)
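Both halves of this slide come together in practice: since access tokens cannot be revoked, the only lever against a stolen session is to keep AccessTokenLifetime short and then kill the refresh token. The script below is an added example, not from the deck; it uses the AzureADPreview module as it stood in 2017 (token lifetime policies were in preview), and the policy values and UPN are placeholders.

```powershell
# Added example (not from the deck). Requires the AzureADPreview module; the
# durations and the user below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# 1. Shorten token lifetimes tenant-wide. Values are .NET TimeSpan strings (d.hh:mm:ss).
#    The slide's ranges: access token 10 min .. 1 day, refresh token 10 min .. 90 days.
$definition = @{
    TokenLifetimePolicy = @{
        Version             = 1
        AccessTokenLifetime = '00:30:00'    # 30 minutes: the window a stolen access token stays valid
        MaxInactiveTime     = '1.00:00:00'  # refresh token dies after 1 day without use
        MaxAgeMultiFactor   = '7.00:00:00'  # an MFA-backed refresh token must be re-issued weekly
    }
} | ConvertTo-Json -Compress

$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName 'ShortSessions' `
                            -IsOrganizationDefault $true `
                            -Type 'TokenLifetimePolicy'
"Created policy $($policy.Id) as organization default"

# 2. Revocation: cut the user's refresh tokens so every client has to re-authenticate
#    (and re-do MFA) within AccessTokenLifetime. Returns the new validity watermark.
function Revoke-UserSessions {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    # Any refresh token issued before this timestamp is now rejected
    (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
}

$since = Revoke-UserSessions -UserPrincipalName 'user@contoso.com'
"Refresh tokens for user@contoso.com are only valid if issued after $since"
```

RefreshTokensValidFromDateTime is the value to check in an incident: if it predates the suspected compromise, the revocation did not happen. The access token the attacker already holds still works until AccessTokenLifetime runs out, which is exactly the argument for the 30-minute setting above.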

Slide 22
PowerShell modules with ADAL support
• Azure AD (and Preview)
• WAAD (MSOnline)
• Exchange Online
• Skype for Business Online
• SharePoint Online
• SharePoint PnP
• AADRM (Azure Information Protection)

Slide 23
PowerShell modules with ADAL support

Module                         | MFA status    | Pass credentials | Pass token     | Bypass MFA on trusted location
Azure AD                       | Supported     | Supported        | Supported      | Supported
Exchange Online (legacy)       | Not supported | N/A              | N/A            | Not supported
Exchange Online (MFA module)   | Supported     | Not supported    | Not supported* | Supported
Security and Compliance Center | Not supported | N/A              | N/A            | Not supported
SharePoint Online              | Supported     | Supported***     | Not supported  | Not supported
SharePoint Online PnP          | Supported     | Supported***     | Not supported  | Supported
Skype for Business Online      | Supported     | Supported***     | Not supported* | Supported
AIP/AADRM                      | Supported     | Supported        | Supported      | Supported
Azure                          | Supported     | Supported        | Supported      | Supported
* workarounds exist

Slide 24
ExO PowerShell and MFA Demo
• It’s still a Remote PS session
• Same configuration and Language mode
• Different Connection URI!
• But same old Basic auth
  • Or is it?
Screenshot callouts: still a remote PowerShell session; still NoLanguage mode; "this is new?" / "this is not"; "and this is an access token!" (the value carried in the Basic authorization header is an OAuth access token, not a password)

Slide 25
SfBO PowerShell Demo
• UserName parameter is mandatory
• Does not automatically import the session
• Different method – “oauth” as username
• Token not cached (no entry in the PS TokenCache)
• Token validity 8h
• Cannot renew token
• Passing credentials object bypasses MFA
• but doesn’t solve any of the above…

Slide 26
Automate MFA PowerShell connectivity
• Configure Trusted IPs for bypass
• Combine it with passing creds for modules like Azure AD
• Get the token programmatically and pass it
• Not all modules support this
• Exposed ADAL methods do not return refresh tokens
• PowerShell sessions do not share the same token (cache)
• Even if you get refresh token, no methods to get new access one
• Auto-load the ExO Module
• Different implementation for different modules
• Session still breaks as often, and some sessions don’t even renew…
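"Get the token programmatically and pass it" looks like this for the Azure AD module, which is one of the modules that accepts a token. The script is an added example, not from the deck. It assumes the AzureAD module is installed and ships ADAL's Microsoft.IdentityModel.Clients.ActiveDirectory.dll in its module folder, uses the well-known Azure PowerShell client ID, and the UPN is a placeholder.

```powershell
# Added example (not the deck's code). Assumptions: AzureAD module installed with the
# ADAL DLL in its module folder; the client ID is the well-known Azure PowerShell one.
$adalPath = Join-Path (Get-Module -Name AzureAD -ListAvailable | Select-Object -First 1).ModuleBase `
                      'Microsoft.IdentityModel.Clients.ActiveDirectory.dll'
Add-Type -Path $adalPath

$authority = 'https://login.microsoftonline.com/common'
$clientId  = '1950a258-227b-4e31-a9cf-717495945fc2'   # well-known Azure PowerShell client
$redirect  = [Uri]'urn:ietf:wg:oauth:2.0:oob'
$resource  = 'https://graph.windows.net'                # Azure AD Graph, what the AzureAD module talks to

# One AuthenticationContext per PowerShell session: its in-memory cache (which holds the
# refresh token you never get handed back) is what makes silent renewal possible. It is
# neither shared with other sessions nor persisted, matching the caveat on the slide.
$script:ctx = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext($authority)

function Get-GraphAccessToken {
    param([string]$UserPrincipalName, [securestring]$Password)

    # Silent first: returns the cached access token, or uses the cached refresh token
    # to mint a new one, without any prompt
    try {
        return $script:ctx.AcquireTokenSilentAsync($resource, $clientId).GetAwaiter().GetResult()
    } catch {
        # AdalSilentTokenAcquisitionException: nothing usable in the cache yet
    }

    if ($Password) {
        # Non-interactive (username/password grant): only succeeds when the account is not
        # challenged for MFA, e.g. because the job runs from a Trusted IP that bypasses it
        $cred = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential($UserPrincipalName, $Password)
        return $script:ctx.AcquireTokenAsync($resource, $clientId, $cred).GetAwaiter().GetResult()
    }

    # Interactive fallback: ADAL dialog, full MFA prompt
    $params = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters(
        [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto)
    $script:ctx.AcquireTokenAsync($resource, $clientId, $redirect, $params).GetAwaiter().GetResult()
}

$result = Get-GraphAccessToken -UserPrincipalName 'admin@contoso.com'
"Token for $($result.UserInfo.DisplayableId) expires $($result.ExpiresOn.LocalDateTime)"

# Hand the access token to the module instead of credentials
Connect-AzureAD -AadAccessToken $result.AccessToken -AccountId $result.UserInfo.DisplayableId | Out-Null
Get-AzureADTenantDetail | Select-Object DisplayName
```

For a long-running job, call Get-GraphAccessToken again and reconnect before ExpiresOn; the second call is silent as long as the same session (and therefore the same AuthenticationContext) is still alive. Modules that do not accept a token, as the table earlier shows, get nothing from this approach.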

Slide 27
What about EWS?
• EWS always uses legacy authentication
• For federated users, it goes on the active endpoint
• If the user has 2FA, request fails
• If the user is enforced for Azure MFA, app password flow kicks in!
• Request never reaches the on-prem AD FS
• Authenticate to ExO EWS via OAuth
• Register Azure AD application
• Grant OAuth permissions
• Acquire token and connect
• Respects Impersonation permissions in ExO
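The three steps on the slide (register an Azure AD application, grant it OAuth permissions, acquire a token and connect) carried through end to end, as an added example that is not the deck's code. It assumes an app-only registration that has been granted and admin-consented the Exchange Online application permission "Use Exchange Web Services with full access to all mailboxes" (full_access_as_app); tenant, client ID, secret and mailbox are placeholders.

```powershell
# Added example (not the deck's code). App-only EWS over OAuth. Placeholders below.
$tenant   = 'contoso.onmicrosoft.com'
$clientId = '00000000-0000-0000-0000-000000000000'
$secret   = 'client-secret-from-the-app-registration'   # keep this in a vault, not in the script
$mailbox  = 'user@contoso.com'

# 1. Acquire a token for the EWS resource with the client-credentials grant (this is
#    the exchange ADAL's AcquireToken does for you when given a ClientCredential)
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $clientId
    client_secret = $secret
    resource      = 'https://outlook.office365.com'
}
$accessToken = $tokenResponse.access_token

# 2. Call EWS with a Bearer header, impersonating the target mailbox. No basic auth is
#    involved, so the MFA / app-password failure modes on the slide never come into play.
$soap = @"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Header>
    <t:RequestServerVersion Version="Exchange2013_SP1"/>
    <t:ExchangeImpersonation>
      <t:ConnectingSID><t:PrimarySmtpAddress>$mailbox</t:PrimarySmtpAddress></t:ConnectingSID>
    </t:ExchangeImpersonation>
  </soap:Header>
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>
      <m:FolderIds><t:DistinguishedFolderId Id="inbox"/></m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"@

$headers = @{
    Authorization     = "Bearer $accessToken"
    'X-AnchorMailbox' = $mailbox   # routes the request to the backend holding this mailbox
}
$response = Invoke-WebRequest -Uri 'https://outlook.office365.com/EWS/Exchange.asmx' -Method Post `
                              -Headers $headers -ContentType 'text/xml; charset=utf-8' `
                              -Body $soap -UseBasicParsing

[xml]$xml = $response.Content
$msg = $xml.Envelope.Body.GetFolderResponse.ResponseMessages.GetFolderResponseMessage
"ResponseCode: $($msg.ResponseCode)"
if ($msg.ResponseClass -eq 'Success') {
    $inbox = $msg.Folders.Folder
    "Inbox '$($inbox.DisplayName)': $($inbox.TotalCount) items, $($inbox.UnreadCount) unread"
}
```

The ExchangeImpersonation header is still subject to Exchange's own impersonation checks, which is the "respects Impersonation permissions" point on the slide: a delegated token (a signed-in admin rather than an app secret) only gets this far if that user holds the ApplicationImpersonation role. A 401 with a valid token almost always means the application permission was granted but not admin-consented.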

Slide 28
Troubleshoot Modern Authentication issues
• Always use the latest updates
• Lots of Modern auth issues for Office resolved since GA!
• MSO.dll, ADAL.dll (responsible for blank windows!)
• AD FS updates too! (or 3rd party STS)
• For Outlook, make sure MAPI/HTTP is enabled
• Clear cached tokens/cookies
• Enable Forms auth and "/adfs/services/trust/13/windowstransport" endpoint
• Update AD FS claims rules!
• Check for prompt=login behavior
• Tools: OffCAT/SaRA, Icesdptool, AD FS configuration, ExRCA
• Enable logging on the client, check for MSO events
• More tips in this session

Slide 29
Tokens and cookies
• Office apps
  • Access token stored in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Office\XX\Common\Identity\Identities\<GUID>_ADAL
  • Refresh token stored in the Credential Store:
    MicrosoftOffice16_Data:ADAL:<GUID>
  • Clear browser cache/cookies
• Skype for Business: credential store, %localappdata%\Microsoft\Office\16.0\Lync
• OneDrive for Business: credential store
• PowerShell (WSMan connection cookies):
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies
• Teams: credential store

Slide 30
Support for 2FA solutions
• Office 2013 did not support proper 2FA
• No more app passwords
• Proper 2FA support in Outlook
• Token persists across (Office) apps
• ADAL is agnostic to the 2FA method used!
  • Cares only about the token
• Azure MFA for managed IDs
• Azure MFA server for federated IDs
  • Or any other supported 2FA on-prem
• List of solutions:

2FA provider        | Offering
Gemalto             | Gemalto Identity & Security Services
inWebo Technologies | inWebo Enterprise Authentication service
Login People        | Login People MFA API connector for AD FS 2012 R2
Microsoft Corp.     | Microsoft Azure MFA and Azure MFA server
RSA                 | RSA SecurID Authentication Agent for AD FS
SafeNet, Inc.       | SafeNet Authentication Service (SAS) Agent for AD FS
Swisscom            | Mobile ID Authentication Service and Signature Services
Symantec            | Symantec Validation and ID Protection Service (VIP)
Multiple companies  | Certificate based auth

Slide 31
Azure MFA (leverage Azure Multi-Factor Authentication with Azure AD)
• Free with Office 365
• Easy to configure and manage
• Easy to integrate with SaaS apps in Azure
• Can be integrated with on-prem LOB apps through Azure AD app proxy
• NPS extension for Azure MFA
• Reporting, One-time bypass, Suspend, custom caller ID and greeting, trusted IPs, Fraud alert
• Before ADAL, relied heavily on app passwords

Slide 34
Azure MFA server
• Admin control (fill in/prevent changing phones, limit number of devices, fallback via backup phone or questions)
• More methods: 2-way SMS, OATH token
• Force/block a method
• Integration with AD FS
  • Granular control via Claims rules/Auth policies
• Integration with on-prem apps, VPN, RDS/RDG, IIS
• (Optional) Web SDK, Mobile SDK, User portal
• MFA for users not in the cloud (+LDAP integration)
• Azure MFA server whitepaper

Slide 35
Azure MFA server – diagram

Slide 36
AD FS + Azure MFA server – diagram

Slide 37
AD FS + Azure MFA server
• Control where the MFA challenge is performed
  • Do MFA in the cloud: Set-MsolDomainFederationSettings -DomainName <domain> -SupportsMFA $false
  • Do MFA on-premises: Set-MsolDomainFederationSettings -DomainName <domain> -SupportsMFA $true
• Make sure AD FS issues or passes the claim http://schemas.microsoft.com/claims/authnmethodsreferences
  • Otherwise a login loop is caused: AAD adds wauth=http%3a%2f%2fschemas.microsoft.com%2fclaims%2fmultipleauthn to the sign-in request and expects the matching claim in the token
• Bypass MFA DEMO
• Force double-MFA DEMO
• MFA for external users
  • For B2B (can also require double-MFA)
  • For B2C
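The two settings on this slide have to agree, and the login loop is what you get when they do not. Below is the on-premises variant (SupportsMFA $true plus the pass-through rule) with a verification step on each side, as an added example that is not the deck's code. The domain and relying party trust name are placeholders; the AD FS part runs on an AD FS server.

```powershell
# Added example (not the deck's code). Move the MFA challenge on-premises for a
# federated domain and make sure the authnmethodsreferences claim gets back to Azure AD.
$domain = 'contoso.com'
$rpName = 'Microsoft Office 365 Identity Platform'   # default RPT name, an assumption

# 1. Azure AD side: declare that the federated IdP performs MFA. From now on Azure AD
#    sends wauth=...multipleauthn to AD FS and trusts the claim that comes back.
Connect-MsolService
Set-MsolDomainFederationSettings -DomainName $domain -SupportsMFA $true
$supports = (Get-MsolDomainFederationSettings -DomainName $domain).SupportsMFA
"SupportsMFA for ${domain}: $supports"          # expected: True

# 2. AD FS side: pass the authentication method references through to the token.
#    Without this rule the token never carries 'multipleauthn', Azure AD redirects
#    back to AD FS asking for it again, and the user sees the login loop.
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through authentication method references"
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
 => issue(claim = c);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.IssuanceTransformRules -notmatch 'claims/authnmethodsreferences') {
    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $passThrough)
    "Added pass-through rule to '$rpName'"
} else {
    "'$rpName' already passes authnmethodsreferences"
}

# 3. Verify both halves together
$rules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
if ($supports -and $rules -match 'claims/authnmethodsreferences') {
    'OK: Azure AD expects on-prem MFA and AD FS will report it'
} else {
    Write-Warning 'Mismatch: expect a login loop for MFA-required users'
}
```

Setting SupportsMFA back to $false (cloud MFA) makes the rule harmless but not the other way round: with $true and no rule, every user subject to MFA is locked out of Modern auth clients, so change the Azure AD side last when moving MFA on-premises.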

Slide 38
AD FS with Azure MFA as primary auth
• Azure MFA as additional auth provider in AD FS
  • Can be used as primary and/or secondary auth
  • Does not require on-prem Azure MFA server install
  • Steps to configure are here
• Sign-in with verification code from mobile app (Azure Authenticator)
  • Passwordless login!
  • Call or SMS not supported
• User needs to have registered with Azure MFA first
  • No inline provisioning supported currently
• Does not bypass 2FA when used as primary

Slide 39
Certificate based auth for Azure AD
• Azure AD doesn’t natively support CBA
• Federation enables CBA as primary or secondary factor
• ADAL enables “non-browser” applications to support it
• EAS-based bypass now supported
• Token revocation is an issue
• Configure Azure AD trusted certificate authority
• Make sure issuer and serialnumber claims are included in the token
• Make sure CRL is accessible externally
• Prompt=login behavior and service-side bypass
• Remember CBA can be used as 2FA!
• Bypasses 2FA requirements

Slide 40
AD FS in Windows Server 2016
• Still some advantages over PTA
• Seamless SSO support across protocols (‘prompt’, ‘login_hint’ & ‘domain_hint’)
• Conditional access, now with simplified syntax (Claims rules => Access control policies)
• New/improved options for passwordless login
  • Azure MFA as primary
  • CBA as primary
  • Device auth as primary
  • Windows Hello as primary (Hybrid only)
• Configurable token lifetime based on device or KMSI
• Better handling of token revocation
• Support for OAuth 2.0 (including the on-behalf-of flow), OpenID Connect, generic LDAP v3
• Improved per-RPT theming/customization

Slide 41
Features dependent on MA
• Conditional access
• Demos if enough time left
• Tenant restrictions
• Demo if enough time left
• PTA/SSO
• MAPI/HTTP
• Better 2FA support
• Better end-user experience
• Better control over session lifetimes and revocation

Slide 42
Summary
• Modern auth session at Ignite: https://channel9.msdn.com/Events/Ignite/2015/BRK3136
• MA session slides: https://doc.co/zoZumr
• AD FS/Azure AD/Azure MFA whitepapers: https://www.microsoft.com/en-us/download/details.aspx?id=36391
• Troubleshooting MFA session

Slide 43
Questions? | Thank You!
• Vasil Michev
• vasil@michev.info
We’d like to know what you think! Please fill out the evaluation form you received at the registration desk for this session.
Session recordings and materials: materials will be available on Office365Engage.com soon.