This document summarizes a presentation about modern authentication for Office 365 administrators. It discusses the need for modern authentication due to trends like cloud access from any device and consumerization of IT. It then covers the evolution of Microsoft's modern authentication solution using Azure Active Directory and OAuth/OpenID Connect. Specific topics covered include enabling modern authentication for Office 365 services, supporting on-premises infrastructure, the client experience, how access and refresh tokens work, leveraging Azure Multi-Factor Authentication, and troubleshooting modern authentication issues.
Slide 2
Modern authentication for the Office 365 administrator | Vasil Michev | 22 June 2017 14:45 – 16:00
Follow us:
#O365ENGAGE17
About me
Vasil Michev
vasil@michev.info
https://www.linkedin.com/in/michev/
www.michev.info/blog
MS Cloud strategist @ QUADROtech
Office Servers and Services MVP
Slide 3: The need for Modern authentication
• Cloud – access from anywhere
• BYOD – access on any device
• Consumerization of IT – proper UI
• Access to lots of 3rd party apps
• Interoperability with 3rd party ID providers (IDaaS)
• ‘Traditional’ demands for security with 2FAs
• Microsoft’s answer – Azure AD and Modern auth/apps
Slide 4: The journey so far - 2010 (federated ID) (diagram)
Slide 6: The journey so far - 2013 (diagram)
Slide 7: The journey so far - Office & ADAL (diagram)
Slide 8: What is Modern Authentication
• Set of standards-based, open-source APIs
  • OAuth 2.0 (authorization)
  • OpenID Connect (authentication)
• OrgID => EvoSTS (transparent to end users)
• Client side uses ADAL (with MSAL now in preview)
  • MSOIDCRL => ADAL (OAuth based auth stack)
• Cross-platform support
• Support for 3rd party (STSes + directories + 2FAs +…)
• Enables Conditional access, PTA, B2B, B2C, …
Slide 9: Why Modern Authentication?
• Unified experience across apps
  • No more basic auth for Outlook!
• Unified experience across devices
• Support for user consent
• Support for 3rd party STSes
• Support for access and refresh tokens
• Support for 2FA solutions across apps
  • No more app passwords!
Slide 10: How to enable Modern auth (and disable legacy)
• Exchange Online:
  Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
• SharePoint Online: enabled by default
• Skype for Business Online:
  Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
• Office software requirements (March 2015 and later for 2013 MSI)
• Disable legacy auth:
  • For SPO: Set-SPOTenant -LegacyAuthProtocolsEnabled $false
  • For all others: Use AD FS claims rules where possible
• Disable App passwords!
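The three cmdlets from this slide, combined into one audit-and-enforce script as an added example (this is not code from the deck). It assumes the classic Exchange Online remote PowerShell endpoint, the SkypeOnlineConnector module and the SharePoint Online management shell are installed, and that the account used can sign in to the legacy ExO endpoint (per the later module table, that means no MFA on the account or a trusted-IP bypass). The tenant name, credential and the -Enforce switch are the example's own placeholders; without -Enforce it only reports.

```powershell
# Added example (not from the deck): audit, and optionally enforce, modern auth
# for Exchange Online and Skype for Business Online, and switch off legacy auth
# protocols in SharePoint Online. Tenant name and credential are placeholders.
param(
    [Parameter(Mandatory)] [string] $TenantName,      # "contoso" -> contoso-admin.sharepoint.com
    [Parameter(Mandatory)] [pscredential] $Credential,
    [switch] $Enforce                                  # report only unless -Enforce is given
)

# --- Exchange Online: OAuth2ClientProfileEnabled turns modern auth on for clients ---
$exoSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $Credential -Authentication Basic -AllowRedirection
Import-PSSession $exoSession -DisableNameChecking `
    -CommandName Get-OrganizationConfig, Set-OrganizationConfig | Out-Null

$exo = Get-OrganizationConfig
Write-Host ("Exchange Online   OAuth2ClientProfileEnabled : {0}" -f $exo.OAuth2ClientProfileEnabled)
if ($Enforce -and -not $exo.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Write-Host 'Exchange Online   -> modern auth enabled'
}
Remove-PSSession $exoSession

# --- Skype for Business Online: ClientAdalAuthOverride must be Allowed ---
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $Credential
Import-PSSession $sfboSession -AllowClobber | Out-Null

$sfbo = Get-CsOAuthConfiguration
Write-Host ("Skype for Business ClientAdalAuthOverride   : {0}" -f $sfbo.ClientAdalAuthOverride)
if ($Enforce -and $sfbo.ClientAdalAuthOverride -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    Write-Host 'Skype for Business -> modern auth allowed'
}
Remove-PSSession $sfboSession

# --- SharePoint Online: modern auth is on by default; legacy protocols are the
#     thing to switch off. Only do this once clients meet the Office version
#     requirement on the slide, or older clients will stop signing in. ---
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com" -Credential $Credential

$spo = Get-SPOTenant
Write-Host ("SharePoint Online LegacyAuthProtocolsEnabled : {0}" -f $spo.LegacyAuthProtocolsEnabled)
if ($Enforce -and $spo.LegacyAuthProtocolsEnabled) {
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
    Write-Host 'SharePoint Online -> legacy auth protocols disabled'
}
Disconnect-SPOService
```

Run it once without -Enforce to see the current state of all three services, then again with -Enforce after the Office client requirement has been verified.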
Slide 11: Modern Auth and on-premises infrastructure
• Exchange server: under development
• Skype for Business server: supported*, requires AD FS
  https://technet.microsoft.com/en-us/library/mt710548.aspx
• SharePoint server: not supported***
• Can be a problem for organizations that rely on AD FS claims rules
  • All traffic is now on the passive endpoint (/adfs/ls)
  • The X-MS-Forwarded-Client-IP* and X-MS-Client-Application claims are no longer added
  • x-ms-client-user-agent can still be used (but it can be spoofed!)
  • You can, however, force MFA, as all traffic is passive
• Conditional access in Azure AD is a viable workaround, but requires Azure AD Premium
• Seamless SSO still requires smart links or similar
Slide 12: Client experience
• Unified experience across Office apps
  • No more basic auth for Outlook!
  • No more app passwords!
  • Token persists across (Office) apps! (not across devices)
  • Does not configure profiles automatically (but will reuse token)!
• Same experience in other ADAL-enabled apps
• Same experience across apps on different devices
• Same experience with other 2FA methods
• Known issues: SfB/EWS interop; multiple users/tenants…
Slide 13: Current list of ADAL enabled apps

| Client | Windows | Mac OS X | Windows Phone | iOS | Android |
|---|---|---|---|---|---|
| Office clients | Office 2013*/Office 2016 | Office 2016 for Mac | Supported | Supported | Supported |
| Skype for Business | Supported | Supported | Supported* | Supported* | Supported* |
| Outlook | Office 2013*/Office 2016 | Outlook 2016 for Mac | Supported | Supported | Supported |
| ODfB / ODfB NGSC | Office 2013*/Office 2016 (ODfB); Supported (NGSC) | Supported | Supported | Supported | Supported |
| Legacy clients | No support for Office 2007/2010 | No support for Office 2011 for Mac | No support for Windows Mobile 7 | No support for OWA for mobile | No support for OWA for mobile |
| Groups/Teams, Planner/Yammer | N/A | N/A | Supported | Supported | Supported |
| Office 365 Admin app | N/A | N/A | Supported | Supported | Supported |
| RMS sharing app/AIP client | Supported | Supported | Supported | Supported | Supported |
Slide 14: Unified experience across apps (Outlook) (screenshot)
Slide 15: Unified experience across devices (WP) (screenshot)
Slide 19: Support for access and refresh tokens
• IDCRL was caching credentials instead
• EvoSTS tokens are different from OrgID ones
• Token lifetimes
  • Access token: 1 hour (short-lived)
  • Refresh token: default 14 days, up to 90 days with use
  • Lifetime configuration is consistent across services/applications
• Having a token means you bypass any 2FA!
• Changing network location does not invalidate tokens!
• What can invalidate a token?
  • Conditional Access Policies
  • Password change events (reset, admin reset)
  • Admin control
• OIDC adds the ID token (gives info about the user)
Slide 20: Access/refresh token exchange (diagram; note there is no AD FS box!)
Slide 21: Token revocation and lifetime control
At GA:
• Preset token lifetimes
  • Access token: 1 hour
  • Refresh token: 90 days
• Access tokens cannot be revoked
• Refresh tokens revoked via:
  • Password reset for cloud users
  • Conditional access
At present:
• Configurable token lifetimes
  • Access token: 10 mins to 1 day
  • Refresh token: 10 mins to 90 days*
• Access tokens cannot be revoked
• Refresh tokens revoked via:
  • PowerShell (Revoke-AzureADUserAllRefreshToken)
  • Conditional access
  • For synced users: pwdLastSet attribute
  • For federated users:
    • Password changes
    • Account disabled or deleted
    • Downgrade of device state (Compliant => Managed => Registered)
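Two things an administrator wants to see for slides 19 and 21: what the lifetime claims in an access token actually say (iat/exp one hour apart by default, plus the amr claim that records whether MFA was done), and what Revoke-AzureADUserAllRefreshToken changes on the user object. The script below is an added example, not code from the deck. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the RefreshTokensValidFromDateTime property it reads back is the Azure AD user attribute that records the revocation cut-off. Decoding only base64url-decodes the JWT payload, it does not validate the signature.

```powershell
# Added example (not from the deck): read an access token's lifetime claims and
# revoke a user's refresh tokens, then show the cut-off Azure AD recorded.
# Assumes the AzureAD module and an existing Connect-AzureAD session.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # base64url -> base64: restore '+' and '/' and the '=' padding the JWT omits
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Get-TokenLifetime {
    param([Parameter(Mandatory)][string] $Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    $epoch  = [DateTime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    [pscustomobject]@{
        Audience    = $claims.aud                                      # resource the token is for
        IssuedAt    = $epoch.AddSeconds($claims.iat)
        ExpiresAt   = $epoch.AddSeconds($claims.exp)
        Lifetime    = [TimeSpan]::FromSeconds($claims.exp - $claims.iat) # 1 hour with preset lifetimes
        Remaining   = $epoch.AddSeconds($claims.exp) - [DateTime]::UtcNow
        AuthMethods = ($claims.amr -join ',')                            # e.g. pwd,mfa
    }
}

function Revoke-UserRefreshTokens {
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    # Invalidates every refresh token the user holds; access tokens already
    # issued keep working until they expire (at most the access token lifetime).
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    # Re-read the user: refresh tokens issued before this timestamp are rejected.
    (Get-AzureADUser -ObjectId $user.ObjectId).RefreshTokensValidFromDateTime
}

# Usage (placeholders):
#   Get-TokenLifetime -Token $accessToken | Format-List
#   Revoke-UserRefreshTokens -UserPrincipalName 'user@contoso.onmicrosoft.com'
```

The Remaining value is the practical answer to "why is this client still working after I revoked?": revocation stops new access tokens from being minted, but the one the client already holds stays valid until ExpiresAt.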
Slide 22: PowerShell modules with ADAL support
• Azure AD (and Preview)
• WAAD (MSOnline)
• Exchange Online
• Skype for Business Online
• SharePoint Online
• SharePoint PnP
• AADRM (Azure Information Protection)
Slide 23: PowerShell modules with ADAL support

| Module | MFA status | Pass credentials | Pass token | Bypass MFA on trusted location |
|---|---|---|---|---|
| Azure AD | Supported | Supported | Supported | Supported |
| Exchange Online (legacy) | Not supported | N/A | N/A | Not supported |
| Exchange Online (MFA module) | Supported | Not supported | Not supported* | Supported |
| Security and Compliance Center | Not supported | N/A | N/A | Not supported |
| SharePoint Online | Supported | Supported*** | Not supported | Not supported |
| SharePoint Online PnP | Supported | Supported*** | Not supported | Supported |
| Skype for Business Online | Supported | Supported*** | Not supported* | Supported |
| AIP/AADRM | Supported | Supported | Supported | Supported |
| Azure | Supported | Supported | Supported | Supported |

* workarounds exist
Slide 24: ExO PowerShell and MFA Demo
• It’s still a Remote PS session
• Same configuration and Language mode
• Different Connection URI!
• But same old Basic auth
  • Or is it?
Demo screenshot callouts: Still a remote PowerShell session; Still NoLanguage Mode; This is new?; This is not; And this is an access token!
Slide 25: SfBO PowerShell Demo
• UserName parameter is mandatory
• Does not automatically import the session
• Different method – “oauth” as username
• Token not cached (no entry in the PS TokenCache)
• Token validity 8h
• Cannot renew token
• Passing a credentials object bypasses MFA
  • but doesn’t solve any of the above…
Slide 26: Automate MFA PowerShell connectivity
• Configure Trusted IPs for bypass
  • Combine it with passing creds for modules like Azure AD
• Get the token programmatically and pass it
  • Not all modules support this
  • Exposed ADAL methods do not return refresh tokens
  • PowerShell sessions do not share the same token (cache)
  • Even if you get a refresh token, there are no methods to get a new access one
• Auto-load the ExO Module
  • Different implementation for different modules
  • Session still breaks as often, and some sessions don’t even renew…
Slide 27: What about EWS?
• EWS always uses legacy authentication
  • For federated users, it goes to the active endpoint
  • If the user has 2FA, the request fails
  • If the user is enforced for Azure MFA, the app password flow kicks in!
  • The request never reaches the on-prem AD FS
• Authenticate to ExO EWS via OAuth
  • Register an Azure AD application
  • Grant OAuth permissions
  • Acquire a token and connect
  • Respects Impersonation permissions in ExO
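The "register, grant, acquire token, connect" steps carried through as an added example (not code from the deck): an EWS Managed API call to Exchange Online that presents an OAuth bearer token instead of Basic credentials. It assumes an Azure AD native-client app registration (placeholder $ClientId) that has been granted the Exchange Online EWS delegated permission for accessing mailboxes as the signed-in user, and that ADAL 3.x for .NET and the EWS Managed API 2.2 assemblies are available at the paths given as defaults (both paths are assumptions). The interactive sign-in is what lets MFA apply; the impersonation step still depends on the ApplicationImpersonation role in ExO, exactly as the slide says.

```powershell
# Added example (not from the deck): Exchange Online EWS over OAuth with ADAL
# and the EWS Managed API. App ID, tenant, mailbox and DLL paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $TenantId,   # tenant GUID or a verified domain name
    [Parameter(Mandatory)] [string] $ClientId,   # application (client) ID of the registration
    [Parameter(Mandatory)] [string] $Mailbox,    # SMTP address of the mailbox to open
    [string] $AdalPath = 'C:\Tools\Microsoft.IdentityModel.Clients.ActiveDirectory.dll',
    [string] $EwsPath  = 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'
)
Add-Type -Path $AdalPath
Add-Type -Path $EwsPath

# 1. Acquire a delegated token for the EWS resource. This is an interactive
#    sign-in, so Azure MFA is honoured rather than the app-password flow that
#    Basic auth falls back to.
$authority = "https://login.microsoftonline.com/$TenantId"
$resource  = 'https://outlook.office365.com'
$redirect  = [Uri]'urn:ietf:wg:oauth:2.0:oob'    # native-client redirect URI set on the app
$ctx = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new($authority)
$platform = [Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters]::new(
    [Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto)
$result = $ctx.AcquireTokenAsync($resource, $ClientId, $redirect, $platform).GetAwaiter().GetResult()
Write-Host ("Token for {0} expires {1:u}" -f $result.UserInfo.DisplayableId, $result.ExpiresOn.UtcDateTime)

# 2. Hand the token to the EWS Managed API as a Bearer credential.
$service = [Microsoft.Exchange.WebServices.Data.ExchangeService]::new(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$service.Url = [Uri]'https://outlook.office365.com/EWS/Exchange.asmx'
$service.Credentials = [Microsoft.Exchange.WebServices.Data.OAuthCredentials]::new($result.AccessToken)

# 3. Opening a mailbox other than the signed-in user's still needs
#    ApplicationImpersonation in Exchange Online; the token alone does not grant it.
if ($Mailbox -ne $result.UserInfo.DisplayableId) {
    $service.ImpersonatedUserId = [Microsoft.Exchange.WebServices.Data.ImpersonatedUserId]::new(
        [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $Mailbox)
}
$service.HttpHeaders.Add('X-AnchorMailbox', $Mailbox)   # routes the call to the right backend

# 4. A minimal call to prove the token works: bind the Inbox and report counts.
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($service,
    [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
[pscustomobject]@{ Mailbox = $Mailbox; InboxItems = $inbox.TotalCount; Unread = $inbox.UnreadCount }
```

If the Bind fails with a 401 after a successful token acquisition, the usual causes are the app missing the EWS permission grant, or (for another user's mailbox) the signed-in account lacking the impersonation role.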
Slide 28: Troubleshoot Modern Authentication issues
• Always use the latest updates
  • Lots of Modern auth issues for Office resolved since GA!
  • MSO.dll, ADAL.dll (responsible for blank windows!)
  • AD FS updates too! (or 3rd party STS)
• For Outlook, make sure MAPI/HTTP is enabled
• Clear cached tokens/cookies
• Enable Forms auth and the "/adfs/services/trust/13/windowstransport" endpoint
• Update AD FS claims rules!
• Check for prompt=login behavior
• Tools: OffCAT/SaRA, Icesdptool, AD FS configuration, ExRCA
• Enable logging on the client, check for MSO events
• More tips in this session
Slide 29: Tokens and cookies
• Office apps
  • Access token stored in the registry:
    HKEY_CURRENT_USER\Software\Microsoft\Office\XX\Common\Identity\Identities\<GUID>_ADAL
  • Refresh token stored in the Credential Store:
    MicrosoftOffice16_Data:ADAL:<GUID>
  • Clear browser cache/cookies
• Skype for Business: credential store, %localappdata%\Microsoft\Office\16.0\Lync
• OneDrive for Business: credential store
• PowerShell:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies
• Teams: credential store
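The "clear cached tokens/cookies" troubleshooting step from slide 28 against the locations listed on this slide, as an added example (not code from the deck). It lists the Office ADAL identity keys, the remote PowerShell WSMAN cookies and the Credential Store ADAL entries on the local Windows client, and only removes them when Clear-ModernAuthCache is called. Office version 16.0 is assumed as the default; the cmdkey output parsing assumes the usual "Target: ..." line format.

```powershell
# Added example (not from the deck): find, and on request clear, the cached
# modern-auth artefacts on a Windows client. Paths follow the deck; 16.0 is assumed.
function Get-ModernAuthCache {
    param([string] $OfficeVersion = '16.0')
    $identities   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Common\Identity\Identities"
    $wsmanCookies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WSMAN\Client\ConnectionCookies'
    $items = @()

    # Office access tokens: one <GUID>_ADAL key per signed-in identity
    if (Test-Path $identities) {
        $items += Get-ChildItem $identities | Where-Object PSChildName -like '*_ADAL' |
            ForEach-Object { [pscustomobject]@{ Kind = 'Office access token (registry)'; Location = $_.PSPath } }
    }
    # Remote PowerShell (ExO) session cookies
    if (Test-Path $wsmanCookies) {
        $items += Get-ChildItem $wsmanCookies |
            ForEach-Object { [pscustomobject]@{ Kind = 'PowerShell WSMAN cookie (registry)'; Location = $_.PSPath } }
    }
    # Office refresh tokens live in the Credential Store under MicrosoftOffice16_Data:ADAL:<GUID>
    $items += cmdkey /list | Where-Object { $_ -match 'MicrosoftOffice\d+_Data:ADAL:' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind     = 'Office refresh token (Credential Store)'
                Location = ($_.Trim() -replace '^Target:\s*(LegacyGeneric:target=)?', '')
            }
        }
    return $items
}

function Clear-ModernAuthCache {
    param([string] $OfficeVersion = '16.0')
    # Close Office, Skype for Business and PowerShell sessions first; they re-create
    # these entries on next sign-in, which is the point of the exercise.
    foreach ($entry in Get-ModernAuthCache -OfficeVersion $OfficeVersion) {
        if ($entry.Kind -like '*registry*') {
            Remove-Item -Path $entry.Location -Recurse -Force
        } else {
            cmdkey /delete:$($entry.Location) | Out-Null
        }
        Write-Host "Removed $($entry.Kind): $($entry.Location)"
    }
}

# Usage: Get-ModernAuthCache | Format-Table -AutoSize ; then Clear-ModernAuthCache
```

Listing first and clearing second matters: the list tells you which identity (by GUID) a stuck client was holding, which is useful evidence before the cache is gone.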
Slide 30: Support for 2FA solutions
• Office 2013 did not support proper 2FA
• No more app passwords
• Proper 2FA support in Outlook
• Token persists across (Office) apps
• ADAL is agnostic to the 2FA method used!
  • Cares only about the token
• Azure MFA for managed IDs
• Azure MFA server for federated IDs
  • Or any other supported 2FA on-prem
• List of solutions:

| 2FA provider | Offering |
|---|---|
| Gemalto | Gemalto Identity & Security Services |
| inWebo Technologies | inWebo Enterprise Authentication service |
| Login People | Login People MFA API connector for AD FS 2012 R2 |
| Microsoft Corp. | Microsoft Azure MFA and Azure MFA server |
| RSA | RSA SecurID Authentication Agent for AD FS |
| SafeNet, Inc. | SafeNet Authentication Service (SAS) Agent for AD FS |
| Swisscom | Mobile ID Authentication Service and Signature Services |
| Symantec | Symantec Validation and ID Protection Service (VIP) |
| Multiple companies | Certificate based auth |
Slide 31: Leverage Azure Multi-Factor Authentication with Azure AD
Azure MFA
• Free with Office 365
• Easy to configure and manage
• Easy to integrate with SaaS apps in Azure
• Can be integrated with on-prem LOB apps through Azure AD app proxy
• NPS extension for Azure MFA
• Reporting, One-time bypass, Suspend, custom caller ID and greeting, trusted IPs, Fraud alert
• Before ADAL, relied heavily on app passwords
Slide 34: Azure MFA server
• Admin control (fill in/prevent changing phones, limit number of devices, fallback via backup phone or questions)
• More methods: 2-way SMS, OATH token
• Force/block a method
• Integration with AD FS
  • Granular control via Claims rules/Auth policies
• Integration with on-prem apps, VPN, RDS/RDG, IIS
• (Optional) Web SDK, Mobile SDK, User portal
• MFA for users not in the cloud (+LDAP integration)
• Azure MFA server whitepaper
Slide 35: Azure MFA server (diagram)
Slide 36: AD FS + Azure MFA server (diagram)
Slide 37: AD FS + Azure MFA server
• Control where the MFA challenge is performed
  • Do MFA in the cloud:
    Set-MsolDomainFederationSettings -DomainName <domain> -SupportsMFA $false
  • Do MFA on-premises:
    Set-MsolDomainFederationSettings -DomainName <domain> -SupportsMFA $true
• Make sure AD FS issues or passes the claim
  http://schemas.microsoft.com/claims/authnmethodsreferences
  • Otherwise a login loop will be caused:
    AAD will add wauth=http%3a%2f%2fschemas.microsoft.com%2fclaims%2fmultipleauthn
• Bypass MFA DEMO
• Force double-MFA DEMO
• MFA for external users
  • For B2B (can also require double-MFA)
  • For B2C
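A check for the two settings this slide ties together, as an added example (not code from the deck): where SupportsMFA says the MFA challenge happens, and whether the AD FS relying-party trust for Office 365 actually has a rule for the authnmethodsreferences claim, the absence of which produces the login loop described above. It assumes the MSOnline module with Connect-MsolService already run, and, for the AD FS part, that it runs on an AD FS server where the ADFS module is available; the relying-party name "Microsoft Office 365 Identity Platform" is the default trust name and is an assumption of the example. The domain and -MfaLocation are placeholders; without -MfaLocation the script only reports.

```powershell
# Added example (not from the deck): report/set SupportsMFA for a federated domain
# and verify AD FS can return the authnmethodsreferences claim Azure AD expects.
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [ValidateSet('Cloud', 'OnPremises')] [string] $MfaLocation,  # omit to report only
    [string] $RelyingParty = 'Microsoft Office 365 Identity Platform'   # assumed default trust name
)
$authnMethodsClaim = 'http://schemas.microsoft.com/claims/authnmethodsreferences'

$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
Write-Host ("{0}: SupportsMFA = {1}" -f $DomainName, $fed.SupportsMFA)

if ($MfaLocation) {
    # SupportsMFA $true : Azure AD sends wauth=...multipleauthn and expects AD FS to perform MFA
    # SupportsMFA $false: Azure AD performs MFA itself after the federated sign-in
    $wantOnPrem = ($MfaLocation -eq 'OnPremises')
    if ($fed.SupportsMFA -ne $wantOnPrem) {
        Set-MsolDomainFederationSettings -DomainName $DomainName -SupportsMFA $wantOnPrem
        Write-Host "SupportsMFA set to $wantOnPrem"
    }
}

# When AD FS is expected to do MFA but never returns authnmethodsreferences,
# Azure AD keeps re-sending the MFA request: the login loop from the slide.
$adfsAvailable = Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue
if (($fed.SupportsMFA -or $MfaLocation -eq 'OnPremises') -and $adfsAvailable) {
    $rpt   = Get-AdfsRelyingPartyTrust -Name $RelyingParty
    $rules = "$($rpt.IssuanceTransformRules)"
    if ($rules -match [regex]::Escape($authnMethodsClaim)) {
        Write-Host "OK: '$RelyingParty' issues or passes through $authnMethodsClaim"
    } else {
        Write-Warning "'$RelyingParty' has no rule for $authnMethodsClaim; federated MFA sign-ins will loop"
        Write-Host 'Pass-through rule to append via Set-AdfsRelyingPartyTrust -IssuanceTransformRules:'
        Write-Host @"
@RuleName = "Pass through authnmethodsreferences"
c:[Type == "$authnMethodsClaim"]
 => issue(claim = c);
"@
    }
}
```

The rule printed at the end is the standard AD FS pass-through form; it is shown rather than applied because Set-AdfsRelyingPartyTrust -IssuanceTransformRules replaces the whole rule set, so it should be merged with the existing rules by hand.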
Slide 38: AD FS with Azure MFA as Primary auth
• Azure MFA as additional auth provider in AD FS
  • Can be used as primary and/or secondary auth
  • Does not require on-prem Azure MFA server install
  • Steps to configure are here
• Sign-in with verification code from mobile app (Azure authenticator)
  • Passwordless login!
  • Call or SMS not supported
  • User needs to have registered with Azure MFA first
  • No inline provisioning supported currently
  • Does not bypass 2FA when used as primary
Slide 39: Certificate based auth for Azure AD
• Azure AD doesn’t natively support CBA
  • Federation enables CBA as primary or secondary factor
  • ADAL enables “non-browser” applications to support it
  • EAS-based bypass now supported
  • Token revocation is an issue
• Configure Azure AD trusted certificate authority
  • Make sure issuer and serialnumber claims are included in the token
  • Make sure the CRL is accessible externally
• Prompt=login behavior and service-side bypass
• Remember CBA can be used as 2FA!
  • Bypasses 2FA requirements
Slide 40: AD FS in Windows Server 2016
• Still some advantages over PTA
• Seamless SSO support across protocols (‘prompt’, ‘login_hint’ & ‘domain_hint’)
• Conditional access, now with simplified syntax (Claims rules => Access control policies)
• New/improved options for Passwordless login
  • Azure MFA as primary
  • CBA as primary
  • Device auth as primary
  • Windows Hello as primary (Hybrid only)
• Configurable token lifetime based on device or KMSI
• Better handling of token revocation
• Support for OAuth 2.0 (including OBO flow), OIDC 2.0, generic LDAP v3
• Improved per-RPT theming/customization
Slide 41: Features dependent on MA
• Conditional access
  • Demos if enough time left
• Tenant restrictions
  • Demo if enough time left
• PTA/SSO
• MAPI/HTTP
• Better 2FA support
• Better end-user experience
• Better control over session lifetimes and revocation
Slide 42: Summary
• Modern auth session at Ignite:
  https://channel9.msdn.com/Events/Ignite/2015/BRK3136
• MA session slides: https://doc.co/zoZumr
• AD FS/Azure AD/Azure MFA Whitepapers:
  https://www.microsoft.com/en-us/download/details.aspx?id=36391
• Troubleshooting MFA session
Slide 43: Questions? | Thank You!
• Vasil Michev
• vasil@michev.info
We’d like to know what you think! Please fill out the evaluation form you received at the registration desk for this session.
Session recordings and materials: materials will be available on Office365Engage.com soon.