Self-service software is knowledge and process management software which contains a range of applications that simplify the way information, process rules and logic are collected, framed within an organised taxonomy,


Office 365 App Password with MFA | HowTo | 1 of 2


If you’re using Multi-Factor Authentication for your organisation, and want to use applications which connect to your Office 365 account, you will need to create an Office 365 App Password. This is to enable the App to connect to Office 365. For example, if you’re using Outlook 2016 or earlier, Apple Mail App, Skype for Business or any other third party client with Office 365, you’ll need to create an App Password.


Thankfully, creating an Office 365 App Password is really easy to do, if a little hard to find.

Log in to the portal here: https://portal.office.com

  1. Once logged in, click on the Profile Picture on the top right:

    [Screenshot: Office 365 Portal Login, Step One]

  2. Click on View account:

    [Screenshot: Office 365 View Account, Step Two]

  3. Click on Manage Security & Privacy:

    [Screenshot: Manage Security & Privacy, Step Three]

  4. Click on Additional security verification:

    [Screenshot: Additional Security Verification, Step Four]

  5. Click on Update your phone numbers used for account security:

    [Screenshot: Update Numbers, Step Five]

  6. Click on app passwords:

    [Screenshot: Select App Passwords, Step Six]

  7. Click on create:

    [Screenshot: Create Office 365 App Password, Step Seven]

  8. Enter a Name in the box; something unique is recommended. I usually name the client application the App Password is associated with. In the example below I have used Apple Mail App. Click next:

    [Screenshot: Name Office 365 App Password, Step Eight]

  9. Now either copy the password by selecting the line, taking care not to pick up any spaces or other characters, or click on copy password to clipboard. You can now use this App Password in your client application, such as Apple Mail App, Thunderbird, iPhone or iPad. Take care, as this is the only time you will see your app password: it cannot be viewed or changed once you click close:

    [Screenshot: Copy Office 365 App Password, Step Nine]

  10. When you enrolled in Multi-Factor Authentication you were given an initial App Password. I recommend deleting the initial app password in favour of creating individually named App Passwords. This keeps each device or client separate, which is more secure and easier to manage when you want to revoke a single client's access. Click Delete:

    [Screenshot: Delete Office 365 App Password, Step Ten]

  11. Confirm you want to delete the App Password and click Yes:

    [Screenshot: Confirm Delete Office 365 App Password, Step Eleven]

  12. The App Password has been successfully deleted. Click close:

    [Screenshot: Office 365 App Password deleted, Step Twelve]

  13. That’s it. You now have an App Password for your Apple Mail App. Repeat steps 7, 8 and 9 to create additional App Passwords.

    [Screenshot: Review App Passwords, Step Thirteen]

In Part Two, coming soon, I will demonstrate how you can add your App Password to a variety of clients and devices, including Apple Mail App, iPhone, iPad and Outlook 2016.

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!


Cyber Security: Office 365 as 802.1X RADIUS Password Authentication

Cyber security is critical. Secure your wireless network via 802.1X RADIUS using Office 365 with Azure AD for password authentication delegation with directory sync. Implement 802.1x RADIUS on almost any access point in minutes and for free.


Cyber Security Office 365 and 802.1X RADIUS

Security is paramount for any business, especially given the rise in cyber attacks, data thefts and major network breaches. I won’t list the major names, as that’s been done, but you can read the Cyber Security Breaches Survey 2016. Much of that research was aimed at larger organisations, even though it’s far easier for enterprise-level companies to secure their resources. But what about the rest of us, Startups, Micro-Businesses and Small to Medium sized organisations?

We ourselves use Foxpass for network access control and cyber security, and have deployed this service for our customers. Foxpass has a mission to foster better identity management in the workplace, whilst being easy to deploy and cost effective to acquire. It’s a service organisations of any size will be able to use to get the exact same level of infrastructure security that large enterprises enjoy.

Why is wireless a cyber security issue?

In many of the companies I talk to, employees, contractors and one-time visitors share the same login credentials when it comes to accessing the Internet via wireless. So far so good; however, virtually every startup or small business uses that same wireless access point to connect to internal systems, be that a file server or individual user computers. In all honesty, I’m by no means an authority on 802.1X RADIUS, but my opinion is that the benefits of using 802.1X RADIUS security with Office 365 and Azure AD for authentication far outweigh the disadvantages.

How hard can it be to hack a WiFi network?

https://null-byte.wonderhowto.com/how-to/hack-wi-fi-get-anyones-wi-fi-password-without-cracking-using-wifiphisher-0165154/


Why should we use 802.1x RADIUS for security?

  1. When a user authenticates to an SSID using 802.1X RADIUS, that session is encrypted between the user and the access point. This means that another user connected to the same SSID cannot sniff the traffic and acquire information, because each connection has its own unique encryption key. With a Pre-Shared Key (PSK) network, every device is connected with “shared encryption”, meaning they can all see each other’s traffic.
  2. If you need to remove or disable a specific user or device, 802.1X RADIUS makes this far simpler, as you disconnect a single user or device. This means you will not need to change the key for everyone, or for all devices, closing the security risk of that user or device joining the network again.
  3. You can assign specific network permissions and policies such as VLAN, firewall, QoS, tunnelling, schedules and access control lists. This means everything within a user profile can be dynamically assigned to users based on their identity or the groups they are members of. With a Pre-Shared Key, you get a single profile that is shared. Using 802.1X RADIUS, different permissions are assigned based on the attributes returned from the RADIUS server.
  4. With 802.1X RADIUS each user gets a new unique key every time the user authenticates. This key continuously changes while the user is authenticated to the wireless network. This means that if it takes a cracker one hour to crack the key, but the key is regenerating every thirty minutes, by the time the cracker has the key it is useless.

Why use Office 365 and Azure Multi-Factor Authentication?

The geo-distributed, high availability design of Azure AD means that you can rely on it for your most critical business needs. With the prevalence of smart phones, tablets, laptops, and PCs, people have far too many different options on how they are going to connect, and stay connected, at any time. Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always correctly authenticated. People can access their accounts and applications from anywhere, which means that they can get more work done and serve customers better.

  1. Two-step verification, which requires more than one method of authentication. This means a critical second layer of security is added when a user signs in. It works by requiring two or more of the following:
    • Something you know, a password for example
    • Something you have, typically a trusted device that is not easily duplicated, like a phone
    • Something you are, such as biometrics
  2. It’s easy to use, with a range of verification methods including text message, phone call, mobile app or email to an alternate account. This means that, with the extra protection that comes with Azure Multi-Factor Authentication, users are able to manage their own devices and authenticate in the way they prefer based upon where they are.
  3. Azure Multi-Factor Authentication is simple to set up and use. Once enabled, in many instances it can be set up with just a few simple clicks by the user. This means the burden of implementation is reduced and users are keen to adopt.
  4. Verification with Azure Multi-Factor Authentication is scalable, using the power of the cloud whilst also optionally integrating with your on-premises Active Directory (AD) and custom applications. This means that protection can be extended to your high-volume, mission-critical services.
  5. Azure Multi-Factor Authentication provides strong authentication using the highest possible industry standards. This means you are not just secure, but also compliant. You can monitor application usage and protect your business from advanced threats with security reporting and monitoring.
  6. With a guaranteed 99.9% Service Level Agreement (SLA) for availability, Azure Multi-Factor Authentication is reliable. This means you will always be able to authenticate. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.

In a future post I’ll add some instructions on how to enable 802.1X RADIUS in a wireless network using Foxpass. In order to offer our clients complete peace of mind regarding cyber security, we’re a Silver Productivity Partner with Microsoft. We partner with select providers, such as Foxpass, targeting our customers’ specific cyber security needs.



User Password Expiry settings in Office 365 | HowTo

In Office 365 and Exchange Online the simplest place to change the expiry term for passwords is the Admin Centre. The expiry term is set at 90 days by default, with a default 14 day notice prior to the expiry. You can also disable password expiry; however, as always, this is not recommended.

  1. Select Settings on the left:

    [Screenshot: Office 365 Admin Centre, Settings]

  2. Select Security and privacy. Click Edit password policy on this page:

    [Screenshot: Office 365 Password Expiry Settings]

  3. Make your changes to expiry time and notification time, or disable expiry entirely. Click Save:

    [Screenshot: Office 365 Security & Privacy password policy]

And that’s it, all done. There are other ways to change these settings, including via the Azure control panel or using PowerShell with either Office 365 Exchange Online or Azure.

The PowerShell method to set Office 365 and Exchange Online password policy expiry settings is:

Set-MsolPasswordPolicy -DomainName serviceteamit.co.uk -NotificationDays 14 -ValidityPeriod 90

The PowerShell method to display password expiry policy in Office 365 and Exchange Online:

Get-MsolPasswordPolicy -DomainName serviceteamit.co.uk

Where:

-DomainName: the domain whose policy you wish to manage

-NotificationDays: the number of days’ notice users receive before their password expires

-ValidityPeriod: the number of days a password remains valid
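As an added example (not part of the original post), the two cmdlets above can be turned into a small audit that checks every verified domain in the tenant against the 90/14 baseline, corrects any domain that drifts, and lists users whose PasswordNeverExpires flag would bypass the domain policy entirely. It assumes the MSOnline module is installed, that Connect-MsolService has already been run as an administrator, and that the function names and the baseline variables are mine rather than anything in the post.

```powershell
# Added example, not code from the original post. Requires the MSOnline module
# and an existing Connect-MsolService session with Global Administrator rights.

# Baseline from the post: 90-day validity, 14 days' notice before expiry.
$BaselineValidityDays     = 90
$BaselineNotificationDays = 14

function Test-O365PasswordPolicy {
    # Hypothetical helper: report one domain's policy and whether it meets the baseline.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [int] $MaxValidityDays      = $BaselineValidityDays,
        [int] $MinNotificationDays  = $BaselineNotificationDays
    )
    $policy = Get-MsolPasswordPolicy -DomainName $DomainName
    [pscustomobject]@{
        Domain           = $DomainName
        ValidityPeriod   = $policy.ValidityPeriod      # 2147483647 means "never expires"
        NotificationDays = $policy.NotificationDays
        Compliant        = ($policy.ValidityPeriod -le $MaxValidityDays) -and
                           ($policy.NotificationDays -ge $MinNotificationDays)
    }
}

function Set-O365PasswordPolicyBaseline {
    # Hypothetical helper: put a domain back on the 90/14 baseline.
    param([Parameter(Mandatory)] [string] $DomainName)
    Set-MsolPasswordPolicy -DomainName $DomainName `
        -ValidityPeriod $BaselineValidityDays `
        -NotificationDays $BaselineNotificationDays
}

# 1. Audit every verified domain in the tenant.
$report = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    ForEach-Object { Test-O365PasswordPolicy -DomainName $_.Name }
$report | Format-Table -AutoSize

# 2. Correct any domain that has drifted from the baseline.
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Output "Resetting password policy for $($_.Domain) to $BaselineValidityDays/$BaselineNotificationDays"
    Set-O365PasswordPolicyBaseline -DomainName $_.Domain
}

# 3. Per-user overrides: accounts flagged PasswordNeverExpires ignore the domain
#    policy, so list them for review rather than assuming the domain setting applies.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Format-Table -AutoSize
```

Run the audit first and look at the report before letting step 2 change anything; the per-user list in step 3 is the part most administrators miss, because a domain policy of 90 days says nothing about accounts that were individually set to never expire.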

Additional PowerShell methods to set individual user password options can be found in this post.

If you have any questions or need a little more in-depth help please get in touch.


Office 365 SSO Security Guidance: Single sign-on and remote access

Office 365 SSO: The secure configuration of this cloud-hosted service aligns with government’s guidance on implementing the Cloud Security Principles. You can find out more regarding implementation of Federation in order to Restrict Access to Office 365.

1. What is Office 365 SSO (Single Sign-On)?

A Microsoft Online user usually signs in using the username and password associated with their Microsoft account. This process can be simplified with O365 by using Office 365 SSO, which allows a user to log in to O365 using their existing enterprise username and password. Office 365 SSO login may happen automatically, although this depends on how the enterprise and its devices are configured.


2. Microsoft Office 365 and SSO

O365 can be integrated with an existing on-premise Active Directory (AD) either by:

  • synchronising user credentials to the cloud or
  • implementing SSO using identity federation

Both options require account synchronisation between AD and the cloud, effectively copying user account and group data into Windows Azure Active Directory (Azure AD). Directory synchronisation is an ongoing relationship between the on-premise and cloud directories, implemented using the Directory Sync tool or with Azure AD Connect. Filters can be applied so only specified accounts in named organisational units or with certain user object attributes are synced.

O365 supports the implementation of SSO using identity federation which can be enforced once directory synchronisation is correctly established. In this configuration, the user authenticates to the enterprise instead of signing in to the O365 web app. This means there is no requirement to store enterprise passwords in the cloud, while also supporting multi-factor authentication such as a device identity or smartcard.

3. Synchronisation recommendations

CESG recommends implementing full identity federation rather than synchronising passwords into the cloud. Where possible, authentication should be made directly against the enterprise domain, connecting to it over a VPN when working remotely. This ensures there is no requirement to expose an authentication service directly to the Internet; a direct connection carries additional risk to the enterprise domain.

Enterprises implementing a cloud-first deployment may have already chosen to synchronise enterprise accounts and passwords into the cloud. In this case, an enterprise can take advantage of Azure AD services such as self-service password resets, Windows Azure Multi-Factor Authentication and integration options available with third party web apps adopting Microsoft Identity Manager.

Once user accounts have been synchronised to O365, an administrator will need to assign licenses to those users. While this is not automatically done using Directory Sync or Azure AD Connect, it can be scripted with PowerShell.
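Since the paragraph above says licence assignment after directory synchronisation can be scripted but does not show how, here is an added example (mine, not from the NCSC guidance or the original post). It assumes the MSOnline module and an existing Connect-MsolService session; the SKU name and usage location are placeholders to replace with values from Get-MsolAccountSku and your own tenant.

```powershell
# Added example, not code from the guidance or the post. Requires the MSOnline
# module and an existing Connect-MsolService session with licensing rights.

$UsageLocation = 'GB'                      # ISO country code; must be set before licensing
$SkuId         = 'contoso:ENTERPRISEPACK'  # placeholder; list real SKUs with Get-MsolAccountSku

function Grant-O365LicenceToSyncedUsers {
    # Hypothetical helper: licence users that came from on-premises AD and are still unlicensed.
    param(
        [Parameter(Mandatory)] [string] $SkuId,
        [Parameter(Mandatory)] [string] $UsageLocation,
        [switch] $WhatIf
    )

    # Only directory-synced accounts (LastDirSyncTime is set), still unlicensed,
    # and not blocked from signing in. Cloud-only or disabled accounts are skipped.
    $candidates = @(Get-MsolUser -All -UnlicensedUsersOnly |
        Where-Object { $null -ne $_.LastDirSyncTime -and -not $_.BlockCredential })

    # Check the SKU exists and has enough free seats before touching any account.
    $sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $SkuId }
    if (-not $sku) { throw "SKU '$SkuId' not found in this tenant" }
    $free = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($candidates.Count -gt $free) {
        Write-Warning "$($candidates.Count) users need a licence but only $free seats are free"
    }

    foreach ($user in $candidates) {
        if ($WhatIf) {
            Write-Output "Would licence $($user.UserPrincipalName)"
            continue
        }
        # Set-MsolUserLicense fails if the account has no UsageLocation, so set it first.
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation $UsageLocation
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $SkuId
        Write-Output "Licensed $($user.UserPrincipalName)"
    }
}

# Dry run first; drop -WhatIf once the candidate list looks right.
Grant-O365LicenceToSyncedUsers -SkuId $SkuId -UsageLocation $UsageLocation -WhatIf
```

Filtering on LastDirSyncTime keeps the script aligned with the guidance's point that licensing follows synchronisation: only accounts that actually arrived via Directory Sync or Azure AD Connect are considered, and the seat check stops a partial run from silently licensing some users and not others.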

4. Office 365 SSO compatibility

Automatic SSO is supported in all O365 services accessed through the O365 portal, as well as Microsoft Office desktop apps installed on domain-joined devices. Office 365 SSO is also available on the Mobile Office platform for devices that support Workplace Join. Users of devices that are either unsupported or not enrolled in the enterprise will be able to log in to O365 using their enterprise username and password, unless O365 is configured to only allow connections from known and trusted devices.

5. SSO implementation requirements

An SSO implementation for O365 currently requires AD with a compatible Security Token Service (STS), also known as an Identity Provider (IdP). Microsoft currently supports Active Directory Federation Service (ADFS), Shibboleth IdP and other tested third party IdPs as an STS. It may be necessary to alter AD and ADFS configurations to meet the requirements defined by user identities and domain naming.

From a user perspective, SSO works by pointing them at an IdP which they authenticate against using a username and password. The browser then passes a security token to O365, allowing the user to log on to the service.

  • For users on a domain-joined or workplace-joined device, this login will be seamless once the device is unlocked.
  • For users on other device types, including those not connected to the enterprise network, they will authenticate against an enterprise authentication proxy using their username and password.

6. Web access

Public cloud services such as O365 are designed to be accessed from any device with an Internet connection. Some enterprises prefer to only allow their information to be accessed from authorised devices, whether these are enterprise managed or personal devices that meet a required security specification.

If you wish to restrict access to enterprise data to a subset of devices, one solution is to implement procedural controls for End User Devices (EUDs) which allow users to only log into O365 from certain devices. This can be achieved either through Mobile Device Management, Intune or through Group Policy with ADFS. Additional policy and security control can be achieved through private VLANs, removing the complexity of managing outbound requests via the Internet from trusted locations, such as fixed office sites or data centre locations.

7. Restricting access to known devices

There is no specific feature in O365 designed to restrict access to the service by network location or device, through mechanisms such as IP range restrictions or forcing user certificate-based authentication. If ADFS is used as an IdP, it may be configured to require that devices come from known IP addresses. However, it is possible to configure SSO so that only devices that are connected to the enterprise network can authenticate, using any IdP:

[Diagram: Office 365 SSO with an enterprise IdP such as ADFS reachable only from the enterprise network or VPN]

With SSO configured as shown above, EUDs can only log in to O365 when they can see the IdP. This ensures that only devices that are connected directly to the enterprise network and those approved to connect using a VPN will be able to log in to O365. Once a user has logged in, the VPN can be dropped since the EUD will maintain the session with a web browser cookie, held until the user logs out. There should be an exception created in the VPN aggregator for managing latency-sensitive applications, such as Lync and Skype, in order to sustain a high level of usability.

SSO can also be configured to work with online IdPs. All approved EUDs should be provisioned with a non-exportable client certificate that identifies the user as a member of the enterprise. This certificate should be hardware-backed on supported devices. The IdP is required to only accept authentication from devices that have this certificate. The logon could also identify the unique user using the certificate, streamlining the logon.

Permissions can be applied to some data held in O365 so that it is only accessible by certain managed devices, or groups of specified devices. This is enabled primarily for devices enrolled in AD or Azure AD, through the Workplace Join or Domain Join mechanisms.

8. Shared devices

O365 sets non-persistent session cookies once a user has successfully logged in, whether or not SSO is being used. If the SSO implementation provides persistent session management, CESG recommends that users should be advised to manually log out of both O365 and their IdP. This ensures that the cookie is deleted and, in doing so, separates user sessions on shared devices. It cannot be assumed that O365 will delete the SSO cookie set by the IdP.

9. References

In addition to the web pages referenced in the list of URLs below, Microsoft provides documentation to support SSO deployments including a troubleshooting guide:

See also CESG’s deployment security considerations for Microsoft Office 365: Administrator Good Practice in addition to documentation on End User Devices Security and Configuration Guidance.

If you have any questions or need a little more in-depth help please get in touch.

Source: https://www.ncsc.gov.uk/guidance/microsoft-office-365-security-guidance-single-sign-and-remote-access


Passwords, encryption and good practice

Passwords should be complex and changed regularly. Encryption should be implemented for any business critical information and especially for any information which is mobile or transported in any fashion. Why then do we still get asked the question “why do we need to change our passwords so often” and “do we have to have such difficult passwords”?

Admittedly, a good policy is not just to enforce password changes and complexity, as that only satisfies the need for security without taking into account the needs of the users; therefore, account lockout policies should not be applied haphazardly. While you increase the probability of preventing unauthorised access to your organisation’s information, you can also unintentionally lock out authorised users. This can be quite costly for your organisation, in loss of productivity and inability to carry out functions, which could affect your brand or how you are perceived.

In the age of simplicity and self-service we’re big fans of the ability to synchronise user information, securely of course, using the Azure AD service. Coupled with an on-site appliance which enables self-service password management, information is secure and organisations can easily adopt cloud services, providing employees and partners with an easy single sign-on experience. Most importantly, users and administrators are frustration free, as users are able to manage their own passwords without intervention. As long as they can remember their security questions!

All of which makes us happy. Our customers are secure from network attack and self-managing. Azure AD Basic is free and we use Nervepoint Technologies, a UK company, for our Self-Service Appliance, which in the non-Enterprise version, is free for unlimited users.