
Office 365 App Password with MFA | HowTo | 1 of 2

Part One | Part Two

If you’re using Multi-Factor Authentication for your organisation, and want to use applications which connect to your Office 365 account, you will need to create an Office 365 App Password. This is to enable the App to connect to Office 365. For example, if you’re using Outlook 2016 or earlier, Apple Mail App, Skype for Business or any other third party client with Office 365, you’ll need to create an App Password.

Thankfully, creating an Office 365 App Password is really easy to do, if a little hard to find.

Log in to the portal here: https://portal.office.com

  1. Once logged in, click on the Profile Picture on the top right:

    Office 365 App Password Portal Login Step One

  2. Click on View account:

    Office 365 View Account App Password Step Two

  3. Click on Manage Security & Privacy:

    Manage Office 365 App Password Security Privacy Step Three

  4. Click on Additional security verification:

    Office 365 App Password Security Privacy Step Four

  5. Click on Update your phone numbers used for account security:

    Office 365 Update Numbers App Password Step Five

  6. Click on app passwords:

    Office 365 Select App Passwords Step Six

  7. Click on create:

    Create Office 365 App Password Step Seven

  8. Enter a Name in the box; something unique is recommended. I usually name the client application the App Password is associated with. In the example below I have used Apple Mail App. Click next:

    Name Office 365 App Password Step Eight

  9. Now either copy by selecting the line, taking care not to pick up any spaces or other characters, or click on copy password to clipboard. You can now use this App Password in your client application, such as Apple Mail App, Thunderbird, iPhone or iPad. Take care, as this is the only time you will see your App Password: it cannot be viewed or changed once you click close:

    Copy Office 365 App Password Step Nine

  10. When you enrolled in Multi-Factor Authentication you were given an initial App Password. I recommend deleting the initial App Password in favour of creating individually named App Passwords. This keeps each device or client separate, which is more secure and easier to manage when you want to revoke one of them. Click Delete:

    Delete Office 365 App Password Step Ten

  11. Confirm you want to delete the App Password and click Yes:

    Confirm Delete Office 365 App Password Step Eleven

  12. The App Password has been successfully deleted. Click close:

    Change Office 365 App Password Step Twelve

  13. That’s it. You now have an App Password for your Apple Mail App. Repeat steps 7, 8 and 9 to create additional App Passwords.

    Review Office 365 App Password Step Thirteen

In Part Two, coming soon, I will demonstrate how you can add your App Password to a variety of clients and devices, including Apple Mail App, iPhone, iPad and Outlook 2016.

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity and cloud services for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!


Azure Multi-Factor Authenticator App | HowTo | 3 of 3

Part One | Part Two | Part Three

Azure Multi-Factor Authenticator App: In Part One I covered:

  • Why use Office 365 & Exchange Online with Azure Multi-Factor Authentication?

  • Enable modern authentication in Exchange Online

  • Office 365 & Exchange Online Multi-Factor Authentication in the Admin Portal

In Part Two I covered:

  • Enrol Accounts for Office 365 Multi-Factor Authentication

Once Office 365 Multi-Factor Authentication has been enabled and the users enrolled, it is sensible for your users to install the Microsoft Authenticator App. The App can be downloaded for a number of devices.

Once the Azure Multi-Factor Authenticator App has downloaded and installed on your device, log in to the portal here: https://portal.office.com

  1. Once logged in, click on the Profile Picture on the top right:

    Azure Multi-Factor Authentication Portal Step One

  2. Click on View account:

    Azure Multi-Factor Authentication Step Two

  3. Click on Security & Privacy:

    Azure Multi-Factor Authentication My Account Step Three

  4. Click on Additional security verification:

    Azure Multi-Factor Authentication Security Privacy Step Four

  5. Click on Update your phone numbers used for account security:

    Azure Multi-Factor Authentication Additional Security Verification Step Five

  6. Select the Authenticator app tick box:

    Azure Multi-Factor Authentication Security Verification Options Step Six

  7. While you are here you can add in the Alternate authentication phone. Click Configure:

    Azure Multi-Factor Authentication Security Verification Details Step Seven

  8. You should see the Configure mobile app message box:

    Azure Multi-Factor Authentication Retrieving App Step Eight

  9. The Configure mobile app QR code will now display:

    Azure Multi-Factor Authentication Configure App Step Nine

  10. Open your Authenticator App on your device. The example below is from an iPhone. Select the plus + sign in the top right:

    Azure Authenticator App for iPhone Step Ten

  11. Select Work or school account:

    Azure Authenticator App for iPhone Account Step Eleven

  12. Point the camera of your device at your screen to detect the QR code. If you receive a notification to allow the App access to your camera, select Allow. Otherwise select Or enter code manually:

    Azure Authenticator App for iPhone QR Code Step Twelve

  13. You should now have a new account:

    Azure Authenticator App for iPhone Complete Step Thirteen

  14. The activation status will now be checked:

    Azure Multi-Factor Authentication Checking Status Step Fourteen

  15. Click Save:

    Azure Multi-Factor Authentication App Configured Step Fifteen

  16. Click Verify preferred option:

    Azure Multi-Factor Authentication Configure App Step Sixteen

  17. You should now see the Verifying app notice:

    Azure Multi-Factor Authentication Verifying App Step Seventeen

  18. Open the Authenticator App on your device. Enter the code in the verification code box. The code will change every thirty seconds. Click Verify:

    Azure Multi-Factor Authentication Verification Code Step Eighteen

  19. If you receive a Verification failed error it’s most probably because you were too slow :). Click Retry and repeat steps 16, 17 and 18:

    Azure Multi-Factor Authentication Verification Failed Step Nineteen

  20. Once successful you will see an Updates successful notice. Click Close:

    Azure Multi-Factor Authentication Setup Success Step Twenty

  21. That’s it. You will now be returned to the Portal home page. I recommend using the Notify me through the app option by going through steps 1 to 5 to return to:

    Azure Multi-Factor Authentication Select Option Step Twenty One
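The six-digit codes in steps 18 and 19 come from the time-based one-time password scheme (OATH TOTP, RFC 6238) that authenticator apps use: the code is derived from the shared secret and the current thirty-second step, so a code typed after its step has passed is rejected. The PowerShell below is an added example, not part of the original post; the secret is the RFC 6238 test-vector key (a constructed sample, not a real enrolment secret) and the one-step tolerance is this example's choice, not a documented Azure MFA setting.

```powershell
# Added example: OATH TOTP (RFC 6238) generation and verification, showing why a
# code entered after its thirty-second window produces "Verification failed".
# The secret is the RFC 6238 test-vector key, a constructed sample; real enrolment
# secrets arrive base32-encoded in the QR code from step 9.

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][long]$UnixTime,
        [int]$StepSeconds = 30,
        [int]$Digits = 6
    )
    # Counter = whole 30-second steps since the Unix epoch, as 8 big-endian bytes
    $counter = [long][math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation (RFC 4226): 4 bytes at an offset taken from the last nibble
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    $code = $binary % [int][math]::Pow(10, $Digits)
    return ([string]$code).PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Verifier side: accept the current step plus AllowedSkewSteps either side
    # (one step here is this example's choice, to absorb clock drift and typing time)
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Submitted,
        [Parameter(Mandatory)][long]$NowUnixTime,
        [int]$AllowedSkewSteps = 1
    )
    foreach ($s in (-$AllowedSkewSteps)..$AllowedSkewSteps) {
        $t = $NowUnixTime + ($s * 30)
        if ((Get-TotpCode -Secret $Secret -UnixTime $t) -eq $Submitted) { return $true }
    }
    return $false
}

$secret = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')

# Self-check against RFC 6238 Appendix B: T = 59 s gives 94287082 for HMAC-SHA1 (six digits: 287082)
if ((Get-TotpCode -Secret $secret -UnixTime 59) -ne '287082') { throw 'TOTP self-check failed' }

# Step 18: the app shows a code at the start of a 30-second step (1700000010 is step-aligned)
$shown = 1700000010L
$code  = Get-TotpCode -Secret $secret -UnixTime $shown
Write-Host "Code shown at $shown : $code"

# Typed within the same step (10 s) or one step late (40 s): accepted with one step of tolerance
foreach ($delay in 10, 40) {
    $ok = Test-TotpCode -Secret $secret -Submitted $code -NowUnixTime ($shown + $delay)
    Write-Host "Entered after ${delay}s: $(if ($ok) { 'accepted' } else { 'Verification failed' })"
}

# Step 19: typed three steps later the code has rolled over and is rejected; the fix is a fresh code
$ok = Test-TotpCode -Secret $secret -Submitted $code -NowUnixTime ($shown + 100)
Write-Host "Entered after 100s: $(if ($ok) { 'accepted' } else { 'Verification failed' })"
```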

In order to test, log out of the portal then log back in. You will be prompted for your verification code or your device will notify you that verification is required depending upon which option you chose.

One final task is to create and assign App Passwords, which I will cover in two future posts: Office 365 App Password | HowTo | 1 of 2



Office 365 Multi-Factor Authentication | HowTo | 2 of 3

Part One | Part Two | Part Three

Office 365 Multi-Factor Authentication: In Part One of Three I covered:

  • Why use Office 365 & Exchange Online with Azure Multi-Factor Authentication?

  • Enable modern authentication in Exchange Online

  • Office 365 & Exchange Online Multi-Factor Authentication in the Admin Portal

The next phase of the process is to enrol the user for Office 365 Multi-Factor Authentication.

Enrol Accounts for Office 365 Multi-Factor Authentication

Once the attribute has been enabled for their account by an administrator, the user needs to register for Multi-Factor Authentication. The user should sign in as normal:

  1. Log in to the portal here: https://portal.office.com using their username and password. Click Sign in:

    Office 365 Multi-Factor Authentication Login Step One

  2. The user will now see the screen below asking them to further verify their account. Click Set it up now:

    Office 365 Multi-Factor Authentication Set-Up Step Two

  3. The user will now see two drop-down option boxes, the first for the method and the second for location:

    Office 365 Multi-Factor Authentication Verify Step Three

  4. I recommend using the Authentication phone option, as we will assume the user has no contact details added in their profile. This allows them to select the country and set the number the text or call verification is sent to. Click Select your country or region and select the appropriate one for you. Enter your number to be contacted; the example is 123456789. Select either Send me a code by text message or Call me; the example is text message. Click Contact me:

    Office 365 Multi-Factor Authentication Verify Step Four

  5. You will now be taken to Step 2, confirming that a text message has been sent to the telephone number with the country code you completed in 4 above.

    Office 365 Multi-Factor Authentication Send Text Step Five

  6. You will receive a text message on your phone within 60 seconds. If you do not receive the verification code text, please check the number displayed in 5 above:

    Office 365 Multi-Factor Authentication Verify Code Step Six

  7. Use the code from 6 and enter it in to the box; the example below is 373318. Click Verify:

    Office 365 Multi-Factor Authentication Add Code Step Seven

  8. You have now verified your identity and will be given an App Password which can be used to access your email using an application, such as the Apple Mail App. I will cover App Passwords in more detail in Part Three. Click Done:

    Office 365 Multi-Factor Authentication Initial App Password Step Eight

  9. If this was a new user with a temporary password they will need to update their password and Sign in. Enter the Current password, New password and Confirm (new) Password:

    Office 365 Multi-Factor Authentication Password Update Step Nine

  10. Click Update password and sign in:

    Office 365 Multi-Factor Authentication Password Update Step Ten

  11. If you have self-service password recovery enabled you will now need to enter additional information in order to recover access to your account. Click Next:

    Office 365 Multi-Factor Authentication Password Authorisation Step Eleven

  12. Next to Authentication email, select Set it up now:

    Office 365 Multi-Factor Authentication Password Authorisation Step Twelve

  13. Enter an email address that you have access to, such as your personal email address. You cannot add any email domains which are associated with your Exchange Online Tenant, as this needs to be unique to the user. Click email me:

    Office 365 Multi-Factor Authentication Password Additional Verification Step Thirteen

  14. You will now receive a verification code via email to the address you entered in 13:

    Office 365 Multi-Factor Authentication Email Confirmation Step Fourteen

  15. Enter the code you received in 14 in the box; in the example the code is 836919. Click verify:

    Office 365 Multi-Factor Authentication Code Confirmation Step Fifteen

  16. We now need to set the Authentication phone. Select Verify:

    Office 365 Multi-Factor Authentication Phone Verify Step Sixteen

  17. In this step you will verify the number you used in 4. Click text me:

    Office 365 Multi-Factor Authentication Text Verify Step Seventeen

  18. You will receive a text message on your phone within 60 seconds:

    Office 365 Multi-Factor Authentication Text Verify Step Eighteen

  19. Use the code from 18 and enter it in to the box; in the example the code is 242564. Click Verify:

    Office 365 Multi-Factor Authentication Text Verify Step Nineteen

  20. You have now created two forms of verification and your account recovery details. Click finish:

    Office 365 Multi-Factor Authentication Verify Complete Step Twenty

Enrol Authenticator App for Azure Multi-Factor Authentication

To enrol your user account for Office 365 Multi-Factor Authentication App and create App Passwords, continue to Part Three.



Exchange Online Multi-Factor Authentication | HowTo | 1 of 3

Part One | Part Two | Part Three

Exchange Online Multi-Factor Authentication: We’ve covered the notion of two-factor authentication (2FA) and Exchange Online multi-factor authentication (MFA) before, especially how you MUST enable it for sensitive accounts. I include all IT users, especially those with administrative access, plus any senior management user within the organisation, such as the MD/CEO, as their email is sensitive enough to justify Exchange Online Multi-Factor Authentication.

Two-factor authentication (2FA) or multi-factor authentication (MFA) has been available in Office 365 for many years, but you must manually enable it for your users. Microsoft’s Authenticator App for Android, iOS, and Windows Phone means it is simpler than ever to execute MFA by using push notifications for verifying, instead of users typing in six digit codes.

Why use Office 365 & Exchange Online with Azure Multi-Factor Authentication?

The geo-distributed, high availability design of Azure AD means that you can rely on it for your most critical business needs. With the prevalence of smart phones, tablets, laptops, and PCs, people have far too many options on how they are going to connect, and stay connected, at any time. Office 365 Multi-Factor Authentication and Exchange Online Multi-Factor Authentication through Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always correctly authenticated.

People can securely access their accounts and applications from anywhere, which means that they can get more work done and serve customers better.

  • Two-step verification, which requires more than one method of authentication. This means a critical second layer of security is added when a user signs in. It works by requiring two or more of the following:
    Something you know, a password for example
    Something you have, typically a trusted device that is not easily duplicated, like a phone
    Something you are, such as biometrics
  • It’s easy to use with a range of verification methods including text message, phone call, mobile app or email to alternate account.
    This means, due to the extra protection that comes with Azure Multi-Factor Authentication, users are able to manage their own devices and authenticate in the way they prefer based upon where they are.
  • Azure Multi-Factor Authentication is simple to set up and use. Once enabled, in many instances it can be set up with just a few simple clicks by the user.
    This means the burden of implementation is reduced and users are keen to adopt.
  • Verification with Azure Multi-Factor Authentication is scalable, using the power of the cloud whilst also optionally integrating with your on-premises Active Directory (AD) and custom applications.
    This means that protection can be extended to your high-volume, mission-critical services.
  • Azure Multi-Factor Authentication provides strong authentication using the highest possible industry standards.
    This means you are not just secure, but also compliant. You can monitor application usage and protect your business from advanced threats with security reporting and monitoring.
  • With a guaranteed 99.9% Service Level Agreement (SLA) for availability, Azure Multi-Factor Authentication is reliable.
    This means you will always be able to authenticate. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.

I use Azure MFA with Microsoft’s OneDrive for Business, SharePoint Online, Office 2016 desktop Apps (I’m not confessing the use of Outlook 2016), mobile Office apps and Skype for Business, all on Mac, Windows 8, Windows 10 and iOS, and found no issues. However, there are services that need an App Password or are incompatible, so make sure you review all the software and services in use in your organisation. I’ll cover the use of App Passwords in Part 3 of 3.

It is important to note that previously administrative accounts were unable to use PowerShell with Azure multi-factor authentication enforced for the account. Microsoft recommended creating a special account for each admin user to access PowerShell for Office 365 and Exchange Online, and that these accounts should be disabled when not in use. This was clearly ridiculous, so earlier this year they fixed it with the Exchange Online Remote PowerShell Module! You will need to ensure that Modern Authentication is enabled in your Exchange Online tenant before you can use the module.

You must enable Modern Authentication to support Outlook 2016 and Outlook 2013 clients.

Enable modern authentication in Exchange Online

Modern authentication in Office 365 enables authentication features like multi-factor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. Modern authentication is based on the Active Directory Authentication Library (ADAL) and OAuth 2.0. By default, modern authentication is NOT enabled in Exchange Online, however, you can enable it:

  1. Connect to Exchange Online PowerShell:
    To enable Windows PowerShell to run signed scripts, run the following command in an elevated Windows PowerShell window (a Windows PowerShell window you open by selecting Run as administrator):

    Set-ExecutionPolicy RemoteSigned

    You need to configure this setting only once on your computer, not every time you connect.

  2. Run the following command:

    $UserCredential = Get-Credential

    In the Windows PowerShell Credential Request dialog box, type your Office 365 user name and password, and then click OK.

  3. Run the following command:

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

  4. Run the following command:

    Import-PSSession $Session

  5. Run the following command in Exchange Online PowerShell:

    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

  6. To verify that the change was successful, run the following command in Exchange Online PowerShell:

    Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
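Steps 2 to 6 as one script, added here as an example rather than code from the original post: it checks the current setting before changing it, re-reads the setting to verify the change, and disconnects afterwards (the steps above leave the remote session open). It assumes the ExchangeOnlineManagement module and its Connect-ExchangeOnline cmdlet, which replaced the Basic-authentication New-PSSession connection shown above after Microsoft retired that endpoint; the admin account is a placeholder.

```powershell
# Added example (not from the original post): enable modern authentication in
# Exchange Online idempotently, verify it, and always close the session.
# Assumption: ExchangeOnlineManagement module installed (Install-Module ExchangeOnlineManagement);
# Connect-ExchangeOnline replaces the retired Basic-auth New-PSSession connection.
# $AdminUpn is a placeholder, e.g. admin@contoso.example.

param(
    [Parameter(Mandatory)][string]$AdminUpn
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# Interactive sign-in; the MFA prompt appears here if the admin account is enforced
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    $config = Get-OrganizationConfig

    if ($config.OAuth2ClientProfileEnabled) {
        Write-Host "Modern authentication is already enabled; nothing to change."
    }
    else {
        Write-Host "Enabling modern authentication (OAuth2ClientProfileEnabled)..."
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

        # Step 6 above: re-read the setting rather than trusting that the call succeeded
        $verified = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
        if (-not $verified) {
            throw "OAuth2ClientProfileEnabled is still false after Set-OrganizationConfig"
        }
        Write-Host "Modern authentication enabled and verified."
    }

    # Same view as the page's verification command
    Get-OrganizationConfig | Format-Table -AutoSize Name, OAuth*
}
finally {
    # Release the remote session even if a command above threw
    Disconnect-ExchangeOnline -Confirm:$false
}
```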

When you enable modern authentication in Exchange Online, Microsoft recommend that you also enable it in Skype for Business Online. For instructions, see SkypeModernAuth. Modern authentication is enabled by default in SharePoint Online.

Office 365 & Exchange Online Multi-Factor Authentication in the Admin Portal

Log in to the Office 365 admin portal here: https://portal.office.com using an administrator account.

1. From the menu on the left of the portal, expand Users and click Active users:

Office 365 Multi-Factor Authentication Admin Portal Step One

2. In the list of users, click the user you want to enable MFA for. Only licensed users can use Office 365 Multi-Factor Authentication. On the user’s pane, click Manage multi-factor authentication under More settings:

Exchange Online Multi-Factor Authentication Select User Step Two

3. From the multi-factor authentication display, select the user account to enable, and then click Enable under quick steps on the right:

Office 365 Multi-Factor Authentication User Step Three

4. In the About enabling multi-factor auth dialog box, click enable multi-factor authentication:

About Enabling Multi-Factor Authentication Step Four

5. You should see a dialogue with Enabling multi-factor Authentication:

Azure Enabling Multi-Factor Authentication Step Five

6. Click close when you see Updates successful:

Azure Updates Successful Multi-Factor Authentication Step Six

The Multi-Factor Authentication Status column for the user will change to Enabled. Sign out from the admin portal and close the browser window.

Enrol Accounts for Office 365 & Exchange Online Multi-Factor Authentication

To enrol your user account for Office 365 & Exchange Online Multi-Factor Authentication, continue to Part Two.



Office 365 SSO Security Guidance: Single sign-on and remote access

Office 365 SSO: The secure configuration of this cloud-hosted service aligns with government’s guidance on implementing the Cloud Security Principles. You can find out more regarding implementation of Federation in order to Restrict Access to Office 365.

1. What is Office 365 SSO (Single Sign-On)?

A Microsoft Online user usually signs in using the username and password associated with their Microsoft account. This process can be simplified with O365 by using Office 365 SSO, which allows a user to log in to O365 using their existing enterprise username and password. Office 365 SSO login may happen automatically, although this depends on how the enterprise and its devices are configured.

Office 365 SSO Single Sign-On

2. Microsoft Office 365 and SSO

O365 can be integrated with an existing on-premise Active Directory (AD) either by:

  • synchronising user credentials to the cloud or
  • implementing SSO using identity federation

Both options require account synchronisation between AD and the cloud, effectively copying user account and group data into Windows Azure Active Directory (Azure AD). Directory synchronisation is an ongoing relationship between the on-premise and cloud directories, implemented using the Directory Sync tool or with Azure AD Connect. Filters can be applied so only specified accounts in named organisational units or with certain user object attributes are synced.

O365 supports the implementation of SSO using identity federation which can be enforced once directory synchronisation is correctly established. In this configuration, the user authenticates to the enterprise instead of signing in to the O365 web app. This means there is no requirement to store enterprise passwords in the cloud, while also supporting multi-factor authentication such as a device identity or smartcard.

3. Synchronisation recommendations

CESG recommends implementing full identity federation rather than synchronising passwords into the cloud. Where possible, authentication should be made directly against the enterprise domain, connecting to it over a VPN when working remotely. This ensures there is no requirement to expose an authentication service directly to the Internet; a direct connection carries additional risk to the enterprise domain.

Enterprises implementing a cloud-first deployment may have already chosen to synchronise enterprise accounts and passwords into the cloud. In this case, an enterprise can take advantage of Azure AD services such as self-service password resets, Windows Azure Multi-Factor Authentication and integration options available with third party web apps adopting Microsoft Identity Manager.

Once user accounts have been synchronised to O365, an administrator will need to assign licenses to those users. While this is not automatically done using Directory Sync or Azure AD Connect, it can be scripted with PowerShell.

4. Office 365 SSO compatibility

Automatic SSO is supported in all O365 services accessed through the O365 portal, as well as Microsoft Office desktop apps installed on domain-joined devices. Office 365 SSO is also available on the Mobile Office platform for devices that support Workplace Join. Users of devices that are either unsupported or not enrolled in the enterprise will be able to log in to O365 using their enterprise username and password, unless O365 is configured to only allow connections from known and trusted devices.

5. SSO implementation requirements

An SSO implementation for O365 currently requires AD with a compatible Security Token Service (STS), also known as an Identity Provider (IdP). Microsoft currently supports Active Directory Federation Service (ADFS), Shibboleth IdP and other tested third party IdPs as an STS. It may be necessary to alter AD and ADFS configurations to meet the requirements defined by user identities and domain naming.

From a user perspective, SSO works by pointing them at an IdP which they authenticate against using a username and password. The browser then passes a security token to O365, allowing the user to log on to the service.

  • For users on a domain-joined or workplace-joined device, this login will be seamless once the device is unlocked.
  • For users on other device types, including those not connected to the enterprise network, they will authenticate against an enterprise authentication proxy using their username and password.

6. Web access

Public cloud services such as O365 are designed to be accessed from any device with an Internet connection. Some enterprises prefer to only allow their information to be accessed from authorised devices, whether these are enterprise managed or personal devices that meet a required security specification.

If you wish to restrict access to enterprise data to a subset of devices, one solution is to implement procedural controls for End User Devices (EUDs) which allow users to only log into O365 from certain devices. This can be achieved either through Mobile Device Management, Intune or through Group Policy with ADFS. Additional policy and security control can be achieved through private VLANs, removing the complexity of managing outbound requests via the Internet from trusted locations, such as fixed office sites or data centre locations.

7. Restricting access to known devices

There is no specific feature in O365 designed to restrict access to the service by network location or device, through mechanisms such as IP range restrictions or forcing user certificate-based authentication. If ADFS is used as an IdP, it may be configured to require that devices come from known IP addresses. However, it is possible to configure SSO so that only devices that are connected to the enterprise network can authenticate, using any IdP:

Office 365 SSO ADFS

With SSO configured as shown above, EUDs can only log in to O365 when they can see the IdP. This ensures that only devices that are connected directly to the enterprise network and those approved to connect using a VPN will be able to log in to O365. Once a user has logged in, the VPN can be dropped since the EUD will maintain the session with a web browser cookie, held until the user logs out. There should be an exception created in the VPN aggregator for managing latency-sensitive applications, such as Lync and Skype, in order to sustain a high level of usability.

SSO can also be configured to work with online IdPs. All approved EUDs should be provisioned with a non-exportable client certificate that identifies the user as a member of the enterprise. This certificate should be hardware-backed on supported devices. The IdP is required to only accept authentication from devices that have this certificate. The logon could also identify the unique user using the certificate, streamlining the logon.

Permissions can be applied to some data held in O365 so that it is only accessible by certain managed devices, or groups of specified devices. This is enabled primarily for devices enrolled in AD or Azure AD, through the Workplace Join or Domain Join mechanisms.

8. Shared devices

O365 sets non-persistent session cookies once a user has successfully logged in, whether or not SSO is being used. If the SSO implementation provides persistent session management, CESG recommend that users should be advised to manually log out of both O365 and their IdP. This will ensure that the cookie is deleted and in doing so separate user sessions on shared devices. It cannot be assumed that O365 will delete the SSO cookie set by the IdP.

9. References

In addition to the web pages referenced in the list of URLs below, Microsoft provides documentation to support SSO deployments including a troubleshooting guide:

See also CESG’s deployment security considerations for Microsoft Office 365: Administrator Good Practice in addition to documentation on End User Devices Security and Configuration Guidance.

If you have any questions or need a little more in-depth help please get in touch.

Source: https://www.ncsc.gov.uk/guidance/microsoft-office-365-security-guidance-single-sign-and-remote-access