Active Authentication


Active Authentication Microsoft

Office 365 End User Training--Student Guide
Agenda
- About this Training
- Overview of Active Authentication
- Considerations of Active Authentication
- Configure Active Authentication
- Troubleshooting Active Authentication
This agenda slide provides a high-level overview of the main topics covered in this module.

About this Training
- Active Authentication Release
- Course Objectives
This section slide highlights the topics that are discussed in the subsequent slides.

Active Authentication Release: Release Information
- Early preview release is currently slated for June 11
- GA is slated for middle of July
- KB Articles to be available by preview release date
- Policy, Process and Procedures Articles scheduled for availability for early preview
- Read escalation procedures carefully
All dates are subject to change.

Course Objectives
- Define Active Authentication
- Understand how Active Authentication works with Office 365
- Describe the current Office 365 limitations to Active Authentication
- Configure Active Authentication
- Troubleshoot Active Authentication
- Introduce KB and PPP articles

Overview of Active Authentication
- Define Active Authentication
- Why Active Authentication
- Active Authentication Applicability
- Active Authentication Methods

What is Active Authentication: Strong Authentication
Strong Authentication (Strong AuthN)
- A higher level of security than standard authentication of user name and password
- Requests additional proof (factors) for identity
Factors include:
- Something the user knows (Ex.: user name and password)
- Something the user has (Ex.: cell phone, RSA Token)
- Something the user “is” (biometric) (Ex.: fingerprint, voice, retinal)

What is Active Authentication: Step-up Authentication
After a user logs into a location using a “low-strength” method, they may be required to provide a “high-strength” method to access a high-value resource.
Example:
- Authentication level 1: Customer connects to MOP and provides User Name and Password to log in.
- Authentication level 2: After customer logs into Office 365 they connect to SharePoint Online. Customer must provide User Name and RSA Token password to log in.
NOTE: Office 365 does not provide Step-up Authentication at this time.

What is Active Authentication: Contextual Authentication
- Contextual Authentication analyzes real-time events about a user's authentication request, such as the time, device, location, network and application, and adjusts the authentication method dynamically based on those events.
- Office 365 uses Contextual Authentication to provide Active Authentication:
  - Device – Phone: Over the Phone (OTP) requires the use of the customer's phone(s)
  - Time – used in conjunction with the phone: OTP request “times out” if not responded to in specified time

What is Active Authentication: Active Authentication for Office 365
Office 365 Active Authentication includes:
- Something the user knows – User Name and Password
- Something the user has – Phone (Office and/or Mobile)
- Contextual Authentication
  - Device – Phone
  - Time – Phone request “times out” if not responded to in specified time

Why Provide Active Authentication: Additional Security Needs
- Passwords are not enough
- Windows Azure AD is used for multiple online services
- Growing need for stronger security measures for identities and high value resources
- Competition is driving expectation for Strong AuthN
- Increased use of mobile access demands stronger seamless security measures
- Compliance of federal and other security certifications

Why Provide Active Authentication: Why use phones
- Phones are extremely difficult to duplicate
- Phone numbers extremely difficult to intercept
- Widely adopted personal device that is normally carried everywhere by employees/students
- Prevents additional IT costs of hardware:
  - RSA security tokens
  - Smart Cards

Lesson Review
Q-1: What factors (proof) can be used for Strong AuthN?
A-1: Something the user knows; something the user has; something the user “is” (biometric).
Q-2: What two items are used by Office 365 for Contextual Authentication?
A-2: Phone and Time

Lesson Review
Q-3: Define OTP?
A-3: Over the Phone.
Q-4: Why does Office 365 use phones to provide Active Authentication?
A-4: Phone duplication, phone number intercept, carried by all, and IT cost.

Considerations of Active Authentication
- Accounts that can use Active Authentication
- Supported applications
- Future supported features

Active Authentication: Supported vs. Non-supported
- Administrator and User accounts
- User accounts can be configured with Active Authentication through the Azure AD Portal
- Existing on-premises multi-factor authentication
Not supported
- Rich client application
- Outlook and Lync
- MOP, Windows Intune and PowerShell Cmdlets
- “Access denied” error received when using Lync-based IP phone
NOTE: Current non-supported features may be available in future releases

Active Authentication: Existing on-premises multi-factor authentication
- Existing on-premises multi-factor authentication is supported
- Able to use on-premises multi-factor authentication to access Microsoft Cloud Services
- Cannot use Active Authentication built-in Windows Azure AD for federated admin accounts that use on-premises multi-factor authentication

Active Authentication: Phone Options
- Voice with mobile phone: A voice asks admin to press # to confirm
- Voice with office phone
- SMS (default): Text is sent to Mobile phone with instructions
- Phone application: A push notification is sent to the phone via an application

Active Authentication: Phone Application
- Title: Active Authentication Application
- Formerly known as PhoneFactor
- Notifies you of a pending verification request by popping an alert on your mobile device
- Tap Approve or Deny
- May require entering a passcode in the application

Active Authentication: Admin account Best Practice
- Leave one admin account with Active Authentication disabled.
- Recommended: Should always have more than one admin account
- An Active Authentication disabled admin account is needed for:
  - Rich client applications, such as PowerShell
  - Backup account to modify/unlock Active Authentication enabled admin accounts

Lesson Review
Q-1: What type of account(s) can be configured for Active Authentication?
A-1: Administrator and User accounts
Q-2: List the non-supported applications.
A-2: Outlook, Lync, Windows Intune, PowerShell, Lync IP Phone.

Lesson Review
Q-3: What must be selected when confirming a voice call to your phone?
A-3: The # must be selected on your phone.
Q-4: True or false, at least one admin account should not use Active Authentication?
A-4: True. A non Active Authentication admin account can be used for password/phone management and PowerShell.

Configuration of Active Authentication
- Enable Active Authentication
- Disable Active Authentication

Enable/Disable Active Authentication: Portal
- Customers can only purchase and enable Active Authentication from Azure AD.
- There is a link from MOP to connect to Azure AD.
- Once enablement is completed, customers can return to MOP by clicking a return arrow.
Note: This training will be updated before GA with the necessary screenshots.

Activate Active Authentication: Portal
1. Access MOP
2. Click Users or User and Groups
3. Click Setup under “Set stronger verification requirements”

Activate Active Authentication: Portal
1. Choose the correct administrator group
2. Select account(s)
3. Click Enable

Activate Active Authentication: Portal
1. Click Yes in the Enable multi-factor verification? pop-up window.
2. Click Close to accept update notification.

De-activate Active Authentication: Portal
1. Access MOP
2. Click Users or User and Groups
3. Click Setup under “Set stronger verification requirements”

De-activate Active Authentication: Portal
1. Choose the correct administrator group
2. Select account(s)
3. Click Disable

Configure Active Authentication: Setup
Admin must log in to configure their account for the first time.
1. Access MOP
2. Sign in with recently enabled Active Authentication account
3. Click Set it up now

Activated Active Authentication: Select Primary Phone
1. Select phone type
2. Select Country or Region (NOTE: Not all countries are listed at this time)
3. Enter phone number
4. Select Text me instead of calling to enable SMS
Note: Only Mobile Phone type enables the text option.

Activated Active Authentication: Select Backup Phone
1. Select phone type
2. Enter phone number
3. Select Text me instead of calling to enable SMS
4. Click Save

Activated Active Authentication: Verification
Verify phone
- Phone(s) will receive a call or text depending on the selection
- Click # when prompted
- Follow text instructions
- Click Close after verification is completed successfully and when prompted

Active Authentication: Phone Application - Activation
- Tenant Admin provides one of the following:
  - Activation Code
  - QR Code
  - URL
- Enter information into app or scan QR code
- Possible to activate multiple companies and accounts.

Lesson Review
Q-1: What should be selected in order to send a text message to a phone number?
A-1: Select Text me instead of calling to enable SMS.
Q-2: True or False, all countries are listed in the Select Country or Region field.
A-2: False, the countries are limited at this time.

Troubleshoot Active Authentication
- Disable Active Authentication from Admin reduced to User
- Additional phone numbers
- Verification issues

CAP Coding: CAP Issue codes
The following Issue Codes have been added to CAP to track MFA issues:
- Single Sign On\Two Factor Sign On Failed
- Single Sign On\Setting Up Two-Factor authentication
- Azure AD Multifactor Authentication
- Azure AD Multifactor Authentication Reset

Admin Reduced to User: Disable Active Authentication for User
If an Active Authentication Admin account is reduced to a User account, Active Authentication remains enabled for the account.
1. Promote the user to Administrator role
2. Disable Active Authentication from multi-factor authentication page
3. Demote user back to User role
KB: Removing multi-factor (Active Authentication) authentication for Administrator user account. (2834952)

Update Phone Settings: Primary and Backup Phone
1. Log into Portal
2. Click your user name at the top-right corner of the page and then click My profile.
3. Click Change additional security verification settings.
4. Under primary phone, type your phone number.
5. Click Save.
Recommended: Use mobile phone as primary phone
KB: How to Add or Change multi-factor (Active Authentication) authentication security verification phone settings

No Response on Phone: No Call or Text Message
- Verify phone is cell or land line
  - IP phones not supported
- Try again using backup number
- Request admin disable Active Authentication
  - After Active Authentication is disabled, user can log in with user name and password
  - Active Authentication re-enabled, user must complete configuration process again
KB: Administrator with multi-factor (Active Authentication) authentication enabled is not receiving text message or voice message that contains authentication code (2834956)

Password/Phone Reset: Password or Phone Reset
- SE should follow the standard password reset policy and only reset account if there is one admin.
- Support must wait 72 hours to perform a password or phone reset if a phone reset has previously been requested.
- Follow KB article “How and when to reset multifactor authentication” (2846806) to submit a SWT request to reset the phone

Locked out: Only One Admin Account
- SE should follow the standard password reset policy and only reset account if there is one admin.
- If additional admins, redirect customer to another admin
- If only one admin, escalate using SWT

Multiple Prompts During Configuration: Setup Does Not Complete
- Customer is prompted multiple times during phone configuration
- Wait a few seconds then click browser refresh button

Error 0x800434D4L: PowerShell cmdlet error
Administrator with multi-factor authentication (Active Authentication) enabled is getting 0x800434D4L when trying to run Windows Azure Active Directory Module for Windows PowerShell cmdlets.
- Active Authentication does not support rich client applications at this time
- Use non Active Authentication enabled account to run PowerShell cmdlets
KB: Administrator with multi-factor authentication (Active Authentication) enabled receives error 0x800434D4L when running Windows Azure Active Directory Module for Windows PowerShell cmdlets (2834958)

Federated Admins: unable to use Active Authentication with federated admin accounts
Federated admin accounts are not able to use Active Authentication at this time.
- Active Authentication may be enabled for a federated admin account
- Admin account is not re-directed to proof page to Add multi-factor (Active Authentication) authentication security verification phone settings
KB: Removing Federated Administrator with multi-factor authentication (Active Authentication) enabled, never redirected to the proof page resulting in Active Authentication not being enforced for Federated administrator accounts. (2834962)

Account verification system is having trouble: Unable to provide Active Authentication verification
Administrator is receiving error message when trying to log in with Active Authentication enabled: “Sorry, our account verification system is having trouble. This could be temporary, but if you see it again, you might want to contact your admin. User2WaySMSAuthFailedWrongCodeEntered 0”
- Verify correct code is entered
- Try backup or primary phone number.
- Disable, re-enable Active Authentication on affected account
KB: Administrator with Active Authentication enabled receives message "User2WaySMSAuthFailedWrongCodeEntered 0". (2834963)

“We did not receive a response”: Active Authentication page times out
Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive a response. Please try again.”
- Customer did not receive Active Authentication request on phone
- User authentication failed due to duplicate request
- Verify phone numbers provided are correct
KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.” (2834965)

“We did not receive the expected response”: Incorrect Active Authentication credentials provided
Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again."
- User SMS authentication failed due to wrong SMS Code being entered.
- User Voice authentication failed due to phone being hung up prior to entering #
- Verify that correct SMS authentication code is being entered
- Try a different preconfigured phone number
KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again." (2834968)

“Unable to reach your phone”: Choose another option
Error: “We were unable to reach your phone. Please choose another verification option”
- User SMS voice authentication failed due to invalid phone extension
- User Voice authentication failed due to invalid phone number format
- Verify the correct phone number and extension is entered correctly
- Try a different preconfigured phone number
KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.” (2834965)

“Unable to reach your phone”: Try again
Error: “We were unable to reach your phone. Please try again.”
- User Voice authentication failed due to provider could not send the call
- User Voice authentication failed due to provider could not send the SMS message
- Verify phone is working and service is available
- Try a different preconfigured phone number
KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We were unable to reach your phone. Please try again.” (2834970)
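
The four sign-in messages in the troubleshooting slides above correspond to a small number of states in a phone challenge. The Python model below is an added example, not Microsoft's code and not part of the original deck; the 60-second time-out, the phone-number format, the single-use rule and every sample number and code are assumptions made for illustration.

```python
"""Toy model of a phone-based second-factor challenge (constructed example)."""
import hmac
import re
from dataclasses import dataclass

# User-facing messages quoted from the troubleshooting slides above.
MSG_NO_RESPONSE = "We did not receive a response. Please try again."
MSG_WRONG_RESPONSE = "We did not receive the expected response. Please try again."
MSG_UNREACHABLE_RETRY = "We were unable to reach your phone. Please try again."
MSG_UNREACHABLE_OTHER = ("We were unable to reach your phone. "
                         "Please choose another verification option")

TIMEOUT_SECONDS = 60  # assumption: the slides only say "specified time"
# Assumption: numbers look like "+<country> <digits>[x<extension>]".
PHONE_RE = re.compile(r"^\+\d{1,3} \d{4,14}(x\d{1,6})?$")


@dataclass
class Challenge:
    phone: str
    method: str        # "sms" or "voice"
    expected: str      # the SMS code, or "#" for a voice call
    sent_at: float     # seconds, on whatever clock the caller uses
    consumed: bool = False


def start_challenge(phone, method, code, now, provider_up=True):
    """Send a challenge. Returns (challenge, None) or (None, error message)."""
    if not PHONE_RE.match(phone):
        return None, MSG_UNREACHABLE_OTHER   # bad number format or extension
    if not provider_up:
        return None, MSG_UNREACHABLE_RETRY   # carrier could not deliver
    expected = code if method == "sms" else "#"
    return Challenge(phone, method, expected, now), None


def verify(challenge, response, now):
    """Check one response. `response` is None when nothing came back at all,
    and an empty string when a voice call was hung up before pressing #."""
    if challenge.consumed:                   # duplicate request: single use
        return False, MSG_NO_RESPONSE
    challenge.consumed = True
    if response is None or now - challenge.sent_at > TIMEOUT_SECONDS:
        return False, MSG_NO_RESPONSE        # the "Time" factor expired
    # Constant-time comparison so timing does not leak the code.
    if hmac.compare_digest(response.encode(), challenge.expected.encode()):
        return True, None
    return False, MSG_WRONG_RESPONSE


def sign_in(password_ok, phones, answers, now=0.0):
    """Password first, then the primary phone, then the backup phone.
    `phones` is a list of (number, method, code); `answers` maps a number to
    (response, seconds_taken) and stands in for the person holding the phone.
    Returns (signed_in, messages_shown)."""
    if not password_ok:
        return False, ["password rejected"]
    shown = []
    for number, method, code in phones:
        challenge, error = start_challenge(number, method, code, now)
        if error is None:
            response, delay = answers.get(number, (None, 0.0))
            ok, error = verify(challenge, response, now + delay)
            if ok:
                return True, shown
        shown.append(error)
    return False, shown
```

Reading the model against a support case: a repeated “did not receive a response” points at delivery, time-out or a duplicate request, while “did not receive the expected response” means the challenge arrived and the answer was wrong.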

Module Summary
- Office 365 supports Active Authentication
- Only admin accounts can use Active Authentication
- Customer can use a mobile or office phone
- Voice or text can be sent to the phones
- Non-supported items:
  - Rich client applications
  - Lync-based IP Phone

Assessment Questions
Access the GCSLearn site and take the assessment:
https://gcslearn.partners.extranet.microsoft.com/OnlineServices/BPOSS/Pages/continuing_edu.aspx
- Work alone
- Open book
- You may use the courseware to assist in answering questions
- Time to complete: 10 questions – 10 minutes

Survey
Congratulations on completing the Active Authentication training. Please complete the 10-minute O365 Active Authentication Instruction Survey Form. The survey is anonymous so please be as honest as possible. Your feedback is very valuable as we strive to make the material better for every delivery.

4/19/2017 11:27 PM © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.