Active Authentication
Microsoft Office 365 End User Training -- Student Guide

Agenda
- About this Training
- Overview of Active Authentication
- Considerations of Active Authentication
- Configure Active Authentication
- Troubleshooting Active Authentication
This agenda slide provides a high-level overview of the main topics covered in this module.

About This Training
- Active Authentication Release
- Course Objectives
This section slide highlights the topics that are discussed in the subsequent slides.
Active Authentication Release: Release Information
- Early preview release is currently slated for June 11
- GA is slated for the middle of July
- KB articles to be available by the preview release date
- Policy, Process and Procedures (PPP) articles scheduled for availability for the early preview
- Read the escalation procedures carefully
- All dates are subject to change.
Course Objectives
- Define Active Authentication
- Understand how Active Authentication works with Office 365
- Describe the current Office 365 limitations to Active Authentication
- Configure Active Authentication
- Troubleshoot Active Authentication
- Introduce KB and PPP articles

Overview of Active Authentication
- Define Active Authentication
- Why Active Authentication
- Active Authentication Applicability
- Active Authentication Methods
What is Active Authentication: Strong Authentication
- Strong Authentication (Strong AuthN) is a higher level of security than standard authentication with a user name and password
- Requests additional proof (factors) of identity
- Factors include:
  - Something the user knows, e.g. user name and password
  - Something the user has, e.g. cell phone, RSA token
  - Something the user “is” (biometric), e.g. fingerprint, voice, retina
What is Active Authentication: Step-up Authentication
- After a user logs in to a location using a “low-strength” method, they may be required to provide a “high-strength” method to access a high-value resource.
- Example:
  - Authentication level 1: the customer connects to MOP and provides a user name and password to log in.
  - Authentication level 2: after the customer logs in to Office 365, they connect to SharePoint Online and must provide a user name and RSA token password to log in.
- NOTE: Office 365 does not provide Step-up Authentication at this time.
What is Active Authentication: Contextual Authentication
- Contextual Authentication analyzes real-time events about a user's authentication request, such as the time, device, location, network and application, and adjusts the authentication method dynamically based on those events.
- Office 365 uses Contextual Authentication to provide Active Authentication:
  - Device: phone. Over the Phone (OTP) requires the use of the customer's phone(s).
  - Time: used in conjunction with the phone. The OTP request “times out” if it is not responded to within the specified time.
What is Active Authentication: Active Authentication for Office 365
- Office 365 Active Authentication includes:
  - Something the user knows: user name and password
  - Something the user has: phone (office and/or mobile)
- Contextual Authentication:
  - Device: phone
  - Time: the phone request “times out” if it is not responded to within the specified time
Why Provide Active Authentication: Additional Security Needs
- Passwords are not enough
- Windows Azure AD is used for multiple online services
- Growing need for stronger security measures for identities and high-value resources
- Competition is driving the expectation for Strong AuthN
- Increased use of mobile access demands stronger, seamless security measures
- Compliance with federal and other security certifications
Why Provide Active Authentication: Why Use Phones
- Phones are extremely difficult to duplicate
- Phone numbers are extremely difficult to intercept
- Widely adopted personal device that is normally carried everywhere by employees/students
- Prevents the additional IT costs of hardware:
  - RSA security tokens
  - Smart cards
Lesson Review
- Q-1: What factors (proof) can be used for Strong AuthN?
- A-1: Something the user knows, something the user has, something the user “is” (biometric)
- Q-2: What two items are used by Office 365 for Contextual Authentication?
- A-2: Phone and Time
13 | Microsoft Confidential

Lesson Review
- Q-3: Define OTP.
- A-3: Over the Phone.
- Q-4: Why does Office 365 use phones to provide Active Authentication?
- A-4: Phones are hard to duplicate, phone numbers are hard to intercept, phones are carried by all, and they avoid IT hardware cost.
Considerations of Active Authentication
- Accounts that can use Active Authentication
- Supported applications
- Future supported features
Active Authentication: Supported vs. Non-supported
- Administrator and User accounts
  - User accounts can be configured with Active Authentication through the Azure AD Portal
- Existing on-premises multi-factor authentication
- Not supported:
  - Rich client applications: Outlook and Lync; MOP, Windows Intune and PowerShell cmdlets
  - An “Access denied” error is received when using a Lync-based IP phone
- NOTE: Currently non-supported features may be available in future releases
Active Authentication: Existing On-premises Multi-factor Authentication
- Existing on-premises multi-factor authentication is supported
- Able to use on-premises multi-factor authentication to access Microsoft Cloud Services
- Cannot use the Active Authentication built into Windows Azure AD for federated admin accounts that use on-premises multi-factor authentication
Active Authentication: Phone Options
- Voice with mobile phone: a voice asks the admin to press # to confirm
- Voice with office phone
- SMS (default): a text is sent to the mobile phone with instructions
- Phone application: a push notification is sent to the phone via an application
Active Authentication: Phone Application
- Title: Active Authentication Application
- Formerly known as PhoneFactor
- Notifies you of a pending verification request by popping an alert on your mobile device
- Tap Approve or Deny
- May require entering a passcode in the application
Active Authentication: Admin Account Best Practice
- Leave one admin account with Active Authentication disabled.
- Recommended: always have more than one admin account
- An admin account with Active Authentication disabled is needed for:
  - Rich client applications, such as PowerShell
  - A backup account to modify/unlock Active Authentication-enabled admin accounts
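One way to audit the best practice above, as an added example that is not part of this training deck: a script for the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline module the deck refers to) that lists the members of the Company Administrator role with their Active Authentication state and warns when no admin is left without it. It assumes the MSOnline cmdlets Connect-MsolService, Get-MsolRole, Get-MsolRoleMember and Get-MsolUser and the StrongAuthenticationRequirements user property, and it must be run from an admin account that does not have Active Authentication enabled, since enabled accounts cannot run these cmdlets.

```powershell
# Added example (not from the training deck): report the Active Authentication
# (multi-factor) state of every Company Administrator so that at least one admin
# stays without it, as the best practice recommends.
# Assumption: the MSOnline module is installed and you sign in with an admin
# account that does NOT have Active Authentication enabled.
Import-Module MSOnline
Connect-MsolService   # prompts for the credentials of the non-MFA admin account

# "Company Administrator" is the tenant-wide admin role name in the MSOnline module.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$admins = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" }

$report = foreach ($member in $admins) {
    $user = Get-MsolUser -ObjectId $member.ObjectId
    # StrongAuthenticationRequirements is empty when Active Authentication is off;
    # otherwise its State is "Enabled" (not yet configured) or "Enforced".
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State
    } else {
        "Disabled"
    }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ActiveAuthState   = $state
    }
}

$report | Format-Table -AutoSize

# Flag the two conditions the deck warns about: every admin has Active
# Authentication turned on, or the tenant has only a single admin account.
$withoutMfa = @($report | Where-Object { $_.ActiveAuthState -eq "Disabled" })
if ($withoutMfa.Count -eq 0) {
    Write-Warning "Every admin has Active Authentication enabled: no account is left for PowerShell cmdlets or for unlocking other admins."
} elseif (@($report).Count -lt 2) {
    Write-Warning "Only one admin account exists; more than one is recommended."
} else {
    Write-Output ("{0} admin account(s) without Active Authentication available as backup." -f $withoutMfa.Count)
}
```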
Lesson Review
- Q-1: What type of account(s) can be configured for Active Authentication?
- A-1: Administrator and User accounts
- Q-2: List the non-supported applications.
- A-2: Outlook, Lync, Windows Intune, PowerShell, Lync IP Phone.

Lesson Review
- Q-3: What must be selected when confirming a voice call to your phone?
- A-3: The # must be selected on your phone.
- Q-4: True or false: at least one admin account should not use Active Authentication?
- A-4: True. An admin account without Active Authentication can be used for password/phone management and PowerShell.
Configuration of Active Authentication
- Enable Active Authentication
- Disable Active Authentication
Enable/Disable Active Authentication: Portal
- Customers can only purchase and enable Active Authentication from Azure AD. There is a link from MOP to connect to Azure AD.
- Once enablement is completed, customers can return to MOP by clicking a return arrow.
- Note: This training will be updated before GA with the necessary screenshots.
Activate Active Authentication: Portal
1. Access MOP
2. Click Users or Users and Groups
3. Click Setup under “Set stronger verification requirements”
4. Choose the correct administrator group
5. Select account(s)
6. Click Enable
7. Click Yes in the “Enable multi-factor verification?” pop-up window.
8. Click Close to accept the update notification.
De-activate Active Authentication: Portal
1. Access MOP
2. Click Users or Users and Groups
3. Click Setup under “Set stronger verification requirements”
4. Choose the correct administrator group
5. Select account(s)
6. Click Disable
Configure Active Authentication: Setup
- The admin must log in to configure their account for the first time.
1. Access MOP
2. Sign in with the recently enabled Active Authentication account
3. Click Set it up now
Activated Active Authentication: Select Primary Phone
1. Select phone type
2. Select Country or Region (NOTE: not all countries are listed at this time)
3. Enter phone number
4. Select “Text me instead of calling” to enable SMS (Note: only the Mobile Phone type enables the text option.)

Activated Active Authentication: Select Backup Phone
1. Select phone type
2. Enter phone number
3. Select “Text me instead of calling” to enable SMS
4. Click Save

Activated Active Authentication: Verification
- Verify phone: the phone(s) will receive a call or text depending on the selection
  - Press # when prompted
  - Follow the text instructions
- Click Close after verification is completed successfully and when prompted
Active Authentication Phone Application: Activation
- Tenant Admin provides one of the following:
  - Activation Code
  - QR Code
  - URL
- Enter the information into the app or scan the QR code
- It is possible to activate multiple companies and accounts.
Lesson Review
- Q-1: What should be selected in order to send a text message to a phone number?
- A-1: Select “Text me instead of calling” to enable SMS.
- Q-2: True or False: all countries are listed in the Select Country or Region field.
- A-2: False, the countries are limited at this time.
Troubleshoot Active Authentication
- Disable Active Authentication for an Admin reduced to User
- Additional phone numbers
- Verification issues
CAP Coding: CAP Issue Codes
- The following issue codes have been added to CAP to track MFA issues:
  - Single Sign On\Two Factor Sign On Failed
  - Single Sign On\Setting Up Two-Factor authentication
  - Azure AD Multifactor Authentication
  - Azure AD Multifactor Authentication Reset
Admin Reduced to User: Disable Active Authentication for User
- If an Active Authentication Admin account is reduced to a User account, Active Authentication remains enabled for the account.
1. Promote the user to the Administrator role
2. Disable Active Authentication from the multi-factor authentication page
3. Demote the user back to the User role
- KB: Removing multi-factor (Active Authentication) authentication for Administrator user account (2834952)
Update Phone Settings: Primary and Backup Phone
1. Log into the Portal
2. Click your user name at the top-right corner of the page and then click My profile.
3. Click Change additional security verification settings.
4. Under primary phone, type your phone number.
5. Click Save.
- Recommended: use a mobile phone as the primary phone
- KB: How to Add or Change multi-factor (Active Authentication) authentication security verification phone settings
No Response on Phone: No Call or Text Message
- Verify the phone is a cell or land line; IP phones are not supported
- Try again using the backup number
- Request that an admin disable Active Authentication
  - After Active Authentication is disabled, the user can log in with user name and password
  - Once Active Authentication is re-enabled, the user must complete the configuration process again
- KB: Administrator with multi-factor (Active Authentication) authentication enabled is not receiving text message or voice message that contains authentication code (2834956)
Password/Phone Reset: Password or Phone Reset
- SE should follow the standard password reset policy and only reset the account if there is one admin.
- Support must wait 72 hours to perform a password or phone reset if a phone reset has previously been requested.
- Follow KB article “How and when to reset multifactor authentication” (2846806) to submit a SWT request to reset the phone
Locked Out: Only One Admin Account
- SE should follow the standard password reset policy and only reset the account if there is one admin.
- If there are additional admins, redirect the customer to another admin
- If there is only one admin, escalate using SWT
Multiple Prompts During Configuration: Setup Does Not Complete
- The customer is prompted multiple times during phone configuration
- Wait a few seconds, then click the browser refresh button
Error 0x800434D4L: PowerShell cmdlet error
- An administrator with multi-factor authentication (Active Authentication) enabled gets 0x800434D4L when trying to run Windows Azure Active Directory Module for Windows PowerShell cmdlets.
- Active Authentication does not support rich client applications at this time
- Use an account without Active Authentication enabled to run PowerShell cmdlets
- KB: Administrator with multi-factor authentication (Active Authentication) enabled receives error 0x800434D4L when running Windows Azure Active Directory Module for Windows PowerShell cmdlets (2834958)
Federated Admins: Unable to use Active Authentication with federated admin accounts
- Federated admin accounts are not able to use Active Authentication at this time.
- Active Authentication may be enabled for a federated admin account, but the admin account is not redirected to the proof page to add multi-factor (Active Authentication) authentication security verification phone settings
- KB: Removing Federated Administrator with multi-factor authentication (Active Authentication) enabled, never redirected to the proof page resulting in Active Authentication not being enforced for Federated administrator accounts (2834962)
Account Verification System Is Having Trouble: Unable to provide Active Authentication verification
- An administrator receives an error message when trying to log in with Active Authentication enabled: “Sorry, our account verification system is having trouble. This could be temporary, but if you see it again, you might want to contact your admin. User2WaySMSAuthFailedWrongCodeEntered 0”
- Verify the correct code is entered
- Try the backup or primary phone number
- Disable and re-enable Active Authentication on the affected account
- KB: Administrator with Active Authentication enabled receives message "User2WaySMSAuthFailedWrongCodeEntered 0" (2834963)
“We did not receive a response”: Active Authentication page times out
- An administrator with multi-factor authentication (Active Authentication) enabled receives the message “We did not receive a response. Please try again.”
- Causes:
  - The customer did not receive the Active Authentication request on the phone
  - User authentication failed due to a duplicate request
- Verify the phone numbers provided are correct
- KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.” (2834965)
“We did not receive the expected response”: Incorrect Active Authentication credentials provided
- An administrator with multi-factor authentication (Active Authentication) enabled receives the message “We did not receive the expected response. Please try again.”
- Causes:
  - User SMS authentication failed due to the wrong SMS code being entered
  - User voice authentication failed due to the phone being hung up prior to entering #
- Verify that the correct SMS authentication code is being entered
- Try a different preconfigured phone number
- KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again.” (2834968)
“Unable to reach your phone”: Choose another option
- Error: “We were unable to reach your phone. Please choose another verification option”
- Causes:
  - User SMS/voice authentication failed due to an invalid phone extension
  - User voice authentication failed due to an invalid phone number format
- Verify that the correct phone number and extension are entered correctly
- Try a different preconfigured phone number
- KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.” (2834965)
“Unable to reach your phone”: Try again
- Error: “We were unable to reach your phone. Please try again.”
- Causes:
  - User voice authentication failed because the provider could not send the call
  - User voice authentication failed because the provider could not send the SMS message
- Verify the phone is working and service is available
- Try a different preconfigured phone number
- KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We were unable to reach your phone. Please try again.” (2834970)
Module Summary
- Office 365 supports Active Authentication
- Only admin accounts can use Active Authentication
- Customer can use a mobile or office phone
- Voice or text can be sent to the phones
- Non-supported items:
  - Rich client applications
  - Lync-based IP phone
Assessment Questions
- Access the GCSLearn site and take the assessment
- Work alone
- Open book: you may use the courseware to assist in answering the questions
- Time to complete: 10 questions, 10 minutes
Survey
Congratulations on completing the Active Authentication training. Please complete the 10-minute O365 Active Authentication Instruction Survey Form. The survey is anonymous, so please be as honest as possible. Your feedback is very valuable as we strive to make the material better for every delivery.
4/19/2017 11:27 PM © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.