

Active Authentication

Microsoft

Agenda

• About this Training
• Overview of Active Authentication
• Considerations of Active Authentication
• Configure Active Authentication
• Troubleshooting Active Authentication

About this Training

• Active Authentication Release
• Course Objectives

Active Authentication Release: Release Information

• Early preview release is currently slated for June 11
• GA is slated for middle of July
• KB Articles to be available by preview release date
• Policy, Process and Procedures
  • Articles scheduled for availability for early preview
  • Read escalation procedures carefully
• All dates are subject to change.

Course Objectives

• Define Active Authentication
• Understand how Active Authentication works with Office 365
• Describe the current Office 365 limitations to Active Authentication
• Configure Active Authentication
• Troubleshoot Active Authentication
• Introduce KB and PPP articles

Overview of Active Authentication

• Define Active Authentication
• Why Active Authentication
• Active Authentication Applicability
• Active Authentication Methods

What is Active Authentication: Strong Authentication

• Strong Authentication (Strong AuthN)
  • A higher level of security than standard authentication of user name and password
  • Requests additional proof (factors) for identity
• Factors include:
  • Something the user knows. Ex. – User name and password
  • Something the user has. Ex. – Cell phone, RSA Token
  • Something the user “is” (biometric). Ex. – Finger print, voice, retinal

What is Active Authentication: Step-up Authentication

• Step-up Authentication
  After a user logs into a location using a “low-strength” method, they may be required to provide a “high-strength” method to access a high-value resource. Example:
  • Authentication level 1
    • Customer connects to MOP and provides User Name and Password to log in.
  • Authentication level 2
    • After customer logs into Office 365 they connect to SharePoint Online
    • Customer must provide User Name and RSA Token password to log in

NOTE: Office 365 does not provide Step-up Authentication at this time

What is Active Authentication: Contextual Authentication

• Contextual Authentication
  Contextual Authentication analyzes real-time events about a user's authentication request, such as the time, device, location, network and application, and adjusts the authentication method dynamically based on those events.
• Office 365 uses Contextual Authentication to provide Active Authentication
  • Device – Phone: Over the Phone (OTP) requires the use of the customer's phone(s)
  • Time – used in conjunction with the phone: the OTP request “times out” if it is not responded to in the specified time

What is Active Authentication: Active Authentication for Office 365

• Office 365 Active Authentication includes
  • Something the user knows – User Name and Password
  • Something the user has – Phone (Office and/or Mobile)
• Contextual Authentication
  • Device – Phone
  • Time – Phone request “times out” if not responded to in specified time

Why Provide Active Authentication: Additional Security Needs

• Passwords are not enough
  • Windows Azure AD is used for multiple online services
  • Growing need for stronger security measures for identities and high value resources
• Competition is driving expectation for Strong AuthN
  • Increased use of mobile access demands stronger, seamless security measures
  • Compliance with federal and other security certifications

Why Provide Active Authentication: Why use phones

• Phones are extremely difficult to duplicate
• Phone numbers are extremely difficult to intercept
• Widely adopted personal device that is normally carried everywhere by employees/students
• Prevents additional IT costs of hardware
  • RSA security tokens
  • Smart Cards

Lesson Review

Q-1: What factors (proof) can be used for Strong AuthN?

A-1:
• Something the user knows
• Something the user has
• Something the user “is” (biometric)

Q-2: What two items are used by Office 365 for Contextual Authentication?

A-2: Phone and Time

13 | Microsoft Confidential

Lesson Review

Q-3: Define OTP?

A-3: Over the Phone.

Q-4: Why does Office 365 use phones to provide Active Authentication?

A-4: Phone duplication, phone number intercept, carried by all, and IT cost.


Considerations of Active Authentication

• Accounts that can use Active Authentication
• Supported applications
• Future supported features

Active Authentication: Supported vs. Non-supported

• Supported
  • Administrator and User accounts
    • User accounts can be configured with Active Authentication through the Azure AD Portal
  • Existing on-premises multi-factor authentication
• Not supported
  • Rich client applications
    • Outlook and Lync
    • MOP, Windows Intune and PowerShell Cmdlets
  • “Access denied” error received when using Lync-based IP phone

NOTE: Current non-supported features may be available in future releases

Active Authentication: Existing on-premises multi-factor authentication

• Existing on-premises multi-factor authentication is supported
  • Able to use on-premises multi-factor authentication to access Microsoft Cloud Services
• Cannot use the Active Authentication built into Windows Azure AD for federated admin accounts that use on-premises multi-factor authentication

Active Authentication: Phone Options

• Voice with mobile phone
  • A voice asks admin to press # to confirm
• Voice with office phone
  • A voice asks admin to press # to confirm
• SMS (default)
  • Text is sent to Mobile phone with instructions
• Phone application
  • A push notification is sent to the phone via an application

Active Authentication: Phone Application

• Title: Active Authentication Application
  • Formerly known as PhoneFactor
• Notifies you of a pending verification request by popping an alert on your mobile device
  • Tap Approve or Deny
• May require you to enter a passcode in the application

Active Authentication: Admin account Best Practice

• Leave one admin account with Active Authentication disabled.
  • Recommended: Should always have more than one admin account
• An Active Authentication disabled admin account is needed for:
  • Rich client applications, such as PowerShell
  • Backup account to modify/unlock Active Authentication enabled admin accounts

Lesson Review

Q-1: What type of account(s) can be configured for Active Authentication?

A-1: Administrator and User accounts

Q-2: List the non-supported applications.

A-2: Outlook, Lync, Windows Intune, PowerShell, Lync IP Phone.


Lesson Review

Q-3: What must be selected when confirming a voice call to your phone?

A-3: The # must be selected on your phone.

Q-4: True or false, at least one admin account should not use Active Authentication?

A-4: True. A non Active Authentication admin account can be used for password/phone management and PowerShell.


Configuration of Active Authentication

• Enable Active Authentication
• Disable Active Authentication

Enable/Disable Active Authentication: Portal

• Customers can only purchase and enable Active Authentication from Azure AD.
• There is a link from MOP to connect to Azure AD
• Once enablement is completed, customers can return to MOP by clicking a return arrow.
• Note: This training will be updated before GA with the necessary screenshots.

Activate Active Authentication: Portal

1. Access MOP
2. Click Users or User and Groups
3. Click Setup under “Set stronger verification requirements”
4. Choose the correct administrator group
5. Select account(s)
6. Click Enable
7. Click Yes in the “Enable multi-factor verification?” pop-up window.
8. Click Close to accept update notification.

De-activate Active Authentication: Portal

1. Access MOP
2. Click Users or User and Groups
3. Click Setup under “Set stronger verification requirements”
4. Choose the correct administrator group
5. Select account(s)
6. Click Disable

Configure Active Authentication: Setup

Admin must log in to configure their account for the first time.

1. Access MOP
2. Sign in with the recently enabled Active Authentication account
3. Click Set it up now

Activated Active Authentication: Select Primary Phone

3. Select phone type
4. Select Country or Region
   NOTE: Not all countries are listed at this time
5. Enter phone number
   • Select Text me instead of calling to enable SMS
   Note: Only Mobile Phone type enables the text option.

Activated Active Authentication: Select Backup Phone

6. Select phone type
7. Enter phone number
   • Select Text me instead of calling to enable SMS
8. Click Save

Activated Active Authentication: Verification

• Verify phone
  • Phone(s) will receive a call or text depending on the selection
  • Click # when prompted
  • Follow text instructions
• Click Close after verification is completed successfully and when prompted

Active Authentication: Phone Application - Activation

• Tenant Admin provides one of the following:
  • Activation Code
  • QR Code
  • URL
• Enter information into app or scan QR code
• Possible to activate multiple companies and accounts.

Lesson Review

Q-1: What should be selected in order to send a text message to a phone number?

A-1: Select Text me instead of calling to enable SMS.

Q-2: True or False, all countries are listed in the Select Country or Region field.

A-2: False, the countries are limited at this time.


Troubleshoot Active Authentication

• Disable Active Authentication from Admin reduced to User
• Additional phone numbers
• Verification issues

CAP Coding: CAP Issue codes

The following Issue Codes have been added to CAP to track MFA issues.
• Single Sign On\Two Factor Sign On Failed
• Single Sign On\Setting Up Two-Factor authentication
• Azure AD Multifactor Authentication
• Azure AD Multifactor Authentication Reset

Admin Reduced to User: Disable Active Authentication for User

If an Active Authentication Admin account is reduced to a User account, Active Authentication remains enabled for the account.
• Promote the user to Administrator role
• Disable Active Authentication from multi-factor authentication page
• Demote user back to User role
• KB: Removing multi-factor (Active Authentication) authentication for Administrator user account. (2834952)

Update Phone Settings: Primary and Backup Phone

1. Log into Portal
2. Click your user name at the top-right corner of the page and then click My profile.
3. Click Change additional security verification settings.
4. Under primary phone, type your phone number.
5. Click Save.

Recommended: Use mobile phone as primary phone
• KB: How to Add or Change multi-factor (Active Authentication) authentication security verification phone settings

No Response on Phone: No Call or Text Message

• Verify phone is cell or land line
  • IP phones not supported
• Try again using backup number
• Request admin disable Active Authentication
  • After Active Authentication is disabled, user can log in with user name and password
  • When Active Authentication is re-enabled, user must complete configuration process again
• KB: Administrator with multi-factor (Active Authentication) authentication enabled is not receiving text message or voice message that contains authentication code (2834956)

Password/Phone Reset: Password or Phone Reset

SE should follow the standard password reset policy and only reset account if there is one admin.
• Support must wait 72 hours to perform a password or phone reset if a phone reset has previously been requested.
• Follow KB article “How and when to reset multifactor authentication” (2846806) to submit a SWT request to reset the phone

Locked out: Only One Admin Account

SE should follow the standard password reset policy and only reset account if there is one admin.
• If additional admins, redirect customer to another admin
• If only one admin, escalate using SWT

Multiple Prompts During Configuration: Setup Does Not Complete

Customer is prompted multiple times during phone configuration
• Wait a few seconds then click browser refresh button

Error 0x800434D4L: PowerShell cmdlet error

Administrator with multi-factor authentication (Active Authentication) enabled is getting 0x800434D4L when trying to run Windows Azure Active Directory Module for Windows PowerShell cmdlets.
• Active Authentication does not support rich client applications at this time
• Use non Active Authentication enabled account to run PowerShell cmdlets
• KB: Administrator with multi-factor authentication (Active Authentication) enabled receives error 0x800434D4L when running Windows Azure Active Directory Module for Windows PowerShell cmdlets (2834958)

Federated Admins unable to use Active Authentication: with federated admin accounts

Federated admin accounts are not able to use Active Authentication at this time.
• Active Authentication may be enabled for a federated admin account
• Admin account is not re-directed to proof page to Add multi-factor (Active Authentication) authentication security verification phone settings
• KB: Removing Federated Administrator with multi-factor authentication (Active Authentication) enabled, never redirected to the proof page resulting in Active Authentication not being enforced for Federated administrator accounts. (2834962)

Account verification system is having trouble: Unable to provide Active Authentication verification

Administrator is receiving error message when trying to log in with Active Authentication enabled:
“Sorry, our account verification system is having trouble. This could be temporary, but if you see it again, you might want to contact your admin. User2WaySMSAuthFailedWrongCodeEntered 0”
• Verify correct code is entered
• Try backup or primary phone number.
• Disable, re-enable Active Authentication on affected account
• KB: Administrator with Active Authentication enabled receives message "User2WaySMSAuthFailedWrongCodeEntered 0". (2834963)

“We did not receive a response”: Active Authentication page times out

Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive a response. Please try again.”
• Customer did not receive Active Authentication request on phone
• User authentication failed due to duplicate request
• Verify phone numbers provided are correct
• KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.” (2834965)

“We did not receive the expected response”: Incorrect Active Authentication credentials provided

Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again.”
• User SMS authentication failed due to wrong SMS Code being entered.
• User Voice authentication failed due to phone being hung up prior to entering #
• Verify that correct SMS authentication code is being entered
• Try a different preconfigured phone number
• KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again.” (2834968)

“Unable to reach your phone”: Choose another option

Error: “We were unable to reach your phone. Please choose another verification option”
• User SMS voice authentication failed due to invalid phone extension
• User Voice authentication failed due to invalid phone number format
• Verify the correct phone number and extension are entered correctly
• Try a different preconfigured phone number
• KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.” (2834965)

“Unable to reach your phone”: Try again

Error: “We were unable to reach your phone. Please try again.”
• User Voice authentication failed because the provider could not send the call
• User Voice authentication failed because the provider could not send the SMS message
• Verify phone is working and service is available
• Try a different preconfigured phone number
• KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We were unable to reach your phone. Please try again.” (2834970)
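The phone-and-time factor described under Contextual Authentication, and the three verification messages covered in the troubleshooting slides above (“We did not receive a response”, “We did not receive the expected response”, “We were unable to reach your phone”), as an added illustration in Python. This is not Microsoft's implementation and was not part of the training: a small verifier sends a one-time code to the primary phone, falls back to the backup phone when the primary cannot be reached, accepts the code only inside a time window, and refuses a wrong, missing or already-used code. The 60-second timeout, 6-digit code, 3-attempt limit, the sample phone numbers and the PhoneGateway stub are all assumptions made for this example.

```python
"""Time-limited phone verification model (illustrative; not Microsoft's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """Results named after the messages quoted in the troubleshooting slides."""
    VERIFIED = "verified"
    NO_RESPONSE = "We did not receive a response. Please try again."
    WRONG_RESPONSE = "We did not receive the expected response. Please try again."
    UNREACHABLE = "We were unable to reach your phone. Please choose another verification option."


@dataclass
class Phone:
    number: str             # constructed sample numbers are used below
    kind: str               # "mobile" or "office"
    reachable: bool = True  # False simulates a bad extension or a carrier failure


class PhoneGateway:
    """Stub SMS/voice gateway: records each (number, code) instead of dialling."""
    def __init__(self):
        self.sent = []

    def send_code(self, phone, code):
        if not phone.reachable:
            return False
        self.sent.append((phone.number, code))
        return True


@dataclass
class Challenge:
    phone: Phone
    code: str
    issued_at: float
    timeout_s: float
    attempts_left: int = 3  # assumed attempt limit; the training states none


class SecondFactorVerifier:
    """Sends one-time codes to a phone and accepts them only inside a time window."""
    CODE_DIGITS = 6  # assumed code length

    def __init__(self, gateway, timeout_s=60.0, clock=time.monotonic):
        self.gateway, self.timeout_s, self.clock = gateway, timeout_s, clock

    def issue(self, phones):
        """Send a fresh random code to the first reachable phone (primary, then backup)."""
        for phone in phones:
            code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
            if self.gateway.send_code(phone, code):
                return Challenge(phone, code, self.clock(), self.timeout_s)
        return Outcome.UNREACHABLE  # no phone could be reached at all

    def verify(self, challenge, response):
        """Expired -> NO_RESPONSE; wrong, missing or already-used code -> WRONG_RESPONSE."""
        if self.clock() - challenge.issued_at > challenge.timeout_s:
            return Outcome.NO_RESPONSE
        if challenge.attempts_left <= 0:
            return Outcome.WRONG_RESPONSE
        challenge.attempts_left -= 1
        # Constant-time comparison: a wrong guess leaks nothing about the real code.
        if response is not None and hmac.compare_digest(response, challenge.code):
            challenge.attempts_left = 0  # codes are single use, so a replay is refused
            return Outcome.VERIFIED
        return Outcome.WRONG_RESPONSE


def run_scenarios():
    """Walk the outcomes from the troubleshooting slides with a hand-advanced clock."""
    clock = [0.0]  # fake clock so the timeout path runs instantly and offline
    gateway = PhoneGateway()
    verifier = SecondFactorVerifier(gateway, timeout_s=60.0, clock=lambda: clock[0])
    mobile = Phone("+1 555 0100", "mobile")  # constructed numbers
    office = Phone("+1 555 0199", "office")
    results = {}

    ch = verifier.issue([mobile, office])  # the code goes to the primary (mobile)
    results["correct_code"] = verifier.verify(ch, gateway.sent[-1][1])
    results["replayed_code"] = verifier.verify(ch, gateway.sent[-1][1])

    ch = verifier.issue([mobile, office])
    wrong = "000000" if gateway.sent[-1][1] != "000000" else "111111"
    results["wrong_code"] = verifier.verify(ch, wrong)

    ch = verifier.issue([mobile, office])
    clock[0] += 61  # the user answers after the window has closed
    results["late_code"] = verifier.verify(ch, gateway.sent[-1][1])

    mobile.reachable = False  # primary cannot be reached: fall back to the backup phone
    results["backup_used"] = verifier.issue([mobile, office]).phone.kind

    office.reachable = False  # neither phone can be reached
    results["unreachable"] = verifier.issue([mobile, office])
    return results
```

Calling run_scenarios() returns one Outcome per case: the correct code is accepted once and refused on replay, a wrong code and a late answer map to the two “did not receive” messages, an unreachable primary phone silently falls through to the backup phone, and only when no phone is reachable does the verifier report the “unable to reach your phone” condition. The hand-advanced clock is what makes the time factor testable without waiting.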

Module Summary

• Office 365 supports Active Authentication
• Only admin accounts can use Active Authentication
• Customer can use a mobile or office phone
• Voice or text can be sent to the phones
• Non-supported items
  • Rich client applications
  • Lync-based IP Phone


Assessment Questions

• Access the GCSLearn site and take the assessment
  • https://gcslearn.partners.extranet.microsoft.com/OnlineServices/BPOSS/Pages/continuing_edu.aspx
• Work alone
• Open book
  • You may use the courseware to assist in answering questions
• Time to complete: 10 questions – 10 minutes


Survey

Congratulations on completing the Active Authentication training. Please complete the 10-minute O365 Active Authentication Instruction Survey Form. The survey is anonymous, so please be as honest as possible. Your feedback is very valuable as we strive to make the material better for every delivery.


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.