ra2 studio - Fotolia


Configure Azure MFA to access Office 365 from anywhere

If end users want access to Office 365 and Exchange from anywhere, Azure Multi-Factor Authentication service is the answer.

Consumers and businesses are more aware than ever of the dangers of unauthorized access to data stored in cloud services and on-premises IT systems. With on-premises systems, an easy way to ensure no one outside the organization can access data is to not publish it to the Internet. However, cloud-based services such as Office 365 are accessible from the Internet, and some of the key benefits include allowing access from anywhere. Those factors make it more difficult to guarantee security.

If you want to give end users access to systems from anywhere, Azure Multi-Factor Authentication (MFA) services are worth looking into. Multifactor authentication means that, in addition to your normal password, you must provide another credential to which only you have access. This was traditionally a dedicated token, but now it's often a code received via text message or an app installed on a mobile device.

Azure MFA is included for free in Office 365; admins can protect other services with the addition of Azure AD Premium, including on-premises systems.

This tip looks at how to enable Office 365 multifactor authentication, and walks through the setup and access process. It also explores the Azure MFA server for on-premises applications and shows how, when used with Web Application Proxy, it can require external users to use multifactor authentication for sign-in.

Enable Office 365 multifactor authentication

To enable multifactor authentication, log in to the Office 365 portal and navigate to Users > Active Users. Then select Set up within Set Multi-Factor Authentication requirements (Figure 1).

Office 365 portal and MFA
Log in to the Office 365 portal to enable MFA and set up requirements.

You'll be redirected to the Office 365-branded Azure Active Directory MFA page. Select the users who need MFA and then choose Enable (Figure 2).

Enable MFA for users
After redirecting to the Azure AD MFA page, select the users who need MFA enabled.

That's all an admin needs to do, but those users will need to log in to an Office 365 service with a Web browser or visit the MFA setup page.

User setup and configuration

During the next login for cloud IDs and Active Directory Federation Services (ADFS) IDs, users will see the message: "Your admin has required that you set up this account for additional security verification." Users will be prompted to choose Set it up now and continue with MFA setup.

Users will then be presented with three options for the second way to prove who they are at each login -- a mobile phone text message or a call to an office phone or a mobile app. For this example, choose Mobile App from the list.

After choosing the mobile app method, download the Azure MFA application for Android, Windows Phone or iPhone; the app is named PhoneFactor in each platform's app store. After launching the app, users will be prompted to Scan Barcode and link the app to the QR code shown on the MFA setup page (Figure 3).

PhoneFactor setup page
The app, PhoneFactor, will prompt users to scan a barcode to link to the setup page.

After configuring the app, users need to generate something called app passwords. Because the desktop versions of Outlook and Lync don't support MFA, we generate a secure code that can only be entered into the app. Users will choose Generate App Password and note the secure code ready to enter when prompted by the desktop client.

experience

At sign-in from now on, users will need their second factor for authentication; in our case, this is the mobile phone. Login begins by signing in with a username and password. Then, users will be informed they need to perform another step. For SMS or phone call verification, they'll need to enter a code. If they chose to use the app, they will be informed that a push notification has been sent to the device (Figure 4).

Azure MFA app push notification
Users will be informed of a push notification if they choose the app as their second factor.

An alert will then show on the device, and once users select it, it will launch the Azure MFA app. Users will then see three prompts: confirm that it's a valid request, cancel, or report the operation as fraudulent to Microsoft (Figure 5).

Azure MFA app alert
You'll see an alert that leads to three prompts in the Azure MFA app.

Setting up Office 365 is easy and it works with almost any phone users have access to. The only caveat is the app passwords; however, Microsoft may make desktop Office apps fully compatible with this service.

Extend functionality to on-premises apps

If you purchase the add-on Azure AD Premium service, you can immediately extend the usage of the cloud-based Azure MFA to other services that use Azure login credentials, such as Azure Remote App.

As an admin, you can also install the Azure Multi-Factor Authentication server, an on-premises application that links to Azure in the cloud and extends the functionality to on-premises applications, including ones that use ADFS, IIS and Radius servers. Although the full installation process is too deep for this article, we'll quickly demonstrate how simple it is to protect Web-based applications.

After installing the MFA server, you can protect a number of applications. For this example, we'll protect ADFS and use the MFA server's built-in package to install the ADFS adapter (Figure 6).

Open the ADFS Management Console to see WindowsAzureMultiFactorAuthentication listed in the global settings within Authentication Policies.

If we enable it globally and have Office 365 using ADFS, it will cause issues. But we can enable it for Exchange Outlook Web App published through Web Application Proxy by selecting the Exchange relying trust within Authentication Policies > Per Relying Party Trust (Figure 7).

Select Exchange relying trust
You can globally enable Azure MFA through the ADFS Management Console.

Select who needs to use MFA, such as External users. This will prompt only users accessing OWA externally though Web Application Proxy.

This requires no configuration within Exchange and could be extended to any application published externally using Web Application Proxy's pre-authentication features. Another example is to pre-authenticate access to radius-compliant services like VPN or Remote Desktop Gateway.

About the author: 
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and [email protected]

Dig Deeper on Office 365 and Microsoft SaaS setup and management