WMUG @wmug
Presented by Maurice Daly & Terence Beggs
About The Presenters: Maurice Daly
Working in IT for the past 17 years. Currently working as an in-house Systems Admin. Background in consultancy for 5 years and System Admin roles for the past 10 years. Working with a wide scope of technologies including Hyper-V, SCCM, Office 365, Azure, Group Policy and Windows Server.
• Blog - https://modalyitblog.wordpress.com/
• Twitter - @modaly_it
About The Presenters: Terence Beggs
Moved to London in 2000 from Dublin to study for a degree in Computer Science and never left. Started my professional career in application packaging and moved on to enterprise management, mainly focusing on SCCM, VMware, Group Policy and Anti-Virus management.
• Twitter - @terencebeggs
Who Here Is Using Multi-Factor Authentication?
Gartner Magic Quadrant – User Authentication: What's Happened Over The Last 5 Years…
• Nordic Edge acquired by Intel in 2011; discontinued in 2015
• RSA SecurID hacked in 2011
Gartner Magic Quadrant – IDaaS 2014 - 2016
A Brief History of Azure MFA Server
• Originally developed by PhoneFactor, established in 2001
• Hybrid solution using a hosted authentication server and a local server instance to authenticate users against AD, LDAP & RADIUS servers
• Microsoft acquired PhoneFactor in 2012 for an undisclosed figure
• General availability of Azure MFA - 26/09/2013
• Azure / Office 365 / Dynamics CRM support (in cloud)
• On-Premise
• SDK availability
Why Should I Use Azure MFA? (Caution: May Contain Marketing Info)
• No devices or user certificates to purchase, provision, and maintain
• No end user training is required
• Users replace their own lost or broken phones
• Users manage their own authentication methods and phone numbers
• Integrates with existing directory for centralized user management and automated enrollment
Why Should I Use Azure MFA? (Caution: May Contain Marketing Info)
• Works with all leading on-premises applications
• Supports ADFS and SAML-based apps for federation to the cloud
• Built into Microsoft Azure Active Directory for use with cloud apps
• SDK for integration with custom apps and directories
• Reliable, scalable service supports high-volume, mission-critical scenarios
Why Should I Use Azure MFA? (Caution: May Contain Marketing Info)
• Strong multi-factor authentication
• Real-Time Fraud Alert
• PIN option
• Reporting and logging for auditing
• Enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements
So... How Does Azure MFA Server (On-Premise) Work?
1. Users sign in from any device using their existing username/password.
2. Users must also authenticate using their phone or mobile device before access is granted.
So... How Does Azure MFA Server (On-Premise) Work?
1. Employee accesses MFA protected resource(s)
2. MFA server receives auth token
3. MFA server authenticates against LDAP/AD/RADIUS
4. Authentication Approved / Rejected
5. MFA Authentication signal to Azure
6. Push notification / SMS / Call / OATH issued to Employee
7. Input from Employee
8. Approve / Reject to local MFA Server
9. Approve / Reject
Office 365 MFA vs Azure MFA Server
The slide compares MFA for Office 365/Azure Administrators against Azure Multi-Factor Authentication across the following features (each marked "Yes" on the slide):
• Administrators can Enable/Enforce MFA to end-users
• Use Mobile app (online and OTP) as second authentication factor
• Use Phone call as second authentication factor
• Use SMS as second authentication factor
• Application passwords for non-browser clients (e.g. Outlook, Lync)
• Default Microsoft greetings during authentication phone calls
• Suspend MFA from known devices
• Custom greetings during authentication phone calls
• Fraud alert
• MFA SDK
• Security Reports
• MFA for on-premises applications / MFA Server
• One-Time Bypass
• Block/Unblock Users
• Customizable caller ID for authentication phone calls
• Event Confirmation
• Trusted IPs
Office 365 Modern Authentication
Modern authentication brings Active Directory Authentication Library (ADAL)-based sign-in to Office client apps across platforms.

Office client application | Windows | Mac OS X | Windows Phone | iOS | Android
Office clients | Available now for Office 2013 and Office 2016. | Office 2016 Mac Preview supports ADAL, including Word, Excel, PowerPoint and OneNote. | Available now; released with ADAL in 2014. | Word, Excel and PowerPoint are available now. | For Android phones: Word, Excel and PowerPoint are available now. For Android tablets: Word, Excel and PowerPoint are coming soon.
Skype for Business (formerly Lync) | Included in Office client. | In Preview. | Coming soon. | Available now*. |
Outlook | Included in Office client. | Available now. | Coming soon. | Available now. |
OneDrive for Business | Included in Office client. OneDrive for Business Sync is TBD. | | Available now for Windows Phone 8.1. | OneDrive for Business is available now. | OneDrive for Business is available now.
Legacy clients | There are no plans for Office 2010 or Office 2007 to support ADAL-based authentication. | There are no plans for Office for Mac 2011 to support ADAL-based authentication. | There are no plans for Office on Windows Phone 7 to support ADAL-based authentication. | There are no plans to enable older Outlook iOS clients. | There are no plans to enable older Outlook Android clients.
What Authentication Methods Are Available?
• Mobile Apps / Tokens: Mobile App (iOS / Android / Windows Phone), OATH Token
• Phone Call: "Thank you for using Microsoft sign in..."
• Text Message: One-Way OTP, Two-Way OTP, One/Two-Way OTP + PIN
Security – Where To Place Your MFA Server
1. Azure VM: Place your Azure MFA Server on your production LAN, install the User / Mobile Web App portal on a machine running inside the Azure Cloud and use Azure Site to Site VPN.
Diagram: Corporate Network (Azure MFA Server) – Corporate Firewall – Azure Site to Site VPN (SSL port 443 & 4898) – Perimeter Firewall – Public Networks (SSL port 443)
Security – Where To Place Your MFA Server
2. DMZ: Place your Azure MFA Server on your production LAN and install the User / Mobile Web App portal on a machine within a DMZ.
Diagram: Corporate Network (Azure MFA Server) – Corporate Firewall (SSL port 443 & 4898) – DMZ (portal) – Perimeter Firewall – Public Networks (SSL port 443)
Security – Where To Place Your MFA Server
3. Reverse Proxy: Place all Azure MFA Server services on a machine on your corporate network and publish via a reverse proxy appliance.
Diagram: Corporate Network (all MFA services, SSL port 443 & 4898) – Corporate Firewall – DMZ (Reverse Proxy Appliances) – Perimeter Firewall – Public Networks (SSL port 443)
Before Installing Azure MFA Server
Pre-Requisites
KB2919355 is a pre-requisite on Server 2012 R2: https://support.microsoft.com/kb/2919355
The updates must be installed in the following order: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018.
Other Pre-Requisites
• IIS
• .NET Framework 4.5
• Trusted External CA Certificate
Known Limitations
• RDP authentication does not currently work with Windows Server 2012 R2
Installing Azure MFA Server – Demo
• Adding Multifactor Authentication to your Azure Portal
• Downloading the Azure MFA Server component
• Installing required IIS components
• Installing the Mobile App IIS optional component
• Adding the Mobile App URL
• Launching the End User Portal
• Editing the End User web.config IIS configuration files
• Setting up Active Directory OU/User Sync
• Setting up a Replication / Backup MFA Server
Deployment Notes
• When using RADIUS authentication each MFA server can only use a single target if forwarding the request
• WebServiceSDK must be accessible via HTTPS for both the User and Mobile portals and specified in the web.config of both portals
• Site branding can be modified by editing the following section of the user portal web.config file: <pages theme="Default" controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
• Themes are located in the following location: C:\inetpub\wwwroot\MultiFactorAuth\App_Themes
• Third party OATH tokens must be imported in Base32 format
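Vendors usually ship OATH token seeds as hex, while the deployment note above (and the OATH Token method on the authentication methods slide) requires Base32 at import. The following is an added example, not code from the slides or from Azure MFA Server: it converts a hex seed to Base32 and verifies the conversion by computing RFC 6238 TOTP codes, so a mismatched seed is caught before the token is handed to a user. The sample seed is the RFC 6238 reference seed, constructed here, not a real token.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 reference seed ("12345678901234567890" as
# ASCII), written as the hex string a token vendor would typically supply.
SAMPLE_HEX_SEED = "3132333435363738393031323334353637383930"


def hex_seed_to_base32(hex_seed: str) -> str:
    """Convert a vendor-supplied hex OATH seed to the Base32 form used at import."""
    raw = bytes.fromhex(hex_seed.strip())
    # Base32 without '=' padding, the form OATH import files commonly accept.
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def totp(base32_seed: str, for_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) so the Base32 seed can be checked against the token display."""
    # Restore '=' padding before decoding; Base32 decoders require it.
    padded = base32_seed + "=" * (-len(base32_seed) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seed_matches_token(hex_seed: str, displayed_code: str, now: int, window: int = 1) -> bool:
    """True if the converted seed reproduces displayed_code within +/- window time steps."""
    b32 = hex_seed_to_base32(hex_seed)
    return any(totp(b32, now + 30 * d) == displayed_code for d in range(-window, window + 1))


if __name__ == "__main__":
    b32 = hex_seed_to_base32(SAMPLE_HEX_SEED)
    print("Base32 seed for import:", b32)
    print("Current code for this seed:", totp(b32, int(time.time())))
```

Compare the printed code with the hardware token's display before importing; a mismatch means the seed, its encoding, or the token's clock is wrong.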
Common Helpdesk Scenarios & Reporting - Demo
• End-user loses their phone and needs to access the corporate network
  1. Using the self-service user portal
  2. Changing user authentication methods
  3. Adding / Changing contact numbers
• Testing authentication with end users
• Blocking access to corporate resources
• Reporting on user activity via the Azure MFA admin portal
Useful Resources
• Microsoft Azure MFA Installation Docs: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-portal/
• Firewall Requirements: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server/
• Azure Active Directory PS with Modern Authentication: https://connect.microsoft.com/site1164/content.aspx?ContentID=32016
Questions & Answers