Let us assume Reltic Data, Inc. wants to implement multi-factor authentication for Office 365 without using Active Directory Federation Services (AD FS). Their employees must use the corporate email address and complete multi-factor authentication to access the Microsoft Office 365 suite.
This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this. This example refers to the following user profiles:
Susan: An administrator of Reltic Data, Inc.
Sam: An employee of Reltic Data, Inc.
Susan, the administrator, needs to enforce multi-factor authentication with the Card and Email OTP methods for Office 365. After multi-factor authentication is implemented, Sam, the employee, needs to authenticate with both methods to access Office 365.
Ensure that you meet the following prerequisites:
The Advanced Authentication server is installed. For more information, see Installing Advanced Authentication.
Add the Active Directory of Reltic Data, Inc. as a repository in Advanced Authentication; the user details used for validation are fetched from this repository. For more information, see Adding a Repository.
Download Office 365 SAML metadata from Microsoft Online Service.
Identify and obtain suitable contactless card readers and cards for employees. The employee uses the card to enroll and authenticate to Office 365. For more information, see Supported Card Readers and Cards.
The Advanced Authentication Device Service is installed on the workstation. For more information, see Installing and Upgrading Device Service.
Susan, the administrator, needs to perform the following tasks:
Perform the following steps to create a chain with Card and Email OTP methods:
Click Chains > New Chain in the Advanced Authentication Administration portal.
Specify the following details:
Field | Action
---|---
Name | Specify the name for the chain. NOTE: Ensure that you remember the name of the chain for further use. In this example, we named the chain Card+ Email OTP.
Methods | Select the Card and Email OTP methods to add to the chain.
Click Save.
Click Events > New Event to add a new event.
Specify the following details:
Field | Action
---|---
Name | Specify a name for the event.
Event type | Select SAML2.
Chains | Select the required chains. In this example, we select Card+ Email OTP.
In Upload SP SAML 2.0 metadata file, click Choose File and upload the saved XML file.
Set Send Immutable Id (User object Id) as Name ID (required for Microsoft Office 365) to ON.
Click Save.
Policies contain configuration settings for the Advanced Authentication methods, events, and so on. Perform the following steps to configure the policy:
Click Policies > Web Authentication.
Specify a valid DNS name of an Advanced Authentication server in the Identity Provider URL field.
For example, https://caf.realticsol.cf/
Click Save.
Click Policies > Mail sender to configure the Email OTP method.
Specify the following details:
Field | Action
---|---
Host | Specify the outgoing mail server name.
Port | Specify the port number.
Username | Specify the username of an account that is used to send the authentication email messages.
Password | Specify the password for the specified account.
Sender email | Specify the email address of the sender.
Click Save.
Open Server Options.
Click Signing Certificate.
Copy the certificate content and save it for further use.
To enable single sign-on to Office 365, perform the following tasks:
Log in to the domain-joined computer where you have installed the following components:
Microsoft Online Services Sign-in Assistant.
Microsoft Azure Active Directory Module for Windows PowerShell.
Azure AD Connect tool.
Launch Azure AD Connect on the domain-joined computer.
In Express Settings, click Use express settings.
In User Sign-in, select Do not Configure.
Click Next.
Specify the Azure AD global administrator credentials in Connect to Azure AD.
Click Next.
In Identifying users, select Choose a specific attribute.
Select objectGUID.
Verify the Active Directory synchronization and activate the Office 365 licensing for the synchronized but still unlicensed user.
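One way to verify the synchronization described above, as an added example that is not part of the original documentation: with objectGUID as the source anchor, Azure AD Connect stores the Base64 encoding of the objectGUID bytes as the user's ImmutableId, which is also the value Advanced Authentication sends as the Name ID. The function below recomputes that value from on-premises AD and compares it with the cloud user. It assumes the ActiveDirectory and MSOnline modules are loaded, Connect-MsolService has already been run, and the account names are placeholders.

```powershell
# Added example, not from the Advanced Authentication documentation.
# Assumes: ActiveDirectory and MSOnline modules loaded, Connect-MsolService already run,
# and Azure AD Connect configured with objectGUID as the source anchor.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Guid.ToByteArray() yields the byte order Azure AD Connect encodes into ImmutableId.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-SyncedUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,    # on-premises account, e.g. 'sam' (placeholder)
        [Parameter(Mandatory)][string]$UserPrincipalName  # cloud UPN, e.g. 'sam@realticsol.cf' (placeholder)
    )
    $adUser   = Get-ADUser -Identity $SamAccountName -Properties objectGUID
    $expected = Get-ExpectedImmutableId -ObjectGuid $adUser.ObjectGUID
    $msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName

    # IdMatches must be $true before federating the domain; otherwise the SAML
    # Name ID sent by Advanced Authentication will not resolve to this cloud user.
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        ObjectGuid        = $adUser.ObjectGUID
        ExpectedId        = $expected
        CloudImmutableId  = $msolUser.ImmutableId
        IdMatches         = ($msolUser.ImmutableId -eq $expected)
        IsLicensed        = $msolUser.IsLicensed
    }
}

# Example use (placeholder names):
# Test-SyncedUser -SamAccountName 'sam' -UserPrincipalName 'sam@realticsol.cf'
```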
Launch Windows PowerShell.
Run the following command to connect to your Office 365 tenant:
Connect-MsolService
Specify the tenant administrator credentials of your Office 365 domain.
Click Sign in.
Run the following command to verify whether your Office 365 domain is federated:
Get-MsolDomain -DomainName samplecompany.com
In this example, Get-MsolDomain -DomainName realticsol.com
If the authentication type of your Office 365 domain is set to Federated, you must convert the authentication type to Managed using the following command:
Set-MsolDomainAuthentication -DomainName realticsol.com -Authentication Managed
Run the following commands:
$dom="fully_qualified_domain_name"
In this example, $dom="realticsol.cf".
$uri="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/metadata"
In this example, $uri="https://caf.realticsol.cf/osp/a/TOP/auth/saml2/metadata"
$url="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/sso"
In this example, $url="https://caf.realticsol.cf/osp/a/TOP/auth/saml2/sso"
$logoutUrl="https://AdvancedAuthenticationServerAddress/osp/a/TOP/auth/saml2/slo"
In this example, $logoutUrl="https://caf.realticsol.cf/osp/a/TOP/auth/saml2/slo"
$protocol="SAMLP"
$cert="<paste the signing certificate copied from Server Options of Advanced Authentication>"
Run the following command to convert your Office 365 domain to Federated authentication:
Set-MsolDomainAuthentication -DomainName $dom -Authentication Federated -PassiveLogOnUri $url -IssuerUri $uri -LogOffUri $logoutUrl -PreferredAuthenticationProtocol $protocol -SigningCertificate $cert
Run the following command to verify the federation settings of your Office 365 domain:
Get-MsolDomainFederationSettings -DomainName samplecompany.com
In this example, Get-MsolDomainFederationSettings -DomainName realticsol.cf
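The federation procedure above, gathered into one function as an added example (not code from the Advanced Authentication documentation). It normalizes the saved signing certificate to the bare Base64 form that Set-MsolDomainAuthentication expects, converts an already federated domain back to Managed first, applies the Advanced Authentication endpoints, and reads the settings back to confirm each value. It assumes Connect-MsolService has already been run and that the certificate copied from Server Options was saved to a file (PEM with header lines or bare Base64; the path is a placeholder).

```powershell
# Added example, not from the Advanced Authentication documentation.
# Assumes: Connect-MsolService already run; the signing certificate from
# Server Options > Signing Certificate saved to $CertPath (placeholder path).
function Get-SigningCertificateBase64 {
    param([Parameter(Mandatory)][string]$CertPath)
    # Azure AD wants the bare Base64 DER: drop PEM armor lines and all whitespace,
    # then parse the result so a truncated or mangled paste fails here, not at sign-in.
    $lines = (Get-Content -Path $CertPath) -notmatch '-----(BEGIN|END) CERTIFICATE-----'
    $b64   = ($lines -join '') -replace '\s', ''
    $null  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    return $b64
}

function Set-AdvAuthFederation {
    param(
        [Parameter(Mandatory)][string]$Domain,    # e.g. 'realticsol.cf'
        [Parameter(Mandatory)][string]$AaServer,  # e.g. 'caf.realticsol.cf'
        [Parameter(Mandatory)][string]$CertPath
    )
    $base      = "https://$AaServer/osp/a/TOP/auth/saml2"
    $issuerUri = "$base/metadata"
    $ssoUrl    = "$base/sso"
    $logoutUrl = "$base/slo"
    $cert      = Get-SigningCertificateBase64 -CertPath $CertPath

    # A domain that is already Federated (for example to AD FS) must go back to Managed first.
    if ((Get-MsolDomain -DomainName $Domain).Authentication -eq 'Federated') {
        Set-MsolDomainAuthentication -DomainName $Domain -Authentication Managed
    }

    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated `
        -PassiveLogOnUri $ssoUrl -IssuerUri $issuerUri -LogOffUri $logoutUrl `
        -PreferredAuthenticationProtocol SAMLP -SigningCertificate $cert

    # Read the settings back and compare every value so a typo is caught now.
    $fs = Get-MsolDomainFederationSettings -DomainName $Domain
    [pscustomobject]@{
        Domain            = $Domain
        PassiveLogOnUriOk = ($fs.PassiveLogOnUri -eq $ssoUrl)
        IssuerUriOk       = ($fs.IssuerUri -eq $issuerUri)
        LogOffUriOk       = ($fs.LogOffUri -eq $logoutUrl)
        ProtocolOk        = ("$($fs.PreferredAuthenticationProtocol)" -eq 'Samlp')
        CertificateOk     = ($fs.SigningCertificate -eq $cert)
    }
}

# Example use (values from this section; the certificate path is a placeholder):
# Set-AdvAuthFederation -Domain 'realticsol.cf' -AaServer 'caf.realticsol.cf' -CertPath 'C:\aa-signing.cer'
```

Every *Ok field should be $true; if CertificateOk is $false, re-copy the certificate from Server Options, since a signature that Office 365 cannot verify locks out every user of the domain.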
Sam, the employee, must perform the following actions to access Office 365.
NOTE: The Email OTP method enrolls automatically. If you need to enroll with another email ID, see Email OTP.
Before enrolling the Card authenticator, ensure that the card reader is connected to the computer.
Log in to the Advanced Authentication Self-Service portal.
Click the Card icon in Add Authenticator.
A message Click "Save" to begin is displayed.
(Optional) Specify a comment related to the Card authenticator in Comment.
(Optional) Select the preferred category in Category.
Click Save.
A message Waiting for the card is displayed.
Tap a card on the reader.
A message Authenticator "Card" has been added is displayed.
Launch http://office.com/.
Click Sign In.
Specify the email address of the Office 365 account.
The page redirects to the Advanced Authentication server authentication screen.
NOTE: Ensure the card reader is plugged into the workstation.
Tap the card on the reader.
Check your email. You will receive an email containing an OTP.
Specify the OTP from the email in Password.
Click Login.