Office 365 2FA?

Soldato
Joined
30 Sep 2005
Posts
16,549
Hi all,

Has anyone enabled 2FA for their Office365 users?

My main two questions really are:

1. If a hacker has managed to get hold of a user's username and password, what is to stop them inputting their own mobile number to receive the code?

2. Can you customize the setup form to only allow the user's mobile number which is stored in AD (therefore preventing the issue in Q1)?

Anything else to think about?

We have users at work who keep filling in their username and passwords into spam sites. Unfortunately a small number get through exchange, and of those a small few have links which get through our firewall. Between the time an email goes around the company and the time our firewall team can block the link 20 or so users have filled in the form!

Thanks!!
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
I have only enabled for admin users via the Authentication app.

As for the mobile numbers, these are predefined when enabling aren't they?

No, unless I'm missing something there's bugger all options (surprise, surprise). It's basically on or off.

When I turn it on, next time I log in it asks me for my mobile number so it can send a text
 
Soldato
Joined
5 Nov 2010
Posts
23,953
Location
Hertfordshire
No, unless I'm missing something there's bugger all options (surprise, surprise). It's basically on or off.

When I turn it on, next time I log in it asks me for my mobile number so it can send a text

IIRC the first time you use it you have to set the mobile number, but from then on it should only work with that number unless it gets reset via an admin option.

Been a while since I've looked at it to be fair, as I said, I just use the app on admin accounts.
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
IIRC the first time you use it you have to set the mobile number, but from then on it should only work with that number unless it gets reset via an admin option.

Been a while since I've looked at it to be fair, as I said, I just use the app on admin accounts.

Ah I see, I understand there is an extra paid-for version of MFA so I may look into that

Next thing I want to do is link it into our RDS platform you see so I'm going to have to stump up the money either way

Thanks!!
 
Soldato
Joined
15 Sep 2009
Posts
2,895
Location
Manchester
We utilise ADFS with DUO as our 2FA - we allow them to send a DUO push which is on the mobile application. They'd have to get the physical device enrolled in DUO to get the secondary authentication.
 
Associate
Joined
6 Oct 2006
Posts
375
Location
Luton
I have enabled it for some users and will be rolling it out to others, although we are using conditional access with MFA using the authenticator app. Conditional access is part of Azure AD Premium P1 which we get as part of EMS E3. It all works really well.

The first time they log in (in our case only externally to the portal website - using conditional access), they get asked to set up the information needed for 2FA, the primary method being the authenticator app. Once the app is set up, we ask them to update the other information in their 'additional security verification' settings, so text etc. can be used. Users can update this information themselves once they have logged in if needed.
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
Just got pricing for Premium P1. In my mind, if staff are clicking on spam links or being careless with their passwords anyone could login to our RDS platform and steal/encrypt data (gdpr issue?)

I also notice P1 comes with writeback and self-service. Does this have a Windows 10 plugin to have the "forgot password" link underneath the password login box? We have a third party solution at the minute, but could cancel that in favour of Azure.
 
Caporegime
Joined
18 Oct 2002
Posts
26,095
Buy Azure AD Premium licenses and use conditional access policies. Gives you a ton more flexibility over how it's deployed, and you can e.g. mandate certain cloud applications always require MFA, while others only need it when authenticating outside of your office network.

Also disable the option for people to forward their email, and don't let anybody grant third-party apps permission to their Office 365 data.

Self-service password reset (with writeback if necessary) can be user-initiated from another device, I am not sure it's integrated with Windows 10, though improvements in that area are meant to be on the way.
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
It looks like this is a lot more complex than I first thought:

Turned on 2FA for my account, Outlook 2016 stopped working. You have to enable a global Exchange Online setting (OAuth2ClientProfileEnabled:$true). The issue however is that once this setting is set, all users are unable to use Outlook lol. They get prompted for their password but it never works, even though they are not enabled for 2FA. Joy!

What steps did you all take on this?
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
Another niggle, I noticed a few have enabled 2FA for admins......yet when I tried, it stops you from using PowerShell commands to connect to Azure/O365/Exchange Online
 
Soldato
Joined
5 Nov 2010
Posts
23,953
Location
Hertfordshire
Another niggle, I noticed a few have enabled 2FA for admins......yet when I tried, it stops you from using PowerShell commands to connect to Azure/O365/Exchange Online

You'll need to use the new Microsoft Exchange Online PS Module and connect via:

Connect-EXOPSSession -UserPrincipalName <UPN>

For anything specifically AzureAD related, I use the AzureAD V2 Module: https://www.powershellgallery.com/packages/AzureAD/2.0.0.71
 
Soldato
Joined
5 Nov 2010
Posts
23,953
Location
Hertfordshire
It looks like this is a lot more complex than I first thought:

Turned on 2FA for my account, Outlook 2016 stopped working. You have to enable a global Exchange Online setting (OAuth2ClientProfileEnabled:$true). The issue however is that once this setting is set, all users are unable to use Outlook lol. They get prompted for their password but it never works, even though they are not enabled for 2FA. Joy!

What steps did you all take on this?

There's an annoying issue with Outlook regarding an authentication method looping. Create this registry change as a test:

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]

"DisableADALatopWAMOverride"=dword:00000001
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
Thanks!!

I've been having a bit of a nightmare. Read the white paper for the RDS Azure 2FA plugin which said to install it on your existing NPS infrastructure (not rds). Did what it said and everything broke!!!!

Looking through the logs, and googling the error, it seems Microsoft are wrong and you need to use standalone NPS servers for RDS as the dll library files don't play nice with other things like our wireless setup.

https://social.msdn.microsoft.com/F...l-file?forum=windowsazureactiveauthentication

Question going back to O365 2FA...........what's to stop a hacker logging in and using their own mobile number to get the verification code?

As mentioned here: https://feedback.azure.com/forums/1...-azure-ad-sync-to-prepopulate-the-authenticat
 
Soldato
Joined
30 Jan 2009
Posts
17,187
Location
Aquilonem Londinensi
I did some contracting for a firm that had MFA enabled for their O365 accounts. When my contract was up, my account was of course disabled but my Outlook app (android) continued to function for about two weeks... It was signed in with the MFA app password. Didn't seem too secure tbh, might just be their lazy setup though.
 
Soldato
Joined
18 Oct 2002
Posts
8,121
Location
The Land of Roundabouts
Modern auth goes under the radar very easily, it's on by default in newer tenancies IIRC but if you've been around for a while it's very easy to have missed that one, and it's only a very small step in setting up MFA!


Question going back to O365 2FA...........what's to stop a hacker logging in and using their own mobile number to get the verification code?

As mentioned here: https://feedback.azure.com/forums/1...-azure-ad-sync-to-prepopulate-the-authenticat

I thought that as well, seems a bit of a weak point! So I enabled MFA on a set of users then emailed them straight away to get them to set up the MFA rather than wait for them to happen across it.

I did some contracting for a firm that had MFA enabled for their O365 accounts. When my contract was up, my account was of course disabled but my Outlook app (android) continued to function for about two weeks... It was signed in with the MFA app password. Didn't seem too secure tbh, might just be their lazy setup though.

Apps are a bit of a weird one, they use cached tokens that expire after a period rather than authentication per se (or something along those lines?), even ActiveSync would work for a period after a password reset.
I may need to test this for my own learning, usually we disable accounts as well as resetting the password. I wouldn't expect anything to work 2 weeks after an account was disabled. But I'm learning 365 is anything but clear cut/logical!
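An added PowerShell audit to go with the two points raised above (the Exchange Online module and OAuth2ClientProfileEnabled setting, and users who are MFA-enabled but have never registered a method, so the first person to sign in with a valid password picks the phone number). This is example code, not from any post in the thread; it assumes the MSOnline module is installed alongside the Exchange Online module, that you run it from an admin account, and admin@example.com is a placeholder UPN.

```powershell
# Added example (not from the thread): audit the state of an Office 365 MFA rollout.
# Assumes the Exchange Online PS module named earlier in the thread and the MSOnline
# module (Install-Module MSOnline) are installed, run from an admin account.

# 1. Connect with MFA-capable sessions (both cmdlets prompt interactively).
Connect-EXOPSSession -UserPrincipalName 'admin@example.com'   # placeholder UPN
Connect-MsolService

# 2. Modern auth must be on tenant-wide, otherwise Outlook 2016 cannot complete
#    an MFA sign-in (the symptom described earlier in the thread).
$orgConfig = Get-OrganizationConfig
if (-not $orgConfig.OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern auth (OAuth2ClientProfileEnabled) is OFF; Outlook + MFA will fail.'
    # Set-OrganizationConfig -OAuth2ClientProfileEnabled $true   # uncomment to enable
}

# 3. Build a report of every user with an MFA requirement (Enabled or Enforced)
#    and whether they have actually registered a verification method yet.
$report = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    ForEach-Object {
        $methods = $_.StrongAuthenticationMethods
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = $_.StrongAuthenticationRequirements[0].State
            Registered        = ($methods.Count -gt 0)
            DefaultMethod     = ($methods | Where-Object IsDefault).MethodType
        }
    }

# 4. Users who still need chasing: MFA required, nothing registered. Until they
#    register, the account is the weak point discussed in the thread.
$unregistered = $report | Where-Object { -not $_.Registered }
$unregistered | Format-Table -AutoSize
$unregistered | Export-Csv -Path '.\mfa-unregistered.csv' -NoTypeInformation
```

Re-run it after the "please register now" email to confirm the list shrinks to zero before moving users from Enabled to Enforced.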
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,549
Thanks everyone.....really helpful.

I wasn't under any impression that this was going to be easy. I've allocated myself a good few months to get this working properly inc testing everything and ensuring all users are registered.

The RDS stuff for example requires an additional two servers for the plugins for starters lol
 