Office 365 2FA?

Soldato
Joined
30 Sep 2005
Posts
16,736
Hi all,

Has anyone enabled 2FA for their Office365 users?

My main two questions really are:

1. If a hacker has managed to get hold of a user's username and password, what is to stop them inputting their own mobile number to receive the code?

2. Can you customize the setup form to only allow the user's mobile number which is stored in AD (therefore preventing the issue in Q1)?

anything else to think about?

We have users at work who keep filling in their username and passwords into spam sites. Unfortunately a small number get through exchange, and of those a small few have links which get through our firewall. Between the time an email goes around the company and the time our firewall team can block the link 20 or so users have filled in the form!

Thanks!!
 
I have only enabled for admin users via the Authentication app.

As for the mobile numbers, these are predefined when enabling aren't they?

No, unless I'm missing something there's bugger all options (surprise, surprise). It's basically on or off.

When I turn it on, next time I login it asks me for my mobile number so it can send a txt
 
IIRC the first time you use it you have to set the mobile number, but from then on it should only work with that number unless it gets reset via an admin option.

Been a while since I've looked at it to be fair, as I said, I just use the app on admin accounts.

ah I see, I understand there is an extra paid for version of MFA so I may look into that

Next thing I want to do is link it into our RDS platform you see so I'm going to have to stump up the money either way

Thanks!!
 
Just got pricing for Premium P1. In my mind, if staff are clicking on spam links or being careless with their passwords anyone could login to our RDS platform and steal/encrypt data (gdpr issue?)

I also notice P1 comes with writeback and self-service. Does this have a windows 10 plugin to have the "forgot password" link underneath the password login box? We have a third party solution at the minute, but could cancel that in favour of azure.
 
It looks like this is a lot more complex than I first thought:

Turned on 2FA for my account, outlook 2016 stopped working. You have to enable a global exchange online setting (OAuth2ClientProfileEnabled:$true). The issue however is that once this setting is set, all users are unable to use outlook lol They get prompted for their password but it never works. Even though they are not enabled for 2FA. Joy!

What steps did you all take on this?
 
another niggle, I noticed a few have enabled 2FA for admins......yet when I tried, it stops you from using powershell commands to connect to azure/o365/exchangeonline
 
Thanks!!

I've been having a bit of a nightmare. Read the white paper for the RDS Azure 2FA plugin which said to install it on your existing NPS infrastructure (not rds). Did what it said and everything broke!!!!

Looking through the logs, and googling the error, it seems Microsoft are wrong and you need to use standalone NPS servers for RDS as the dll library files don't play nice with other things like our wireless setup.

https://social.msdn.microsoft.com/F...l-file?forum=windowsazureactiveauthentication

Question going back to O365 2FA...........what's to stop a hacker logging in and using their own mobile number to get the verification code?

as mentioned here: https://feedback.azure.com/forums/1...-azure-ad-sync-to-prepopulate-the-authenticat
 
Thanks everyone.....really helpful.

I wasn't under any impression that this was going to be easy. I've allocated myself a good few months to get this working properly inc testing everything and ensuring all users are registered.

The RDS stuff for example requires an additional two servers for the plugins for starters lol
 
Places that “disable” accounts by resetting the password will need to learn to change how they do things, especially with self-service password reset.

If you use Azure AD Application Proxy with your RD Gateway then you don’t need to worry about plugins.

Until the windows 10 update is released to connect into azure mfa, we'll carry on using nervepoint for self-service.....but yeah, anything to help the helpdesk....I mean users :-)
 
Now we have P1, how do we block logins from outside the UK? I got one of my engineers to do it, but I don't think it's working (e.g. I use torguard vpn to route me via USA and I can still login)

Thanks
 
Managed to get RDS working with MFA. Really happy with that.

Outlook 2016 and Skype are still giving me grief. I don't want to confuse users with MFA whilst at work, we only want it for users coming in from home.

Tried various registry settings, but either we have to go through MFA, or we get the password loop

EnableADAL = 0 <- This results in a constant password login box
EnableADAL = 1 <- This obviously asks users for MFA which we don't want

This seems to work for skype but I need to test it more

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync
AllowAdalForNonLyncIndependentOfLync = 1

any tricks?

Thanks!!
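The registry values quoted in the post above are easy to get out of sync across machines when you are testing, so here is an added PowerShell audit script (written for this thread, not something from the original poster or from Microsoft). It reports the two modern-auth values discussed in the post and, with -Fix, sets them to the values that let Outlook 2016 and Skype use modern authentication. Assumptions: Office 2016 (16.0) registry paths; EnableADAL is read from HKCU\Software\Microsoft\Office\16.0\Common\Identity, which is the documented location for that value but is not quoted in the thread; the Lync key is the one the post gives.

```powershell
# Added example, not from the thread: audit (and optionally set) the client-side
# modern-auth registry values for Outlook 2016 / Skype for Business.
# Run in the context of the affected user, since both keys live under HKCU.
[CmdletBinding()]
param(
    [switch]$Fix   # when set, write the wanted values instead of only reporting
)

# Assumed/known paths: the Identity key is the documented home of EnableADAL
# (not quoted in the thread); the Lync key is the one the post gives.
$checks = @(
    @{
        Path = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'
        Name = 'EnableADAL'
        Want = 1
        Note = '0 = legacy auth only (constant password prompt once MFA is on); 1 = modern auth'
    },
    @{
        Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Lync'
        Name = 'AllowAdalForNonLyncIndependentOfLync'
        Want = 1
        Note = 'lets Skype use ADAL even when the Lync-specific setting is not configured'
    }
)

foreach ($c in $checks) {
    $current = $null
    if (Test-Path -Path $c.Path) {
        # Missing value is returned as $null rather than throwing
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }

    $state = if ($null -eq $current) { 'missing' }
             elseif ([int]$current -eq $c.Want) { 'ok' }
             else { 'mismatch' }

    # One report row per value; pipe the script into Format-Table for a summary
    [pscustomobject]@{
        Key     = "$($c.Path)\$($c.Name)"
        Current = $current
        Wanted  = $c.Want
        State   = $state
        Note    = $c.Note
    }

    if ($Fix -and $state -ne 'ok') {
        if (-not (Test-Path -Path $c.Path)) {
            New-Item -Path $c.Path -Force | Out-Null
        }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want `
            -PropertyType DWord -Force | Out-Null
        Write-Verbose "Set $($c.Path)\$($c.Name) = $($c.Want)"
    }
}
```

Run it without -Fix first to see which machines are on the legacy path, then with -Fix -Verbose to apply. Turning EnableADAL on alone brings the MFA prompt the post wants to avoid inside the office, so it is meant to be paired with tenant-side trusted IP ranges (the exclusions mentioned later in the thread) rather than used as a way to dodge MFA for remote users.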
 
How old is your Office 365 tenant? Modern Authentication only defaulted to on for tenants created relatively recently, for everyone else you need to switch it on.

I have turned it on for exchange and skype. Adding the IP ranges into the exclusions has fixed all my woes :-)
 