Office 365 2FA?

Caged · 28 Sep 2018 at 19:38

Places that “disable” accounts by resetting the password will need to learn to change how they do things, especially with self-service password reset.

If you use Azure AD Application Proxy with your RD Gateway then you don’t need to worry about plugins.

glenimp617 · 28 Sep 2018 at 22:36

Caged said:
Places that “disable” accounts by resetting the password will need to learn to change how they do things, especially with self-service password reset.

If you use Azure AD Application Proxy with your RD Gateway then you don’t need to worry about plugins.

Until the windows 10 update is released to connect into azure mfa, we'll carry on using nervepoint for self-service.....but yeah, anything to help the helpdesk....I mean users :-)

glenimp617 · 30 Sep 2018 at 10:45

Now we have P1, how do we block logins from outside the UK? I got one of my engineers to do it, but I don't think it's working (eg: I use torguard vpn to route me via USA and I can still login)

Thanks

Caged · 30 Sep 2018 at 19:26

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

glenimp617 · 3 Oct 2018 at 10:33

Managed to get RDS working with MFA. Really happy with that.

Outlook 2016 and Skype are still giving me grief. I don't want to confuse users with MFA whilst at work, we only want it for users coming in from home.

Tried various registry settings, but either we have to go through MFA, or we get the password loop

EnableADAL = 0 <- This results in a constant password login box
EnableADAL = 1 <- This obviously asks users for MFA which we don't want

This seems to work for skype but I need to test it more

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync
AllowAdalForNonLyncIndependentOfLync = 1

any tricks?

Thanks!!

LizardKing · 3 Oct 2018 at 11:23

Have you got your external IP's as a trusted IP in the MFA configuration?

glenimp617 · 3 Oct 2018 at 11:28

LizardKing said:
Have you got your external IP's as a trusted IP in the MFA configuration?

No, I'll check that! thanks

LizardKing · 3 Oct 2018 at 11:30

With that set your on prem users should never be prompted for the extra authentication!

glenimp617 · 3 Oct 2018 at 11:34

LizardKing said:
With that set your on prem users should never be prompted for the extra authentication!

I remember thinking yesterday I needed to put those IP ranges in......my brain got stuck on damn registry settings doh!

Caged · 3 Oct 2018 at 13:57

How old is your Office 365 tenant? Modern Authentication only defaulted to on for tenants created relatively recently, for everyone else you need to switch it on.

glenimp617 · 3 Oct 2018 at 17:20

Caged said:
How old is your Office 365 tenant? Modern Authentication only defaulted to on for tenants created relatively recently, for everyone else you need to switch it on.

I have turned it on for exchange and skype. Adding the IP ranges into the exclusions has fixed all my woes :-)