MFA



EMS TTT Online - MFA

Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options (phone call, text message, or mobile app notification), allowing users to choose the method they prefer.

During this lab you will run several exercises that build a better understanding of Azure Multi-Factor Authentication (MFA). In this lab you will:
- Configure MFA in Azure Active Directory and use it to enforce multi-factor authentication
- Deploy the Azure MFA Server and configure AD FS to use it for integrated, policy-driven multi-factor authentication
- Use the Azure MFA app password feature to allow authentication for active clients such as Outlook or Lync
- Disable MFA

Note: To complete this lab you must have completed all the steps in the Setup/Pre-Requisite guide, including the "On-Premises" hydration and copying the Allfiles folder to the root of the C: drive on the DC1 VM. You must also have completed the ADFS lab.

Enable MFA for a User

Complete these steps from an internet-connected Windows computer.

Task: Create an MFA provider and view the options in the MFA Admin Console
1. Bring up the browser session with the Microsoft Azure Management Portal and sign in as Admin2@<YourTenant>.
2. In the ACTIVE DIRECTORY workspace, select the Contoso… directory.
3. Click MULTI-FACTOR AUTH PROVIDERS.
4. Click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
5. Enter the name <YourDomain>MFA.
6. Ensure that the Usage Model is set to Per Enabled User.
7. Ensure that the Directory is set to <YourDomain>.
8. Click CREATE.
9. Click MANAGE (bottom toolbar).
10. On the left menu, under User Administration, click Block/Unblock Users. This section allows administrators to unblock user accounts after a potential fraud alert (a number of related reports are also available).
11. Click One-Time Bypass. Here administrators can allow a user to authenticate once without MFA; the bypass is temporary, expires after a specified number of seconds, and a reason can be recorded for reporting purposes.
12. On the left menu, under Configure, click Settings. This section allows organizations to customize the MFA experience.
13. Click Caching. Here you can configure the service so that once a user has successfully authenticated with MFA, subsequent authentication attempts within a set number of seconds succeed automatically without a new challenge. The cache can be scoped per user across all applications, per user for a specific application name and authentication type, or either of these combined with the same source IP address; outside the cache window MFA is required again.
14. Click Notifications. This section allows organizations to send notification messages to specified email addresses for Fraud Alerts, One-Time Bypasses, and Account Lockouts.

Task: Enable MFA for a specific user
1. Return to the Microsoft Azure Management Portal Internet Explorer tab.
2. In the ACTIVE DIRECTORY workspace, click the Contoso… directory.
3. Click Users.
4. Click MANAGE MULTI-FACTOR AUTH (at the bottom).
5. Click the View drop-down and notice that you can apply MFA automatically to sensitive roles, for example to all global administrators.
6. Click the View drop-down and select Sign-in allowed users.
7. Select Aldo Muller and click Enable.
8. Click enable multi-factor auth.
9. Click close.
10. Select Aldo Muller and click Enforce.
11. Click enforce multi-factor auth.
12. Click close.

Task: User MFA experience
1. Open Internet Explorer in InPrivate Browsing mode, navigate to the sign-in page and sign in as AldoM.
2. When prompted, click Set it up now to set up multi-factor authentication, noting the different authentication methods.
3. Select your country, enter your phone number (you can use your real mobile number), select the desired Method (Send text message/Call me), then click Contact me.
4. Complete the verification process (ignore the app password for now; it is covered in a later exercise).
5. Sign out and sign in as AldoM again.
6. You are sent a verification code via your chosen method. Complete the verification and the sign-in.
7. Sign out.

Task: Reporting on MFA
1. Return to the Microsoft Azure Management Portal Internet Explorer tab.
2. In the ACTIVE DIRECTORY workspace, select the Contoso… directory.
3. Click MULTI-FACTOR AUTH PROVIDERS.
4. Click MANAGE.
5. Click VIEW A REPORT (or Usage on the left). The following reports are available: Summary, User Summary, and User Details.
6. Click User Summary. Notice that you can filter the information displayed in the report.
7. Click Run. The report is queued and becomes accessible once complete.
8. Click Queued.
9. Locate the report you just created and click View. This report gives an in-depth summary of the MFA requests made by particular users within a set time range.
10. Close the Multi-Factor Authentication tab.

Install and Configure the Multi-Factor Authentication Server

Complete these steps from an internet-connected Windows computer.

Task: Add a mobile number for JohnF
1. Bring up the browser session with the Microsoft Azure Management Portal.
2. In the VIRTUAL MACHINES workspace, select the DC1 virtual machine and click CONNECT.
3. Log in as corp\LabAdmin using the password pass@word1.
4. Run Active Directory Users and Computers.
5. Navigate to the Corporate, HR OU.
6. Right-click JohnF and click Properties.
7. Switch to the Telephones tab and, in the Mobile field, enter your mobile phone number with country code in the format +XXXXXXXXXXXX. Use this format exactly, including the country code, to prevent issues later in this lab.

Task: Install the Windows Azure Multi-Factor Authentication Server on DC1
1. Still on DC1, in Internet Explorer navigate to the Microsoft Azure Management Portal and sign in with your admin2 credentials (admin2@<YourTenant>).
2. Click Active Directory in the navigation bar.
3. Click MULTI-FACTOR AUTH PROVIDERS.
4. Click MANAGE in the command bar.
5. In the left navigation bar, under the Downloads header, click Server.
6. Under the Multi-factor Authentication Server header, click the Download link. Leave this page open in Internet Explorer.
7. Click Run.
8. Click Yes and complete the installation.
   Note: If you are warned that updates are required, install them. If the installation fails after this, try the download again.
9. When the Windows Azure Multi-Factor Authentication wizard launches, select Skip using the Authentication Configuration Wizard and click Next.
   Note: If the wizard fails to launch, run Multi-Factor Authentication Server from the Start menu.

Task: Activate the Multi-Factor Authentication Server on DC1
1. Still on DC1, switch back to Internet Explorer and click Generate Activation Credentials.
2. Copy the email address into the Email field on the Activate page of the Multi-Factor Authentication Server management console.
3. Copy the password into the Password field on the Activate page and click Activate.
4. On the Join Group dialog box, click OK.
5. Click Yes to run the Multi-Factor Authentication wizard.
6. Click Next.
7. Deselect Certificates and click Next.
8. Accept the defaults and click Next.
9. Click Finish to reboot the server.

Task: Establish MFA synchronization with Active Directory
1. From the Microsoft Azure Management Portal, connect to the DC1 VM, logging in as Corp\LabAdmin.
   Note: If you receive a "Remote Desktop can't connect to the remote computer …" message, the machine is probably still starting its services; try again in a couple of minutes.
2. On the DC1 VM, from the Start menu, run Multi-Factor Authentication Server.
3. Click Yes.
4. In the left navigation pane of the Multi-Factor Authentication Server management console, click Directory Integration.
5. Switch to the Synchronization tab.
6. Select Enable synchronization with Active Directory.
7. Select Remove users no longer in Active Directory.
8. Deselect Always perform a full synchronization.
9. Deselect Require administrator approval when disabled or removed users exceed threshold.
10. Click Add…
11. Expand <YourDomain>.<xxx> and click Corporate.
12. Click the Method Defaults tab.
13. Select Text message. This configures Azure MFA to challenge users via a two-way text message (the user replies to the message with the code); compare this with the one-way text message experience offered by Azure Active Directory-integrated MFA, where the code is typed into the sign-in page.
14. Click Add, click OK, and click Close.
15. Click Synchronize Now and click OK.
16. In the left navigation pane, click Users.
17. If you don't see a list of users, press F5 until they appear.
18. Verify that the JohnF@<YourDomain>.<xxx> user has no alert next to his user name and shows your mobile phone number in the Phone field.
19. Select JohnF@<YourDomain>.<xxx> and click Test…
20. In the Password field, type pass@word1 and click Test.
21. When you receive a text message from Microsoft, reply to the text with the six-digit verification code to complete authentication.
22. When authentication completes, click OK and click Close.

Task: Install the AD FS adapter for the Multi-Factor Authentication Server on DC1 and configure settings
1. In the left navigation pane of the Multi-Factor Authentication Server management console, click AD FS.
2. Select Allow user enrollment.
3. Select Allow users to select method, and select the Phone call and Text message checkboxes.
4. Select Use security questions for fallback and type 2 in the associated field.
5. Verify that Enable logging is selected.
6. Click Install AD FS Adapter…
7. Complete the installation.

Task: Register the Multi-Factor Authentication Adapter with AD FS
1. Run Windows PowerShell as an administrator.
2. In Windows PowerShell, enter the following commands (the registration script ships with the MFA Server; the AD FS service is restarted so that it loads the newly registered adapter):
   cd 'C:\Program Files\Multi-Factor Authentication Server'
   .\Register-MultiFactorAuthenticationAdfsAdapter.ps1
   net stop adfssrv
   net start adfssrv

Configure AD FS Authentication Policy and Test Multi-Factor Authentication

Complete these steps from an internet-connected Windows computer.

Task: Enforce MFA for all external users
1. On the DC1 VM, logged on as corp\LabAdmin, open AD FS Management.
2. Click Yes.
3. In the left navigation pane, click Authentication Policies.
4. In the right Actions pane, click Edit Global Multi-factor Authentication…
5. At the bottom of the dialog box, select WindowsAzureMultiFactorAuthentication.
   Note: Observe the various criteria (users and groups, device registration state, and location) that can be configured to invoke multi-factor authentication for a user at the global level.
6. Under Locations, select Extranet.
7. Click OK.
8. Leave the AD FS console open; it is needed again later.

Task: Authenticate as an external user with multi-factor authentication and complete the fallback registration process
1. From your local machine, open Internet Explorer and navigate to the sign-in page.
2. Click Sign in.
3. On the AD FS sign-in page, sign in as JohnF@<YourDomain>.<xxx>.
4. Under the Multi-Factor Authentication heading, click Continue.
5. When you receive a text message from Microsoft, reply to the text with the six-digit verification code to complete authentication.
6. After completing multi-factor authentication, AD FS prompts you to answer a number of questions so that your identity can be verified by a fallback method. Supply answers for all questions and click Continue.
   Note: This feature is implemented by Azure Multi-Factor Authentication but is presented seamlessly as part of the AD FS sign-in experience.
7. You are now redirected to Azure AD as an authenticated user, where Azure AD stops you to invoke its own multi-factor authentication, which is already configured for JohnF. Complete this second authentication.
8. Close Internet Explorer.

Task: Add a new claim rule to suppress the AAD MFA
Note: Perform the following steps on DC1.
1. Switch to the DC1 virtual machine.
2. In the AD FS console, expand Trust Relationships in the left navigation pane and click Relying Party Trusts.
3. Right-click Microsoft Office 365 Identity Platform and click Edit Claim Rules…
4. Click Add Rule…
5. Select Send Claims Using a Custom Rule from the Claim rule template menu and click Next.
6. Type Suppress AAD MFA in the Claim rule name field.
7. Copy the following rule into the Custom rule field:
   => issue(Type = "", Value = "");
8. Click Finish and click OK.
Note: This claim rule allows AD FS to enforce MFA while leaving Azure Active Directory-integrated MFA enabled for users, without subjecting them to multiple MFA challenges: the claim issued to Azure AD signals that multi-factor authentication has already been performed at AD FS, so Azure AD does not challenge again. You may ask why you would not simply disable Azure Active Directory-integrated MFA when using the Azure MFA Server with AD FS. The answer is the app password feature, which is available only in the Azure Active Directory-integrated version of the service. Layering this capability on top of AD FS-integrated MFA lets you apply expressive policy to govern MFA for passive browser-based clients while still allowing rich clients like Outlook and Lync to connect to Office 365.

Use App Passwords to Support Active Clients

Complete these steps from an internet-connected Windows computer.

Task: Attempt to connect an Exchange ActiveSync client with JohnF's on-premises password
1. On your host machine (Windows 8 or newer), navigate to the Start screen and launch the modern Mail app.
   Note: This application uses ActiveSync to connect to a user's mailbox and allows quick and easy tests of the app password feature.
2. In the Mail app, bring up the charms menu on the right, click Settings, then Accounts.
3. Click Add an account and click Exchange.
4. Type JohnF@<YourDomain>.<xxx> in the Email address field and pass@word1 in the Password field.
5. Click Connect.
   Note: You are unable to authenticate using the on-premises credentials for JohnF. The Exchange ActiveSync protocol does not support multi-factor authentication, so the client cannot interact with AD FS to invoke and complete the MFA challenge that is now required for external access.
6. Click Cancel.

Task: Generate a new app password
1. On your host machine, start a new Internet Explorer InPrivate browsing session.
2. Navigate to the sign-in page and enter the username JohnF@<YourDomain>.<xxx>; you are redirected to AD FS. Sign in.
3. Under the Multi-Factor Authentication heading, click Continue and complete the verification.
4. You are now redirected to the profile page of the Azure Active Directory Access Panel as an authenticated user.
5. Switch to the profile tab.
6. Click Additional security verification.
7. Click app passwords.
8. Click create.
9. Type Windows Laptop in the Name field and click next.
10. Notice that the generated password is 16 characters long but consists only of letters.
11. Click copy password to clipboard and click close.
Note: There is no way to retrieve the generated password again; it can only be deleted. Treat an app password as a long-lived credential that bypasses MFA entirely for legacy protocols such as ActiveSync: anyone who obtains it can reach the mailbox without a second factor, so delete app passwords as soon as they are no longer needed (see the administrative options later in this exercise).

Task: Use the app password to set up an Exchange ActiveSync client
1. Switch back to the Windows Mail app on your host machine.
2. In the Mail app, bring up the charms menu on the right, click Settings, then Accounts.
3. Click Add an account and click Exchange.
4. Type JohnF@<YourDomain>.<xxx> in the Email address field.
5. Paste the app password from the clipboard into the Password field.
6. Click Connect. Notice that you are now able to authenticate via ActiveSync to the Exchange Online mailbox using the app password.
7. If you are prompted to make your PC more secure, click Cancel, and click Close when prompted.
8. Bring up the charms menu on the right, click Settings, then Accounts.
9. Select the account you just added.
10. Scroll down, click Remove account, and click All my synchronised PCs.

Task: Review administrative options for app passwords
1. On the DC1 VM, open a new InPrivate Internet Explorer browsing session, navigate to the Microsoft Azure Management Portal and sign in as admin2@<YourTenant>.
2. Click Active Directory in the left navigation menu and click Contoso…
3. Navigate to the USERS tab and click MANAGE MULTI-FACTOR AUTH in the command bar.
4. Switch to the service settings tab.
   Note: You can enable or disable app passwords for the entire organization, but cannot disable the feature at a more granular level. While you are here, also notice that you can specify IP whitelists (trusted IPs), which make Azure Active Directory skip MFA challenges when users authenticate from well-known addresses such as a private corporate network; keep such ranges narrow, because every sign-in from them is exempt from the second factor. Notice also that you can configure Azure Active Directory to skip MFA for all federated users, which replaces the claim rule you created in the previous exercise.
5. Navigate to the users tab.
6. Select JohnF and click Manage user settings.
7. Select Delete all existing app passwords generated by the selected users, then click save and close.

Disable Multi-Factor Authentication

Complete these steps from an internet-connected Windows computer.

Task: Disable Azure Active Directory-integrated MFA for enabled users
1. On DC1, in Internet Explorer, you should still have the Multi-Factor Authentication management portal open.
2. Select JohnF (and any other enabled or enforced users) and click Disable.
3. Click yes, and click close.

Task: Disable multi-factor authentication in AD FS
1. Still on the DC1 VM, switch to the AD FS Management console.
2. In the left navigation pane, click Authentication Policies.
3. In the right Actions pane, click Edit Global Multi-factor Authentication…
4. Deselect Extranet and click OK.
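The two enforcement points this lab toggles through the portal and the AD FS console (the per-user Azure AD MFA state set in "Enable MFA for a specific user" and cleared in "Disable Azure Active Directory-integrated MFA", and the AD FS extranet MFA policy set in "Enforce MFA for all external users" and cleared in the final task) can also be set and verified from PowerShell. The script below is an added example, not part of the original lab. It assumes the MSOnline module is installed and Connect-MsolService has been run for the Azure AD part, that the AD FS part runs in an elevated prompt on DC1, and that the provider name WindowsAzureMultiFactorAuthentication matches the adapter registered earlier; the function names and the sample UPN are example values, and clearing the additional authentication rule by passing $null is the approach used here to undo the extranet policy.

```powershell
# Added example: set and verify the two MFA enforcement points used in this lab.
# Assumes: MSOnline module (Install-Module MSOnline) and Connect-MsolService already run
# for the Azure AD part; the AD FS part runs in an elevated prompt on DC1.
# Function names and the sample UPN below are example values, not part of the lab.

function Set-AadUserMfaState {
    # State: 'Enabled' (user must register at next sign-in), 'Enforced' (MFA required on
    # every sign-in; app passwords become available), or 'Disabled' (portal "Disable").
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('Enabled', 'Enforced', 'Disabled')] [string] $State
    )
    if ($State -eq 'Disabled') {
        # An empty requirements array removes the per-user requirement.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    } else {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'      # apply to every relying party
        $req.State = $State
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
    }
}

function Get-AadUserMfaState {
    # Returns 'Disabled' when no requirement is set, otherwise the requirement's State,
    # so the result of Set-AadUserMfaState can be checked rather than assumed.
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $u.StrongAuthenticationRequirements -or $u.StrongAuthenticationRequirements.Count -eq 0) {
        return 'Disabled'
    }
    return $u.StrongAuthenticationRequirements[0].State
}

# Claim rule language equivalent of "Locations: Extranet" in the global MFA policy:
# require an additional authentication whenever the request did not arrive from inside
# the corporate network (insidecorporatenetwork == false).
$ExtranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

function Set-AdfsExtranetMfa {
    # $Enable $true selects the Azure MFA adapter and applies the extranet rule;
    # $Enable $false clears the rule (the equivalent of deselecting Extranet in the console).
    param(
        [Parameter(Mandatory)] [bool] $Enable,
        [string] $ProviderName = 'WindowsAzureMultiFactorAuthentication'
    )
    if ($Enable) {
        # Fail early if the adapter registration from the earlier task did not take effect.
        $providers = (Get-AdfsAuthenticationProvider).Name
        if ($providers -notcontains $ProviderName) {
            throw "Authentication provider '$ProviderName' is not registered with AD FS."
        }
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($ProviderName)
        Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $ExtranetMfaRule
    } else {
        # Passing $null clears the additional authentication rule set.
        Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $null
    }
    # Return what is actually in force so the caller can verify the change.
    [pscustomobject]@{
        Providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
        Rule      = Get-AdfsAdditionalAuthenticationRule
    }
}

# Usage (example values):
#   Connect-MsolService
#   Set-AadUserMfaState -UserPrincipalName 'AldoM@<YourDomain>.<xxx>' -State Enforced
#   Get-AadUserMfaState -UserPrincipalName 'AldoM@<YourDomain>.<xxx>'   # Enforced
#   Set-AdfsExtranetMfa -Enable $true     # on DC1, after the adapter is registered
#   Set-AdfsExtranetMfa -Enable $false    # lab clean-up, same as deselecting Extranet
```

Reading the state back after each change matters in practice: a user left at "Enabled" rather than "Enforced" is not challenged until registration completes, and an extranet rule that silently failed to apply leaves external sign-ins protected only by the password.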