Office 365 – Multi Factor Authentication support part 2. – Enable MFA from user point of view


In previous article I have enabled MFA for user alsajid@salonovi.cz and now I will test its behavior, while MFA Enabled and Enforced

User setup

When I log on for the first time with new user or try to access https://portal.onmicrosoft.com with user with just enabled MFA, Login window will look different and after typing my password it will require to set up MFA.

TEST-setup1

Office 365 talks to you in your prefered language, you can choose mobile application or mobile phone or normal phone to contact and pick up whether to be contacted by SMS or phone call.

MFA setup2

I choose Mobile phone and SMS, next and I am required to verify my device

setup 3

I have received SMS code

setup4

Verification went OK and in next step I am warned, that my password will be working only in browser (1) and for other aplications named in (2) I need to generate App Passwords (3) or agree, that these applications will not be used for my account (4)

setup5

APP Passwords (support for thick clients)

To generate App Passwords I was redirected to Windows Azure Active Directory logon screen, where I have been MFAuthenticated via SMS ūüôā

appp1

Now I can create App Passwords

appp2

Next is name of application and then the password is generated and displayed once. You must copy it to clipboard

apppol1 apppol2

Now use the password as you have used your password for Office 365 previously. So basically you use your App Password instead of your Office 365 password.

Described here. This is most important link for support persons on MFA enabled customer¬īs helpdesk:

http://technet.microsoft.com/library/en-us/dn270518.aspx#apppasswordchange

User¬īs output¬†with MFA defined and registration process completed in Azure Active Directory (in my case default one way SMS)

PS C:\Windows\system32> get-msoluser -UserPrincipalName testuser@zbycha.onmicrosoft.com | select *au* | select strongaut
henticationmethods -expandproperty strongauthenticationmethods

StrongAuthenticationMethods   ExtensionData                                     IsDefault MethodType
---------------------------   -------------                                     --------- ----------
{Microsoft.Online.Administ... System.Runtime.Serializati...                          True OneWaySMS
{Microsoft.Online.Administ... System.Runtime.Serializati...                         False TwoWayVoiceMobile

 
PS C:\Windows\system32> get-msoluser -UserPrincipalName testuser@zbycha.onmicrosoft.com | select *au* | select strongaut
henticationrequirements -expandproperty strongauthenticationrequirements |fl
StrongAuthenticationRequirements : {Microsoft.Online.Administration.StrongAuthenticationRequirement}
ExtensionData                    : System.Runtime.Serialization.ExtensionDataObject
RelyingParty                     : *
State                            : Enforced

Well so far so good but now , what I finally don¬īt like. Lets say, that App Passwords are need for not MFA ready apps..ok, you can define as much App Passwords as you want, you can name those, but you can use all of them to all aplications. That is a bit strange. I have generated two App Passwords and I was able to use both for LYNC client.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s