Azure Multifactor Authentication (MFA) in
Athlone Institute of Technology (AIT)
Rossa Coleman, IT Manager, AIT
HEAnet Conference, 9 Nov ‘17
Radisson Hotel, Galway
What is this presentation about?
• Azure MFA and its roll-out in AIT to protect the Office365 and Moodle accounts (and data contained therein) of AIT staff
• To comprehensively explain our experience with Azure MFA, in order to assist any other 3rd level IT Depts. with:
  • Understanding Azure MFA & how it works
  • Making a decision whether to implement Azure MFA
  • Composing an implementation strategy & roll out plan
The aim of the presentation
Pay attention, there is a test at the end!
Contents of this Presentation
• The AIT/Office365 architecture (background)
• Azure MFA
  • Why?
  • How?
• MFA - the end user experience
• Implementing Azure MFA in AIT – Project Overview
• Lessons Learned & Tips
The AIT/Office 365 Architecture
AIT uses ADFS to authenticate users to Office 365
Azure MFA can be “added” as an additional layer of authentication to our model (federated Identity or the cloud identity model)
Azure MFA – Why should we implement it?
• Global accessibility of Office 365 Accounts
  • (are passwords alone sufficient to protect our data?)
• Global increase in cybercrime
• GDPR
• End-User education & protection
(Cartoon caption: “To receive your 3 wishes, simply enter your username and password”)
What do Scooby Doo & Secret Sauce have in common with MFA?
Nothing! There is no mystery or secret sauce – MFA is simple and straightforward
Azure MFA – Implementation
• On premise & cloud options available (we used cloud)
• User licenses required
  • Azure MFA, Azure AD Premium, or EMS
• A prerequisite: Turn on “Modern authentication” in Office 365 tenant
  • Have Outlook 2013 (update later than March 2015 required) or higher
  • Modern authentication also required for Skype for Business
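The prerequisite above is a tenant-side switch in both Exchange Online and Skype for Business Online. The PowerShell below is an added example, not taken from the presentation or from AIT's own scripts; it assumes the 2017-era remote PowerShell sessions to Exchange Online and Skype for Business Online are already open under a Global Admin account, and the function name `Test-ModernAuthEnabled` is our own.

```powershell
# Added example (not from the presentation): verify and, if needed, switch on
# "Modern authentication" on the Office 365 tenant before enabling MFA, since the
# slides list it as a prerequisite for Outlook and Skype for Business integration.
# Assumes remote PowerShell sessions to Exchange Online and Skype for Business
# Online are already established with a Global Admin account.

function Test-ModernAuthEnabled {
    # Exchange Online: OAuth2ClientProfileEnabled is the tenant's Modern Authentication switch
    $exchange = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    # Skype for Business Online: ClientAdalAuthOverride must be 'Allowed' for modern auth
    $skype = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    [PSCustomObject]@{
        ExchangeOnline   = [bool]$exchange
        SkypeForBusiness = ($skype -eq 'Allowed')
    }
}

$status = Test-ModernAuthEnabled
$status | Format-List

if (-not $status.ExchangeOnline) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    Write-Host 'Exchange Online: Modern Authentication enabled'
}
if (-not $status.SkypeForBusiness) {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    Write-Host 'Skype for Business Online: Modern Authentication enabled'
}
```

Turning the switch on does nothing for clients that cannot speak modern authentication, which is why the slides pair it with the Outlook upgrade: Outlook 2013 needs the post-March-2015 update, and older Outlook versions will keep failing against MFA-enabled accounts regardless of the tenant setting.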
Azure MFA – Implementation
(Each implementation slide carries the same four-step navigator: MFA Prelims → Enable Account(s) → Set-Up Account(s) → MFA Admin)

Enable Account(s)
• Enabled by IT Administrators in MFA page in Office 365
• Once enabled: user prompted to “Set-up MFA” on next Office 365 login*
* Scheduling required, to avoid academics having to do this in class

Set-Up Account(s)
• Once enabled, user is prompted to “Set it up now” on next Office 365 login
• User chooses preferred authentication method:
For call or text:
• Enter number (the screenshot shows the sample number 871234567), select method, click Next
• Respond to the call or text (to verify)
• Click Done!
If Mobile App is selected, choose:
• Receive notifications or,
• Use verification code & click Next
Download Microsoft Authenticator app to phone
• Select Add Account
• Select work or school account
• Scan QR code for automatic registration of Account

MFA Options - End-user experience
(Table comparing each option on Ease of Setup and Ease of Use; the ratings were shown graphically)
• Text Message
• Authenticator App (6 digit code)
• Authenticator App (notification)
• Phone call (recorded message) – +1 (425) 409-2623

App Passwords
• Used for “stuff that doesn’t work with stuff”
• E.g. Native smartphone email apps, Apple products (Macs etc.)
• Can be created by users (any time)
• Required on above devices to facilitate MFA (in place of account password)

MFA Admin
• MFA admin is straightforward (enabling accounts accounts for the majority of the admin work)
• Once accounts are set-up properly, support calls will be extremely infrequent
Service Settings
1. App Passwords – allowed or not
2. Trusted IP ranges (e.g. for on-Campus)
3. Verification Options
  • Call
  • Text
  • Notification via App
  • Code via App
4. Remember MFA on a device
  “Don’t ask me again for xx days”
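The "Enable Account(s)" step is done per user in the MFA page of the Office 365 portal. Because the slides stress scheduling the enable step so that academics are not prompted mid-class, it helps to script it per department. The following is an added example, not from the presentation or AIT; it uses the MSOnline module that was current for a 2017 tenant, and the department value and function name `Enable-MfaForUser` are placeholders of our own.

```powershell
# Added example (not from the presentation): enable Azure MFA for a scheduled batch
# of accounts with the MSOnline module. The department value is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for Global Admin credentials

# A StrongAuthenticationRequirement with State 'Enabled' is what the portal's
# "Enable" button sets; the state becomes 'Enforced' once the user completes set-up.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enabled'

function Enable-MfaForUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    # Skip accounts that are already Enabled or Enforced so a re-run is harmless
    if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        Write-Host "$UserPrincipalName already $($user.StrongAuthenticationRequirements[0].State)"
        return
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
    Write-Host "Enabled MFA for $UserPrincipalName; set-up will be requested at next sign-in"
}

# Batch by department (placeholder value) rather than the whole tenant, so the
# enable step can be scheduled outside teaching hours for each group
$department = 'Marketing Dept'
Get-MsolUser -All |
    Where-Object { $_.Department -eq $department -and -not $_.BlockCredential } |
    ForEach-Object { Enable-MfaForUser -UserPrincipalName $_.UserPrincipalName }
```

Note the side effect the slides call out later: from the moment an account is Enabled, native smartphone email clients stop working until the user completes set-up (and creates an app password where needed), so the batch should run right before the user is expected to sign in and set it up, not days ahead.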
Azure MFA (The end-user experience)
Client
• Start: Client requires access to Office 365/Moodle and browses to Office 365 login page (or ADFS Login page)
• Client enters credentials and clicks Sign in
MFA
• MFA is now required
• MFA notifies user (using chosen option)
• User approves MFA request and is granted access
Implementing Azure MFA in AIT – Project Overview
(Timeline slide, built up over several slides: May, June, July, Aug, September, October, November)
Our Planned Approach
1. Roll out MFA to all managerial & admin staff initially
2. Use the experience to compose roll-out plan for academic staff

Project Green Light
• Proposal to and approval from EMT

Advanced Notification to All Staff
• All staff email issued advising of project
Office 2016 Upgrade
• MFA incompatible with versions of Outlook older than the March 2015 update as they do not support “modern authentication”
Modern Authentication Enabled
• Modern Authentication enabled on Office 365 tenant (a prerequisite of MFA/Outlook integration)
(June 2017)

Early Adopter Phase 1 (July 2017)
• Computer Services, Marketing Dept
• This period facilitated skilling up of technical staff & drafting end-user guidance documentation
• We allowed 4 weeks for any potential user issues to arise before proceeding to Phase 2 (Early Adopter)

Early Adopter Phase 2 (August 2017)
• Human Resources, Finance Dept
• Completion of Technical & End User Guidance Documents
• Awareness Campaign including All Staff Briefing

September 2017 – Return of academic staff
• On-boarding Phase - all non-academic staff
• Early Adopter Phase – Lecturing Staff
• “Hearts & Minds” approach; UAT for MFA with Moodle
• After 4 weeks, feedback requested from early adopters – all gave positive feedback

On-boarding Phase – academic staff
Project Closeout
Lessons Learned and Tips – Preparatory Planning
• If MFA is a hard sell, consider an IT security educational campaign in advance to highlight importance of IT security
• A “hearts and minds” approach
• Separate roll out plans for academics and non-academics
• Appropriate timing for academic staff roll-out
  (Academic roll-out timeline spanning Week 1, Week 2, Week 3 and a No teaching week: Advanced Notice of Roll out Plan; Offer scheduled account enabling; Advertised drop-in sessions; D-Day – Enable remaining accounts)

Lessons Learned and Tips – MFA Options
• Staff who never/rarely access Office 365 off-Campus
  • Phone call or text message is recommended due to simplicity of set up/use
• Staff who have email on smartphone & frequent (off Campus) Office 365 users
  • Highly recommend using the Authenticator app and the Outlook app - seamless (no app passwords)
Lessons Learned and Tips – User Account Set-Up
• User Set-up is straightforward, app passwords are not
• User Set-up offers an initial app password which can't be renamed – best to ignore this
• Set-Up process returns user to portal page without opportunity to set up additional app passwords
• MFA Settings page in Office 365 is hard to find (5 clicks required) – consider a shortcut
• Advise users that no call or text charges will be incurred and that phone numbers are not visible to IT technical staff
• On enabling, email to smartphone will be disabled (until Set-up)

Lessons Learned and Tips – MFA Admin
• MFA Admin GUI is poor – can only filter by MFA status
  • A separate spreadsheet of users is required (breakdown per Dept etc.)
• Consider disabling the “Use code from the App” option – no requirement for it
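Since the admin GUI only filters by MFA status, the per-department breakdown the slides keep in a spreadsheet can be generated directly from the tenant instead. The script below is an added example, not from the presentation or AIT; it uses the MSOnline module, the function name `Get-MfaReport` is our own, and the output path is a placeholder.

```powershell
# Added example (not from the presentation): export per-user MFA status and default
# verification method, grouped by department, for roll-out tracking.
# MSOnline module; the CSV path is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for Global Admin credentials

function Get-MfaReport {
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        $req     = $_.StrongAuthenticationRequirements
        $default = $_.StrongAuthenticationMethods | Where-Object { $_.IsDefault }

        # 'Disabled' = not yet enabled; 'Enabled' = enabled but set-up not done;
        # 'Enforced' = user has completed set-up
        $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
        # MethodType values include PhoneAppNotification, PhoneAppOTP,
        # OneWaySMS and TwoWayVoiceMobile (the four options on the service settings page)
        $method = if ($default) { $default.MethodType } else { '' }

        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            Department        = $_.Department
            MfaState          = $state
            DefaultMethod     = $method
        }
    }
}

$report = Get-MfaReport

# Per-department summary: how many accounts are at each state
$report | Group-Object Department, MfaState |
    Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# Full list for the tracking spreadsheet (placeholder path)
$report | Sort-Object Department, UserPrincipalName |
    Export-Csv -Path '.\mfa-status.csv' -NoTypeInformation
```

The Enabled-but-not-Enforced rows are the ones worth chasing during a roll-out phase: those users have been switched on but have not yet completed set-up, and their smartphone email will be failing until they do. The DefaultMethod column also shows how many users chose the "code via App" option that the slides suggest disabling.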
In summary…. Azure MFA is….
IT Security Benefits
Implementation overhead
Test……. What have you learned?
We have learned that:
Azure MFA is _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ a 3rd level Institution, and _ _ _ _ _ _ _ _ _ _ _ _ for IT security & data protection!
(Answers: “one small step for” / “one giant leap”)
Any Questions?
Thank you for listening….