
Multi Factor Authentication & Self Password Reset

Prepared by: Mohammad Asmayal Jawad

https://ca.linkedin.com/in/asmayal

August 14, 2017


Page | 1 Of 22

Table of Contents

Selectable Verification Methods ................................................................................................................... 2

Set up multi-factor authentication in the O365AdminCenter ...................................................................... 3

Modify MFA Settings for a user ...................................................................................................................... 4

MFA Setup on user End ................................................................................................................................. 5

Fraud Alert .................................................................................................................................................... 6

View fraud reports ........................................................................................................................................ 8

One-time bypass ........................................................................................................................................... 8

Custom voice messages ................................................................................................................................ 8

Set up a custom message .......................................................................................................................... 9

Caching in Azure Multi-Factor Authentication ............................................................................................. 9

Set up caching ........................................................................................................................................... 9

Trusted IPs..................................................................................................................................................... 9

App Passwords ............................................................................................................................................ 10

Important things to know about app passwords .................................................................................... 10

Configuring Self Password Reset................................................................................................................. 11

Self Password Registration .......................................................................................................................... 14

Password Reset Registration Steps ............................................................................................................. 14

Steps to Reset Password using Self Reset Password ................................................................................... 16

Reference .................................................................................................................................................... 18


Selectable Verification Methods

You can choose which verification methods are available for your users. The table below provides a brief overview of each method. When your users enroll their accounts for MFA, they choose their preferred verification method out of the options that you enabled.

Method - Description

Call to phone - Places an automated voice call. The user answers the call and presses # on the phone keypad to authenticate. This phone number is not synchronized to on-premises Active Directory.

Text message to phone - Sends a text message containing a verification code. The user is prompted to either reply to the text message with the verification code or to enter the verification code into the sign-in interface.

Notification through mobile app - Sends a push notification to your phone or registered device. The user views the notification and selects Verify to complete verification. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.

Verification code from mobile app - The Microsoft Authenticator app generates a new OATH verification code every thirty seconds. The user enters this verification code into the sign-in interface. The Microsoft Authenticator app is available for Windows Phone, Android, and iOS.


Set up multi-factor authentication in the O365AdminCenter

1. Sign in to the O365 Portal with your work or school account.
2. Go to the Office 365 Admin Center.
3. Navigate to Users > Active users.
4. In the Office 365 admin center, click More > Setup azure multi-factor auth.
5. Find the user or users who you want to enable for MFA. In order to see all the users, you might need to change the Multi-Factor Auth status view at the top. The views have the following values based on the MFA state of the users:

o Any - Displays all users. This is the default view.
o Enabled - The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
o Enforced - The user may or may not have completed registration. If they have completed the registration process, then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in.

6. Check the check box next to the users you want to enable. On the right user info pane, under quick steps you'll see Enable and Manage user settings. Choose Enable. In the dialog box that opens, click enable multi-factor auth.


Click Enable, then click Enable multi-factor auth.

Modify MFA Settings for a user

Go to the Office Portal > Users > Active Users > More > Setup Azure Multi-Factor Authentication.


Locate the user that you want to modify, then click Manage user settings; the settings below are available for managing that user.

MFA Setup on the user end

After MFA is enabled for the user in the O365 console, the end user must follow the steps below to assign a mobile number for the MFA service.

1. Log in to the Office Portal.
2. The user is notified that MFA must be set up.
3. Select the MFA method.
4. Assign the way the verification code is received, and assign your mobile number.

The user-end configuration is now complete: from this point on, after the user types the password, the system asks for the verification code.

Fraud Alert

Fraud alert can be configured and set up so that your users can report fraudulent attempts to access their resources. Users can report fraud either with the mobile app or through their phone.


Turn on fraud alert

1. Sign in to the Azure Portal as an administrator.
2. Navigate to Azure Active Directory > MFA Server > Fraud alert.
3. Turn Allow users to submit fraud alerts to On.
4. Select Save.

Configuration options

• Block user when fraud is reported - If a user reports fraud, their account is blocked.

• Code to report fraud during initial greeting - When users receive a phone call to perform two-step verification, they normally press # to confirm their sign-in. If they want to report fraud, they enter a code before pressing #. This code is 0 by default, but you can customize it.

Overview of the Azure MFA service features:

Feature - Description

Fraud alert - Fraud alert can be configured and set up so that your users can report fraudulent attempts to access their resources.

One-time bypass - A one-time bypass allows a user to authenticate a single time by "bypassing" multi-factor authentication.

Custom voice messages - Custom voice messages allow you to use your own recordings or greetings with multi-factor authentication.

Caching - Caching allows you to set a specific period so that subsequent authentication attempts succeed automatically.

Trusted IPs - Administrators of a managed or federated tenant can use Trusted IPs to bypass two-step verification for users that sign in from the company's local intranet.

App passwords - An app password allows an application that is not MFA-aware to bypass multi-factor authentication and continue working.

Remember Multi-Factor Authentication - Allows you to remember devices for a set number of days after a user has successfully signed in using MFA.

Selectable verification methods - Allows you to choose the authentication methods that are available for users to use.

View fraud reports

1. Sign in to the Azure Portal.
2. On the left, select Active Directory.
3. Select the directory you want to manage.
4. Select Configure.
5. Under Multi-Factor Authentication, select Manage service settings.
6. At the bottom of the Service Settings page, select Go to the portal.
7. In the Azure Multi-Factor Authentication Management Portal, under View a Report, click Fraud Alert.
8. Specify the date range that you wish to view in the report. You can also specify usernames, phone numbers, and the user's status.
9. Click Run. This brings up a report of fraud alerts. Click Export to CSV if you wish to export the report.

One-time bypass

A one-time bypass allows a user to authenticate a single time without performing two-step verification. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can enable a one-time bypass so the user can access the desired resource.

Create a one-time bypass

1. Sign in to the Azure Portal as an administrator.
2. Navigate to Azure Active Directory > MFA Server > One-time bypass.
3. Select Add.
4. If necessary, select the replication group for this bypass.
5. Enter the username (in the form user@domain), the number of seconds that the bypass will exist, and the reason for the bypass.
6. Select Add. The time limit goes into effect immediately, so the user needs to sign in before the one-time bypass expires.

View the one-time bypass report

1. Sign in to the Azure Portal.
2. On the left, select Active Directory.
3. Select the directory you want to manage.
4. Select Configure.
5. Under Multi-Factor Authentication, select Manage service settings.
6. At the bottom of the Service Settings page, select Go to the portal.
7. In the Azure Multi-Factor Authentication Management Portal, under View a Report, click One-Time Bypass.
8. Specify the date range that you wish to view in the report. You can also specify usernames, phone numbers, and the user's status.
9. Click Run. This brings up a report of bypasses. Click Export to CSV if you wish to export the report.

Custom voice messages

Custom voice messages allow you to use your own recordings or greetings for two-step verification. These can be used in addition to, or to replace, the Microsoft recordings. Before you begin, be aware of the following:

• The supported file formats are .wav and .mp3.

• The file size limit is 5 MB.

• Authentication messages should be shorter than 20 seconds. Anything longer than this could cause the verification to fail, because the user may not respond before the message finishes, causing the verification to time out.

Set up a custom message

1. Sign in to the Azure Portal as an administrator.
2. Navigate to Azure Active Directory > MFA Server > Phone call settings.
3. Select Add greeting.
4. Choose the type of greeting and the language.
5. Select an .mp3 or .wav sound file to upload.
6. Select Add.

Caching in Azure Multi-Factor Authentication

Caching allows you to set a specific period so that subsequent authentication attempts within that period succeed automatically. This is primarily used when on-premises systems such as a VPN send multiple verification requests while the first request is still in progress; the subsequent requests then succeed automatically once the user completes the first verification. Caching is not intended to be used for sign-ins to Azure AD.

Set up caching

1. Sign in to the Azure Portal as an administrator.
2. Navigate to Azure Active Directory > MFA Server > Caching rules.
3. Select Add.
4. Select the cache type from the dropdown list, and specify the number of max cache seconds.
5. If necessary, select an auth type and specify an application.
6. Select Add.

Trusted IPs

Trusted IPs is a feature of Azure MFA that administrators of a managed or federated tenant can use to bypass two-step verification for users that are signing in from the company's local intranet. This feature is available with the full version of Azure Multi-Factor Authentication, not the free version for administrators. For details on how to get the full version of Azure Multi-Factor Authentication.
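Every Trusted IP range is an exemption from two-step verification, so it is worth being able to answer "which sign-ins would skip MFA under this list?" before saving it. The following Python is an added example (not code from this guide or from Microsoft) that models the browser-flow rule this section describes: with Trusted IPs enabled, a sign-in whose source address falls in a listed range is exempt, otherwise MFA is required, and with the feature disabled MFA is always required. It also applies the entry rules given in the enable steps below (network/prefix CIDR entries such as x.x.x.0/24 or x.x.x.x/32, at most 50 of them) and flags exemptions wider than /24, a review threshold that is my own assumption; the addresses are constructed documentation ranges.

```python
import ipaddress
from typing import Iterable, List, Tuple

MAX_TRUSTED_RANGES = 50     # limit stated in the guide
REVIEW_IF_WIDER_THAN = 24   # assumption: anything broader than a /24 gets a review finding


def trusted_ip_errors(entries: Iterable[str]) -> List[str]:
    """Problems with the lines as typed into the Trusted IPs text box, without raising.
    Entries with host bits set (e.g. 203.0.113.5/24) are reported, since the box
    expects network/prefix forms such as x.x.x.0/24 or x.x.x.x/32."""
    cleaned = [e.strip() for e in entries if e.strip()]
    errors = []
    if len(cleaned) > MAX_TRUSTED_RANGES:
        errors.append(f"{len(cleaned)} ranges entered; the limit is {MAX_TRUSTED_RANGES}")
    for entry in cleaned:
        try:
            ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            errors.append(f"{entry}: {exc}")
    return errors


def parse_trusted_ips(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the Trusted IPs list, refusing to build a policy from invalid input."""
    errors = trusted_ip_errors(entries)
    if errors:
        raise ValueError("; ".join(errors))
    return [ipaddress.IPv4Network(e.strip(), strict=True) for e in entries if e.strip()]


def mfa_required(source_ip: str, trusted: List[ipaddress.IPv4Network],
                 trusted_ips_enabled: bool = True) -> bool:
    """True when a browser sign-in from source_ip must complete two-step verification.
    Feature disabled: every sign-in needs MFA. Feature enabled: only sign-ins whose
    source address is inside a listed range are exempted."""
    if not trusted_ips_enabled:
        return True
    ip = ipaddress.IPv4Address(source_ip)
    return not any(ip in net for net in trusted)


def signins_needing_mfa(events: List[Tuple[str, str]], trusted: List[ipaddress.IPv4Network],
                        trusted_ips_enabled: bool = True) -> List[Tuple[str, str]]:
    """Run a batch of (user, source_ip) sign-in events through the policy."""
    return [(u, ip) for u, ip in events if mfa_required(ip, trusted, trusted_ips_enabled)]


def audit_trusted_ips(trusted: List[ipaddress.IPv4Network]) -> List[str]:
    """Defender's review findings: each range exempts every address inside it, so the
    whole internet or anything wider than the assumed /24 threshold is flagged."""
    findings = []
    for net in trusted:
        if net.prefixlen == 0:
            findings.append(f"{net}: exempts every source address from MFA")
        elif net.prefixlen < REVIEW_IF_WIDER_THAN:
            findings.append(f"{net}: /{net.prefixlen} exempts {net.num_addresses} addresses; "
                            "confirm it is only the corporate egress")
    return findings


if __name__ == "__main__":
    # Constructed sample: two corporate egress entries and a few sign-ins.
    policy = parse_trusted_ips(["203.0.113.0/24", "198.51.100.17/32"])
    events = [("alice", "203.0.113.77"), ("bob", "198.51.100.17"),
              ("carol", "198.51.100.18"), ("dave", "192.0.2.9")]
    for user, ip in signins_needing_mfa(events, policy):
        print(f"{user} from {ip}: two-step verification required")
    for finding in audit_trusted_ips(parse_trusted_ips(["0.0.0.0/0", "203.0.113.0/24"])):
        print("review:", finding)
```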

Type of Azure AD Tenant - Available Trusted IP options

Managed - Specific IP address ranges: Administrators can specify a range of IP addresses that can bypass two-step verification for users that are signing in from the company's intranet.

Federated - All Federated Users: All federated users who are signing in from inside the organization will bypass two-step verification using a claim issued by AD FS. Specific IP address ranges: Administrators can specify a range of IP addresses that can bypass two-step verification for users that are signing in from the company's intranet.

This bypass only works from inside a company's intranet. For example, if you selected all federated users, and a user signs in from outside the company's intranet, that user must authenticate using two-step verification even if the user presents an AD FS claim.

End-user experience inside corpnet

When Trusted IPs is disabled, two-step verification is required for browser flows, and app passwords are required for older rich client apps. When Trusted IPs is enabled, two-step verification is not required for browser flows, and app passwords are not required for older rich client apps, provided that the user hasn't already created an app password. Once an app password is in use, it remains required.

End-user experience outside corpnet

Whether Trusted IPs is enabled or not, two-step verification is required for browser flows, and app passwords are required for older rich client apps.

To enable Trusted IPs

1. Sign in to the Azure Portal.
2. On the left, select Active Directory.
3. Select the directory you want to manage.
4. Select Configure.
5. Under Multi-Factor Authentication, select Manage service settings.
6. On the Service Settings page, under Trusted IPs, you have two options:

• For requests from federated users originating from my intranet - Check the box. All federated users who are signing in from the corporate network will bypass two-step verification using a claim issued by AD FS.

• For requests from a specific range of public IPs - Enter the IP addresses in the text box provided using CIDR notation. For example: xxx.xxx.xxx.0/24 for IP addresses in the range xxx.xxx.xxx.1 to xxx.xxx.xxx.254, or xxx.xxx.xxx.xxx/32 for a single IP address. You can enter up to 50 IP address ranges. Users who sign in from these IP addresses bypass two-step verification.

7. Click Save.
8. Once the updates have been applied, click Close.

App Passwords

Some apps, like Office 2010 or older and Apple Mail, don't support two-step verification. They aren't configured to accept a second verification. To use these apps, you need to use "app passwords" in place of your traditional password. The app password allows the application to bypass two-step verification and continue working.

Important things to know about app passwords

The following is an important list of things that you should know about app passwords.

• App passwords should only need to be entered once per app. Users don't have to keep track of them and enter them every time.


• The actual password is automatically generated and is not supplied by the user, because an automatically generated password is harder for an attacker to guess and is therefore more secure.

• There is a limit of 40 passwords per user.

• Apps which cache passwords and use them in on-premises scenarios might start failing, since the app password isn't known outside of the organizational ID. An example is Exchange email that is on-premises while the archived mail is in the cloud: the same password doesn't work.

• Once multi-factor authentication is enabled on a user's account, app passwords can be used with most non-browser clients such as Outlook and Lync, but administrative actions cannot be performed using app passwords through non-browser applications such as Windows PowerShell, even if that user has an administrative account. Ensure you create a service account with a strong password to run PowerShell scripts, and do not enable that account for two-step verification.

Configuring Self Password Reset

Self-service password reset (SSPR) offers a simple means to empower users to reset or unlock their passwords or accounts. The system includes detailed reporting to track when users use the system, along with notifications to alert you to misuse or abuse.

1. From your existing Azure AD tenant, select "Password reset".
2. From the "Properties" screen, under the option "Self Service Password Reset Enabled", choose one of the following:

• Nobody - No one can use SSPR functionality

• A group - Only members of a specific Azure AD group that you choose can use SSPR functionality

• Everybody - All users with accounts in your Azure AD tenant can use SSPR functionality


The group used in this example is called Self Password Reset. It is created in the local AD, synced to Azure AD, and then selected here.

Users who are required to use the self password reset feature are made members of this group.

Assign the E5 license to the group via the Azure Portal.


3. From the "Authentication methods" screen choose:

• Number of methods required to reset - We support a minimum of one or a maximum of two

• Methods available to users - We need at least one, but it never hurts to have an extra choice available:
  o Email sends an email with a code to the user's configured authentication email address
  o Mobile Phone gives the user the choice to receive a call or text with a code to their configured mobile phone number
  o Office Phone calls the user with a code to their configured office phone number


Self Password Registration

As an end user, you can reset your password or unlock your account without having to speak to a person, using self-service password reset (SSPR).

Password Reset Registration Steps

Page URL: http://aka.ms/ssprsetup, or from the Office portal select "Forgot password".

1. Open the web browser on your device and go to the password reset registration URL.
2. Enter the username and password provided by your administrator.
3. Depending on how your IT staff have configured things, one or more of the following options are available for you to configure and verify. Your administrator may populate some of this for you if they have your permission to use the information.

• Office phone can only be set by your administrator.

• Authentication Phone should be set to another phone number you have access to, such as a cell phone that can receive a text or call.

• Authentication Email should be set to an alternate email address that you can access without the password you need to reset.

4. When done with all steps, click Finish to complete the password reset registration.


Password reset registration is complete.


Steps to Reset Password using Self Reset Password

URL for self-service password reset: https://passwordreset.microsoftonline.com, or select "Can't access your account" on the O365 portal.


Reference

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication