Active Authentication

Presentation on theme: "Active Authentication"— Presentation transcript:

1 Active Authentication
Microsoft

2 Office 365 End User Training--Student Guide
Agenda
About this Training
Overview of Active Authentication
Considerations of Active Authentication
Configure Active Authentication
Troubleshooting Active Authentication
This agenda slide provides a high-level overview of the main topics covered in this module.

3 Active Authentication Release Course Objectives
About this Training
Active Authentication Release
Course Objectives
This section slide highlights the topics that are discussed in the subsequent slides.

4 Active Authentication Release Release Information
Early preview release is currently slated for June 11
GA is slated for middle of July
KB Articles to be available by preview release date
Policy, Process and Procedures Articles scheduled for availability for early preview
Read escalation procedures carefully
All dates are subject to change.

5 Course Objectives
Define Active Authentication
Understand how Active Authentication works with Office 365
Describe the current Office 365 limitations to Active Authentication
Configure Active Authentication
Troubleshoot Active Authentication
Introduce KB and PPP articles

6 Overview of Active Authentication
Define Active Authentication
Why Active Authentication
Active Authentication Applicability
Active Authentication Methods

7 What is Active Authentication Strong Authentication
Strong Authentication (Strong AuthN)
A higher level of security than standard authentication of user name and password
Requests additional proof (factors) for identity
Factors include:
  Something the user knows
    Ex. – User name and password
  Something the user has
    Ex. – Cell phone, RSA Token
  Something the user “is” (biometric)
    Ex. – Finger print, voice, retinal

8 What is Active Authentication Step-up Authentication
After a user logs into a location using a “low-strength” method they may be required to provide a “high-strength” method to access a high-value resource.
Example:
  Authentication level 1
    Customer connects to MOP and provides User Name and Password to log in.
  Authentication level 2
    After customer logs into Office 365 they connect to SharePoint Online
    Customer must provide User Name and RSA Token password to log in
NOTE: Office 365 does not provide Step-up Authentication at this time

9 What is Active Authentication Contextual Authentication
Contextual Authentication analyzes real-time events about a user's authentication request, such as the time, device, location, network and application, and adjusts the authentication method dynamically based on those events
Office 365 uses Contextual Authentication to provide Active Authentication
  Device – Phone
    Over the Phone (OTP) requires the use of the customer's phone(s)
  Time – used in conjunction with the phone
    OTP request “times out” if not responded to in specified time

10 What is Active Authentication Active Authentication for Office 365
Office 365 Active Authentication includes
  Something the user knows – User Name and Password
  Something the user has – Phone (Office and/or Mobile)
  Contextual Authentication
    Device – Phone
    Time – Phone request “times out” if not responded to in specified time
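
The two factors and the time limit described on slides 9 and 10, modelled as an added example (not part of the original deck and not Microsoft's implementation). All names, the 60-second timeout, the six-digit code and the three-attempt limit are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum

TIMEOUT_SECONDS = 60   # assumed value; the slides only say "specified time"
MAX_ATTEMPTS = 3       # assumed limit; not stated on the slides


class Result(Enum):
    VERIFIED = "verified"
    TIMED_OUT = "no response within the allowed time"
    WRONG_CODE = "unexpected response"
    REJECTED = "challenge already used or locked"


@dataclass
class PhoneChallenge:
    """One verification request sent to a user's registered phone (hypothetical model)."""
    code: str
    issued_at: float
    attempts: int = 0
    closed: bool = False


def issue_challenge(now: float) -> PhoneChallenge:
    # secrets (not random) so the six-digit code is unpredictable
    return PhoneChallenge(code=f"{secrets.randbelow(10**6):06d}", issued_at=now)


def verify(ch: PhoneChallenge, response: str, now: float) -> Result:
    """Second-factor check: right code, inside the time window, used once."""
    if ch.closed:
        return Result.REJECTED
    if now - ch.issued_at > TIMEOUT_SECONDS:
        ch.closed = True                  # time is part of the context
        return Result.TIMED_OUT
    ch.attempts += 1
    # constant-time comparison avoids leaking how many digits matched
    if hmac.compare_digest(ch.code.encode(), response.encode()):
        ch.closed = True                  # single use: a replayed code is rejected
        return Result.VERIFIED
    if ch.attempts >= MAX_ATTEMPTS:
        ch.closed = True                  # stop repeated guessing against one challenge
    return Result.WRONG_CODE


def sign_in(password_ok: bool, ch: PhoneChallenge, response: str, now: float) -> bool:
    """Both factors are required: something the user knows and something the user has."""
    return password_ok and verify(ch, response, now) is Result.VERIFIED
```
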

11 Why Provide Active Authentication Additional Security Needs
Passwords are not enough
Windows Azure AD is used for multiple online services
Growing need for stronger security measures for identities and high value resources
Competition is driving expectation for Strong AuthN
Increased use of mobile access demands stronger seamless security measures
Compliance of federal and other security certifications

12 Why Provide Active Authentication Why use phones
Phones are extremely difficult to duplicate
Phone numbers are extremely difficult to intercept
Widely adopted personal device that is normally carried everywhere by employees/students
Prevents additional IT costs of hardware
  RSA security tokens
  Smart Cards

13 Lesson Review
Q-1: What factors (proof) can be used for Strong AuthN?
A-1: Something the user knows; Something the user has; Something the user “is” (biometric)
Q-2: What two items are used by Office 365 for Contextual Authentication?
A-2: Phone and Time
13 | Microsoft Confidential

14 Lesson Review
Q-3: Define OTP?
A-3: Over the Phone.
Q-4: Why does Office 365 use phones to provide Active Authentication?
A-4: Phone duplication, phone number intercept, carried by all, and IT cost.

15 Considerations of Active Authentication
Accounts that can use Active Authentication
Supported applications
Future supported features

16 Active Authentication Supported vs. Non-supported
Administrator and User accounts
  User accounts can be configured with Active Authentication through the Azure AD Portal
Existing on-premises multi-factor authentication
Not supported
  Rich client application
  Outlook and Lync
  MOP, Windows Intune and PowerShell Cmdlets
  “Access denied” error received when using Lync-based IP phone
NOTE: Current non-supported features may be available in future releases

17 Active Authentication Existing on-premises multi-factor authentication
Existing on-premises multi-factor authentication is supported
Able to use on-premises multi-factor authentication to access Microsoft Cloud Services
Cannot use Active Authentication built into Windows Azure AD for federated admin accounts that use on-premises multi-factor authentication

18 Active Authentication Phone Options
Voice with mobile phone
  A voice asks admin to press # to confirm
Voice with office phone
SMS (default)
  Text is sent to Mobile phone with instructions
Phone application
  A push notification is sent to the phone via an application

19 Active Authentication Phone Application
Title: Active Authentication Application
Formerly known as PhoneFactor
Notifies you of a pending verification request by popping an alert on your mobile device
Tap Approve or Deny
May require you to enter a passcode in the application

20 Active Authentication Admin account Best Practice
Leave one admin account with Active Authentication disabled.
Recommended: Should always have more than one admin account
An Active Authentication disabled admin account is needed for:
  Rich client applications, such as PowerShell
  Backup account to modify/unlock Active Authentication enabled admin accounts

21 Lesson Review
Q-1: What type of account(s) can be configured for Active Authentication?
A-1: Administrator and User accounts
Q-2: List the non-supported applications.
A-2: Outlook, Lync, Windows Intune, PowerShell, Lync IP Phone.

22 Lesson Review
Q-3: What must be selected when confirming a voice call to your phone?
A-3: The # must be selected on your phone.
Q-4: True or false, at least one admin account should not use Active Authentication?
A-4: True. A non Active Authentication admin account can be used for password/phone management and PowerShell.

23 Configuration of Active Authentication
Enable Active Authentication
Disable Active Authentication

24 Enable/Disable Active Authentication Portal
Customers can only purchase and enable Active Authentication from Azure AD.
There is a link from MOP to connect to Azure AD.
Once enablement is completed, customers can return to MOP by clicking a return arrow.
Note: This training will be updated before GA with the necessary screenshots.

25 Activate Active Authentication Portal
Access MOP
Click Users or User and Groups
Click Setup under “Set stronger verification requirements”

26 Activate Active Authentication Portal
Choose the correct administrator group
Select account(s)
Click Enable

27 Activate Active Authentication Portal
Click Yes in the “Enable multi-factor verification?” pop-up window.
Click Close to accept update notification.

28 De-activate Active Authentication Portal
Access MOP
Click Users or User and Groups
Click Setup under “Set stronger verification requirements”

29 De-activate Active Authentication Portal
Choose the correct administrator group
Select account(s)
Click Disable

30 Configure Active Authentication Setup
Admin must log in to configure their account for the first time.
Access MOP
Sign in with recently enabled Active Authentication account
Click Set it up now

31 Activated Active Authentication Select Primary Phone
Select phone type
Select Country or Region
  NOTE: Not all countries are listed at this time
Enter phone number
Select Text me instead of calling to enable SMS
  Note: Only Mobile Phone type enables the text option.

32 Activated Active Authentication Select Backup Phone
Select phone type
Enter phone number
Select Text me instead of calling to enable SMS
Click Save

33 Activated Active Authentication Verification
Verify phone
Phone(s) will receive a call or text depending on the selection
  Click # when prompted
  Follow text instructions
Click Close after verification is completed successfully and when prompted

34 Active Authentication Phone Application - Activation
Tenant Admin provides one of the following: Activation Code QR Code URL
Enter information into app or scan QR code
Possible to activate multiple companies and accounts.

35 Lesson Review
Q-1: What should be selected in order to send a text message to a phone number?
A-1: Select Text me instead of calling to enable SMS.
Q-2: True or False, all countries are listed in the Select Country or Region field.
A-2: False, the countries are limited at this time.

36 Troubleshoot Active Authentication
Disable Active Authentication from Admin reduced to User
Additional phone numbers
Verification issues

37 CAP Coding CAP Issue codes
The following Issue Codes have been added to CAP to track MFA issues.
  Single Sign On\Two Factor Sign On Failed
  Single Sign On\Setting Up Two-Factor authentication
  Azure AD Multifactor Authentication
  Azure AD Multifactor Authentication Reset

38 Admin Reduced to User Disable Active Authentication for User
If an Active Authentication Admin account is reduced to a User account, Active Authentication remains enabled for the account.
Promote the user to Administrator role
Disable Active Authentication from multi-factor authentication page
Demote user back to User role
KB: Removing multi-factor (Active Authentication) authentication for Administrator user account.

39 Update Phone Settings Primary and Backup Phone
Log into Portal
Click your user name at the top-right corner of the page and then click My profile.
Click Change additional security verification settings.
Under primary phone, type your phone number.
Click Save.
Recommended: Use mobile phone as primary phone
KB: How to Add or Change multi-factor (Active Authentication) authentication security verification phone settings

40 No Response on Phone No Call or Text Message
Verify phone is cell or land line
  IP phones not supported
Try again using backup number
Request admin disable Active Authentication
  After Active Authentication is disabled, user can login with user name and password
  Active Authentication re-enabled, user must complete configuration process again
KB: Administrator with multi-factor (Active Authentication) authentication enabled is not receiving text message or voice message that contains authentication code

41 Password/Phone Reset Password or Phone Reset
SE should follow the standard password reset policy and only reset account if there is one admin.
Support must wait 72 hours to perform a password or phone reset if a phone reset has previously been requested.
Follow KB article “How and when to reset multifactor authentication” to submit a SWT request to reset the phone

42 Locked out Only One Admin Account
SE should follow the standard password reset policy and only reset account if there is one admin.
If additional admins, redirect customer to another admin
If only one admin, escalate using SWT

43 Multiple Prompts During Configuration Setup Does Not Complete
Customer is prompted multiple times during phone configuration
Wait a few seconds then click browser refresh button

44 Error 0x800434D4L PowerShell cmdlet error
Administrator with multi-factor authentication (Active Authentication) enabled is getting 0x800434D4L when trying to run Windows Azure Active Directory Module for Windows PowerShell cmdlets.
Active Authentication does not support rich client applications at this time
Use non Active Authentication enabled account to run PowerShell cmdlets
KB: Administrator with multi-factor authentication (Active Authentication) enabled receives error 0x800434D4L when running Windows Azure Active Directory Module for Windows PowerShell cmdlets

45 Federated Admins unable to use Active Authentication with federated admin accounts
Federated admin accounts are not able to use Active Authentication at this time.
Active Authentication may be enabled for a federated admin account
Admin account is not re-directed to proof page to Add multi-factor (Active Authentication) authentication security verification phone settings
KB: Removing Federated Administrator with multi-factor authentication (Active Authentication) enabled, never redirected to the proof page resulting in Active Authentication not being enforced for Federated administrator accounts.

46 Account verification system is having trouble Unable to provide Active Authentication verification
Administrator is receiving error message when trying to login with Active Authentication enabled.
“Sorry, our account verification system is having trouble. This could be temporary, but if you see it again, you might want to contact your admin. User2WaySMSAuthFailedWrongCodeEntered 0”
Verify correct code is entered
Try backup or primary phone number.
Disable, re-enable Active Authentication on affected account
KB: Administrator with Active Authentication enabled receives message "User2WaySMSAuthFailedWrongCodeEntered 0".

47 “We did not receive a response” Active Authentication page times out
Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive a response. Please try again.”
  Customer did not receive Active Authentication request on phone
  User authentication failed due to duplicate request
Verify phone numbers provided are correct
KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.”

48 “We did not receive the expected response” Incorrect Active Authentication credentials provided
Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again.”
  User SMS authentication failed due to wrong SMS Code being entered.
  User Voice authentication failed due to phone being hung up prior to entering #
Verify that correct SMS authentication code is being entered
Try a different preconfigured phone number
KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We did not receive the expected response. Please try again.”

49 “Unable to reach your phone” Choose another option
Error: “We were unable to reach your phone. Please choose another verification option”
  User SMS voice authentication failed due to invalid phone extension
  User Voice authentication failed due to invalid phone number format
Verify the correct phone number and extension is entered correctly
Try a different preconfigured phone number
KB: Administrator with Active Authentication enabled receives message “We did not receive a response. Please try again.”

50 “Unable to reach your phone” Try again
Error: “We were unable to reach your phone. Please try again.”
  User Voice authentication failed due to provider could not send the call
  User Voice authentication failed due to provider could not send the SMS message
Verify phone is working and service is available
Try a different preconfigured phone number
KB: Administrator with multi-factor authentication (Active Authentication) enabled receives message “We were unable to reach your phone. Please try again.”

51 Module Summary
Office 365 supports Active Authentication
  Only admin accounts can use Active Authentication
  Customer can use a mobile or office phone
  Voice or text can be sent to the phones
Non-supported items
  Rich client applications
  Lync-based IP Phone

52 Assessment Questions Access the GCSLearn site and take the assessment
Work alone
Open book
  You may use the courseware to assist in answering questions
Time to complete: 10 questions – 10 minutes

53 Survey
Congratulations on completing the Active Authentication training. Please complete the 10-minute O365 Active Authentication Instruction Survey Form. The survey is anonymous so please be as honest as possible. Your feedback is very valuable as we strive to make the material better for every delivery.

54 4/19/ :27 PM © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

