Microsoft has released a preview of the two-factor authentication feature for Office 365, Windows Azure, Windows Intune and Dynamics CRM Online.
Enable Two-Factor Authentication
- Sign in to Windows Azure (https://manage.windowsazure.com/) with an administrator account
- Go to the Active Directory section on the left and choose Active Auth Providers
- Create a new Active Authentication Provider
- Follow the wizard:
  - Name: anything you want
  - Usage Model: determines the pricing, see http://blogs.msdn.com/b/windowsazure/archive/2013/06/12/introducing-multi-factor-authentication-on-windows-azure.aspx
    - Per authentication: pay by the total number of authentications each month
    - Per user: pay by the number of users with multi-factor authentication enabled
  - Directory: links the provider to your Active Directory tenant
- The new provider is now created and appears in the providers list
- You can NOT change the Usage Model afterwards, but you can change the subscription and the directory associated with the provider by clicking the provider name
Enable Users to Use Two-Factor Authentication
- Go to the Active Directory section on the left, choose Directory and select the Active Directory tenant
- Select the user for whom you want to enable two-factor authentication and scroll down to the Role section, which offers the option Require Multi-Factor Authentication
NOTE: once enabled, the user will no longer be able to sign in to non-browser clients such as Outlook, Lync or PowerShell
- The next time the user logs on, they will be asked to choose one of the multi-factor authentication methods:
  - App Notification: use the Active Authentication smartphone app
  - App One-time password (OTP): use a one-time password generated by the Active Authentication smartphone app
  - Phone Call: a phone call to their mobile or landline phone
  - Text Message: a text message sent to their mobile phone
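The same per-user Require Multi-Factor Authentication setting can also be audited and applied from PowerShell, which is useful for checking that every account you intended to cover actually has the requirement set. This is an added example, not code from the post: it assumes the MSOnline module (the post only uses the portal), an administrator session already opened with Connect-MsolService, and the function names and the Company Administrator role lookup are my own choices.

```powershell
# Added example (not from the original post): audit and set the per-user
# "Require Multi-Factor Authentication" option with the MSOnline module.
# Assumes an admin session opened beforehand with Connect-MsolService.

function Get-UsersWithoutMfa {
    # Licensed users whose StrongAuthenticationRequirements is empty,
    # i.e. MFA is neither Enabled nor Enforced for them.
    Get-MsolUser -All |
        Where-Object { $_.IsLicensed -and -not $_.StrongAuthenticationRequirements } |
        Select-Object UserPrincipalName, DisplayName
}

function Get-MfaState {
    # Returns 'Enabled', 'Enforced' or 'Disabled' for one user.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $req  = $user.StrongAuthenticationRequirements | Select-Object -First 1
    if ($req) { $req.State } else { 'Disabled' }
}

function Enable-MfaForUser {
    # Same effect as ticking "Require Multi-Factor Authentication" in the
    # portal: the user must register a method at their next sign-in.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'      # applies to every application
    $req.State        = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# Usage: report coverage first, then require MFA for every tenant admin
# that does not have it yet (admins are the accounts to protect first).
$missing = @(Get-UsersWithoutMfa)
"{0} licensed user(s) have no MFA requirement" -f $missing.Count
$adminRole = Get-MsolRole -RoleName 'Company Administrator'
foreach ($member in Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId) {
    if ((Get-MfaState -UserPrincipalName $member.EmailAddress) -eq 'Disabled') {
        Enable-MfaForUser -UserPrincipalName $member.EmailAddress
    }
}
```

Run the audit part alone first; enabling the requirement blocks the affected accounts from non-browser clients, as the NOTE above describes, so schedule it with the users concerned.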
End User Multi-Factor Configuration
- Once the user has been enabled for multi-factor authentication, the first time they log on again they will have to choose one of the multi-factor authentication methods
- The first 3 options are phone related (SMS or call), so nothing more is needed than defining which phone number to use
- The last one is Mobile App, which lets the user set up an OTP (One-Time Password)
- A configuration page displays a QR code; this requires installing the Active Authentication app from the app store BEFORE this step (on Windows Phone 7 or 8 it is called Active Auth, publisher PhoneFactor; it is also available for iOS and Android). I added the link to the app for each platform
NOTE: you must enable push notifications to be able to add an account
- Once the app displays 6 digits, click the Done button and let the system check the activation
- Once the activation has been validated, the user will be asked to use the app to allow or deny access to the application
- By default, the system uses the preferred authentication method defined when configuring multi-factor authentication, but of course (if for any reason the user does not have the preferred device at hand) they can choose another one