Office 365 Multi-Factor Authentication requirements explained

Short version

Multi-Factor Authentication (MFA) in Office 365 depends on Modern Authentication, which is OAuth 2.0 via ADAL, authenticating the user against Azure AD

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (OAuth 2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
    • MFA, also called two-step verification, is a method of authentication that requires more than one verification method, such as the password combined with the Azure Authenticator app, an SMS or a phone call verification
  • What is Modern Authentication?
    • Modern Authentication is OAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
    • Office 2013 supports Modern Authentication from the March 2015 update onward; in Office 2016 it is enabled by default and uses an in-application browser control to render the Azure AD sign-in experience
  • What is OAuth?
    • Open Authentication 2.0 (OAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers, or between clients and servers
  • What is ADAL?
    • The Microsoft Azure Active Directory Authentication Library (ADAL) is a .NET framework library that lets client applications authenticate users to Office 365 and Azure AD
  • Two options are available for SSO with on-premises AD when Modern Authentication is required
    • Pass Through Authentication (PTA)
      • Works with Office 365 only
      • Enabled on the latest Azure AD Connect (AADC) with an outbound connection only, no DMZ server
      • Just set up several AADC instances and they are automatically load balanced, resulting in low operational cost
      • Does not store the password in Azure AD; authenticates the user in on-premises AD first and presents MFA after that if enabled
      • In combination with password sync you are not dependent on AADC uptime
    • ADFS 3.0
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business Server hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give the MFA pop-up when authenticating to Exchange Online
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires MFA Server
        • For the best Azure MFA result an online-only deployment is recommended
      • ADFS is best for larger organizations
      • More complex and requires proxy servers in the DMZ with a public IP and certificate
      • Requires a load balancer for high availability
      • Is required when doing MFA with smart cards, 3rd party tokens and certificate-based authentication
  • You can now use Microsoft Intune to control MFA options and turn off MFA for certain subnets and conditions
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles protected by an MFA-enabled identity with centrally controlled delegation
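Since MFA only works once Modern Authentication is switched on, the following is an added check script (not from the original post) that verifies the tenant-level prerequisite and lists enabled users with no per-user MFA requirement, flagging admin role members first. It assumes the MSOnline module is installed and that a remote Exchange Online PowerShell session (providing Get-OrganizationConfig) has already been imported; the Skype for Business Online check only runs if its cmdlet is available.

```powershell
# Added example, not from the original post. Assumes MSOnline module + an imported
# Exchange Online remote session; Get-CsOAuthConfiguration is checked for before use.
Connect-MsolService            # prompts for Office 365 admin credentials

# Exchange Online: OAuth2ClientProfileEnabled is the Modern Authentication switch
$exo = Get-OrganizationConfig
if (-not $exo.OAuth2ClientProfileEnabled) {
    Write-Warning 'Modern Authentication is OFF for Exchange Online: Outlook will not get the Azure AD MFA sign-in experience'
}
# Skype for Business Online: ADAL must be allowed or the client falls back to legacy auth
if (Get-Command Get-CsOAuthConfiguration -ErrorAction SilentlyContinue) {
    $sfb = Get-CsOAuthConfiguration
    if ($sfb.ClientAdalAuthOverride -eq 'Disallowed') {
        Write-Warning 'Modern Authentication is disallowed for Skype for Business Online clients'
    }
}

# Per-user MFA: StrongAuthenticationRequirements is empty unless MFA is Enabled or Enforced.
# MFA applied through a conditional access policy does not show up in this property.
$report = Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
    $req   = $_.StrongAuthenticationRequirements
    $state = if ($req.Count -gt 0) { $req[0].State } else { 'Disabled' }
    New-Object PSObject -Property @{
        UserPrincipalName = $_.UserPrincipalName
        MfaState          = $state
        Methods           = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        IsAdmin           = $false
    }
}

# Members of any directory role are the highest-risk accounts to leave without MFA
$admins = Get-MsolRole | ForEach-Object { Get-MsolRoleMember -RoleObjectId $_.ObjectId } |
    Select-Object -ExpandProperty EmailAddress | Sort-Object -Unique
foreach ($r in $report) { $r.IsAdmin = ($admins -contains $r.UserPrincipalName) }

$report | Where-Object { $_.MfaState -eq 'Disabled' } | Sort-Object IsAdmin -Descending |
    Format-Table UserPrincipalName, IsAdmin, Methods -AutoSize
```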


Best Practices for Active Directory Schema changes

Any Post starting with this disclaimer means that this post was not written by me however I liked it and added to my blog to easily find it later. I will also include the link to the original or similar post to provide credit to the original author.

First off, a quick review of the AD schema, what it is and the function it performs. The Schema is essentially the “database” that AD resides in, so when we say things like “extending the schema” we mean the same thing any SQL DBA would mean – we are adding additional object attributes to AD. These new additions allow features in products that were not previously there to store their settings in Active Directory. Some of the recent Schema extensions you will see:

  • Exchange 2007 SP2 requires schema extension.
  • Exchange 2010 requires schema extension.
  • OCS 2007 R1 or R2 require schema extension.

Additionally, while not an extension, these best practices also apply before raising your forest or domain functional levels.

Step One – Determine your Schema Master FSMO role holder

  1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
  2. Type roles, and then press ENTER.
  3. Type connections, and then press ENTER.
  4. Type connect to server <servername>, where servername is the name of the server you want to use, and then press ENTER.
  5. At the server connections prompt, type q, and then press ENTER again
  6. At the FSMO maintenance prompt, type Select operation target, and then press ENTER again.
  7. At the select operation target prompt, type List roles for connected server, and then press ENTER again.
  8. This will display all 5 FSMO roles. The one that has Schema is the one we need to back up.
  9. Type q 3 times to exit the Ntdsutil prompt.

Step Two – Ensure you have your DSRM password

  1. Most of the time, even if this password is known, it has not been changed in a long time and is likely due for a change.
  2. Follow the instructions to reset the DSRM password from KB322672
  3. This allows your backup to be authoritatively restored in case you need to. Without the correct password, your backup may not be usable.

Step Three – Take a system state backup (or two)

  1. Take a system state backup with ntbackup.exe (Windows 2003) or Windows Server Backup (Windows 2008) if you are more comfortable with Microsoft restore procedures.
  2. Take another backup using whatever third party vendor product you typically use, if you are more comfortable with their restore procedures.
  3. It is recommended to take BOTH of the above for the Schema Master FSMO role holder.

While I have YET to run into any issues or problems with Schema extensions, if I ever did, I know I want a really good backup or two!
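As an added example (not part of the original post), the script below automates Steps One and Three: it locates the Schema Master, records a baseline of the schema (version plus attribute and class counts, so a later diff shows exactly what an extension added), and then takes the system state backup. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later) and Windows Server Backup are present on the Schema Master; E: and C:\SchemaBaseline are placeholder paths.

```powershell
# Added example, not from the original post. Assumes ActiveDirectory module + wbadmin;
# E: and C:\SchemaBaseline are placeholders.
Import-Module ActiveDirectory

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster                      # FQDN of the Schema Master FSMO holder
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$schemaObj    = Get-ADObject -Identity $schemaNC -Server $schemaMaster -Properties objectVersion

# Count attributes and classes now; compare after the extension to see what was added
$attrCount  = @(Get-ADObject -SearchBase $schemaNC -Server $schemaMaster -LDAPFilter '(objectClass=attributeSchema)').Count
$classCount = @(Get-ADObject -SearchBase $schemaNC -Server $schemaMaster -LDAPFilter '(objectClass=classSchema)').Count

$baseline = New-Object PSObject -Property @{
    SchemaMaster   = $schemaMaster
    SchemaVersion  = $schemaObj.objectVersion               # e.g. 44 = Server 2008, 47 = 2008 R2
    ForestMode     = $forest.ForestMode
    AttributeCount = $attrCount
    ClassCount     = $classCount
    Taken          = Get-Date
}
New-Item -ItemType Directory -Path C:\SchemaBaseline -Force | Out-Null
$baseline | Export-Clixml "C:\SchemaBaseline\$(Get-Date -Format yyyyMMdd-HHmm).xml"
$baseline | Format-List

# The system state backup has to be taken on the Schema Master itself
if ($env:COMPUTERNAME -ine ($schemaMaster -split '\.')[0]) {
    throw "Run this on the Schema Master ($schemaMaster), not on $env:COMPUTERNAME"
}
wbadmin start systemstatebackup -backupTarget:E: -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; do not extend the schema yet"
}
```

Run it again after the extension and compare the two baseline files; objectVersion only changes for Windows schema upgrades, so the attribute and class counts are what reveal an Exchange or OCS extension.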

Migrate from Server 2000 DC to Server 2008 DC

I was doing some research before a domain migration at a customer site when I found this great forum post over at the techarena forum.

The general steps to migrate from Windows Server 2000 to Windows Server 2008 are almost the same as the steps to migrate from Windows Server 2003 to Windows Server 2008.

Old server: Windows Server 2000 box
New server: Windows Server 2008 box

  1. Verify that Windows 2000 SP4 has been installed on the old server and Windows Server 2008 SP1 has been installed on the new server. Note: the domain functional level should be in Windows 2000 native mode for the Windows 2000 domain
  2. Upgrade the Windows 2000 forest schema by running the “adprep /forestprep” command on the old server. Note: you can copy the adprep folder from the Windows Server 2008 installation disc to the old server to run “adprep /forestprep”. The location is \source\adprep on the installation disc.
  3. Upgrade the Windows 2000 domain schema by running the “adprep /domainprep” command on the old server
  4. Verify that the new server’s TCP/IP configuration points to the existing DNS server.
  5. Add the new server to the existing Windows 2000 domain as a member server.
  6. Run dcpromo on the new server to promote it as an additional domain controller in the existing Windows 2000 domain; afterwards you may verify the installation of Active Directory.
  7. Enable Global Catalog on the new server, manually check the replication topology and afterwards manually trigger replication to synchronize the Active Directory database between the 2 replicas.
  8. Disable Global Catalog on the old server.
  9. Use the NTDSUTIL utility to transfer all 5 FSMO roles from the old server to the new server. You’d better transfer the FSMO roles via the GUI method instead of using NTDSUTIL.
  10. Install the DNS component on the new server and configure it as a new DNS server (an Active Directory-integrated zone is preferred). Note: all the DNS configuration needs to be transferred from the existing DNS server.
  11. Migrate the DHCP service from Windows Server 2000 to Windows Server 2008. Migrate the File Sharing service. You can also use robocopy.exe from the Windows Server Resource Kit to copy the files and maintain NTFS permissions.
    For the shares, the share definitions and permissions are stored in the following registry key on the server: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares”. If you export the whole key and import it on the new server, and if you have the files and folders in the same path as on the old server, then you will retain all your shares and share permissions.
  12. It’s better to take the old DC offline for several days and check whether everything works normally with only the new server online. If so, you may bring the old DC back online and run DCPROMO to demote it.
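The share migration in step 11 can be scripted instead of exporting the key by hand. The following is an added example (not from the original forum post) that reads the lanmanserver\Shares key from the old server over the Remote Registry interface and writes each share definition and its binary security descriptor (the share-level permissions) into the new server's registry, skipping any share whose path does not exist locally. It assumes OLDSRV is a placeholder name for the Windows 2000 box with the Remote Registry service running, that the script runs as an administrator on the new server, and that the files were already copied with robocopy /E /COPYALL to the same paths.

```powershell
# Added example, not from the original post. OLDSRV is a placeholder; assumes Remote
# Registry on the old server and that the data already sits at the same local paths.
$OldServer = 'OLDSRV'
$Sub = 'SYSTEM\CurrentControlSet\Services\lanmanserver\Shares'

$remoteHklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $OldServer)
$src    = $remoteHklm.OpenSubKey($Sub)
$srcSec = $src.OpenSubKey('Security')           # per-share binary security descriptors
$dst    = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($Sub)
$dstSec = $dst.CreateSubKey('Security')

foreach ($share in $src.GetValueNames()) {
    $def  = [string[]]$src.GetValue($share)      # REG_MULTI_SZ: Path=..., Type=..., Remark=..., ...
    $path = ($def | Where-Object { $_ -like 'Path=*' } | Select-Object -First 1) -replace '^Path=', ''
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping ${share}: '$path' does not exist on this server"
        continue
    }
    $dst.SetValue($share, $def, [Microsoft.Win32.RegistryValueKind]::MultiString)

    $sd = $null
    if ($srcSec) { $sd = $srcSec.GetValue($share) }
    if ($sd) {
        # Carry the share permissions over verbatim; NTFS ACLs were preserved by robocopy /COPYALL
        $dstSec.SetValue($share, [byte[]]$sd, [Microsoft.Win32.RegistryValueKind]::Binary)
    } else {
        Write-Warning "${share}: no share permissions stored on $OldServer; it will get the default share permission"
    }
    Write-Host "Migrated share $share -> $path"
}
$dst.Close(); $remoteHklm.Close()
Restart-Service LanmanServer                    # the Server service re-reads the Shares key on start
```

After the restart, `net share` on the new server should list every migrated share; compare its output with the same command on the old server before taking the old DC offline.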

For more information, please refer to: