Office 365 Multi-Factor Authentication requirements explained

Short version

Multi-Factor Authentication (MFA) in Office 365 depends on Modern Authentication, which is OAuth 2.0 used via ADAL to authenticate the user in Azure AD.

Longer version with links to deep dives

  • What is MFA?
    • Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (OAuth 2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
    • MFA, also called two-step verification, is a method of authentication that requires more than one verification method: the password combined with the Azure Authenticator app, an SMS or a phone call verification
    • Read more here
  • What is Modern Authentication?
    • Modern Authentication is OAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
    • Modern Authentication is supported in Office 2013 with the March 2015 update and later; in Office 2016 it is enabled by default and uses an in-application browser control to render the Azure AD sign-in experience
    • Read more here
  • What is OAuth?
    • Open Authentication 2.0 (OAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers, or between clients and servers
    • Read more here
  • What is ADAL?
    • Microsoft Azure Active Directory Authentication Library (ADAL) is a library for the .NET framework that lets client applications authenticate users to Office 365 and Azure AD
    • Read more here
  • Two options are available for SSO with on-premises AD that require Modern Authentication
    • Pass Through Authentication (PTA)
      • Works with Office 365 only
      • Enabled on the latest AADC (Azure AD Connect) with an outbound connection only; no DMZ server is needed
      • Just set up several AADC agents and they are automatically load-balanced, resulting in low operational cost
      • Does not store the password in Azure AD; authenticates the user in on-premises AD first and presents MFA after that if enabled
      • In combination with password sync you are not dependent on AADC uptime
      • Read more here and here
    • ADFS 3.0
      • Used for hybrid Skype for Business and Exchange environments
        • Skype for Business Server hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give an MFA pop-up when authenticating to Exchange Online, read more here
        • I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
        • Exchange Server hybrid requires MFA Server, read more here
        • For the best Azure MFA result, an Online-only deployment is recommended
      • ADFS is best for larger organizations
      • More complex and requires proxy servers in the DMZ with a public IP and certificate
      • Requires a load balancer for high availability
      • Is required when doing MFA with smart cards, 3rd-party tokens and certificate-based authentication
      • Read more here
  • You can now use Microsoft Intune to control MFA options and turn off MFA for certain subnets and conditions, read more here
  • Read about conditional access, MFA with Intune Hybrid and SCCM
  • Use Azure AD Premium with automated password roll-over for business social media profiles, protected by an MFA-enabled identity with centrally controlled delegation, read more here
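Because MFA is only enforced on clients that actually use Modern Authentication, the tenant-side switches and the Office 2013 client registry values are worth auditing before rolling MFA out. The script below is an added example, not part of the original post; it assumes you are already connected to Exchange Online PowerShell and to a Skype for Business Online session, and the function names are my own.

```powershell
# Added example: audit the Modern Authentication prerequisites that Office 365 MFA
# depends on. Assumes an existing Exchange Online remote PowerShell session and a
# Skype for Business Online session (New-CsOnlineSession) in the current runspace.

function Test-ModernAuthPrerequisites {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Exchange Online: OAuth2ClientProfileEnabled is the tenant-wide Modern Auth switch.
    # With it off, Outlook falls back to legacy auth and the user never sees an MFA prompt.
    $exo = Get-OrganizationConfig
    $result['ExchangeOnlineModernAuth'] = [bool]$exo.OAuth2ClientProfileEnabled

    # Skype for Business Online: ClientAdalAuthOverride must be 'Allowed' for the
    # desktop client to sign in through ADAL instead of the legacy Org ID flow.
    $sfbo = Get-CsOAuthConfiguration
    $result['SkypeOnlineModernAuth'] = ($sfbo.ClientAdalAuthOverride -eq 'Allowed')

    # Office 2013 (15.0) is opt-in: both EnableADAL=1 and Version=1 are required under
    # HKCU. Office 2016 (16.0) has Modern Auth on by default, so only 15.0 is checked.
    $key = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    if (Test-Path $key) {
        $id = Get-ItemProperty -Path $key
        $result['Office2013ClientAdal'] = ($id.EnableADAL -eq 1 -and $id.Version -eq 1)
    } else {
        $result['Office2013ClientAdal'] = 'n/a (Office 2013 not installed for this user)'
    }

    [pscustomobject]$result
}

# Turn on the tenant-side switches where the audit shows them off. SupportsShouldProcess
# means -WhatIf shows the intended changes without applying them.
function Enable-ModernAuthTenantSide {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('Exchange Online', 'Set OAuth2ClientProfileEnabled = $true')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    if ($PSCmdlet.ShouldProcess('Skype for Business Online', 'Set ClientAdalAuthOverride = Allowed')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
}

Test-ModernAuthPrerequisites
```

Run `Enable-ModernAuthTenantSide -WhatIf` first to see what would change; note that enabling Modern Authentication on the tenant does not by itself block legacy protocols, so clients that never upgrade still sign in without the MFA prompt.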


Lync HA/DR Deep Dive Class in Norway

January 19-22 I am running a 4-day Lync High Availability and Disaster Recovery Deep Dive class in Oslo, Norway. The focus of the class is to get a deep understanding of the concepts and features of how a highly available Lync deployment works. I am running the class together with my colleague at Knowledge Factory, Morten Enger, to ensure that the hands-on labs run smoothly and that the content is of high quality.


Here is an overview of the content we are focusing on. Each day starts with a deep dive into how things work, and the rest of the day will be spent in the custom-made lab setup.

  • Day 1 – SLA, Disaster recovery and high availability concepts deep dive and initial lab setup
  • Day 2 – Configure and experience the effects of Disaster Recovery hands-on labs
  • Day 3 – Configure High Availability using KEMP load balancers, SQL Server mirroring and redundant SIP Trunks hands-on labs
  • Day 4 – Experience the effects of High Availability during production and maintenance hands-on labs

The goal of the class is that attendees will experience how failover and disaster scenarios behave at the server level and for end users. After completing this class the students will be able to tune their own environment and decide how best to implement DR or HA for Lync environments.

All the content will be created in English, and if we have English-speaking students, the class will be delivered in English.

Sounds interesting? Sign up at Global Knowledge http://www.globalknowledge.no/kurs/microsoft/voice/gklyncic.html


Microsoft Office Communications Server 2007 R2 Site Resiliency White Paper

Using backup and restoration procedures for site disaster recovery, as described in the Microsoft Office Communications Server 2007 R2 documentation library topic Backup and Restoration, can entail some downtime for users. This white paper describes a site resiliency solution for Office Communications Server 2007 R2. The solution includes an Enterprise pool that spans two geographically separate sites and provides a failover mechanism between the two sites to ensure that Office Communications Server functionality such as instant messaging, presence, and conferencing remains available even if one of the sites becomes unavailable.

This white paper is divided into three main sections:

  • The Solution section provides an overview of the tested and supported site resiliency solution described in this paper.
  • The Test Methodology section describes the testing topology, expected behavior, and test results.
  • The Findings and Recommendations section provides practical guidance for deploying your own failover solution.

To successfully follow this paper, you should have a thorough understanding of Office Communications Server 2007 R2 and Windows Server 2008 Failover Clustering.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c930febb-3a44-4bf3-969d-1c52675a7063