Azure Multifactor Authentication (MFA) in Athlone Institute of Technology (AIT) Rossa Coleman, IT Manager, AIT HEAnet Conference 9 Nov ‘17 Radisson Hotel, Galway


Page 1

Azure Multifactor Authentication (MFA) in Athlone Institute of Technology (AIT)

Rossa Coleman, IT Manager, AIT

HEAnet Conference, 9 Nov ‘17

Radisson Hotel, Galway

Page 2: What is this presentation about?

• Azure MFA and its roll-out in AIT to protect the Office 365 and Moodle accounts (and the data contained therein) of AIT staff

• To comprehensively explain our experience with Azure MFA, in order to assist any other 3rd level IT Depts. with:

  • Understanding Azure MFA & how it works

  • Making a decision whether to implement Azure MFA

  • Composing an implementation strategy & roll-out plan

The aim of the presentation

Pay attention, there is a test at the end!

Page 3: Contents of this Presentation

• The AIT/Office 365 architecture (background)

• Azure MFA

  • Why?

  • How?

• MFA – the end-user experience

• Implementing Azure MFA in AIT – Project Overview

• Lessons Learned & Tips

Page 4: The AIT/Office 365 Architecture

AIT uses ADFS to authenticate users to Office 365

Azure MFA can be “added” as an additional layer of authentication to our model (federated identity) or to the cloud identity model

Pages 5–8: Azure MFA – Why should we implement it?

(Build slide: each page adds one reason to the list below.)

• Global accessibility of Office 365 accounts

  • (are passwords alone sufficient to protect our data?)

• Global increase in cybercrime

• GDPR

• End-user education & protection

“To receive your 3 wishes, simply enter your username and password”

Page 9: Azure MFA – Implementation

What do Scooby Doo & Secret Sauce have in common with MFA?

Nothing! There is no mystery or secret sauce – MFA is simple and straightforward

Page 10: Azure MFA – Implementation (steps: MFA Prelims → Enable Account(s) → Set-Up Account(s) → MFA Admin)

MFA Prelims

• On-premise & cloud options available (we used cloud)

• User licenses required: Azure MFA, Azure AD Premium, or EMS

• A prerequisite: turn on “Modern authentication” in the Office 365 tenant

  • Have Outlook 2013 (update later than March 2015 required) or higher

  • Modern authentication is also required for Skype for Business
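The modern-authentication prerequisite on this slide is a tenant-side switch in Exchange Online and a second one in Skype for Business Online, plus a client-side condition for Outlook 2013. The following PowerShell is an added example, not code from the AIT deck: it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and the Skype for Business Online connector (New-CsOnlineSession) are installed, that the account used holds the relevant admin roles, and that Outlook 2013 is the only client build that needs the EnableADAL/Version registry values (Outlook 2016 and later support modern authentication without them).

```powershell
# Added example (not from the AIT deck): turn on modern authentication (OAuth) for the
# tenant and confirm the change took effect, as the MFA/Outlook prerequisite requires.
function Enable-TenantModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AdminUpn,          # tenant admin account
        [Parameter(Mandatory)][pscredential]$Credential   # same account, for the Skype connector
    )

    # Exchange Online: OAuth2ClientProfileEnabled is the tenant-wide modern auth switch
    Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
    if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled -and
        $PSCmdlet.ShouldProcess('Exchange Online tenant', 'Enable modern authentication')) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }
    $exoState = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Disconnect-ExchangeOnline -Confirm:$false

    # Skype for Business Online: ClientAdalAuthOverride must be 'Allowed'
    # (assumption: the legacy connector's -Credential parameter is available)
    $sfbSession = New-CsOnlineSession -Credential $Credential
    Import-PSSession $sfbSession -AllowClobber | Out-Null
    if ((Get-CsOAuthConfiguration).ClientAdalAuthOverride -ne 'Allowed' -and
        $PSCmdlet.ShouldProcess('Skype for Business Online tenant', 'Enable modern authentication')) {
        Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
    }
    $sfbState = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
    Remove-PSSession $sfbSession

    # Both values must read True / Allowed before any account is MFA-enabled
    [pscustomobject]@{
        ExchangeOnlineModernAuth = $exoState
        SkypeModernAuth          = $sfbState
    }
}

# Client-side check for Outlook 2013 (Office 15.0): besides the post-March-2015 update,
# modern auth needs these two per-user registry values; Outlook 2016+ needs neither.
function Test-Outlook2013ModernAuth {
    $key = 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ([int]$p.EnableADAL -eq 1 -and [int]$p.Version -eq 1)
}

# Dry run first (-WhatIf prints what would change), then for real
$cred = Get-Credential -Message 'Office 365 tenant admin'
Enable-TenantModernAuth -AdminUpn $cred.UserName -Credential $cred -WhatIf
Enable-TenantModernAuth -AdminUpn $cred.UserName -Credential $cred
Test-Outlook2013ModernAuth
```

Run the tenant function once per tenant and keep its output with the project records; the Outlook 2013 check is meant to be run on a staff PC (or pushed as a script) to find machines that still need the update before their accounts are enabled.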

Page 11: Azure MFA – Implementation: Enable Account(s)

• Enabled by IT Administrators in the MFA page in Office 365

• Once enabled: user is prompted to “Set-up MFA” on next Office 365 login*

* Scheduling required, to avoid academics having to do this in class

Pages 12–16: Azure MFA – Implementation: Set-Up Account(s)

(Build slides with screenshots of the set-up wizard; the sample account and phone number shown in the screenshots are omitted here.)

• Once enabled, user is prompted to “Set it up now” on next Office 365 login

• User chooses preferred authentication method:

For call or text:

• Enter number, select method, click Next

• Respond to the call or text (to verify)

• Click Done!

If Mobile App is selected, choose:

• Receive notifications, or

• Use verification code, & click Next

Download the Microsoft Authenticator app to the phone:

• Select Add Account

• Select work or school account

• Scan QR code for automatic registration of the account

Page 17: Azure MFA – Implementation: MFA Options – End-user experience

The slide rates each option on Ease of Setup and Ease of Use (the ratings were graphics and are not reproduced in this transcript):

• Text message

• Authenticator app (6 digit code)

• Authenticator app (notification)

• Phone call (recorded message) – +1 (425) 409-2623

Page 18: Azure MFA – Implementation: App Passwords

• Used for “stuff that doesn’t work with stuff”

• E.g. native smartphone email apps, Apple products (Macs etc.)

• Can be created by users (any time)

• Required on the above devices to facilitate MFA (used in place of the account password)

Page 19: Azure MFA – Implementation: MFA Admin

• MFA admin is straightforward (enabling accounts accounts for the majority of admin)

• Once accounts are set up properly, support calls will be extremely infrequent

Page 20: Azure MFA – Implementation: MFA Admin – Service Settings

1. App Passwords – allowed or not

2. Trusted IP ranges (e.g. for on-campus)

3. Verification Options

   • Call

   • Text

   • Notification via App

   • Code via App

4. Remember MFA on a device (“Don’t ask me again for xx days”)

Pages 21–23: Azure MFA (The end-user experience)

(Build slides showing the sign-in flow, one frame per page.)

Client:

1. Start: client requires access to Office 365/Moodle and browses to the Office 365 login page (or ADFS login page)

2. Client enters credentials and clicks Sign in

MFA:

3. MFA is now required

4. MFA notifies user (using chosen option)

5. User approves MFA request and is granted access
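Whether step 3 above actually produces a prompt depends on the four Service Settings from the MFA Admin slide (app passwords, trusted IPs, verification options, remembered devices). The following PowerShell is an added example, not code from the AIT deck: it is a simplified model of that decision written to make the settings' interactions visible, not Azure's actual evaluation logic. The trusted range, the client addresses and the 14-day value are constructed sample settings (documentation address ranges, not AIT's).

```powershell
# Added example (not from the AIT deck): simplified model of when a sign-in ends in an
# MFA prompt, driven by the four Service Settings of the MFA Admin slide.
$ServiceSettings = @{
    AppPasswordsAllowed = $true
    TrustedIpRanges     = @('198.51.100.0/24')                  # constructed "on-campus" range
    VerificationOptions = @('Call', 'Text', 'AppNotification')   # 'AppCode' switched off by the admin
    RememberDeviceDays  = 14                                     # "Don't ask me again for xx days"
}

# Convert a dotted-quad IPv4 address to an integer for prefix matching
function ConvertTo-IpInt {
    param([string]$Ip)
    $n = [int64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

# True when $Ip falls inside the CIDR block $Cidr (IPv4 only)
function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask = (([int64]0xFFFFFFFF) -shl (32 - [int]$prefix)) -band 0xFFFFFFFF
    return (((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $network) -band $mask))
}

function Get-SignInDecision {
    param(
        [hashtable]$Settings,
        [string]$ClientIp,
        [bool]$MfaEnabledForUser,        # account enabled by IT on the MFA page
        [string]$ChosenMethod,           # method the user picked during "Set it up now"
        [bool]$LegacyClient,             # e.g. native smartphone mail app (App Passwords slide)
        [bool]$UsedAppPassword,
        [int]$DaysSinceRemembered = -1   # -1: device was never remembered
    )
    if (-not $MfaEnabledForUser) { return 'PasswordOnly' }

    # A legacy client cannot show the MFA prompt: an app password stands in for it, or it is blocked
    if ($LegacyClient) {
        if ($Settings.AppPasswordsAllowed -and $UsedAppPassword) { return 'AppPasswordAccepted' }
        return 'Blocked:LegacyClientNeedsAppPassword'
    }

    # The admin switched off the method this user registered: they must register another
    if ($ChosenMethod -notin $Settings.VerificationOptions) { return 'ReRegisterMethod' }

    # Trusted IP ranges and remembered devices skip the prompt entirely
    foreach ($range in $Settings.TrustedIpRanges) {
        if (Test-IpInCidr -Ip $ClientIp -Cidr $range) { return 'SkipMfa:TrustedIp' }
    }
    if ($DaysSinceRemembered -ge 0 -and $DaysSinceRemembered -lt $Settings.RememberDeviceDays) {
        return 'SkipMfa:RememberedDevice'
    }
    return "PromptMfa:$ChosenMethod"
}

# Off-campus browser sign-in: the three frames on the slides (prompt, notify, approve)
Get-SignInDecision -Settings $ServiceSettings -ClientIp '203.0.113.7' -MfaEnabledForUser $true `
    -ChosenMethod 'AppNotification' -LegacyClient $false -UsedAppPassword $false
# Same user on the trusted campus range: no prompt
Get-SignInDecision -Settings $ServiceSettings -ClientIp '198.51.100.23' -MfaEnabledForUser $true `
    -ChosenMethod 'AppNotification' -LegacyClient $false -UsedAppPassword $false
# Native phone mail app still using the account password after enabling: blocked until an app password is used
Get-SignInDecision -Settings $ServiceSettings -ClientIp '203.0.113.7' -MfaEnabledForUser $true `
    -ChosenMethod 'Text' -LegacyClient $true -UsedAppPassword $false
```

The third call is the situation the MFA Admin lessons slide warns about (smartphone email stops working once the account is enabled, until set-up is completed); the model makes that outcome explicit so that help-desk staff can reason about it before the roll-out rather than during it.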

Pages 24–30: Implementing Azure MFA in AIT – Project Overview

(Build slides of one timeline, May to November 2017; each page adds the next milestone.)

Our Planned Approach

1. Roll out MFA to all managerial & admin staff initially

2. Use the experience to compose a roll-out plan for academic staff

Timeline: May – June – July – Aug – September – October – November

• Office 2016 Upgrade (2016)

• MFA incompatible with versions of Outlook older than the March 2015 update, as they do not support “modern authentication”

• Project Green Light: proposal to, and approval from, EMT

• Advanced Notification to All Staff: all-staff email issued advising of the project

• Modern Authentication Enabled (June 2017): enabled on the Office 365 tenant (a prerequisite of MFA/Outlook integration)

• Early Adopter Phase 1 (July 2017): Computer Services and Marketing Dept. This period facilitated skilling up of technical staff & drafting end-user guidance documentation. We allowed 4 weeks for any potential user issues to arise before proceeding to Phase 2 (Early Adopter)

• Early Adopter Phase 2 (August 2017): Human Resources and Finance Dept

• September 2017 (return of academic staff): completion of technical & end-user guidance documents; awareness campaign including all-staff briefing; on-boarding phase for all non-academic staff; early adopter phase for lecturing staff (“hearts & minds” approach, UAT for MFA with Moodle). After 4 weeks, feedback was requested from early adopters – all gave positive feedback

• On-boarding phase – academic staff

• Project Closeout

Page 31: Lessons Learned and Tips – Preparatory Planning

• If MFA is a hard sell, consider an IT security educational campaign in advance to highlight the importance of IT security

• A “hearts and minds” approach

• Separate roll-out plans for academics and non-academics

• Appropriate timing for academic staff roll-out:

  Week 1 – Advanced notice of roll-out plan

  Week 2 – Offer scheduled account enabling

  Week 3 – Advertised drop-in sessions

  No teaching week – D-Day: enable remaining accounts

Page 32: Lessons Learned and Tips – MFA Options

• Staff who never/rarely access Office 365 off-campus: phone call or text message is recommended due to simplicity of set-up/use

• Staff who have email on a smartphone & frequent (off-campus) Office 365 users: highly recommend using the Microsoft Authenticator app and the Microsoft Outlook app – seamless (no app passwords)

Page 33: Lessons Learned and Tips – User Account Set-Up

• User set-up is straightforward, app passwords are not

• User set-up offers an initial app password which can’t be renamed – best to ignore this

• The set-up process returns the user to the portal page without an opportunity to set up additional app passwords

• The MFA Settings page in Office 365 is hard to find (5 clicks required) – consider a shortcut

• Advise users that no call or text charges will be incurred and that phone numbers are not visible to IT technical staff

Page 34: Lessons Learned and Tips – MFA Admin

• On enabling, email to smartphone will be disabled (until set-up)

• MFA Admin GUI is poor – can only filter by MFA status

  • A separate spreadsheet of users is required (breakdown per Dept. etc.)

• Consider disabling the “Use code from the App” option – no requirement for it
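The portal's status-only filter, the per-department spreadsheet it forces, and the scheduled enabling of accounts (Enable Account(s) slide and the preparatory-planning timeline) can all be handled from the MSOnline PowerShell module that backs the same admin page. The following is an added example, not code from the AIT deck: it assumes the MSOnline module (Connect-MsolService) and that the Department attribute is populated in Azure AD; the department name 'Finance' and the CSV path are placeholders.

```powershell
# Added example (not from the AIT deck): build the per-department MFA breakdown the
# portal cannot, and enable MFA for one department on its scheduled day.
function Get-MfaStatusReport {
    # One row per licensed user: UPN, department, MFA state and registered methods
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Department        = $_.Department
            # Disabled (not enabled), Enabled (enabled, set-up pending or done) or Enforced
            MfaState          = if ($req -and $req.Count -gt 0) { $req[0].State } else { 'Disabled' }
            # Methods registered during "Set it up now"; empty means the user has not completed set-up
            Methods           = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

function Enable-MfaForDepartment {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Department)

    # State 'Enabled' triggers the "Set it up now" prompt at the user's next sign-in
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'

    Get-MfaStatusReport |
        Where-Object { $_.Department -eq $Department -and $_.MfaState -eq 'Disabled' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.UserPrincipalName, 'Enable MFA')) {
                Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($req)
            }
        }
}

Connect-MsolService

# Department breakdown for the roll-out tracker, and the full list as a spreadsheet
$report = Get-MfaStatusReport
$report | Group-Object Department, MfaState | Select-Object Name, Count | Sort-Object Name
$report | Export-Csv -Path '.\mfa-status.csv' -NoTypeInformation   # placeholder path

# Users enabled but with no registered method: these are the ones to chase before D-Day
$report | Where-Object { $_.MfaState -ne 'Disabled' -and -not $_.Methods }

# Dry run, then the real thing on the department's scheduled day
Enable-MfaForDepartment -Department 'Finance' -WhatIf
Enable-MfaForDepartment -Department 'Finance'
```

Re-running the report after each scheduled batch gives the "set-up not completed" list directly, which is what the smartphone-email complaint on this slide turns into at the help desk.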

Page 35: In summary…. Azure MFA is….

IT Security Benefits vs. Implementation overhead

Page 36: Test……. What have you learned?

We have learned that:

Azure MFA is _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ a 3rd level Institution, and _ _ _ _ _ _ _ _ _ _ _ _ for IT security & data protection!

one small step for one giant leap

Page 37

Any Questions?

Thank you for listening….