Identity & Authentication
Hi, I'm wondering if it's possible in Office 365 w. E3 licence to setup MFA for Admins so the only authentication method they can use is app only (e.g. Azure Authenticator), not SMS or voice. All other non-admins should be able to use any method.
Does any...
87 Views
4 Replies

I setup my O365 E3 IDs individually turning off/on MFA for each ID. Since Microsoft has released PowerShell modules that accept MFA connection for Exchange and Skype, I'

...

Nope. You can disable specific methods, but the configuration will indeed apply to all users.

I hope this is the right spot for this post...

We have Office 365 E3 in our environment, setup using ADFS. All of our email is in Exchange Online.

Because of this - when a user opens up MS Edge, and browses to https://outlook.office.com/ourdomain.dom

...
202 Views
7 Replies
Or you can ask them to browse to the site via an InPrivate session in the browser, as that does not auto submit credentials

They are effectively logging in with the current windows credentials, as per the "magic" bit. Either disable the WIA auto-login in the browser options on those devices or

...

Dear All,

I have one question. I have a local domain and a custom domain. When I setup Azure AD Connect and Office 365, I synced with OU filtering where users have .local and .com in the same OU. My .com domain is synced correctly but the .local domain is sync

...
72 Views
2 Replies

In the Azure Sync rules editor create a new Inbound rule with the below settings. Users with the @fabri.local UPN will not be synced to Office 365.

Connected system ob

...

That's really up to you. The .local value can be present in multiple attributes, so you need to decide which one to filter on. A simple solution is to populate one of the

...

Hi All,

I am attempting to utilize SSO into O365 via our Google IDP and am running into some snags. When the user attempts to authenticate, they are properly redirected to the Google sign-in page, however after successful authentication the user is retu

...
148 Views
8 Replies

Do you have any error message to share?

I have configured AD FS on a Windows 2016 server to authenticate against a national IDP. I get a successful logon from the IDP, but when I return to the ADFS server it fails to redirect to my web site (wtrealm parameter). I get "Error occurred" in my browse

...
76 Views
2 Replies

Because it fails with the crypto issue, my guess would be:

1. They are using token encryption

2. They used the wrong certificate to encrypt the token

As a result, ADFS ca

...
Best Response confirmed by Tore Veiseth (New Contributor)

Hi, I have a question.

Can anyone tell me if it is required to extend the schema to implement ADFS 2016?

According to this link yes:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-2016-requirements
Schema requirements
New install

...
2,551 Views
8 Replies

There is a known issue with that.

The 2016 farm behavior level requires the ADDS 2016 schema (DC can be at a lower level, but the schema needs to be 2016). BUT, when you

...
Best Response confirmed by Vasil Michev (MVP)
I'm a little confused about that statement as well.

That doesn't seem right; probably they meant to say it's a requirement for *some* features.

We have received many troubleshooting calls lately from Windows 7 users who can't use their Office apps over VPN. Outlook is the main call driver, but I have tested thoroughly and see it happening on all Office apps. The problem is the authentication popu

...
55 Views
1 Reply
I wanted to add, if we authenticate before connecting the VPN, outlook works fine, connected to outlook.office365.com.

Hey everyone -

I am currently using ADFS on Windows 2012 R2 as authentication with my O365 tenant. I have been asked to enable password expiration notification for end users that access EXO for email via the web.

I did some searching and found 2 ar

...
79 Views
1 Reply

As the article mentions, those notifications are only supported by some applications. Read, Outlook.

Our school has deployed Office 365 and is experiencing problems where it is not possible for users to log out of the Forms application except through deleting all browser history.  Other users can log into office.com and access their email and other appli

...
68 Views
2 Replies

Well, that's the reality for shared devices. Many of the O365 services use different caching mechanisms in order to reduce the number of login prompts, and on top of that

...

Hi everyone,

I have the following task: Connect to a SharePoint 2016 Site which is Secured by ADFS using an Angular Client.

The parties I have are:

* Angular JS Client Application using ADAL

* WCF Middleware also using AuthenticationContext

* ADFS on Server

...
202 Views
1 Reply

Ok, so just for closure:

I did not get the setup running like I wanted it to. I still do not know if the flow with ADFS involved can be done the way I tried it.

So he

...
Best Response confirmed by Alexander Adelmann (New Contributor)

We're currently using the simple password sync feature with AADConnect.

If we turn on "Pass-through Authentication" as well as "Seamless-SSO", what are the immediate end-user impacts? What will users experience when:

  • They launch Outlook/Skype/Office
...
84 Views
2 Replies

Worst case - they have to enter password. Best case - they never notice login prompts anymore (well at least on a domain-joined machine).

Best Response confirmed by Daniel Smith (Occasional Contributor)

We have integrated ADFS into one of our SharePoint applications for authentication. Our internal security team has performed a Vulnerability Assessment & found a high severity VA point of the AD password visible in clear text. They have installed an interceptor tool

...
94 Views
1 Reply

I'm not quite sure what the problem is or where the interceptor you mentioned is located.

When user enters credentials in AD FS proxy, they are plain text. But the con

...
Best Response confirmed by Brian Reid (MVP)

Hi there

I was hoping that I could get a bit of guidance to the challenge I have.

We are an established Office365 customer with SSO with ADFS, for the purpose of this we are using the email address @companya.com

Our organisation recently acquired an

...
77 Views
2 Replies

Hi David,

I think that the biggest problem is the authentication part. There are many ways to migrate emails after that is sorted out so I'll skip that part for now.

...

Hi David,

You will need to do a Tenant to Tenant migration. But for that problem, it is only possible to have your domainname.com in one Tenant.

You can read here th

...

Our Tenant currently has "Sharing - Let users add new guests to the organization" set to Off. All the external sharing settings for SharePoint/OneDrive for Business (ODFB) and Microsoft Teams guest are set to on to the maximum permissive level. When users

...
74 Views
3 Replies
You're right - it is inconsistent.
It's because they are different types of guest mechanisms.
When inviting a guest into a Team, it's adding them into a Group which is base...

Hi there,

I have a requirement to check whether a user is trying to authenticate against my ADFS farm using a domain joined device or not and dependent on that set actions.

My question now is how to check on the ADFS side if the device is domain joined or

...
267 Views
8 Replies

The method used by Microsoft is to detect the (primary) group membership of the device and check whether it's a member of the "Domain Computers" group. This is the claim

...

Hi,

We currently have ADFS in place for user auth to 365 using a single domain 'domain1.com'

I now need to add additional federated domains - 'domain2.com and domain3.com'

The new domains have been added and verified in 365 so now show as managed

...
93 Views
2 Replies
Best Response confirmed by Paul Paginton (Occasional Contributor)

Hello,

I wanted to redirect our users to a company portal after they log out from office 365, I've tried setting the LogOffUri parameter in the MsolDomainFederationSettings but log out still redirects to the same url as before

any alternative or workaroun

...
61 Views
1 Reply

Hi,

As far as I know, this scenario is not supported. The LogOffUri refers to the web address the user is actually performing the log off.

Hi,

We have an Office 365 tenant configured with Password Sync and Single Sign On enabled, which works fine.

Now we want to integrate a child company with a new forest which should work with AD Connect. The child company is already having an Office 365 with

...
107 Views
2 Replies

Michael Obernberger wrote:

"The child company is already having an Office 365 with ADFS enabled"

"So now my question is, when I add the new forest to our AD Connect server.

...
Best Response confirmed by Michael Obernberger (New Contributor)

Hi.

I am testing MFA on some admin users. I have given the MFA admins an EMS license so whitelisting of IPs is supported.

So I have whitelisted our office IP, and when my admin goes to https://outlook.office365.com, MFA is not active. Doing so outside the offi

...
7,468 Views
21 Replies

Hi Jesper,

Not sure if this is still an issue for you, but we've been able to get this working for our Admins (note that for this to work the admin account needs to be cl

...

I am glad you re-opened this discussion. MS security scores https://securescore.office.com/ recommendation is MFA and we cannot use for admins due to the Powershell issue

...
Found a thread that indicates that it is not possible to administrate EXO with Powershell when admin is MFA enabled: https://techcommunity.microsoft.com/t5/Identity-Authentication/Authenticating-to-O365-using-Powershell-and-MFA/m-p/3954#M14
I am also interested in this response.

Currently, Jesper, my understanding is that Powershell administration with MFA turned on is not supported. Or at least wasn't supporte...

I am running into issues with authenticating to O365 on Powershell and in this case my account has been enabled with MFA.
I already installed the preview from https://blogs.technet.microsoft.com/enterprisemobility/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands/

...
18.5K Views
19 Replies
You can still use the app password as a regular password for these cases until MFA is good and natively supported.

Anyone have a clue as to how to use MFA login in an unattended powershell script?

I have MFA working fine with powershell interactively - The login and MFA dialogs come u

...

Seems that Exchange Online is MFA enabled now.

Have a look at this article:

"Connect to Exchange Online PowerShell using multi-factor authentication"

https://technet.microsoft.com/en-us/library/mt775114(v=exchg.160).aspx

We've been able to get our Office 365 Admin accounts with MFA enabled working with Powershell for Exchange Online, Skype for Business etc., with some caveats:

  • This requi
...

The PnP powershell cmdlets can be used with MFA to perform many actions in SPO, see https://github.com/OfficeDev/PnP-PowerShell and use the https://github.com/OfficeDev/PnP-PowerShell/blob/master/Documentation/ConnectSPOnline.md

...

Besides Focused Inbox, is anyone aware of any other features dependent on having Modern Authentication enabled?

130 Views
4 Replies

MAPI/HTTP, Conditional access, tenant restrictions, pass-through auth, you name it... You should be planning to switch to using Modern auth as soon as possible, regardless

...
Best Response confirmed by CC Adeyemo (Contributor)

I'm considering enabling ADAL/Oauth for our Office 365 tenant to begin working with MFA, and am using the information in this wiki:

https://social.technet.microsoft.com/wiki/contents/articles/36101.office-365-enable-modern-authentication.aspx

It seems rela

...
4,697 Views
34 Replies

Hi Matt,

It's not risky at all. In my experience it's as simple as you mention.

I didn't experience any issues when enabling OAuth in my tenancy - apart from not being able to log in to my account when on a different user's PC, which is to be expected

...

In my environment we are running Exchange 2013 Hybrid. All mailboxes are in O365. We have certain requirements around our implementation that require ADFS. With that being said, I am really struggling with coming up with the set of claims based rules t

...
3,336 Views
13 Replies

Which version are you using? x-ms-proxy only works with the 2008 R2 version, if you are on 2012 R2 you should use insidecorporatenetwork. If your clients are Office 2016/

...
Best Response confirmed by Stephen Bell (Contributor)

@Trevor Seward gave a presentation on configuring ADFS in Azure yesterday, he may be able to offer some assistance.

Hi,

We are interested in enabling Modern Authentication for SfB and EXO. We are in the middle of migrating to EXO, so we are in a Hybrid configuration at the moment.

All our users are using Outlook 2016, so we don't anticipate any compatibility issues. We a

...
124 Views
2 Replies

Hybrid can be tricky, especially when mixing Exchange/SfB. They just announced public preview for the Hybrid modern auth scenario: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/SfB-Hybrid-Modern-Auth-w-EXO-goes-Public-Preview/ba-p/114360

...

Hi Thomas,

It's always advised that you have another Office 365 Tenant to evaluate those changes.

When you enable Modern Auth is asked to the end users in next logon or n

...

Unable to connect Skype for business online PowerShell after enabling multi factor authentication.

I am able to connect Exchange Online through connect-EXOPSSession and connect-msolservice.

Can anyone help me
766 Views
5 Replies