How do you do MFA to Office 365 and which federation protocol do you use

Hi,

I'm trying to figure out the best way to support both thin and fat clients/applications and also to be able to do MFA to Office 365.

It looks to me like the only way to do MFA or step-up auth in NAM is with SAML federation, but when using SAML, not all O365 clients/applications support SAML (granted, I haven't tested them all, but that's what I've been reading).

But I figure that O365 is a part of most NAM people's lives now, so how do you deal with it?

/Lelle

Accepted Solutions
Re: How do you do MFA to Office 365 and which federation protocol do you use

Hi Lelle!

The question is not whether SAML or another federation protocol can be used for MFA to fat clients, but whether the fat MS application supports so-called Modern authentication (ADAL sign-in). If it does, it will work with SAML or WS-Fed, which can both be used for MFA.

If the app does not support ADAL auth, it can only use WS-Trust, which cannot be used for MFA.

And this is the list of apps that support ADAL authentication:

https://docs.microsoft.com/en-us/office365/enterprise/office-365-client-support-modern-authentication

So basically we are encouraging clients to update fat clients to the latest version, where modern authentication is supported.

Kind regards,

Sebastijan

Re: How do you do MFA to Office 365 and which federation protocol do you use

Hi Sebastijan,

Thanks for your reply.

Of course you're absolutely right regarding ADAL.

How do you do step-up for WS-Fed in NAM?

In the settings for WS-Fed you have methods, but as far as I understand there is no way to do step-up there?

/Lelle


Re: How do you do MFA to Office 365 and which federation protocol do you use

Hi!

> How do you do step up for WS-fed in NAM?

Good question, forgot to add in my previous reply 😊

At our customers we don't do step-up authentication but rather define a default authentication, which is risk-based authentication. And there we define rules for where MFA should be used (e.g. internal networks should use Kerberos, users from the internet MFA).

Then we use that authentication for everything in NAM, so users always have the same experience.

I know that this might not work everywhere (we have some federations that require step-up auth, but those are fortunately SAML), but at least for WS-Fed apps at our customers it is sufficient.

Hope this info helps 😊

Kind regards,

Sebastijan


Re: How do you do MFA to Office 365 and which federation protocol do you use

Hi,

Yeah, that's the problem for me: the customer only wants it (as of now) for O365.

One way would be to do it the other way around: only use the default contract when step-up is needed, and use a step-up that is more of a step-down for the other federations.

But it's probably easier to switch the domain to SAML.

Thanks for your help

/Lelle
