Two factor authentication outlook for office 365 pro
I don’t usually put on my old man hat, but indulge me for a second. Back in February 2000, in my long-forgotten column for TechNet, here’s what I said about single-factor passwords:

I’m going to let you in on a secret that’s little discussed outside the security world: reusable passwords are evil.

I stand by the second half of that statement: reusable passwords are still evil, 14 years later, but at least the word is getting out, and multi-factor authentication is becoming more and more common in both consumer and business systems. I was wrong when I assumed that smart cards would become ubiquitous as a second authentication factor; instead, the “something you have” role is increasingly often filled by a mobile phone that can receive SMS messages. Microsoft bought into that trend with their 2012 purchase of PhoneFactor, which is now integrated into Azure. Now Microsoft is extending MFA support into Outlook and the rest of the Office 2013 client applications, with a few caveats.

I attended a great session at MEC 2014 presented by Microsoft’s Erik Ashby and Franklin Williams that both outlined the current state of Office 365-integrated MFA and outlined Microsoft’s plans to extend MFA to Outlook.

First, keep in mind that Office 365 already offers multi-factor authentication, once you enable it, for your web-based clients. You can use SMS-based authentication, have the service call you via phone, or use a mobile app that generates authentication codes, and you can define “app passwords” that are used instead of your primary credentials for applications- like Outlook, as it happens- that don’t currently understand MFA. You have to enable MFA for your tenant, then enable it for individual users. All of these services are included with Office 365 SKUs, and they rely on the Azure MFA service. You can, if you wish, buy a separate subscription to Azure MFA if you want additional functionality, like the ability to customize the caller ID that appears when the service calls your users.

With that said, here’s what Erik and Franklin talked about…

To start with, we have to distinguish between the three types of identities that can be used to authenticate against the service. Without going into every detail, it’s fair to summarize these as follows:

Cloud identities are homed in Azure Active Directory (AAD). There’s no synchronization with on-premises AD because there isn’t one.

Directory sync (or just “dirsync”) uses Microsoft’s dirsync tool, or an equivalent third-party tool, to sync an on-premises account with AAD. This essentially gives services that consume AAD a mostly-read-only copy of your organization’s AD.

Federated identity uses a federation broker or service such as Active Directory Federation Services (AD FS), Okta, Centrify, and Ping to allow your organization’s AD to answer authentication queries from Office 365 services. In January 2014 Microsoft announced a “Works With Office 365 – Identity” logo program, so if you don’t want to use AD FS you can choose another federation toolset that better meets your requirements.

Client updates are coming to the Office 2013 clients: Outlook, Lync, Word, Excel, PowerPoint, and SkyDrive Pro. With these updates, you’ll see a single unified authentication window for all of the clients, similar (but not necessarily identical) to the existing login window you get on Windows when signing into a SkyDrive or SkyDrive Pro library from within an Office client.