mayopk.blogg.se

Duo MFA Office 365









After federating my domain, I had to rebuild each person’s Outlook profile so that it would correctly recognize authenticating via MFA. But I still had issues and had to follow this article, which resolved my issue: Users unable to authenticate (particularly after a password reset)

WAM introduces new requirements for Identity Providers (IdP) used to federate Office 365 (O365) logins. When a Windows 10 workstation is joined to an on-premise Active Directory, WAM/O365 requires the IdP to support the WS-Trust protocol. Currently this is not supported in the Duo Access Gateway (DAG).

When a user’s access/refresh tokens become invalid, such as after a password reset, the WAM framework tries to re-authenticate the user. The expected end-user experience is a popup window showing the login page of the IdP asking the user to re-authenticate. When the IdP is the DAG, this process will fail, causing the user to be unable to re-connect to O365 with applications such as Microsoft Outlook. The user will see the authentication window open briefly then immediately close while Outlook continues to show the message “Need Password”.

To work around this issue, you can add the following Registry keys on the client machine to suppress WAM and revert Outlook back to ADAL:

"DisableADALatopWAMOverride"=dword:00000001

Ideally, you’ll want to disable basic auth while you are at it, but this may take a lot of work depending on your environment. You can check for basic auth in use by going to the Azure AD admin center, clicking sign-ins, adding a filter for status = successful, and adding a filter for client app with all 13 of the legacy authentication options selected. If you see no sign-ins in the last month, then turn off all basic auth options in the same spot you enabled modern auth in the pic above.

NOTE: only turning on MFA will not stop bad actors from easily bypassing MFA and breaching your environment. You have to turn on MFA AND turn off basic auth in order to be safe. One other thing to point out is that unless you are using the conditional access method to protect your Office 365 tenant, only the federated domains are protected with Duo MFA. If you only have a “break glass” account using the. sign-ins that are configured for any user account they will not be protected by MFA.
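The basic auth sign-in check described in this post can also be run offline against an export of the sign-in log. This is an added example, not code from the original post: it assumes a JSON export whose records use the Microsoft Graph signIn field names (clientAppUsed, status.errorCode, createdDateTime, userPrincipalName) and treats every client app other than "Browser" and "Mobile Apps and Desktop clients" as legacy authentication. The sample records and the function names are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: these two clientAppUsed values are the modern-auth clients;
# any other non-empty value is counted as legacy (basic) authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample sign-in records (not real log data).
SAMPLE = json.loads("""[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}, "createdDateTime": "2021-02-20T08:15:00Z"},
 {"userPrincipalName": "Alice@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}, "createdDateTime": "2021-02-21T08:16:00Z"},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 50126}, "createdDateTime": "2021-02-22T10:00:00Z"},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}, "createdDateTime": "2021-02-25T12:30:00Z"},
 {"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 0}, "createdDateTime": "2021-01-10T09:00:00Z"},
 {"userPrincipalName": "svc-scan@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}, "createdDateTime": "2021-02-28T23:59:59Z"}
]""")

def legacy_auth_signins(records, now, days=30):
    """Count successful legacy-auth sign-ins per (user, client app) in the window."""
    cutoff = now - timedelta(days=days)
    hits = Counter()
    for rec in records:
        app = rec.get("clientAppUsed") or ""
        if not app or app in MODERN_CLIENTS:
            continue  # modern auth, or client app not reported
        if rec.get("status", {}).get("errorCode") != 0:
            continue  # failed sign-in: same as the status = successful filter
        when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        if when < cutoff:
            continue  # outside the review window
        hits[(rec["userPrincipalName"].lower(), app)] += 1
    return hits

def safe_to_disable_basic_auth(records, now, days=30):
    """True only when no successful legacy-auth sign-in falls inside the window."""
    return not legacy_auth_signins(records, now, days)

if __name__ == "__main__":
    now = datetime(2021, 3, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for (user, app), count in sorted(legacy_auth_signins(SAMPLE, now).items()):
        print(f"{user:25} {app:20} {count} successful sign-in(s)")
    print("safe to disable basic auth:", safe_to_disable_basic_auth(SAMPLE, now))
```

Each user and client app pair it reports is a mailbox, device or script that will stop working when basic auth is turned off, so those are the ones to migrate first.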










