Azure Information Protection.
app password ATP Authentication Azure Azure Active Directory Azure AD Azure Information Protection AzureAD conditional access EM+S email enterprise mobility + security management mcm mcsm MFA modern authentication multi-factor auth Multi-Factor Authentication sspr MFA and End User Impacts.
August 14, 2019.
7 Comments on MFA and End User Impacts.
This article will look at the various different MFA settings found in Azure AD (which controls MFA for Office 365 and other SaaS services) and how those decisions impact users.
There is lots on the internet on enabling MFA
and lots on what that looks like for the user – but nothing I could see that directly laid out all the options and the impact of each option.
The options that the admin can set that I will cover in this article are: Default settings for the MFA registration service.
The enhanced registration service (now depreciated).
The refreshed enhanced registration service (MFA and Self-Service Password Reset registration combined).
The general impact to the user is that the user needs to provide a second factor to login.
In this article I will not detail the above registration for each of the second factors and only cover the general process of registration – your exact experience on registration will depend upon what second factors (app notifications, app code, phone call and text message) you choose to implement.
This article will look mainly at the different between having no MFA and what happens from the users perspective as the admin turns on a requirement to have MFA.
The various options that the admin can use to enable MFA are as follows: Office 365 MFA (aka the legacy method) that is available to all users with or without a licence.
Azure AD Conditional Access and setting a rule that requires MFA (when the user is not registered).
Azure AD Premium 2 licence and MFA Registration (register without requiring MFA to be enabled).
Azure AD Free fixed Conditional Access rules (MFA for all users) which is in preview at the time of writing (Aug 2019).
Terminology and Settings.
This article refers back to a series of different settings in each of the following sections.
To make the article avoid repeating itself, this section outlines each of the general settings, what I mean by the description I use and where I turn that setting on or off.
Office 365 MFA – This is the legacy MFA options set via https://admin.microsoft.com > User Management > Multi-Factor Authentication.
This user experience turns on or off MFA for users regardless of app or location (unlike Conditional Access) and has settings for the different second factor methods (for example you can disable SMS from here).
Conditional Access Based MFA – This is where you set rules for accessing cloud apps based on the user, the location, the risk (P2 licence required), the device (domain joined or compliant), the location (IP), the device risk (MDATP licence required), compliance (Intune required) etc.
If you rule requires MFA and the logging in user passes the requirements for this rule (and is not otherwise blocked) then this is what I call Conditional Access Based MFA.
This is set in https://portal.azure.com > Azure Active Directory > Enterprise Applications > Conditional Access Azure AD Premium 2 MFA Registration – This is where you can get users to register before you turn on MFA via either of the above routes.
Without the P2 licence you turn on MFA and at the next login the user needs to register
With P2 you can turn on registration at login without forcing MFA
You would then enable MFA later or you can have registration at next login (and defer that by 14 days) so that the user registers even if they never hit an endpoint that the need to do MFA on.
For example, .
MFA when external and the user never works remotely
Therefore they will never have to do MFA and therefore never be required to register – which P2 licence you can get them to register independent of the requirement to do MFA.
You access these settings via https://portal.azure.com > Azure AD Identity Protection > MFA Registration Self Service Password Reset Registration – This is shown if the user is in scope for SSPR and SSPR is enabled.
This is not MFA registration – but if the user is in scope they will be asked to register for this as well.
This therefore can result in two registrations at next login – one for SSPR and one for MFA.
We will show this below, .
But it is best if you move to the combined MFA/SSPR registration wizard mentioned below
Enhanced Registration (Depreciated) – This was the new registration wizard in 2018 and have been replaced by the next option.
If you still have users on this option you will see it, otherwise the option to enable this older wizard is now removed.
This is accessed via https://portal.azure.com > Azure AD > User Settings > Manage user features preview Combined MFA and SSPR Registration – This is the current recommended MFA registration process and it includes self-service password reset registration as well.
You should aim to move your settings to this.
All the new MFA reporting and insights are based on this process
This is accessed via https://portal.azure.com > Azure AD > User Settings > Manage user features preview.
Note that if you still have users on the previous “Enhanced Registration” shown above then this one is listed as “enhanced”.
If not – if only one slider is shown – it is the new registration process.
You can enable this for a group of users (for pilot) or all users: Office 365 MFA + Original Registration.
This is not recommended to be used any more – use the Azure AD Free Conditional Access rules for all users or all admins instead.
But for completion of the process to show all the options, .
You select a user(s) in the Office 365 MFA page and click Enable
In the below screenshot we can see that Cameron White is enabled for MFA
This means that it has been turned on for him, but he has not yet gone through the registration wizard: The video below shows the first run experience of this user – they login and are prompted to register for MFA.
They register using the legacy experience and are then granted access to the application.
OFFICE 365 MFA + LEGACY REGISTRATION Office 365 MFA + Enhanced Registration
For this scenario I have a user called Brian Johnson.
He has been enabled for MFA as above (Office 365 method) but additionally has been added to a group that is configured to support the new MFA+SSPR combined registration process.
Brian is not enabled for SSPR.
The video shows the user experience.
Note that the user needs a valid licence to be able to use this experience.
If they do not have any licences they will get the old experience: VIDEO OFFICE 365 MFA + ENHANCED REGISTRATION Conditional Access MFA.
The following video looks at the experience of two users who are enforced for MFA via Conditional Access.
The login will trigger the registration for MFA as neither user is already registered
The first user (Christie) gets the old registration wizard and the second (Debra) gets the new registration wizard.
The Conditional Access settings are basic – MFA in all circumstances for our two users: CONDITIONAL ACCESS WITH OLD AND NEW REGISTRATION Impact of SSPR on MFA Registration and User Sign-In.
When users are set up to register their password reset security methods and MFA
but using the old registration wizard the user needs to do two sets of registration.
Again, it is recommended that the combined registration process is used instead of this process.
For this demostration, we are enabling SSPR for our test users.
One with the old registration wizard and one with the new one: SSPR WITH AND WITHOUT COMBINED REGISTRATION Adding SSPR To Already Registered Users.
Once a user has registered for MFA (old or new registration) it might come a time where you enable SSPR for them after that (and not at the time of original registration).
In this scenario the users that registered with the old registration wizard are asked to register for SSPR, but users who went through the new wizard – though they did not specifically register for SSPR – there is enough details already available for them to use the service (as long as app notifications and codes is enabled for SSPR).
If SSPR is left on the default of SMS and Email, then the new registration wizard does not have your alternative email and so SSPR is unavailable to you.
The user process and flow is shown in the next video: ENABLE SSPR AFTER REGISTRATION Azure AD Identity Protection and MFA Registration.
The Azure AD Premium 2 licensed feature called Identity Protection contains the ability to request that the user registers for MFA (and SSPR if via the new combined registration wizard) even if the user is not required to perform MFA for login – all our previous registrations only required registration because the user needed to do MFA.
You can ask users to pre-register via https://aka.ms/mfasetup but Identity Protection adds this functionality with a 14 day option to defer.
The video shows the settings and the user experience: Azure AD IDENTITY PROTECTION WITH AND WITHOUT NEW REGISTRATION Azure AD Free Conditional Access for All Users.
Early Q2 2019 Microsoft rolled out new baseline policies for Azure AD Conditional Access.
These are available even without the Azure AD P1 licence needed for Conditional Access – but as they are licence free they are heavily restricted – they apply to all users and need MFA if sign-in is risky.
So though they do not require MFA on all logins (unlike the O365 MFA legacy settings) they do require registration.
But they offer a 14 day deferral process if the user is not ready to register.
But unlike Azure AD Identity Protection mentioned above, you cannot do this for some users – it is enabled for all users upon enabling the rule.
Lets see the settings and the user experience in the video.
The video will also enable the “all admins” baseline policy as well, as that should always be turned on.
BASELINE POLICY FOR ALL USERS WITH REGISTRATION Tags MFA.
Azure Azure Information Protection cloud firewall proxy SSL SSL Inspection and Office 365.
July 18, 2018.
No Comments on SSL Inspection and Office 365.
Lots of cloud endpoint URL’s break service flow if you enable SSL Inspection on the network devices between your client and the service.
My most recent example of this Enterprise State Routing in Windows 10.
Microsoft have a list of URLs for the endpoints to their service, where they are categorised as Default, Allow or Optimize.
The URLs that are Allow or Optimize should avoid SSL inspection.
The endpoint list is found at https://support.office.com/en-us/article/managing-office-365-endpoints-99cab9d4-ef59-4207-9f2b-3728eb46bf9a#webservice and the JSON for this can be downloaded, as well as a PowerShell script to return the IPs and URLs.
Within this JSON file you can look for the category and if the category is Allow or Optimize then ensure the matching URLs are not SSL inspected.
aadrm Azure Information Protection certificates IRM Office rms SSL Azure Information Protection and SSL Inspection.
July 6, 2018.
No Comments on Azure Information Protection and SSL Inspection.
I came across this issue the other day, so thought I would add it to my blog.
We were trying to get Azure Information Protection operating in a client, and all we could see when checking the download of the templates in File > Info inside an Office application was the following: The sequence of events was File > Info, click Set Permissions.
You get the “Connect to Rights Management Servers and get templates” menu item.
Clicking this shows a box saying “Retrieving templates from server” (which you might not see as this step takes no real time at all) and then an error that reads “Your machine isn’t set up for Information Rights Management (IRM).
To set up IRM, sign into Office, open and existing IRM protected message or document, or contact your helodesk”.
For each of these recommendations, we tried them and still got the same message.
So what was the issue.
In https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements#firewalls-and-network-infrastructure Microsoft state the the IRM client in Windows uses Certificate Pinning.
This is where the client application knows what certificate it expects to see at the service it is connecting to.
If it gets a different certificate it will fail to connect.
Within enterprise organizations, firewalls and proxy devices that do SSL Inspection change the certificate in use so that they can see the content being sent to the service in the clear.
For the IRM client in Windows, this means that IRM does not trust the certificate and so will not work.
You can test for SSL Inspection on a URL by browsing the target URL in Chrome.
For example, for IRM go to https://admin.na.aadrm.com/admin/admin.svc and click the Secure banner in the address bar: You will get a popup – hover over the “Certificate (Valid)” message.
If the certificate is not valid then either your PC is missing some important updates or SSL inspection is happening, but not implemented correctly.
You can use this same test to check for SSL Inspection on any network.
The certificate listed when you hover over the “Certificate (Valid)” message should read (for AIP) a Microsoft CA issued certificate.
It should not list your company or proxy service as the issuer.
Do not terminate the TLS client-to-service connections (for example, to do packet-level inspection) to the Azure Rights Management service.
Doing so breaks the certificate pinning that RMS clients use with Microsoft-managed CAs to help secure their communication with the Azure Rights Management service.
For network performance, Microsoft also have a list of URLs that they recommend you do not inspect for Office 365 services.
This list of endpoints that should not be inspected are those categorised as Optimize or Allowed when you browse https://endpoints.office.com/endpoints/O365Worldwide?ClientRequestId=GUID.
Interestingly at the time of writing this lists aadrm.com as Default, which means it can be inspected – I have reported this to the team that manages the endpoint service so that this URL can be moved up in its classification.
Once you bypass SSL Inspection for *.aadrm.com you will find that the Office and RMS clients work fine (assuming everything else is enabled correctly of course).
aadrm AIP Azure Information Protection encryption IAmMEC rms Azure Information Protection General Troubleshooting.
November 9, 2016.
3 Comments on Azure Information Protection General Troubleshooting.
Azure Information Protection (AIP) is the new name, and new features for Azure Rights Management.
Azure Information Protection allows a company to create a series of labels to apply to documents and to have those documents tags and labelled.
For example a watermark or header is easy to set in the Azure Information Protection management blade in portal.azure.com.
In fact its so easy to turn on I did just that.
The actual work and business consulting with Azure Information Protection is the why and business reasons for using it rather than the technical steps to enable it.
So once I enabled it and the client installed I found that I had a banner toolbar in Office applications as shown: Clicking any of the labels will perform the default function of the product.
These can be modified in the Azure Portal as shown: The above two graphics show one example label (Confidential) that has had a sub label added (called NBConsult UK).
The larger image above shows the details for this “NBConsult UK” label.
In the properties blade for the label you can see I have turned on a template from RMS.
Once the changes are made and saved, you can publish the changes.
Clients will pick up these changes on restarting the client application.
And then started my issues and the steps to troubleshoot this.
First I got the following prompt twice: Followed by: And so I was finding my documents did not get the RMS based labels applied.
Reasons why this might be the case can be checked using the RMS tool in the Office application.
So I tried to protect the document manually via File > Info tab: This worked – I had the rights to use the template in the application – just AIP could not apply the template via the AIP tool.
To fix this I ran the Azure Information Protection (AIP) diagnostics tool.
To get this click the AIP lock icon and choose Help and Feedback from the menu: From this a popup appears: And from this choose Run diagnostics: Let the tool complete.
I got the following errors before the application failed (crashed) and then did not complete again if left it again and then To get around this issue, as the reset option to fix the AIP application in the diagnostics tool was not available due to the application crash, I followed the steps in http://social.technet.microsoft.com/wiki/contents/articles/19251.ad-rms-troubleshooting-reset-the-client-msipc.aspx to bootstrap the client manually.
If the AIP diag client completes, fix the listed issue or choose Reset in the client.
Once I had deleted the files and related registry keys mentioned in the above website I could restart any Office application.
The RMS certs, keys and settings where downloaded to the client again and the AIP client was able to protect a document where as before it was not: Select Category 2003 2004 2007 2008 2008 R2 2010 2012 2012 R2 2013 2016 2019 2FA 64 bit AADConnect aadrm AADSync access acdc active directory activesync add-in ADDS ADFS ADFS 2.0 ADFS 3.0 ADFS Connector AdminSDHolder adsiedit Advanced Threat Protection agent AIP android antivirus anycast app password Application Guard archive asterisk asterisknow ATP Authentication autodiscover autodiscover v2 az Azure Azure Active Directory Azure AD Azure Information Protection AzureAD backup baseline bing bios booking bpos branding cafe calendar certificates Chrome citrix Click To Run Click2Run cloud Cloud PBX Clutter cmak compliance conditional access conversation crm cross-forest cyber bullying dell Deployment device device registration dirsync dkim DLP dmarc DNS domain door download draytek DSC duplicate dynamic delivery Dynamics EAS ebs 2008 Edge EM+S email encryption Endpoint Manager enterprise mobility + security Entourage EOP Exchange Online Protection error EWS exchange exchange online Exchange Server EXO ExpressRoute federation FIDO firewall Focused Inbox FOPE Free/Busy GeoDNS Global Catalog GPO Group Policy groups hosting hotfix https hybrid hyper-v IAmMEC IFilter iis illustration install Intune iOS ip iPad iPhone ipsec ipv4 ipv6 iQ.
Suite IRM isa ISA Server 2004 ISA Server 2006 JetNexus journal journaling Kemp kerberos lab licence Live Event load balancer Load Master loadbalancer logo Lync Server mailbox malware management mcafee mcas mcm mcsm mdatp MDM media player MFA microsoft Microsoft 365 Microsoft Cloud App Security Microsoft Defender Advanced Threat Protection Microsoft Teams migration Mobile Device Management mobile phones modern authentication monthly channel move msExchDelegateListBL msExchDelegateListLink MSOL multi-factor auth Multi-Factor Authentication MVP MX ndr Netscaler networking NTL OAuth OD4B ODFB off offensive Office Office 365 Office 365 Advanced Threat Protection Office 365 Groups Office 365 ProPlus oledb OneDrive OneDrive For Business openmanage orange organization relationships osma Outlook owa OWA for Devices password paxton pbx permissions PFDAVAdmin phish phishing phone factor pkcs pki places policy powershell pptp preview Proof Of Concept proxy pst PSTN PSTN Conferencing Public Folders recovery remote desktop remote web workplace retention retention policies rms room router rras rtp rules rww Safe Attachments Safe Documents Safe Links Salesforce sbs 2008 SCOM sdk search security Security and Compliance Center self-service password reset semi-annual channel send-on-behalf server administrator server core shared mailbox sharepoint sip Skype For Business Online Skype for Business Server smarthost smartphone sms smtp spam spf spoof spv SQL sql express SSL SSO sspr sstp starttls storage card Stream supervision sync error sysprep Teams TechEd terminal server Terminal Services text message Threat Management TLS tmg token2 transport transport agent ts gateway Uncategorized unif unified messaging update upgrade vc++ vhd virtual pc virtual server virtualisation vista visual studio vm VNet Voicemai voicemail.