Windows Azure Active Authentication: Multi-Factor for Security and Compliance

Windows Azure Active Authentication: Multi-Factor for Security and Compliance

  • Comments 22
  • Likes

Howdy folks,

Today we've got some pretty cool news! We've just released the preview of our new Windows Azure Active Authenticaton service.  A few months ago we showed you how to enable multi-factor authentication for your Azure AD Global Admins. With this preview we're giving you the ability to give all your employees, customers and partners a rich set of smartphone based two factor authentication options.

Starting now, companies can use this preview to enable multi-factor authentication for all their Windows Azure Active Directory identities securing access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online and many of the other applications that are integrated with Windows Azure AD.  Additionally Developers can also use the Active Authentication SDK to build multi-factor authentication into their custom applications and directories.

Getting Started

To start using multi-factor authentication with your Windows Azure Active Directory tenant, you’ll first need to add the Active Authentication service. To do that:

  • Sign in to the Windows Azure Portal as an Administrator.
  • On the Active Directory page, at the top, select Active Auth Providers
  • In the tray at the bottom of the page, click New.

 

Fig 1: Active Auth Provider Tab

 

  • Under App Services, select Active Auth Providers, and select Quick Create.

Fig 2: Adding a new provider

  • Fill in the following fields and when completed, select Create.

a.   Name – The name of the Active Auth Provider, so you can associate for billing purposes for example,  “Messaging DEMO”

b.   Usage Model – Select the usage model you prefer - “Per Enabled User” or “Per Authentication”. This sets the billing model for this authentication provider as either per user or per authentication. 

Note: You can learn more about these usage models and pricing here

c.   Directory – Enter the Windows Azure Active Directory tenant that the Active Authentication Provider is going to be used with e.g. Contoso Demo

Fig 3: Completing the Authentication Provider Quick Create form 

  • Once you click create, the Active Authentication Provider will be created and you should see a message stating:  Successfully created Active Authentication Provider. 
  • Click Ok

Now you've got Active Authentication provisioned and ready to use.  Time to configure which users will have it enabled.

Turning on multi-factor authentication for specific users

  • Click on the Active Directory tab on the left
  • Click the Directory tab underneath the Active Directory header
  • Click on your Windows Azure AD tenant. 
  • On the Users page, click the user you want to enable.
  • Select the Require Multi-factor Authentication check box

Fig 4: Activating 2 Factor Authentication for a user

Your admin tasks are all done. Pretty easy eh?

Signing in with Windows Azure Active Authentication Service

Once Active Authentication has been enabled for a user  the next time that user signs into a service that uses Windows Azure AD, they will be asked to select and configure one of these multi-factor authentication methods:

  • App Notification – Use the Active Authentication smart phone app.
  • App One-time password (OTP) – Use a One-time Password with their Active Authentication smart phone app.
  • Phone Call – A phone call to their mobile or landline phone.
  • Text Message –A text message sent to their mobile phone.

This auto-enrollment feature, makes deploying multi-factor authentication easy and hassle free for ITPros while providing the end user the flexibility to configure the primary method that suits their needs. Users can add or change methods later.

While all four of these authentication methods work great, my favorite is our Active Authentication app (available for Windows Phone, iOS and Android smartphones and tablets). You can download the free app from the device store and activate it.  If you are a gadget geek like me, this is the one you’ll want to use!

Configuring your account to use the Windows Azure Active Authentication smart phone app:

  • First, if you are logged into Windows Azure, Office 365, or another service integrated with Windows Azure AD, log-out.
  • Using your browser, sign in to Windows Azure or Office 365.
  • You will be prompted to configure your multi-factor options. Click the "Set it up now" button.

 

 Fig 5: Prompt to configure Multi-Factor Auth when signing in the first time.

 

  •  This will bring up the Additional Security Verification settings page. Once that page loads, under mobile app, select the check box and click Configure

  

  Fig 6: Additional Verification Page

 

  • That will bring up the App Configuration screen:

 

Fig  7: Configure App Screen

  • On the phone that has the Active Authentication app installed, launch the app.
  • Now click the + sign in the app to add a new account.
  • Then click the barcode scanner button on the far right in the app.  This will launch the camera.
 

Fig 8: Active Authentication App Configuration Screen 

  • Scan the barcode picture that came up with the configure phone app screen.
  • After a few seconds you should see a 6 digit code on the app screen.  Once you see this click the check mark button on the configure phone app screen.
  • Click Save.

You are all set! 

The next time you sign-in to a cloud application or service protected by Windows Azure AD, the app will activate on your phone and ask you to authenticate or deny the login. You also have the option to report the attempt as being fraudulent.

 

Of course, the app is my personal favorite but you might like receiving a phone call better and most of the folks on our team prefer the SMS messaging option. The great thing about the service is that your users can choose the method they like best and switch between methods without any additional configuration on your part.

We’ll have a lot more coming in this space in the very near future, so stay tuned. And as always, we would love to hear your feedback. Head over to the Windows Azure Active Authentication forum to let us know what you think.

Best Regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Active Directory

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • I cannot get the Active Auth method to work for me, I have the latest version installed on my Nokia 920 on ATT and have Push notification turned on and pinned to my start screen.

    keep getting "Mobile App Configuration Failed, Please try again", after it spins on Checking Activation Status for a couple minutes

    Any Ideas?

  • Hi Sean,

    Saw you tweet on this. Thanks for the heads up.

    Were you able to scan the bar code and get the six digit code back?

    Thanks

    Alex

  • Yes the scan works and I get the code on my phone.  I click done then it just goes to Checking for several minutes and then the failed message

  • ok - that helps. Let me check with the team to see if we are seeing failures in our service logs.

  • Where can we get the SDK to build this into our custom apps? We are building a cross-platform mobile app for Dynamics CRM, so I'm looking to implement this on Windows Phone, iOS, Android and BlackBerry.

  • Hi Sean,

    Can you send me the details of your errors so that we can investigate? Or if you can email me your contact info (name/phone/email) I can have one of the engineers call you and collect the information for investigation. Please email me at mohitsa@microsoft.com

    Thanks

  • @Jeffry: We'll have a detailed post on the SDK next week. But if you want to get started now here's how:

    1.) Log on to the Windows Azure Portal using the Global Admin for your Azure AD tenant.

    2.) Select the Active Directory tab on the left

    3.) On the Active Directory page, select Active Auth Providers across the top.

    4.) In the tray at the bottom of the page, click Manage.

    This will take you to the 2FA configuration pages where you can download the SDK.

    We have versions for Perl, Ruby, PHP, ASP.NET and Java.

    Hope that helps!

    Regards,

    Alex  

  • Can we use this function in Japan without no additional charge? (What I mean is call charge to the mobile phones)

  • Hi Masa,

    Any charges you pay when using you smart phone to receive SMS messages or calls will still apply.

    Regards,

    Alex

  • I couldn't screen to configure the app to come up.  It generated an error.  I continued without setting it up, and the texting works fine, but how can I go back and try to set the app up again?  I also posted on the forum with more details.

    social.msdn.microsoft.com/.../bfa677a4-74ec-4600-b211-6320169d336d

  • I experience the same issue as Sean, please contact me for details if needed.

    As well, the walkthrough is a bit misleading. It says:

    •Scan the barcode picture that came up with the configure phone app screen.

    •After a few seconds you should see a 6 digit code on the app screen.  Once you see this click the check mark button on the configure phone app screen.

    •Click Save.

    In reality, after you scan the barcode (Lumia 920), there are no check mark or save buttons. The app just shows six-digit codes, and only available button is "+" to create new account and settings.

  • One more question: will the charges for Active Auth apply to Azure subscription?

    Such as, if I have 200$ a month free on MSDN, can I use some of them for Active Auth?

  • @Sean: Talking with the team, we fixed this issue today. Thank you for your help on this and for verifying it worked for you!

  • Hi Anton,

    Thanks for your feedback.

    Yes, Active Auth charges will apply to your Azure Subscription that was referenced when you created the Active Auth Provider.

    Regarding your Phone App Activation issue,

    - The save button is to be clicked on the configure phone app screen browser window and not on your phone app.

    -  Anton are you syncing your users from AD to AAD using Dirsync?

    Thanks

    Bhavini

  • The dual-factor is great.  

    What will the charge for Office 365 users be to be able to use Active Auth?  Is it the same as those that have the Azure subscription?  

    Thanks!