Today we've got some pretty cool news! We've just released the preview of our new Windows Azure Active Authentication service. A few months ago we showed you how to enable multi-factor authentication for your Azure AD Global Admins. With this preview we're giving you the ability to give all your employees, customers and partners a rich set of smartphone-based two-factor authentication options.
Starting now, companies can use this preview to enable multi-factor authentication for all their Windows Azure Active Directory identities, securing access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online and many of the other applications that are integrated with Windows Azure AD. Additionally, developers can use the Active Authentication SDK to build multi-factor authentication into their custom applications and directories.
To start using multi-factor authentication with your Windows Azure Active Directory tenant, you’ll first need to add the Active Authentication service. To do that:
Fig 1: Active Auth Provider Tab
Fig 2: Adding a new provider
a. Name – The name of the Active Auth Provider, so you can associate it for billing purposes, for example “Messaging DEMO”
b. Usage Model – Select the usage model you prefer - “Per Enabled User” or “Per Authentication”. This sets the billing model for this authentication provider as either per user or per authentication.
Note: You can learn more about these usage models and pricing here
c. Directory – Enter the Windows Azure Active Directory tenant that the Active Authentication Provider is going to be used with e.g. Contoso Demo
Fig 3: Completing the Authentication Provider Quick Create form
Now you've got Active Authentication provisioned and ready to use. Time to configure which users will have it enabled.
Turning on multi-factor authentication for specific users
Fig 4: Activating 2 Factor Authentication for a user
Your admin tasks are all done. Pretty easy eh?
Signing in with Windows Azure Active Authentication Service
Once Active Authentication has been enabled for a user, the next time that user signs in to a service that uses Windows Azure AD, they will be asked to select and configure one of these multi-factor authentication methods:
This auto-enrollment feature makes deploying multi-factor authentication easy and hassle-free for IT pros while giving the end user the flexibility to configure the primary method that suits their needs. Users can add or change methods later.
While all four of these authentication methods work great, my favorite is our Active Authentication app (available for Windows Phone, iOS and Android smartphones and tablets). You can download the free app from the device store and activate it. If you are a gadget geek like me, this is the one you’ll want to use!
Configuring your account to use the Windows Azure Active Authentication smart phone app:
Fig 5: Prompt to configure Multi-Factor Auth when signing in the first time.
Fig 6: Additional Verification Page
Fig 7: Configure App Screen
Fig 8: Active Authentication App Configuration Screen
You are all set!
The next time you sign in to a cloud application or service protected by Windows Azure AD, the app will activate on your phone and ask you to authenticate or deny the login. You also have the option to report the attempt as being fraudulent.
Of course, the app is my personal favorite, but you might like receiving a phone call better, and most of the folks on our team prefer the SMS messaging option. The great thing about the service is that your users can choose the method they like best and switch between methods without any additional configuration on your part.
We’ll have a lot more coming in this space in the very near future, so stay tuned. And as always, we would love to hear your feedback. Head over to the Windows Azure Active Authentication forum to let us know what you think.
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
I cannot get the Active Auth method to work for me, I have the latest version installed on my Nokia 920 on ATT and have Push notification turned on and pinned to my start screen.
Keep getting "Mobile App Configuration Failed, Please try again", after it spins on Checking Activation Status for a couple minutes.
Saw you tweet on this. Thanks for the heads up.
Were you able to scan the bar code and get the six digit code back?
Yes the scan works and I get the code on my phone. I click done then it just goes to Checking for several minutes and then the failed message
ok - that helps. Let me check with the team to see if we are seeing failures in our service logs.
Where can we get the SDK to build this into our custom apps? We are building a cross-platform mobile app for Dynamics CRM, so I'm looking to implement this on Windows Phone, iOS, Android and BlackBerry.
Can you send me the details of your errors so that we can investigate? Or if you can email me your contact info (name/phone/email) I can have one of the engineers call you and collect the information for investigation. Please email me at email@example.com
@Jeffry: We'll have a detailed post on the SDK next week. But if you want to get started now here's how:
1.) Log on to the Windows Azure Portal using the Global Admin for your Azure AD tenant.
2.) Select the Active Directory tab on the left
3.) On the Active Directory page, select Active Auth Providers across the top.
4.) In the tray at the bottom of the page, click Manage.
This will take you to the 2FA configuration pages where you can download the SDK.
We have versions for Perl, Ruby, PHP, ASP.NET and Java.
Hope that helps!
Can we use this function in Japan without any additional charge? (What I mean is call charge to the mobile phones)
Any charges you pay when using your smart phone to receive SMS messages or calls will still apply.
I couldn't get the screen to configure the app to come up. It generated an error. I continued without setting it up, and the texting works fine, but how can I go back and try to set the app up again? I also posted on the forum with more details.
I experience the same issue as Sean, please contact me for details if needed.
As well, the walkthrough is a bit misleading. It says:
•Scan the barcode picture that came up with the configure phone app screen.
•After a few seconds you should see a 6 digit code on the app screen. Once you see this click the check mark button on the configure phone app screen.
In reality, after you scan the barcode (Lumia 920), there are no check mark or save buttons. The app just shows six-digit codes, and the only available button is "+" to create a new account and settings.
One more question: will the charges for Active Auth apply to Azure subscription?
Such as, if I have 200$ a month free on MSDN, can I use some of them for Active Auth?
@Sean: Talking with the team, we fixed this issue today. Thank you for your help on this and for verifying it worked for you!
Thanks for your feedback.
Yes, Active Auth charges will apply to your Azure Subscription that was referenced when you created the Active Auth Provider.
Regarding your Phone App Activation issue,
- The save button is to be clicked on the configure phone app screen browser window and not on your phone app.
- Anton, are you syncing your users from AD to AAD using Dirsync?
The dual-factor is great.
What will the charge for Office 365 users be to be able to use Active Auth? Is it the same as those that have the Azure subscription?