
Microsoft Modern Authentication and MobileIron.

Important

As of August 2017, all new Office 365 tenants that include Skype for Business Online and Exchange Online have modern authentication enabled by default. Pre-existing tenants do not have their default MA state changed, but all new tenants automatically support the expanded set of identity features listed in the next section. To check your MA status, see the Check the Modern Authentication Status of your On-Premises Environment section.

What is Modern Authentication?

Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:

  • Authentication methods: Multifactor authentication (MFA); smart card authentication; client certificate-based authentication
  • Authorization methods: Microsoft’s implementation of Open Authorization (OAuth)
  • Conditional access policies: Mobile Application Management (MAM) and Azure Active Directory (Azure AD) Conditional Access

What Changes when I use Modern Authentication?

When using modern authentication with on-premises Skype for Business or Exchange server, you still authenticate users on-premises, but the way their access to resources (such as files or emails) is authorized changes. This is why, although modern authentication is about client and server communication, the steps taken when configuring MA result in evoSTS (a Security Token Service used by Azure AD) being set as the authorization server for Skype for Business and Exchange server on-premises.

The change to evoSTS allows your on-premises servers to take advantage of OAuth (token issuance) for authorizing your clients, and also lets your on-premises servers use security methods common in the cloud (such as multi-factor authentication).

Additionally, evoSTS issues tokens that allow users to request access to resources without supplying their password as part of the request. No matter where your users are homed (online or on-premises), and no matter which location hosts the needed resource, evoSTS becomes the core of authorizing users and clients once modern authentication is configured.

For example, if a Skype for Business client needs to access Exchange server to get calendar information on behalf of a user, it uses the Microsoft Authentication Library (MSAL) to do so. MSAL is a code library designed to make secured resources in your directory available to client applications using OAuth security tokens. MSAL works with OAuth to verify claims and to exchange tokens (rather than passwords) in order to grant a user access to a resource. In the past, the authority in a transaction like this one, that is, the server that knows how to validate user claims and issue the needed tokens, might have been a Security Token Service on-premises, or even Active Directory Federation Services. Modern authentication, however, centralizes that authority in Azure AD.


This also means that even though your Exchange server and Skype for Business environments may be entirely on-premises, the authorizing server will be online, and your on-premises environment must have the ability to create and maintain a connection to your Office 365 subscription in the Cloud (and the Azure AD instance that your subscription uses as its directory).

What doesn’t change? Whether you’re in a split-domain hybrid or using Skype for Business and Exchange server on-premises, all users must first authenticate on-premises. In a hybrid implementation of modern authentication, the Lyncdiscover and Autodiscover records both point to your on-premises server.

Check the Modern Authentication Status of your On-Premises Environment

Because modern authentication changes the authorization server used when services apply OAuth/S2S, you need to know if modern authentication is enabled or disabled for your on-premises Skype for Business and Exchange environments. You can check the status on your Exchange servers by running the following PowerShell command:


Get-OrganizationConfig | ft OAuth*

If the value of the OAuth2ClientProfileEnabled property is False, then modern authentication is disabled.

For more information about the Get-OrganizationConfig cmdlet, see Get-OrganizationConfig.

You can check your Skype for Business servers by running the following PowerShell command:


Get-CsOAuthConfiguration

If the command returns an empty OAuthServers property, or if the value of the ClientADALAuthOverride property is not Allowed, then modern authentication is disabled.

For more information about the Get-CsOAuthConfiguration cmdlet, see Get-CsOAuthConfiguration.
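The two rules above can be turned into a single repeatable check. The following PowerShell is an added example, not code from this page, Microsoft or MobileIron: it evaluates the objects returned by Get-OrganizationConfig and Get-CsOAuthConfiguration against the stated rules (OAuth2ClientProfileEnabled must be True; OAuthServers must be non-empty and ClientADALAuthOverride must be Allowed). The functions take the configuration objects as parameters so the logic can be dry-run offline; the sample objects at the end are constructed and the function names are this example's own.

```powershell
# Added example: evaluates the modern authentication status rules from the text.
# Live calls are assumed to run in the Exchange Management Shell and the
# Skype for Business Management Shell respectively; sample objects are constructed.

function Test-ExchangeModernAuth {
    param([Parameter(Mandatory)] $OrgConfig)   # output of Get-OrganizationConfig
    # Rule from the text: OAuth2ClientProfileEnabled = False means MA is disabled
    return [bool]$OrgConfig.OAuth2ClientProfileEnabled
}

function Test-SkypeModernAuth {
    param([Parameter(Mandatory)] $OAuthConfig)  # output of Get-CsOAuthConfiguration
    # Rule from the text: an empty OAuthServers list, or ClientADALAuthOverride
    # not equal to Allowed, means MA is disabled.
    # Filter out $null so a missing property counts as "no servers".
    $servers = @($OAuthConfig.OAuthServers | Where-Object { $_ })
    $hasServers = $servers.Count -gt 0
    $overrideAllowed = "$($OAuthConfig.ClientADALAuthOverride)" -eq 'Allowed'
    return ($hasServers -and $overrideAllowed)
}

function Get-ModernAuthReport {
    param($OrgConfig, $OAuthConfig)
    [pscustomobject]@{
        ExchangeModernAuth = Test-ExchangeModernAuth -OrgConfig $OrgConfig
        SkypeModernAuth    = Test-SkypeModernAuth   -OAuthConfig $OAuthConfig
    }
}

# Live use (run each cmdlet in its own management shell, then combine):
#   $exo = Get-OrganizationConfig
#   $sfb = Get-CsOAuthConfiguration
#   Get-ModernAuthReport -OrgConfig $exo -OAuthConfig $sfb

# Constructed sample objects for an offline dry run: Exchange enabled, Skype disabled
$sampleExo = [pscustomobject]@{ OAuth2ClientProfileEnabled = $true }
$sampleSfb = [pscustomobject]@{ OAuthServers = @(); ClientADALAuthOverride = 'Disallowed' }
Get-ModernAuthReport -OrgConfig $sampleExo -OAuthConfig $sampleSfb
```

If either value comes back False, the MobileIron configuration in the next section will not deliver working OAuth for mobile clients, so run this check before pushing the Sentry and email profiles.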

Modern Authentication and MobileIron

If you have enabled Modern Authentication and are pushing a configuration from your MobileIron core to end users’ devices, then you will need to ensure the following steps are taken to avoid any interruption to email on mobile devices.

OAuth for Sentry on Core


OAuth is supported with Standalone Sentry for Office 365.

The following scenarios must be compliant for OAuth to function correctly:

  • The email client must support OAuth (iOS Native Mail, iOS Email+ and Android Email+)
  • UEM must push an OAuth configuration to the email client
  • UEM must enable Sentry for OAuth

Sentry 9.14.0 and 9.15.0 support Azure AD Conditional Access policies. For more information, see Configuring conditional access policy in Azure AD.

Configuring Sentry on Core for OAuth

You must configure Sentry to enable OAuth and provide the endpoints.

Before you Begin

Verify that you have Sentry 9.14.0 or later and Core 11.0.0.0 or later.

Procedure

  1. Login to Core with admin credentials.
  2. Click Services > Sentry.
  3. Click Add New > Standalone Sentry.
  4. Select Enable ActiveSync and enter the following details for OAuth:
     a. Server Authentication: select Pass Through
     b. Select Enable Pass Through with OAuth
     c. Destination OAuth2 Authorization Endpoint: https://login.windows.net/common/oauth2/authorize
     d. Destination OAuth2 Token Endpoint: https://login.windows.net/common/oauth2/token
     e. Sentry Resource: https://<SentryHostName>
     f. Destination Resource: https://outlook.office365.com/
     If no ActiveSync server is added by default, configure the ActiveSync server as outlook.office365.com.
  5. Click Save.

Configuring iOS native email configuration with OAuth

Before you Begin

Verify that you have enabled “Use OAuth for Authentication” for iOS 5 and later versions.

Procedure

  1. Login to Core with admin credentials.
  2. Click Policies and Configs.
  3. Click Edit on the exchange configuration.
  4. Enable Use OAuth for Authentication.
  5. Under iOS 5 and Later Settings, enter the following details:
     OAuth Sign In URL: https://<SentryHostName>/proxyservice/oauth2/authorize
     OAuth Token Request URL: https://<SentryHostName>/proxyservice/oauth2/token
  6. Click Save.

Configuring Android and iOS Email+ with OAuth

For more information on configuring Android or iOS Email+ for OAuth, see Email+ Product Documentation.

KVPs for Email+ Configuration

For OAuth, make sure to set “eas_min_allowed_auth_mode” to “modern_auth” and provide modern_auth_authority_url and modern_auth_resource_url for the appropriate OAuth configuration:

  • eas_min_allowed_auth_mode: modern_auth
  • modern_auth_authority_url: https://<SentryHostName>/proxyservice
  • modern_auth_resource_url: https://<SentryHostName>

For OAuth Email+ users with certificate-based authentication (CBA), the following KVP must also be provided:

  • email_login_certificate = <CBACertificateName>.pfx

Configuring conditional access policy in Azure AD

You can configure the conditional access rules in Azure for OAuth to function correctly.

  1. Log in to the Azure portal with admin credentials.
     The account must be a top-level administrator on a tenant with the premium features required to configure Conditional Access rules.
  2. Click Azure AD Conditional Access > Named Locations > IP Range Locations > New IP Range Location.
  3. Click Add and enter the IPv4 or IPv6 address range.
  4. Enter a name and the Sentry IP address with its subnet, click Add, enable Mark as trusted location, and click Create.
  5. On the Home tab, click Conditional Access Policies > Create New Policy.
  6. Under Users and Groups, select Users and Groups.
  7. Search for the appropriate users or groups and click Select.
  8. Under Cloud apps or actions, select the Office 365 apps.
  9. Under Conditions > Locations, set Configure to Yes and, under Include, select Any location.
  10. Under Exclude, select Selected locations and choose from the list of locations.
  11. Under Grant, select Block access, then Require one of the selected controls.
  12. Set Enable policy to On and click Create.

Note that users will be prompted to enter their email password, so they will need to have it to authenticate on the device.
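The same policy can be built as code so it is reviewable and repeatable. The following PowerShell is an added example, not MobileIron’s or Microsoft’s own procedure: it uses the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Identity.SignIns module, connected with Connect-MgGraph and the Policy.ReadWrite.ConditionalAccess scope) instead of the portal to create the trusted Sentry named location (steps 2 to 4) and the block policy that excludes it (steps 5 to 12). The function name, the Sentry IP range and the group object id are this example’s own placeholders. It creates the policy in report-only state unless -Enforce is given, so sign-in logs can be reviewed before any user is blocked.

```powershell
# Added example: Conditional Access via Microsoft Graph PowerShell, not the portal.
# Assumes: Install-Module Microsoft.Graph.Identity.SignIns has been run and
#          Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
#          has been executed in this session.
Import-Module Microsoft.Graph.Identity.SignIns

function New-SentryOnlyOffice365Policy {
    param(
        [Parameter(Mandatory)] [string] $SentryCidr,   # placeholder, e.g. '203.0.113.10/32'
        [Parameter(Mandatory)] [string] $GroupId,      # placeholder: object id of the pilot group
        [switch] $Enforce                               # omit to create the policy report-only
    )

    # Steps 2-4: a named IP location for Sentry, marked as trusted.
    # Pick the IPv4 or IPv6 range type from the CIDR given.
    $rangeType = if ($SentryCidr -like '*:*') { '#microsoft.graph.iPv6CidrRange' }
                 else                          { '#microsoft.graph.iPv4CidrRange' }

    $location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type' = '#microsoft.graph.ipNamedLocation'
        displayName   = 'MobileIron Sentry'
        isTrusted     = $true
        ipRanges      = @(
            @{ '@odata.type' = $rangeType; cidrAddress = $SentryCidr }
        )
    }

    # Steps 5-12: block Office 365 from every location except the Sentry location.
    # Report-only first; switch to 'enabled' only once the sign-in logs look right.
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName = 'Block Office 365 unless via MobileIron Sentry'
        state       = $state
        conditions  = @{
            users        = @{ includeGroups = @($GroupId) }
            applications = @{ includeApplications = @('Office365') }
            locations    = @{
                includeLocations = @('All')             # step 9: Any location
                excludeLocations = @($location.Id)      # step 10: the Sentry location
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }  # step 11
    }

    return $policy
}

# Usage (placeholder values):
# New-SentryOnlyOffice365Policy -SentryCidr '203.0.113.10/32' `
#     -GroupId '00000000-0000-0000-0000-000000000000' |
#     Select-Object Id, DisplayName, State
```

Because Sentry is marked as a trusted location and excluded from the block, any device that reaches Office 365 without passing through Sentry is denied; test with a pilot group and the report-only state before enforcing it for all users.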

If you have any queries, please feel free to contact us here at [email protected]
