How to configure password-less phone sign-in with the Microsoft Authenticator app (public preview)

This is one of the most exciting features I have seen so far, because it gives us both stronger security and a password-less environment. The Microsoft Authenticator app uses key-based authentication: the user's credential is bound to their device and is unlocked with a biometric or a PIN, so no password is typed at the sign-in page.

After entering a username, a user who has enabled phone sign-in in the Microsoft Authenticator app sees a number on the sign-in page instead of a password prompt. The user must first pick the matching number in the Authenticator app and tap Approve, and then provide their PIN or biometric to complete the authentication.

I am going to show you how to enable this in my test tenant. Since this feature is still in preview, we have to use PowerShell to enable it.

As a prerequisite, we have to install the latest version of the Azure Active Directory V2 Preview PowerShell module (AzureADPreview).

Please refer to the link below for more information about the Azure Active Directory V2 Preview PowerShell module.

https://www.powershellgallery.com/packages/AzureADPreview/2.0.2.5

The listing at the above link shows the most recent versions available for AzureADPreview.


clip_image001[10]

Now let's see how we do this.

Step 1– Open PowerShell with admin rights and type the command below.

Install-Module -Name AzureADPreview

clip_image001[12]

Step 2– Connect your tenant using the below command.

Connect-AzureAD -TenantId xxxxxx.onmicrosoft.com

In your case, make sure to use your own Azure tenant name followed by .onmicrosoft.com.

clip_image001[14]

Step 3– After you execute the above command, a sign-in prompt for this tenant appears. The account you enter here must have Global Administrator or Security Administrator privileges. Enter the user name and password and click Next.

clip_image001[16]

The outcome of the above command is as follows.

clip_image001[18]

Step 4– After you have successfully connected to your tenant, run the command below.

New-AzureADPolicy -Type AuthenticatorAppSignInPolicy -Definition '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}' -isOrganizationDefault $true -DisplayName AuthenticatorAppSignIn

clip_image001[20]

The outcome is as follows.

clip_image001[22]

At this stage, we have completed the tenant configuration for phone sign-in.
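As an added example that is not part of the original post, here is the same tenant configuration written so that it can be re-run safely: it looks for an existing policy of this type before creating one, and then reads the definition back to confirm it is actually enabled before anyone is told to switch phone sign-in on in the app. It assumes the AzureADPreview module is already installed; the tenant name is a placeholder, and Get-AzureADPolicy and Set-AzureADPolicy are the preview module's companion cmdlets to New-AzureADPolicy.

```powershell
# Added example, not code from the original post. Assumes the AzureADPreview
# module is installed; the tenant name below is a placeholder.
Import-Module AzureADPreview
Connect-AzureAD -TenantId 'xxxxxx.onmicrosoft.com'

$policyType = 'AuthenticatorAppSignInPolicy'
$definition = '{"AuthenticatorAppSignInPolicy":{"Enabled":true}}'

# Look for an existing policy of this type before creating a second one.
$policy = Get-AzureADPolicy |
    Where-Object { $_.Type -eq $policyType } |
    Select-Object -First 1

if ($null -eq $policy) {
    $policy = New-AzureADPolicy -Type $policyType `
        -Definition $definition `
        -IsOrganizationDefault $true `
        -DisplayName 'AuthenticatorAppSignIn'
    Write-Host "Created phone sign-in policy $($policy.Id)"
}
else {
    Write-Host "Phone sign-in policy already present: $($policy.Id)"
}

# Read the definition back (it is stored as a list of JSON strings) and make
# sure Enabled is really true; if an older, disabled policy exists, fix it.
$current = ($policy.Definition | Select-Object -First 1) | ConvertFrom-Json
if (-not $current.AuthenticatorAppSignInPolicy.Enabled) {
    Set-AzureADPolicy -Id $policy.Id -Definition $definition
    Write-Host "Policy existed but was disabled; definition updated."
}
```

Checking the definition after the fact matters because New-AzureADPolicy happily creates a second policy of the same type; keying on the type rather than the display name keeps the script idempotent.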

Step 5– The next step is to enable phone sign-in for users. Make sure the latest Authenticator app is installed on the phone.

Step 6– Enable Multi-Factor Authentication (MFA) for the users and add the MFA account to their respective devices. Once that is completed, tap the down arrow next to the account and select Phone Sign-In as follows.

image

Step 7– Next, the device has to be registered with this tenant. Tap Next to continue.

Note– At the moment, because of device registration restrictions, a device can be registered in only a single tenant. This means that only one work or school account per device can be enabled for phone sign-in in the Authenticator app.

clip_image001[24]

Step 8– Type the password and tap Sign In.

clip_image001[26]

Step 9– Tap Register to complete the device registration.

image

Step 10– Once registration is complete, the account in your Authenticator app shows a new icon, as below.

image

Step 11– Now let's check what the user experiences.

Let me sign in to the Office portal first. Type the user name and click Next.

clip_image001[28]

Now, instead of asking for the password, it shows a number that you match in the Microsoft Authenticator app on your phone.

clip_image001[30]

Let's open the Authenticator app on the phone and see how the number matching gets us through this verification.

image

In the Authenticator app, select the number shown on the sign-in page and let the authentication proceed. If you did not start this sign-in, tap Deny: the number match exists precisely so that a prompt you cannot pair with a screen in front of you is never approved.

Once you select the correct number, the next step asks for Touch ID. Have a look at the screen below; in this case I used the biometric option on my iPhone.

image

So it is more secure and there is no need to type a password. For me this is really cool!! Hope you all feel the same.


Awareness sessions done for the country (Myanmar) on EMS+S, Azure and System Center stack on 29th September 2017

I had the privilege of speaking at an event for enthusiastic individuals about the Microsoft EMS+S, Azure and System Center stack, held on 29th September 2017 in Myanmar (backed by Microsoft Myanmar). I spoke about EMS+S and the Microsoft System Center stack in two separate sessions. The Azure IaaS topic was covered by Microsoft Myanmar. There were about 20 attendees on the day.


Apple Push Certificate Renewal in Microsoft Intune Portal

Hello,

If you manage iOS devices through Microsoft Intune, renewal of the Apple push certificate is something you need to keep in mind. In the new Intune portal there is no way to configure a warning or alert for it as there was in the old portal; the only option is to keep an eye on the new portal for the warning. Keeping the certificate valid is critical, because once it expires Intune can no longer push to the enrolled Apple devices, and this post shows how to renew it. On the very first screen you can see "Push Certificate expiring in 35 days", so we must renew it to keep working with Apple devices.

image

 

Screen clipping taken: 12/03/2018 12:03

Step 1– Let's start renewing the certificate. First, download the CSR file, which you have to upload to the Apple Push Certificates Portal.

image

Step 2– After you download the CSR file, upload it to the Apple Push Certificates Portal. You need an Apple ID and password for the certificate creation or renewal. Use the same Apple ID that created the original certificate: if you create a new certificate instead of renewing the existing one, the enrolled devices have to be re-enrolled.

image

Apple Push Certificate Portal – https://identity.apple.com/pushcert/

Step 3– Enter the user name and password and press Enter.

clip_image004[4]


Step 4– Once you are logged in to the Apple portal, you can see the Apple MDM certificate that needs renewing, which is going to expire in 35 days. Since we are renewing the existing certificate, just click the Renew button.

image

 

Step 5– Once you click Renew, it asks you to upload the .csr file. Choose the .csr file downloaded in the previous step and click Upload.

image


Step 6– Once the .csr file has been selected, click the Upload button as below.

image


Step 7– Once the upload finishes, you get a confirmation page as below, and it is time to download the renewed Apple push certificate, which we have to upload back to the Intune portal.

image


Step 8– Once the renewal completes in the Apple portal, you can see the expiry date of the certificate extended to March 19, 2019.

image


Step 9– In this step, as highlighted in the screen below (option 3), enter the Apple ID you used to renew the Apple certificate. Once that is done, upload the renewed Apple push certificate you downloaded and click Upload.

image


Step 10– Once the upload completes, go back to Intune and check the certificate status.

image

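An added example that is not part of the original post: since the new portal offers no expiry alert, this PowerShell function reads the renewed push certificate you downloaded from identity.apple.com and reports how many days remain, so the renewal can be put on a calendar rather than waiting for the portal warning. The file path and the 35-day threshold are assumptions; loading the file through the X509Certificate2 constructor works for both the .pem Apple hands out and a DER .cer.

```powershell
# Added example, not from the original post. The path and threshold are
# placeholders; point it at the certificate file downloaded from Apple.
function Get-PushCertificateStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $WarnDays = 35     # the portal starts warning at roughly this point
    )

    # Works for the PEM file Apple provides as well as a DER-encoded .cer.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        RenewalDue = ($daysLeft -le $WarnDays)
    }
}

$status = Get-PushCertificateStatus -Path 'C:\Temp\MDM_Certificate.pem'
$status | Format-List

if ($status.RenewalDue) {
    Write-Warning "Renew the Apple push certificate now: $($status.DaysLeft) days left (expires $($status.NotAfter))."
}
```

Record the thumbprint alongside the expiry: after uploading the renewed certificate to Intune, comparing the thumbprint shown there with the one from the file confirms the right certificate went in.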

What are the New Information Protection capabilities across devices, apps, on-premises and the cloud

Hello Everyone,

Recently, Microsoft announced a set of new Information Protection features, focusing especially on GDPR compliance. Most of these are in preview form.

Some of the coolest features announced were:

  • General availability of Azure Information Protection scanner
  • Private Preview of native labeling of Word, PowerPoint, and Excel files on Mac
  • Private Preview of unified labeling and protection schema in Office 365 and Azure Information Protection
  • Private Preview of Information Protection SDK for labeling and protection
  • Preview on native labeling of files in SaaS apps with integration of Azure Information Protection and Microsoft Cloud App Security
  • Office 365 Message Encryption Encrypt Only functionality
  • Preview of Information Protection administrator role

For further information, refer to the link below.

https://blogs.office.com/en-us/2018/02/22/microsoft-365-provides-an-information-protection-strategy-to-help-with-the-gdpr/

How to Enable Super User Role and Assign Users in Azure Rights Management

Why would we need to enable the Azure RMS super user role? At a high level: suppose an employee has protected documents and has since left the company, but management still needs access to all the documents that user protected with certain permissions. In such cases the super user role is the right tool, because a super user can open any content protected by the tenant. So let's see how we activate this role and assign users to it.

Step 1– First you must install the Azure Rights Management PowerShell module (AADRM) on your PC. The installation steps were published in my previous post.

Step 2– Next, connect to the Azure Rights Management service as follows;

Connect-AadrmService

image

Step 3– Once connected to the Azure RMS service, PowerShell shows the result as follows;

image

Step 4– Next we must enable the super user feature. Use the command below for that.

Enable-AadrmSuperUserFeature

image

Step 5– In this step, we assign a user to the super user role.

Add-AadrmSuperUser -EmailAddress hasitha@wili.work

image
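An added example, not part of the original post, that wraps the steps above into one re-runnable script and, because a super user can open every document the tenant has ever protected, removes the assignment and disables the feature again once the recovery task is done rather than leaving the privilege standing. It assumes the AADRM module is installed; the e-mail address is a placeholder, and Get-AadrmSuperUserFeature, Get-AadrmSuperUser, Remove-AadrmSuperUser, Disable-AadrmSuperUserFeature and Get-AadrmAdminLog are the companion cmdlets of the ones shown in the post.

```powershell
# Added example, not from the original post. Assumes the AADRM module is
# installed and you sign in as a tenant administrator.
Import-Module AADRM
Connect-AadrmService

$recoveryAdmin = 'recovery-admin@contoso.onmicrosoft.com'   # placeholder account

# Enable the feature only if it is currently off (the cmdlet reports
# 'Enabled' or 'Disabled').
if ((Get-AadrmSuperUserFeature) -ne 'Enabled') {
    Enable-AadrmSuperUserFeature
}

# Add the account only if it is not already a super user.
if ((Get-AadrmSuperUser) -notcontains $recoveryAdmin) {
    Add-AadrmSuperUser -EmailAddress $recoveryAdmin
}
Write-Host 'Current super users:'
Get-AadrmSuperUser

# ... perform the recovery here, signed in as $recoveryAdmin (for example
#     Unprotect-RMSFile from the RMS Protection module) ...

# Remove the standing privilege again as soon as the task is finished.
Remove-AadrmSuperUser -EmailAddress $recoveryAdmin
Disable-AadrmSuperUserFeature

# Keep the admin log: it records who enabled the feature and who was added,
# which is the audit trail you want for an account that can decrypt everything.
Get-AadrmAdminLog -Path "$env:TEMP\AadrmAdminLog.log"
```

If the role is needed regularly, assigning a group with Set-AadrmSuperUserGroup and controlling membership through that group is easier to review than a list of individual e-mail addresses.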

How to customize certain options for Azure Information Protection

With the new options added to the Azure RMS portal, under the Settings menu of the scoped and global policies you can customize certain things, for example whether the Information Protection bar is shown in Office apps.

The screen below shows the settings for the option mentioned above.

 image

If you set the Do Not Forward button to Off, the option shown below is removed from the Outlook ribbon. That button is a shortcut; the same setting is still reachable through the Options tab of a new email.

image

The screen below shows what happens when you set the option to Off.

image

The results will be as follows;

image

The final one is about custom permissions. As you know, the AIP tool has an option that lets users select custom permissions when sharing documents. If you don't want your users to have this option, you can simply remove it from the AIP tool menu.

image

Setting it to Off removes the highlighted option below;

image

Set Up Self Service Password Reset in Office 365 (Cloud Identities)

Microsoft's Enterprise Mobility + Security (EMS) is a combination of products in Microsoft's portfolio. At first glance it relates to the modern workspace, and when we talk about the modern workspace the first things that come to mind are how secure we are and whether the workspace is really comfortable for our users. Considering all this, Microsoft has bundled the five components below into Microsoft EMS+S.

  • Azure Active Directory Premium
  • Microsoft Intune
  • Azure Rights Management
  • Microsoft Advanced Threat Analytics (ATA)
  • Cloud App Security (CAS)

All in all, you can think of Microsoft EMS+S as a device-management and identity-management suite. In a cloud-based world where employees want to work from all of their devices, it lets your IT team keep security and control.

Azure Active Directory Premium is a paid edition of Azure Active Directory and includes the following features:

  • Self-service password reset
  • Company branding
  • Group-based application access
  • Self-service group management
  • Advanced security reports and alerts
  • Multi-Factor Authentication
  • Forefront Identity Manager (FIM)

As part one of the EMS+S series, today I am going to enable one feature that falls under Azure Active Directory Premium: self-service password reset.

So let's see how we enable password reset for your users.


Set up SSPR

1. Sign in to the Azure portal: https://portal.azure.com/
2. Choose More Services -> Azure Active Directory

image

3. Select Password reset

image

4. From Properties, select All for Self service password reset enabled.

image

5. [OPTIONAL] Selecting Selected for Self service password reset enabled lets you control the set of users who can reset their passwords; users' group membership controls this restriction. (If you chose to restrict access to password reset, continue with step 6. Otherwise, skip to step 7.)

image

6. [OPTIONAL] From Select groups, pick the security or distribution groups that contain the users who will have access to SSPR.

7. Next, from Authentication methods, select the alternative identity verification methods available to users.

image

8. Number of methods required to reset configures the minimum number of alternative identity verification methods a user must have registered in order to reset the password. Requiring two methods means that someone who controls only one of a user's recovery channels (a phone number or a personal mailbox) cannot reset the password on their own.

9. Next, in Registration, select Yes or No for Require users to register when signing in? (Selecting Yes forces users to register alternative identity verification methods when they sign in. Otherwise the administrator has to set identity verification options for users manually, or direct users to https://account.activedirectory.windowsazure.com/PasswordReset/Register.aspx to set this information. If you chose Yes, continue with step 10; otherwise skip to step 11.)

image

10. Enter a value for Number of days before users are asked to re-confirm their authentication information. (This value controls the number of days before the service prompts users to verify or update their alternative identity verification information. You can specify a number between 1 and 730. Setting 0 here means users are never asked to verify or update their alternative identity verification methods.)

11. From Notifications, you can enable notifications to be sent to users when they reset their own passwords through SSPR.

image

12. Selecting Yes for Customize helpdesk link lets you set a custom email address or URL for the Contact your administrator link in the password reset wizard.

image

13. Enter the desired URL or help desk email address if you selected Yes for the option above.

Users Registering for SSPR

14. If you enabled registration at sign-in, users are asked to set up the alternative identity verification methods. (This is the same screen users see when they open the self-service password reset registration URL manually.)

image

15. To set up the authentication phone, click Set it up now. Select the country, enter the phone number and select either Text me or Call me.

clip_image010

16. If you choose to have Microsoft call you, you need to answer the call and press the # key to verify the number. If you choose to receive a text message, as seen below, you have to enter the verification code it sends.

clip_image011

17. To set up the authentication email address, click Set it up now. Enter the email address and click Email me. Once you receive the email with the verification code, enter it and verify.

18. Once you have set up at least the minimum number of authentication methods required by the administrator, you can click Finish.

clip_image012