ExecProtect Armored Office How to configure AD FS 2012 R2 with IDC 6.2 on AZURE
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. Copyright 2014 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.
Contents
1 Preface
1.1 Who Should Read This Book
1.2 Conventions
1.3 Glossary
1.4 Contact Us
1.5 Microsoft AD FS
1.6 Microsoft DirSync
1.7 Microsoft Office 365
2 Use Case Description
3 Configure AD FS
3.5 Introduction
3.6 AD FS Installation
3.7 Install and Configure Web Application Proxy
4 Configure DirSync
4.5 Introduction
4.6 Enable directory synchronization
4.7 Installation
4.8 Configuration
5 Gemalto AD FS MFA Provider
5.5 Installing the AD FS MFA Provider
5.6 Configuring the Gemalto MFA Provider
5.7 Configuring the Authentication Policies
5.8 Configuring IDConfirm 1000
6 User experience
1 Preface
As today's workforce becomes more and more mobile, the risks associated with taking data outside the protected perimeter of the corporate office are growing. Privileged users such as corporate executives frequently deal with numerous sensitive documents, and their laptops are easy targets for theft. If sensitive information such as business plans, intellectual property, client data or financial reports gets into the wrong hands, the financial and reputational damage, once reported, is often immeasurable. With ExecProtect Armored Office, privileged users can be assured that their laptops and data are protected by strong encryption and multi-factor access credentials. Even if a laptop is lost or stolen, the sensitive information remains unavailable to anyone who fails the multi-factor authentication and authorization. Armored Office is an end-to-end solution that provides organizations with a comprehensive and scalable offer for secure authentication and administration; it aims to facilitate the migration to strong authentication while ensuring high security and convenience of use.
1.1 Who Should Read This Book
This guide is intended for Gemalto's partners and technical consultants, to demonstrate in an easy way the proposed use cases from a Windows 8 client installed on Azure, or from a local client connected to the ExecProtect demo environment over VPN. The ExecProtect demo platform remains Gemalto intellectual property and cannot be provided to customers without Gemalto's explicit agreement.
1.2 Conventions
The following highlighting styles are used in this document:
Bold: instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
Italic: variables that you must replace with a value, book titles, new or emphasized terms.
Hyperlinks are marked as follows:
Internal links: displayed in quotation marks. Click an internal link to jump to a different section.
External links: displayed in blue, underlined text. Click an external link to launch your default browser (or e-mail program).
Notes and cautions are marked like this:
Note: information that further explains a concept or instruction, tips and tricks.
Caution: information that alerts you to potentially severe problems that might result in loss of data or system failure.
1.3 Glossary
AD CS: Active Directory Certificate Services
AD DS: Active Directory Domain Services
AD FS: Active Directory Federation Services
MFA: Multi-Factor Authentication
OOB: Out Of Band
SSO: Single Sign-On
OTP: One-Time Password
DirSync: Directory Synchronization
O365: Office 365
1.4 Contact Us
If you need information that is not found in this guide, or if you have any questions, please contact Gemalto Support or send an e-mail to commissioning.support@gemalto.com
1.5 Microsoft AD FS
AD FS is an identity access solution that provides browser-based clients (internal or external to your network) with seamless, "one prompt" access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations. When an application is in one network and user accounts are in another network, it is typical for users to encounter prompts for secondary credentials when they attempt to access the application. These secondary credentials represent the identity of the users in the realm where the application resides. The Web server that hosts the application usually requires these credentials so that it can make the most appropriate authorization decision. AD FS makes secondary accounts and their credentials unnecessary by providing trust relationships that you can use to project a user's digital identity and access rights to trusted partners. In a federated environment, each organization continues to manage its own identities, but each organization can also securely project and accept identities from other organizations. Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
Resource organization: organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
Account organization: organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users and create security tokens that federation servers in the resource organization later use to make authorization decisions.
The process of authenticating to multiple domains without the burden of repeated logon actions by users is known as single sign-on (SSO). AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications over the life of a single browser session.
1.6 Microsoft DirSync
Active Directory Synchronization, or DirSync, synchronizes the local Active Directory with the Microsoft Online Services directory. DirSync lets you control and manage user accounts in the traditional way through Active Directory Users and Computers. In addition, the Global Address List (GAL) can be synchronized between the local Active Directory and the online environment. The DirSync tool can be downloaded from the Microsoft Online Portal. After DirSync configuration, any user accounts created in the on-premises Active Directory synchronize to the Microsoft Office 365 directory. If a user account update is required, it must be performed in the local Active Directory, except for the Online Services activation (licensing) of the account. If an account is created in the cloud, it does not synchronize to the on-premises environment: synchronization from online to on-premises does not occur. If a user object is modified in the cloud, the administrator runs the risk of DirSync overwriting that change, because the on-premises directory is authoritative. DirSync is intended to keep on-premises data synchronized with Microsoft Exchange Online. A delay of up to three hours may occur, because by default DirSync runs at three-hour intervals. Synchronization may be initiated manually if required (see 4.8.2).
1.7 Microsoft Office 365
Microsoft Office 365 delivers the power of cloud productivity to businesses of all sizes, helping to save time and money and free up valued resources. Office 365 combines the familiar Office desktop suite with cloud-based versions of Microsoft's next-generation communications and collaboration services: Exchange Online, SharePoint Online and Lync Online. Office 365 is simple to use and easy to administer, all backed by the robust security and guaranteed reliability you expect from a world-class service provider. Key Microsoft Office 365 benefits:
Anywhere access to e-mail, documents, contacts and calendars on nearly any device
Works seamlessly with Microsoft Office and the other programs your users already count on every day
Business-class features including IT-level phone support, guaranteed 99.9% uptime, geo-redundancy and disaster recovery
Pay-as-you-go pricing options which give you predictability and flexibility for all or part of your organization
Latest version of the Business Productivity Online Suite (BPOS), which has millions of business users today
2 Use Case Description
This infrastructure is designed to meet the need for strong authentication when accessing the Office 365 Web interface. When setting up the messaging system on Office 365, it is necessary to establish identity federation between your Active Directory domain and the Office 365 platform in the cloud. This federation is provided by AD FS. In a standard installation, when accessing the Office 365 Web portal, the user authenticates to the AD FS server's domain by entering the domain login and password. In the enhanced version, the goal is to add a layer of security by requiring 2-factor authentication when accessing the Office 365 Web interface.
Prerequisites for the Azure Demo Environment
You need a Microsoft Office 365 Plan E3 free 30-day trial account; you can register an account here: http://office.microsoft.com/en-us/business/redir/xt103040305.aspx
A demo environment hosted on Microsoft Azure; a 30-day trial subscription is available at: http://azure.microsoft.com/en-us/pricing/free-trial/
A public domain (registered at GoDaddy or another domain name provider): https://uk.godaddy.com/domains/domain-name-search.aspx
A public SSL certificate (in our case provided by gandi.net): https://www.gandi.net/ssl/standard#single
Servers description
execprotectdns: O.S.: Windows Server 2012 R2 Standard; Domain: execprotect.info; Services: AD DS, AD CS, DNS, AD FS, DirSync
oob: O.S.: Windows Server 2008 R2 Standard; Domain: execprotect.info; Services: IDConfirm 6.2
execproproxy: O.S.: Windows Server 2012 R2 Standard; Domain: execprotect.info; Services: AD FS Proxy (Web Application Proxy)
Note: in this demo the domain controller also hosts AD FS, AD CS and DirSync. In a production deployment AD FS should run on dedicated servers; a compromise of the federation server is a compromise of every federated application, and the token-signing keys should not share a host with the directory itself.
3 Configure AD FS
3.5 Introduction
This section explains the configuration of the AD FS server within the platform; the AD FS server implements identity federation with the Office 365 servers. Without this configuration, single sign-on to Microsoft's online platform is not available.
3.6 AD FS Installation
3.6.1 Installation of Active Directory Federation Services
1. Start Server Manager, click Add roles and features, and click Next through the initial pages of the wizard.
2. On the Server Roles page, select Active Directory Federation Services and click Next. .NET Framework 4.5 is added as a required feature; click Next on the remaining pages.
3. Click Install. After several minutes the AD FS role is installed; it now has to be configured. Open the notifications drop-down menu (the flag with the exclamation mark) and click the post-deployment configuration link.
4. Click Next on the Welcome page.
5. Connect to AD DS using an Enterprise Admin account, or an account you created for this purpose (the current account is used if you are logged on with an admin account). Click Next.
6. Select the SSL certificate and enter the Federation Service Name (write this name down, you will need it later for the Web Application Proxy and the Office 365 federation trust). Click Next.
7. Specify the service account. Use a dedicated account (or a group managed service account); the account needs read access to the private key of the SSL certificate and must not be a Domain or Enterprise Admin. Click Next.
8. Specify the configuration database (the Windows Internal Database is sufficient for this demo). Click Next.
9. Review the options, click Next, then Configure.
10. Once the configuration is finished, click Finish to exit the wizard.
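The same installation and farm configuration can be scripted. The following is an added example written for this page, not code from the Gemalto guide: it uses the demo Federation Service name sts.execprotect.info from this document, and assumes a service account named EXECPROTECT\svc_adfs and a certificate whose subject contains execprotect.info in the computer's personal store. Run it in an elevated PowerShell session on the AD FS server as an Enterprise Admin.

```powershell
# Added example: unattended equivalent of the Server Manager wizard in 3.6.1.
# Assumptions: service account EXECPROTECT\svc_adfs, certificate subject
# CN=*execprotect.info* in Cert:\LocalMachine\My, Windows Internal Database.
$fsName    = 'sts.execprotect.info'          # Federation Service Name (3.6.1 step 6)
$fsDisplay = 'ExecProtect Armored Office'    # shown on the sign-in page

# 1. Install the role (Add Roles and Features > Active Directory Federation Services).
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 2. Pick the SSL certificate explicitly. The wizard silently omits certificates
#    without an exportable/private key, so fail loudly here instead.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*execprotect.info*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $fsName in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# 3. Dedicated service account (assumption), never the admin account you are logged on with.
$svc = Get-Credential -UserName 'EXECPROTECT\svc_adfs' -Message 'AD FS service account password'

# 4. Create the first server of the farm on the Windows Internal Database.
#    -OverwriteConfiguration is deliberately not used, so a re-run cannot clobber
#    an existing farm by accident.
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName $fsDisplay `
                 -ServiceAccountCredential $svc

# 5. Verify: service running, federation service name set, service-communications
#    certificate is the one we selected.
Get-Service adfssrv | Select-Object Name, Status
Get-AdfsProperties | Select-Object HostName, Identifier
Get-AdfsCertificate -CertificateType Service-Communications | Select-Object Thumbprint, Subject
```

Install-AdfsFarm registers the host/sts.execprotect.info SPN on the service account and grants it the private-key permission; if the account running the script lacks rights to do so the cmdlet reports it, which is the usual cause of a farm that installs but fails Kerberos logon for intranet users.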
3.6.2 Create DNS A Record
Now you have to create a public DNS record for the AD FS instance. In this example GoDaddy hosts the public DNS zone. Once the DNS record has been created and has propagated, ensure that it resolves correctly. To do so, log in to GoDaddy and click Launch next to Domains. Click your domain, click DNS Zone File and then Edit. Click Quick Add and enter an A record for the alias sts.
Note: in a real-life scenario the whole infrastructure, including AD FS, should be located behind a firewall, and the public DNS record should point to the Web Application Proxy server in the DMZ, never to the federation server itself. For simplicity, our demo AD FS is exposed to the Internet, which is why the DNS record can point directly to the AD FS server. Once the proxy from section 3.7 is in place, repoint the record to it.
To test your settings, try to access the AD FS sign-in page (in our case https://sts.execprotect.info/adfs/ls/IdpInitiatedSignOn.aspx). The browser must show no certificate warning: a warning at this stage means the certificate chain or the Federation Service Name is wrong, and Office 365 and the proxy will reject the same certificate later.
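Rather than trusting the browser, the check above can be done from any outside Windows machine so that DNS propagation, the certificate chain (including the Gandi intermediate, see 3.7.5) and the AD FS endpoints are all verified at once. This is an added example for this page, not a script from the Gemalto guide; it uses the demo name sts.execprotect.info and assumes Google's public resolver 8.8.8.8 as the external DNS vantage point.

```powershell
# Added example: external verification of the 3.6.2 DNS record and the AD FS endpoints.
# Assumptions: federation service sts.execprotect.info, external resolver 8.8.8.8.
$fsName = 'sts.execprotect.info'

# 1. DNS: resolve through a public resolver, not the internal DNS role on execprotectdns,
#    otherwise a split-brain zone hides a missing public record.
$a = Resolve-DnsName -Name $fsName -Type A -Server 8.8.8.8 -ErrorAction Stop
"$fsName resolves publicly to $($a.IPAddress -join ', ')"

# 2. TLS: perform a real handshake. AuthenticateAsClient throws when the chain is
#    untrusted (missing intermediate) or the name does not match, which is exactly
#    the failure we want to surface before Office 365 or the proxy hits it.
$tcp = New-Object System.Net.Sockets.TcpClient($fsName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($fsName)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $proto = $ssl.SslProtocol
} finally {
    $ssl.Dispose(); $tcp.Close()
}
"Certificate: $($cert.Subject), issued by $($cert.Issuer), expires $($cert.NotAfter), protocol $proto"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days' }

# 3. Endpoints: the federation metadata must be served and its entityID must be our STS;
#    Office 365 reads this document when the trust is created in 3.7.7.
$metaUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing -ErrorAction Stop).Content
$entityId = $md.EntityDescriptor.entityID
if (([uri]$entityId).Host -ne $fsName) { throw "Metadata entityID $entityId does not match $fsName" }
"Federation metadata OK: entityID $entityId"

# 4. The IdP-initiated sign-on page used by the guide for a manual test.
$signOn = Invoke-WebRequest -Uri "https://$fsName/adfs/ls/IdpInitiatedSignOn.aspx" -UseBasicParsing -ErrorAction Stop
if ($signOn.StatusCode -ne 200) { throw "Sign-on page returned HTTP $($signOn.StatusCode)" }
'IdpInitiatedSignOn page reachable'
```

Run it once before and once after the proxy is deployed: the A record should change from the AD FS server's address to the proxy's, while the certificate and entityID must stay identical.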
3.7 Install and Configure Web Application Proxy
3.7.1 Installation
1. On execproproxy, start Server Manager, click Add roles and features, and click Next through the initial pages.
2. On the Server Roles page, select Remote Access and click Next; click Next on the Features page.
3. On the Role Services page, select Web Application Proxy (accept the required features) and click Install.
4. Check that the wizard ends successfully.
3.7.2 Configuration
Now you have to configure the Web Application Proxy:
1. Open the Web Application Proxy Configuration Wizard (from the post-deployment notification or the Remote Access Management Console) and click Next.
2. Type the Federation Service name and the user name and password of an account that is a local administrator on the AD FS server. These credentials are used only once, to establish the proxy trust; they are not stored on the proxy. Click Next.
3. Select the certificate the proxy will present to clients (the same public certificate as on the AD FS server, installed with its private key on the proxy) and click Next.
4. Click Configure.
5. After successful configuration, check the status in the Remote Access Management Console. The proxy must be able to reach the Federation Service name on TCP 443 through the internal firewall; if the public DNS record already points at the proxy itself, resolve the name to the internal AD FS address on the proxy (hosts file or internal DNS).
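The proxy installation can be scripted as well. This is an added example for this page, not a script from the Gemalto guide. It uses the demo name sts.execprotect.info and the execproproxy host from section 2, and assumes that the public certificate is in the proxy's personal store and that EXECPROTECT\Administrator is a local administrator on the AD FS server.

```powershell
# Added example: unattended equivalent of 3.7.1 and 3.7.2, run elevated on execproproxy.
# Assumptions: certificate subject CN=*execprotect.info* in Cert:\LocalMachine\My,
# trust account EXECPROTECT\Administrator (local admin on the federation server).
$fsName = 'sts.execprotect.info'

# 1. Role installation (Add Roles and Features > Remote Access > Web Application Proxy).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# 2. The proxy terminates TLS, so it needs the public certificate with its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*execprotect.info*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Public certificate for $fsName (with private key) not found on the proxy" }

# 3. Prove the proxy can reach the federation server before trying to establish the trust;
#    a wrong hosts entry or firewall rule otherwise surfaces as an opaque wizard error.
if (-not (Test-NetConnection -ComputerName $fsName -Port 443 -InformationLevel Quiet)) {
    throw "$fsName`:443 is not reachable from the proxy; fix DNS/hosts or the internal firewall first"
}

# 4. One-time credential used to create the proxy trust (not persisted on the proxy).
$trustCred = Get-Credential -UserName 'EXECPROTECT\Administrator' -Message 'Local administrator on the AD FS server'

Install-WebApplicationProxy -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $trustCred `
                            -CertificateThumbprint $cert.Thumbprint

# 5. Verify: equivalent of the status view in the Remote Access Management Console.
Get-Service appproxysvc | Select-Object Name, Status
Get-WebApplicationProxyConfiguration | Select-Object ADFSUrl, ADFSSignOutUrl
```

After this completes, the AD FS server shows the proxy under its trusted proxies and the public A record from 3.6.2 can be switched to the proxy's address; the federation server itself then needs no inbound rule from the Internet at all.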
3.7.3 Domain association
1. Sign in to your trial Office 365 tenant as an administrator.
2. Click Domains.
3. Under Domains, click Manage your website and email domains.
4. Click Add a domain and follow the steps.
Log in to GoDaddy (if you bought the domain from them) and add the TXT record that Office 365 displays for verification.
If you are not able to verify your domain, log in to your domain's DNS management and delete all stale TXT records with a value similar to v=verifydomain MS=8816167 (only if the domain was previously associated with a different Office 365 account). Then you will be able to complete the verification.
3.7.4 Prepare Active Directory
Add UPN suffix
To federate a domain with Office 365, the verified public domain must be added as a UPN suffix in the local Active Directory. Users must also have a UPN corresponding to their primary e-mail address in Exchange Online; a UPN under a non-routable suffix (such as .local) cannot be federated.
1. In Administrative Tools, open Active Directory Domains and Trusts.
2. In the console tree, right-click Active Directory Domains and Trusts and then click Properties.
3. On the UPN Suffixes tab, enter the yourdomain.com suffix and click Add.
4. Click OK when you are finished.
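The wizard adds the suffix but does not tell you which users still carry a UPN that will not federate. The following added example (written for this page, not part of the Gemalto guide) does both: it adds the suffix to the forest and then lists and corrects users whose UPN does not equal their primary SMTP address. It assumes the demo domain execprotect.info and that primary addresses are stored in proxyAddresses (upper-case SMTP: prefix) or, failing that, in the mail attribute.

```powershell
# Added example: 3.7.4 as PowerShell, plus the UPN/primary-SMTP consistency check.
# Assumptions: public suffix execprotect.info; run on a DC or a host with RSAT as a
# user allowed to modify the forest and the user objects.
Import-Module ActiveDirectory
$publicSuffix = 'execprotect.info'

# 1. Add the UPN suffix to the forest (skipped if already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $publicSuffix }
    "Added UPN suffix $publicSuffix"
}

# 2. Find enabled users whose UPN differs from their primary SMTP address.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties proxyAddresses, mail
$mismatch = foreach ($u in $users) {
    $primary = @($u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
    if (-not $primary) { $primary = $u.mail }
    if (-not $primary) { continue }            # no mailbox address; nothing to align
    if ($u.UserPrincipalName -ne $primary) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; CurrentUpn = $u.UserPrincipalName; PrimarySmtp = $primary }
    }
}
$mismatch | Format-Table -AutoSize

# 3. Align the UPN with the primary address, but only under the verified suffix.
#    -WhatIf keeps this a dry run; remove it once the table above is what you expect.
foreach ($m in $mismatch) {
    if ($m.PrimarySmtp -like "*@$publicSuffix") {
        Set-ADUser -Identity $m.SamAccountName -UserPrincipalName $m.PrimarySmtp -WhatIf
    } else {
        Write-Warning "$($m.SamAccountName): primary address $($m.PrimarySmtp) is not under $publicSuffix; skipping"
    }
}
```

Changing a UPN changes the user's sign-in name for Office 365 and for any application that uses the UPN, so announce it to users before removing -WhatIf; in this demo the forest name and the public domain are both execprotect.info, so most accounts will already be correct.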
3.7.5 SSL Certificate
For best results, purchase a wildcard SSL certificate from a well-known certificate authority such as GoDaddy. For this demo the certificate is purchased from Gandi. In this case it is necessary to download the intermediate CA certificate as well and install it in the Intermediate Certification Authorities store of the computer account; without it, clients and Office 365 cannot build the chain and reject the connection.
3.7.6 Configure Internet Information Services (IIS)
1. Open the Internet Information Services (IIS) Manager console. Click Default Web Site.
2. In the right pane, click Bindings...
3. Click Add..., in the new window choose the type https, select your SSL certificate and click OK.
4. Confirm by clicking OK.
Note: AD FS on Windows Server 2012 R2 does not depend on IIS; it listens through HTTP.sys using the certificate selected in the AD FS configuration wizard (3.6.1). This binding is only needed if IIS is installed on the same server for other purposes.
3.7.7 Configure the federation trust with Office 365
1. On the AD FS server, open the Microsoft Online Services Module for Windows PowerShell as an administrator. (The conversion cmdlet reads the local AD FS configuration; if you run it elsewhere, first point it at the farm with Set-MsolADFSContext -Computer <AD FS server>.)
2. Enter the following command: $cred = Get-Credential
3. When prompted, enter the user name and password of the Office 365 admin user.
4. Enter the following command to connect to Office 365: Connect-MsolService -Credential $cred
5. Enter the following command to convert the verified domain to a federated domain: Convert-MsolDomainToFederated -DomainName [AD FS DOMAIN] -SupportMultipleDomain
6. Make sure that the identity federation has been configured correctly by entering: Get-MsolFederationProperty -DomainName [AD FS DOMAIN]
7. Check the values of the fields ActiveClientSignInUrl and PassiveClientSignInUrl; they must point to the URL of the public STS, that is, the Federation Service Name chosen in 3.6.1 (sts.execprotect.info in this guide). Also check that the TokenSigningCertificate reported by both sources (AD FS Server and Microsoft Office 365) is the same certificate; if they differ, run Update-MsolFederatedDomain.
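The same steps as one script with the preconditions and post-checks a practitioner wants. This is an added example written for this page, not code from the Gemalto guide; it uses the demo values execprotect.info and sts.execprotect.info and assumes the MSOnline module is installed on the AD FS server.

```powershell
# Added example: 3.7.7 with checks. Run on the AD FS server (Convert-MsolDomainToFederated
# reads the local AD FS configuration). Assumptions: domain execprotect.info,
# federation service sts.execprotect.info, MSOnline module present.
Import-Module MSOnline
$domain      = 'execprotect.info'
$expectedSts = 'sts.execprotect.info'

$cred = Get-Credential -Message 'Office 365 global admin'
Connect-MsolService -Credential $cred

# Precondition: the domain must already be verified (3.7.3) and not yet federated.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne 'Verified') { throw "$domain is '$($d.Status)'; complete domain verification first" }
if ($d.Authentication -eq 'Federated') {
    Write-Warning "$domain is already federated; skipping conversion"
} else {
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
}

# Post-check 1: the sign-in URLs Office 365 now redirects to must be our STS.
$fed = Get-MsolFederationProperty -DomainName $domain
$fed | Format-List Source, FederationServiceDisplayName, ActiveClientSignInUrl, PassiveClientSignInUrl

foreach ($url in @($fed.ActiveClientSignInUrl) + @($fed.PassiveClientSignInUrl)) {
    if (([uri]$url).Host -ne $expectedSts) { throw "Unexpected STS host in sign-in URL: $url" }
}

# Post-check 2: both sides (AD FS Server, Microsoft Office 365) must hold the same
# token-signing certificate, otherwise every federated logon fails with a signature error.
$thumbs = $fed | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Select-Object -Unique
if (@($thumbs).Count -ne 1) {
    throw 'Token-signing certificate differs between AD FS and Office 365; run Update-MsolFederatedDomain'
}
"Federation OK for $domain via $expectedSts (token-signing thumbprint $thumbs)"
```

Keep post-check 2 in your operations runbook: AD FS rolls the token-signing certificate automatically, and unless the new certificate is published to Office 365 (Update-MsolFederatedDomain) users are locked out when the rollover completes.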
4 Configure DirSync
4.5 Introduction
This section shows the configuration of DirSync, which synchronizes your local Active Directory with Office 365. With this service, each user created in Active Directory is automatically created in Office 365.
DirSync requirement: previously DirSync had to be installed on a machine that was not a domain controller. That is no longer the case.
4.6 Enable directory synchronization
Directory synchronization is a feature of your Office 365 subscription. You must enable it before installing the Directory Synchronization tool, and we recommend that you leave it enabled all the time (deactivating it can take up to 72 hours to complete on the Office 365 side).
1. Connect to the server with an administrator account.
2. Open the Windows Azure Active Directory Module for Windows PowerShell as an administrator.
3. Connect with Connect-MsolService, then enter the following command: Set-MsolDirSyncEnabled -EnableDirSync $true
4.7 Installation
4.7.1 Download the Windows Azure Active Directory Sync Tool
1. Connect to http://go.microsoft.com/fwlink/?linkid=278924.
2. Save the file DirSync.exe.
4.7.2 Install the Windows Azure Active Directory Sync Tool
1. Run the DirSync.exe you downloaded.
2. On the Welcome page, click Next.
3. Select I accept the terms of the license agreement and click Next.
4. On the Select the installation folder page, click Next.
5. Once the installation is complete, click Next.
6. On the Finished page, select Start Configuration Wizard now and click Finish.
4.8 Configuration
4.8.1 Configure Directory Synchronization
Note: Active Directory must be prepared for Office 365 (section 3.7.4) before synchronizing the directories.
1. Open the Directory Sync Configuration Wizard.
2. On the Welcome page, click Next.
3. On the Microsoft Online Services Credentials page, enter the user name and password of the Office 365 admin user, then click Next.
4. On the Active Directory Credentials page, provide Active Directory credentials (the account must be a member of Enterprise Admins to perform this task).
5. Click Next.
6. Select Enable Password Sync and click Next. Note: with the domain federated to AD FS, Office 365 never validates passwords itself; synchronized password hashes only matter as a fallback if you later convert the domain back to managed authentication.
7. Wait until the setup ends and click Next.
8. Make sure Synchronize directories now is checked and click Finish. The first synchronization starts.
4.8.2 Force directory synchronization
If you do not want to wait for the recurring synchronization, you can force directory synchronization at any time.
1. Navigate to the installation folder of the directory synchronization tool (%programfiles%\Windows Azure Active Directory Sync by default).
2. Double-click DirSyncConfigShell.psc1 to open the Windows PowerShell console.
3. In the Windows PowerShell window, type the following command and press Enter: Start-OnlineCoexistenceSync
4.8.3 Verify Directory Synchronization
The initial synchronization creates a copy of each user and group in the Office 365 directory. After that, directory synchronization updates the Office 365 directory with the changes that you make in your local Active Directory. You can verify the directory synchronization updates of your Office 365 directory using the following methods:
Compare directories after synchronization: check whether changes to users and groups in the local Active Directory are reflected in Office 365 after synchronization. The local Active Directory is the master of all changes on synchronized objects in Office 365.
Check the event log: the Microsoft Online Services Directory Synchronization writes entries to the Application event log of the computer running directory synchronization, including the beginning and end of each session and directory synchronization errors. In the event log, look for entries whose source is the directory synchronization.
1. Connect to Office 365 via the portal.
2. Note the address properties of a user or group that is synchronized from the local Active Directory.
3. Connect to the local Active Directory with rights to modify users and groups.
4. In the local Active Directory, make a simple but obvious change to the address properties of the user or group that you noted in the Office 365 directory.
5. Force directory synchronization.
6. Check for the event log entry The export has completed, then look at the address properties of the user or group in the Office 365 directory.
7. Verify that the changes made in AD have been propagated to the Office 365 directory.
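The forced synchronization of 4.8.2 and the verification of 4.8.3 can be combined into one script that makes the change, triggers the sync, waits for the export-complete event (or stops on the first DirSync error) and compares the cloud object. This is an added example written for this page, not a script from the Gemalto guide. It runs on the DirSync host (execprotectdns in this demo, which is also a domain controller), and assumes a test account jdoe, the event source name Directory Synchronization and a 10-minute waiting budget.

```powershell
# Added example: 4.8.2 + 4.8.3 end to end. Assumptions: test user 'jdoe',
# event source 'Directory Synchronization', DirSync snap-in Coexistence-Configuration
# (this is what DirSyncConfigShell.psc1 loads), MSOnline module installed.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global admin')
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop

$sam    = 'jdoe'
$marker = "DirSync check $(Get-Date -Format s)"
$before = (Get-ADUser $sam -Properties streetAddress).streetAddress
$upn    = (Get-ADUser $sam).UserPrincipalName
Set-ADUser $sam -StreetAddress $marker               # the "simple but obvious" change

$t0 = Get-Date
Start-OnlineCoexistenceSync                          # force synchronization (4.8.2)

# Poll the Application log. Stop early on any DirSync error so a failed run is not
# mistaken for "still waiting".
$source   = 'Directory Synchronization'
$deadline = $t0.AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $events = Get-EventLog -LogName Application -Source $source -After $t0 -ErrorAction SilentlyContinue
    $errors = @($events | Where-Object { $_.EntryType -eq 'Error' })
    if ($errors.Count -gt 0) {
        $errors | Format-List TimeGenerated, EventID, Message
        throw 'DirSync reported errors; see the entries above'
    }
    $done = [bool]($events | Where-Object { $_.Message -match 'export has completed' })
} until ($done -or (Get-Date) -gt $deadline)
if (-not $done) { throw "No 'export has completed' event within 10 minutes" }

# Compare with the cloud copy. LastDirSyncTime must be after $t0 to prove this run touched it.
$cloud = Get-MsolUser -UserPrincipalName $upn
if ($cloud.StreetAddress -ne $marker) { throw "Office 365 still shows StreetAddress '$($cloud.StreetAddress)'" }
if ($cloud.LastDirSyncTime -lt $t0) { Write-Warning "LastDirSyncTime $($cloud.LastDirSyncTime) predates this run" }
"OK: $upn synchronized, StreetAddress='$marker', LastDirSyncTime=$($cloud.LastDirSyncTime)"

Set-ADUser $sam -StreetAddress $before               # restore; the next sync pushes it back
```

The event-log errors are the important half: a run that exports nothing because a credential expired still ends normally in the Office 365 portal view, while the Application log on the DirSync host records the failure.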
5 Gemalto AD FS MFA Provider
The Gemalto AD FS MFA Provider lets you register IDConfirm 1000 as an additional authentication provider in AD FS, thus adding strong authentication to AD FS.
Supported IDConfirm 1000 Versions
The AD FS MFA Provider can be used with versions 6.2 and 6.3 of IDConfirm 1000.
System Architecture
The Gemalto AD FS MFA Provider is deployed on the AD FS servers in the company's premises. The IDConfirm 1000 authentication server can be deployed either in the company's premises or in the cloud. The following figure shows the architecture:
Authentication Steps
When the external authentication plug-in is installed, authentication to the AD FS server is performed in two steps: primary and secondary authentication.
Primary Authentication
Primary authentication uses the standard Windows logon credentials of the user. AD FS configures primary authentication for intranet and extranet users separately (see 5.7), so it is possible, for example, to prompt external users for their Active Directory credentials (user ID and password) while internal users are authenticated transparently with Windows authentication.
Secondary Authentication
Secondary authentication is authentication to the IDConfirm 1000 server using a one-time password (OTP). It can be one of the following options:
One-Time Password Device: the OTP is generated by the device and entered manually by the user.
One-Time Password SMS: the OTP is sent to a mobile phone in an SMS message and then entered manually by the user.
IDProve 300 Mobile Passcode: used for out-of-band (OOB) authentication. The passcode (OTP) is generated by the IDProve 300 app on a mobile phone. The passcode can be sent by IDProve 300 or entered manually by the user.
5.5 Installing the AD FS MFA Provider
System Requirements
The following sections describe the operating system and role prerequisites for the AD FS MFA Provider. You must have administrator rights on the computer on which you are installing the provider.
Operating Systems
This version of the AD FS MFA Provider runs only under Windows Server 2012 R2.
Role Prerequisites
Active Directory Federation Services. In a farm, the provider must be installed and configured identically on every federation server, since any server may handle a given request.
To install the IDConfirm 1000 AD FS Agent on a Windows Server 2012 R2 x64 system, follow these steps:
Locate and double-click IDConfirm_1000_ADFS_AuthenticationServer.msi to start the Gemalto AD FS MFA Provider installation program. The installation program starts and the Welcome window appears.
Click Next. The license window appears. Accept the license agreement and click Next.
The Destination Folder window appears. Accept the default location shown in the window, or click Change to select another location for the installation. When ready, click Next.
When ready, click Install. When the installation program is finished, the final window appears (Installation Complete). Check the Configure IDConfirm 1000 AD FS MFA Provider box and click Finish.
5.6 Configuring the Gemalto MFA Provider
You configure the Gemalto AD FS MFA Provider in the dialog box that appears at the end of the installation, as long as you checked the Configure IDConfirm 1000 AD FS MFA Provider box. If you did not check the box, start the configuration wizard from the installed program group.
Check the Enable Provider box if you want the Gemalto AD FS MFA Provider to be selectable as an additional authentication method.
In IDConfirm URL, enter the URL of the IDConfirm 1000 authentication server. The URL must include the tenant ID of the tenant to connect to, <idc-tenant>, or <master> if the IDConfirm 1000 authentication server is single-tenant. Use the Test Connection button to test that the IDConfirm 1000 server can be reached. The URL should use HTTPS: the OTP and, in database-password mode, the user's password travel over this connection from the AD FS server to IDConfirm.
In MFA Modes, check the modes that you want to enable, as follows:
One-Time Password Device: a hardware OTP device generates the OTP and the user enters it manually.
One-Time Password SMS: the OTP is sent to a mobile phone in an SMS message.
IDProve 300 Mobile Passcode: the passcode (OTP) is generated by the IDProve 300 mobile app.
In each case, check (or leave unchecked) the Password Enabled box. Checking the box means that the user has to enter his or her password again during the multi-factor authentication step. This option is only relevant if IDConfirm is configured in mixed mode with the database password option, meaning that IDConfirm 1000 manages the user's password internally in its database instead of using the user's Active Directory password.
Check the Enable IDProve 300 Mobile self registration box if you want AD FS to include a link that allows the user to register his or her mobile phone. This link appears if the user chooses Authenticate Using my Mobile Phone in the AD FS window. The link itself appears as Mobile Phone Registration when the user is prompted for the passcode (OTP).
Note: the IDConfirm 1000 AD FS MFA Adapter can detect that a user has no mobile phone registered and will then ask the user whether he or she wants to continue with a registration. For this prompt to be triggered, the IDConfirm 1000 authentication server must be configured not to hide authentication errors. This is done in the authserver.config file by setting the authserver.auth.failure.response.hide property to zero. Be aware that this reveals the reason for a failed secondary authentication to whoever has already passed primary authentication; enable it only while self-registration is needed.
The Text Resources button allows you to configure the text labels that appear in the AD FS GUI. It displays the Configure Text Resources window. Edit the values and click Save. The Restore Defaults button returns to the original settings.
Click the Advanced button in the configuration window to display more configuration options in the Advanced Configuration window:
Check the Display IDConfirm User Portal URL box if you want AD FS to include a link to the IDConfirm 1000 User Portal. You can also edit the URL itself.
You can optionally modify the authentication timeout for IDProve 300 by changing the value in milliseconds.
If you do not want the user to see any error messages generated by IDConfirm 1000, check the box Hide IDConfirm error messages from user.
In Event Logging, choose the level of messages from the Gemalto AD FS MFA Provider that you want to record: Error, Warning, Information or Verbose.
If you want the log to be written to a file, check the box Log to file. The log file is located at c:\users\service_account$\appdata\local\IDConfirmADFSv3Provider\IDConfirmADFSv3Provider.log, where service_account$ is the name of the account under which the AD FS service is running. At the Verbose level the file contains user identifiers, so restrict its ACL to the service account and administrators and do not leave Verbose on in production.
When you have finished your advanced configuration, click OK to return to the first Gemalto AD FS MFA Provider Configuration box.
When you have finished your configuration, click Apply. This applies your configuration, and you are prompted to restart the AD FS service on this server and on any other AD FS servers in the same farm. The configuration dialog box remains displayed, so you can still make further changes if you wish. When you have completely finished, click OK. The configuration dialog box closes.
5.7 Configuring the Authentication Policies
You also need to configure the authentication policies in AD FS Management. To configure the authentication policies:
Start Server Manager from the task bar. From the Tools menu, choose AD FS Management. Under AD FS, choose Authentication Policies.
In Primary Authentication, click Edit next to Authentication Methods for Global Settings. These are the settings for the primary authentication step described earlier. In the example shown in the following figure, Forms Authentication is specified for Extranet users and Windows Authentication for Intranet users. Forms authentication means the user is prompted for the user name and password. Windows authentication is transparent to the user: the user's Windows identity is presented in the background and is sufficient to authenticate the user.
If you changed the default settings, click Apply; otherwise click OK.
Go to Multi-factor Authentication, either by clicking the Multi-factor tab or by clicking Edit next to Authentication Methods for Global Settings. In the example shown in the following figure, multi-factor authentication is required for both Extranet and Intranet users. In the lower panel, check the box Gemalto IDConfirm 1000 MFA Provider.
Note: if you checked the Enable Provider box in the configuration wizard, this box is already checked for you. Whatever the GUI shows, confirm the effective policy after every change, because a provider that is installed but not selected here leaves Office 365 protected by the password alone.
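The same policy can be set and, more importantly, verified from PowerShell on the AD FS server. This is an added example written for this page, not code from the Gemalto guide. The exact name under which the provider registers with AD FS is not given in this document, so the script reads it from Get-AdfsAuthenticationProvider instead of hard-coding it.

```powershell
# Added example: the 5.7 settings as PowerShell, run elevated on the AD FS server.
# Assumption: the provider's registered name contains "IDConfirm" or "Gemalto".
$gemalto = @(Get-AdfsAuthenticationProvider |
    Where-Object { $_.Name -like '*IDConfirm*' -or $_.Name -like '*Gemalto*' })
if ($gemalto.Count -eq 0) { throw 'Gemalto MFA provider is not registered; re-run the provider configuration (5.6)' }
if ($gemalto.Count -gt 1) { throw "Ambiguous provider match: $($gemalto.Name -join ', ')" }
"Using provider: $($gemalto[0].Name)"

# Primary authentication: forms on the extranet, integrated Windows on the intranet.
Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider FormsAuthentication `
                                   -PrimaryIntranetAuthenticationProvider WindowsAuthentication

# Secondary authentication: the Gemalto provider is the only additional provider.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $gemalto[0].Name

# When it is required. The GUI's Intranet + Extranet check boxes correspond to an
# unconditional rule. To require MFA only from outside, prefix the rule with
#   c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules @'
=> issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Verify the effective policy: this is what the farm actually enforces.
$p = Get-AdfsGlobalAuthenticationPolicy
$p | Select-Object PrimaryExtranetAuthenticationProvider, PrimaryIntranetAuthenticationProvider, AdditionalAuthenticationProvider
if ($p.AdditionalAuthenticationProvider -notcontains $gemalto[0].Name) { throw 'MFA provider not selected in the global policy' }
if (-not (Get-AdfsAdditionalAuthenticationRule)) { throw 'No additional authentication rule: MFA is never required' }
'MFA policy OK'
```

The policy lives in the AD FS configuration database, so one run applies to the whole farm; the provider binaries and their configuration (5.5, 5.6), however, are per server, which is why the last two checks should be repeated on each node after the restart the configuration dialog asks for.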
5.8 Configuring IDConfirm 1000
User and mobile policies have to be properly configured on the IDConfirm 1000 authentication server side to allow users to register their mobile devices successfully. You also need to make sure that the AD FS users have the necessary privileges assigned to their roles. For information about managing roles and configuring policies, refer to the IDConfirm 1000 Customer Care Portal Guide. The IDConfirm 1000 Mobile Authentication Configuration Guide provides additional guidance, particularly for configuring mobile policies.
6 User experience
Users sign in to Office 365 by entering their user name and password at https://login.microsoftonline.com or https://portal.office.com (which redirects to the former). Without AD FS, users are authenticated by Office 365 itself and have to be created in the Office 365 portal for each subscription. In our demo, with AD FS 2012 R2 and DirSync implemented, users are authenticated by our domain controller.
In practice, when the user enters the user name in UPN form, <user_name>@<domain_name.com>, Office 365 redirects the browser to the custom AD FS page before the password is entered, and authentication is performed there. If your phone is already registered, type the password and send the OTP from your mobile. If not, click Mobile Phone Registration.
Prerequisite: you have to download and install the IDProve OTP app on your mobile phone before registration (available on the App Store, Google Play and the Windows Phone store).
Once you have installed the application, use it to scan the QR code. When the registration completes, click the Start Over button.
To send the OTP from your phone, simply click Send Passcode (or the corresponding icon) in the app, and you are logged in to Office 365.