Howdy folks,
Today we've got some pretty cool news! We've just released the preview of our new Windows Azure Active Authenticaton service. A few months ago we showed you how to enable multi-factor authentication for your Azure AD Global Admins . With this preview we're giving you the ability to give all your employees, customers and partners a rich set of smartphone based two factor authentication options.
Starting now, companies can use this preview to enable multi-factor authentication for all their Windows Azure Active Directory identities securing access to Office 365, Windows Azure, Windows Intune, Dynamics CRM Online and many of the other applications that are integrated with Windows Azure AD. Additionally Developers can also use the Active Authentication SDK to build multi-factor authentication into their custom applications and directories.
Getting Started
To start using multi-factor authentication with your Windows Azure Active Directory tenant, you’ll first need to add the Active Authentication service. To do that:
Fig 1: Active Auth Provider Tab
Fig 2: Adding a new provider
a. Name – The name of the Active Auth Provider, so you can associate for billing purposes for example, “Messaging DEMO”
b. Usage Model – Select the usage model you prefer - “ Per Enabled User ” or “Per Authentication”. This sets the billing model for this authentication provider as either per user or per authentication.
Note: You can learn more about these usage models and pricing here
c. Directory – Enter the Windows Azure Active Directory tenant that the Active Authentication Provider is going to be used with e.g. Contoso Demo
Fig 3: Completing the Authentication Provider Quick Create form
Now you've got Active Authentication provisioned and ready to use. Time to configure which users will have it enabled.
Turning on multi-factor authentication for specific users
Fig 4: Activating 2 Factor Authentication for a user
Your admin tasks are all done. Pretty easy eh?
Signing in with Windows Azure Active Authentication Service
Once Active Authentication has been enabled for a user the next time that user signs into a service that uses Windows Azure AD, they will be asked to select and configure one of these multi-factor authentication methods:
This auto-enrollment feature , makes deploying multi-factor authentication easy and hassle free for ITPros while providing the end user the flexibility to configure the primary method that suits their needs. Users can add or change methods later.
While all four of these authentication methods work great, my favorite is our Active Authentication app (available for Windows Phone , iOS and Android smartphones and tablets). You can download the free app from the device store and activate it. If you are a gadget geek like me, this is the one you’ll want to use!
Configuring your account to use the Windows Azure Active Authentication smart phone app:
Fig 5: Prompt to configure Multi-Factor Auth when signing in the first time.
Fig 6: Additional Verification Page
Fig 7: Configure App Screen
Fig 8: Active Authentication App Configuration Screen
You are all set!
The next time you sign-in to a cloud application or service protected by Windows Azure AD, the app will activate on your phone and ask you to authenticate or deny the login. You also have the option to report the attempt as being fraudulent.
Of course, the app is my personal favorite but you might like receiving a phone call better and most of the folks on our team prefer the SMS messaging option. The great thing about the service is that your users can choose the method they like best and switch between methods without any additional configuration on your part.
We’ll have a lot more coming in this space in the very near future, so stay tuned. And as always, we would love to hear your feedback. Head over to the Windows Azure Active Authentication forum to let us know what you think.
Best Regards,
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Active Directory
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.