Multi-Factor Authentication – What do we know so far?

To provide an additional layer of security, MFA has recently been enforced in many organisations, especially after Microsoft started letting administrators enable it with just the flick of a switch.

I’ve written an article about troubleshooting one specific scenario; I thought it would be useful to lay out the options that are available and how to troubleshoot issues with each of them. Hence this article.

So, first off, Microsoft offers three ways:

  1. Office 365 MFA
  2. On-prem Azure MFA
  3. The Network Policy Server (NPS) extension for Azure MFA

For all three options an appropriate licence is required. Usually an Azure AD Premium licence or an MFA standalone licence is sufficient; other licence types also include the MFA feature.

Before we go into troubleshooting issues with each type, we need to understand which type of MFA the organisation needs.

  1. Office 365 MFA – Generally available to all Office 365 users.  MFA can be used with any Office 365 service and with any application that can integrate with Office 365.
  2. On-prem Azure MFA – An on-prem server is required.  This option gives more control to the user, and on-prem applications can be integrated with the Azure MFA server.
  3. The Network Policy Server (NPS) extension for Azure MFA – This option is only for NPS.  It is a stripped-down version of on-prem Azure MFA; if you have an NPS-based VPN infrastructure, this option can be used.

Now that we know the different types, I will go into detail on each option, and on how to check the logs to troubleshoot issues, in an upcoming article.

Good news for Office 365 Hybrid Customers – Delegate Access is now possible for cross-premises Mailboxes

Hybrid customers have always complained that Office 365 users cannot delegate access to on-prem users, or that on-prem users cannot delegate access to Office 365 users.

The good news is that Microsoft has allowed this since April 2018.

To enable cross-premises delegation you first need to configure the following:

  • For an on-prem user to become a delegate of a cloud user, run in the on-prem Exchange Management Shell:

Set-OrganizationConfig -ACLableSyncedObjectEnabled $True

  • For a cloud user to become a delegate of an on-prem user:

The msExchRecipientDisplayType attribute of the remote mailbox object in on-prem AD must be set to -1073741818. The following finds remote mailboxes still carrying the default value (-2147483642) and updates them (Get-ADUser requires a -Filter, which the original one-liner was missing):

       Get-ADUser -Filter * -Properties msExchRecipientDisplayType |
           Where-Object { $_.msExchRecipientDisplayType -eq -2147483642 } |
           Set-ADUser -Replace @{ msExchRecipientDisplayType = -1073741818 }

Now you can ask the user to allow the delegation from their Outlook.  Send As and Send on Behalf also work, as per the article below.

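The one-liner above rewrites every remote mailbox in the domain at once. As an added example (not from the original post), the script below scopes the same change to named accounts, checks the org-wide switch first, supports -WhatIf, skips objects whose value is neither of the two the post describes, and reads the attribute back after the write. It assumes the on-prem Exchange Management Shell and the ActiveDirectory module are loaded; the parameter names ($Identity, $SearchBase) are my own.

```powershell
# Audit and (optionally) fix msExchRecipientDisplayType on selected remote mailboxes
# so that cloud users can be delegates. Values are the two given in the post:
#   -2147483642 = remote user mailbox (not ACL-able)
#   -1073741818 = ACL-able remote mailbox
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Identity,          # sAMAccountNames to process; deliberately narrow scope
    [string]$SearchBase = $null   # optional OU to restrict the lookup (assumed helper parameter)
)

$NotAclable = -2147483642
$Aclable    = -1073741818

# 1. Confirm the org-wide switch from the post is on before touching any objects.
$org = Get-OrganizationConfig
if (-not $org.ACLableSyncedObjectEnabled) {
    Write-Warning "ACLableSyncedObjectEnabled is false; on-prem -> cloud delegation will still fail."
}

# 2. Process each account individually and report before/after values.
foreach ($sam in $Identity) {
    $lookup = @{ Filter = "sAMAccountName -eq '$sam'"; Properties = 'msExchRecipientDisplayType' }
    if ($SearchBase) { $lookup.SearchBase = $SearchBase }
    $user = Get-ADUser @lookup
    if (-not $user) { Write-Warning "$sam not found"; continue }

    $current = $user.msExchRecipientDisplayType
    if ($current -eq $Aclable) {
        Write-Verbose "$sam is already ACL-able ($current)"
        continue
    }
    if ($current -ne $NotAclable) {
        # Anything else (shared, room, on-prem mailbox, ...) is outside what the post covers;
        # leave it alone rather than overwrite a value we do not understand.
        Write-Warning "$sam has msExchRecipientDisplayType=$current; skipping"
        continue
    }
    if ($PSCmdlet.ShouldProcess($sam, "Set msExchRecipientDisplayType $current -> $Aclable")) {
        Set-ADUser -Identity $user -Replace @{ msExchRecipientDisplayType = $Aclable }
        $after = (Get-ADUser -Identity $user -Properties msExchRecipientDisplayType).msExchRecipientDisplayType
        [pscustomobject]@{ User = $sam; Before = $current; After = $after }
    }
}
```

Run it first with -WhatIf to see which accounts would change; the Before/After objects it emits can be kept as the change record, and Azure AD Connect still has to sync the updated attribute before the cloud side sees it.
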
Hope this is useful.