Privileged Access Management (PAM)

Microsoft has for some time been improving privileged access in O365. Recently they introduced PAM, an O365 feature that lets you add an approval workflow on top of your RBAC controls for various Office 365 admin tasks.

I found a great article explaining Privileged Access Management in Office 365 very well. I then found another great article that walks you through implementing it, called Exchange Online Introduces Office 365 Privileged Access Management.


External Users trying to accept the invitation get an error message “That Didn’t Work”

There are many reasons why O365 external invitations can fail, but most have obvious causes: expiry, using an email address that is not registered with Microsoft, etc.

However, there is a scenario where the sender and receiver have both done everything right, the security settings are correct, and yet the invitation fails.

If this happened to me, I would lose my mind trying to figure out what the problem is!!!

Fortunately someone else has run into this problem and taken the time to document the issue and possible resolutions…

Inconvenient no-script sites and SharePoint Framework

By disabling custom script on their sites, organizations using Office 365 can increase the security of their data and improve the governance of their portal. But how reliable is that control actually?

The only way to tell whether a solution that claims not to require custom script truly doesn't let users embed it is to review its code. This is tedious and inconvenient, but necessary if you don't want to expose your organizational information to risk.
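One way to make that review less tedious, as an added example rather than anything from the original post: a small Python pass that flags the DOM and script sinks a reviewer has to look at, run over two constructed SPFx-style web part snippets (one that renders a web part property as HTML, and its hardened form). The rule list and the snippet names are my own; a clean result only means no obvious sink was found, not that the component is script-free.

```python
import re

# Heuristic review rules: each flags a DOM or script sink that lets a web part
# turn data (page content, web part properties, query strings) into running script.
RULES = [
    ("innerHTML", re.compile(r"\.(inner|outer)HTML\s*="),
     "assigns raw HTML; embedded <script> and on* handlers execute"),
    ("insertAdjacentHTML", re.compile(r"insertAdjacentHTML\("),
     "inserts raw HTML into the DOM"),
    ("script-element", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|<script\b", re.I),
     "creates a script element at runtime"),
    ("eval", re.compile(r"\beval\(|new\s+Function\("),
     "evaluates a string as code"),
    ("document-write", re.compile(r"document\.write(ln)?\("),
     "writes markup straight into the document"),
]


def scan_source(source: str) -> list:
    """Return one finding per (line, rule) hit. An empty list means no sink was
    seen, which is necessary but not sufficient for a script-free component."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern, why in RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule_id,
                                 "why": why, "code": line.strip()})
    return findings


# Constructed SPFx-style snippet: the web part's description property (editable
# by anyone who can edit the page) is rendered as HTML, so markup placed in it
# is interpreted by the browser even on a site where custom script is disabled.
RISKY_WEBPART = """
export default class HelloWorldWebPart extends BaseClientSideWebPart<IHelloWorldWebPartProps> {
  public render(): void {
    this.domElement.innerHTML = `<div>${this.properties.description}</div>`;
  }
}
"""

# Constructed hardened form: the same property is rendered as text, so nothing
# in it is parsed as markup or script.
HARDENED_WEBPART = """
export default class HelloWorldWebPart extends BaseClientSideWebPart<IHelloWorldWebPartProps> {
  public render(): void {
    this.domElement.textContent = '';
    const container = document.createElement('div');
    container.textContent = this.properties.description;
    this.domElement.appendChild(container);
  }
}
"""

if __name__ == "__main__":
    for name, src in (("risky", RISKY_WEBPART), ("hardened", HARDENED_WEBPART)):
        print(name, scan_source(src) or "no sinks found")
```

Each finding carries the line and the reason, so the output is a checklist for the manual review the paragraph calls for rather than a verdict; a flagged `innerHTML` assignment that only ever receives properly encoded content may be acceptable, but that is exactly the judgement the reviewer has to make by reading the code.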

Multi-Factor Authentication & SharePoint

WHY MULTI-FACTOR AUTHENTICATION

Multi-Factor authentication is an idea that has long been overdue for most internet-facing sites, as most of them today are insecure in their implementations, relying on single-factor authentication. Bad actors have long found ways to intercept identities and passwords (through lax password rules and policies, identity breaches, spyware, and social engineering), making single-factor authentication insufficient security for most organizations in today's world.

Most internet-facing SharePoint sites never had to worry too much about this, as most traditional on premise internet-facing SharePoint implementations are extranet sites behind reverse proxy solutions and using AD identities. These identities most often had stronger passwords, policies, and encryption, buffering them from most bad actor efforts. They are, however, still vulnerable to identity breaches, spyware, and social engineering attacks.

However, things are changing…

Going forward, most SharePoint sites will be public facing in some form or another. Claims authentication could be delegated to Facebook or LinkedIn, or (as of SharePoint 2013 SP1) on premise users can have access to OneDrive. The farm may use Provider-hosted SharePoint Apps hosted in the cloud, may be a hybrid implementation utilizing Office 365, or may even exist entirely in a cloud infrastructure such as Azure. Sure, Microsoft has built security using standards that are effective and secure for single-factor authentication, but this doesn't stop bad actors from breaking in using identity breaches, spyware, and social engineering. This is where multi-factor authentication shines.

By forcing users not only to enter identity information but also to validate it using another communication method such as SMS, email, or even voice calls (among others), it prevents most identity breach, spyware, and social engineering type attacks. This is becoming more and more important as more of our information (including personally identifiable information [PII]) continues to move to the cloud, including information in SharePoint.


IMPLEMENTATION OPTIONS FOR ON PREMISE MULTI-FACTOR AUTHENTICATION

So the next step is to figure out how to implement Multi-Factor authentication for an on premise SharePoint site.  Currently I can only see four options (if you know of others, please notify me):


Option 1: Use simple Azure Multi-Factor authentication

This requires that you store your user identities in Azure AD. This is usually a non-starter for most organizations, as they typically store their identities in on premise AD. There are ways to perform AD syncing in order to replicate on premise identities in the cloud, but this is neither simple nor, in most cases, without governance issues.

This would be the approach I would use if it were ok to store user identities in Azure AD, as in typical Office 365 scenarios.

See Multi-Factor Authentication documentation for details: http://azure.microsoft.com/en-us/documentation/services/multi-factor-authentication/


Option 2: Use ADFS

ADFS will authenticate based on user certificates from the local certificate store or on claims providers. This will, however, require extensive configuration of ADFS and implementation of a trusted identity provider inside SharePoint. This may get simpler in the next version of Windows Server.

As it stands today, this should only be chosen for non-cloud-based Single Sign-On applications, and not for simpler scenarios such as typical Multi-Factor authentication, due to the complexity of the implementation. If, however, you want to implement the secondary authentication method via a 3rd-party secure provider (such as RSA SecurID), this is likely the approach you should take.

See Under the hood tour on Multi-Factor Authentication in ADFS for details: http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx


Option 3: Implement forms authentication and customize the login page to implement Multi-Factor authentication

First you authenticate the user against your favorite identity store (such as AD or an ASP.NET membership provider), and then you use custom logic for SMS, email, or voice call authentication. A team of skilled developers would be able to implement this, but you will need a provider service to send and receive the secondary authentication communications.

This should be the solution if you want to implement Multi-Factor authentication in-house only.
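The custom second-factor step that Option 3 describes, as an added example that is not code from the original post: after the first factor (AD or a membership provider) has succeeded, a one-time code is generated, delivered through a provider callback, stored only as a keyed hash with an expiry, and verified once with a constant-time compare and an attempt limit. Python is used to keep it runnable; in a SharePoint forms login page the same logic would live in the ASP.NET code-behind. The `SecondFactor` class, the `send` callback, the in-memory store and the demo values are all my own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # then the challenge is discarded and must be re-issued


@dataclass
class PendingChallenge:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Second-factor step for a custom forms login page. The first factor
    (AD or an ASP.NET membership provider) is assumed to have succeeded
    before issue() is called."""

    def __init__(self, send, server_secret: bytes, clock=time.time):
        self._send = send              # delivery provider callback (SMS, email or voice)
        self._secret = server_secret   # keys the stored hash; rotate like any server secret
        self._clock = clock            # injectable so expiry can be tested
        self._pending = {}             # username -> PendingChallenge

    def _digest(self, username: str, code: str) -> bytes:
        # Keyed hash, so a copied store does not reveal live codes.
        msg = f"{username}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, username: str, destination: str) -> None:
        # CSPRNG digits; issuing again replaces any earlier pending challenge.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = PendingChallenge(
            self._digest(username, code), self._clock() + CODE_TTL_SECONDS)
        self._send(destination, f"Your sign-in code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        challenge = self._pending.get(username)
        if challenge is None:
            return False                       # nothing pending, or already used
        if self._clock() > challenge.expires_at:
            del self._pending[username]
            return False                       # expired
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[username]
            return False                       # too many guesses: force a re-issue
        ok = hmac.compare_digest(challenge.code_hash, self._digest(username, submitted))
        if ok:
            del self._pending[username]        # single use
        return ok


def demo() -> dict:
    """Exercise the flow with a constructed outbox and a fake clock."""
    outbox = []
    now = [1_000.0]
    sf = SecondFactor(send=lambda dest, text: outbox.append((dest, text)),
                      server_secret=b"constructed-demo-secret-do-not-reuse",
                      clock=lambda: now[0])

    def last_code() -> str:
        return outbox[-1][1].rsplit(" ", 1)[1]

    results = {}
    sf.issue("alice", "+1-555-0100")           # constructed destination
    code = last_code()
    wrong = "000000" if code != "000000" else "111111"
    results["wrong"] = sf.verify("alice", wrong)
    results["right"] = sf.verify("alice", code)
    results["replay"] = sf.verify("alice", code)

    sf.issue("bob", "bob@example.com")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = sf.verify("bob", last_code())

    sf.issue("carol", "+1-555-0101")
    code = last_code()
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("carol", wrong)
    results["locked_out"] = sf.verify("carol", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The store would be a database table or distributed cache in a real farm, but the properties worth keeping are the ones the demo checks: the plaintext code never persists, a code is accepted once, it expires, and a guessed-at challenge is thrown away after a small number of attempts rather than left open for brute force.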


Option 4: Implement an Azure Multi-Factor Authentication Server in your on premise environment and use the Azure Multi-Factor Authentication Service

This is really a combination of options 1 and 3. It uses the Azure Multi-Factor Authentication Service (in Azure) together with the Azure Multi-Factor Authentication Server (installed on premise on a server with internet access). The benefit here is that you don't have to do custom development or maintain any code; you only perform a server installation and configuration.

This should be the solution if you want to implement Multi-Factor authentication with no development involved, using user identities in your on premise AD store. This is also the solution if you are considering cloud-based Single Sign-On applications.

[Embedded overview video: Azure Multi-Factor Authentication on premise, showing how the process works]


See Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server for details: http://technet.microsoft.com/en-au/library/dn249467.aspx


In most on premise SharePoint use cases, Option 4 will be the best solution…

SharePoint and the Web Application Proxy Role

The Web Application Proxy (WAP) role, a brand new feature introduced with Windows Server 2012 R2, is the future replacement of Threat Management Gateway and Unified Access Gateway. UAG was announced as a discontinued product in December 2013 and was removed from the price lists in mid-2014; TMG was discontinued way back in 2012. WAP in 2012 R2 doesn't function correctly with SharePoint Apps due to operating system limitations, but this has been corrected in the preview of Windows Server 10.

http://thesharepointfarm.com/2014/02/sharepoint-and-the-web-application-proxy-role/