Authentication in Office 365
The purpose of cloud-based authentication is to protect companies from hackers trying to steal confidential information. Cloud authentication allows authorized users across networks and continents to securely access information stored in the cloud with authentication provided through cloud-based services.
What Is Cloud Authentication and Why Is It Important for My Business?
Global IT and data-driven operations are largely in the cloud. That’s not surprising, considering that cloud infrastructure provides a type of flexibility, resiliency, and scalability that most organizations aren’t going to find in traditional on-premises solutions.
Many of the same security and compliance issues that were challenges for on-premises technology persist in the cloud, and many of those challenges are amplified. That’s because infrastructure—storage, applications, analytics, and tools—must have a connection to users that is secure and compliant without sacrificing usability. Furthermore, these environments are heterogeneous and global. Security is a real issue when many different components and tools must work together to provide real value to users everywhere.
Types of Authentication in Office 365
Basic authentication works by prompting a Web site visitor for a username and password. This method is widely used because most browsers and Web servers support it. The benefits are:
It works through proxy servers.
It is compatible with nearly every Internet browser.
It allows users to access resources that are not located on the IIS server.
Basic authentication also has some drawbacks:
Information is sent over the network as cleartext. The information is encoded with base64 encoding, but it is sent in an unencrypted format. Any password sent using basic authentication can easily be decoded.
By default, users must have the Log On Locally right to use basic authentication.
Basic authentication is vulnerable to replay attacks.
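The cleartext drawback above, shown as an added example (not code from the original article): the Basic scheme is only base64 encoding, so a single decode call recovers the credential, and the same decoder doubles as an audit that flags which accounts still send legacy credentials. The header values are constructed samples, not captured traffic.

```python
import base64
import binascii

# Constructed sample headers, as a proxy or web server might log them.
# The first Basic value is base64("alice:Summer2024!"); the third decodes
# to "nocolon", which violates the user:password format.
SAMPLE_HEADERS = [
    "Authorization: Basic YWxpY2U6U3VtbWVyMjAyNCE=",
    "Authorization: Bearer eyJhbGciOiJSUzI1NiIs.example.token",
    "Authorization: Basic bm9jb2xvbg==",
]


def decode_basic(header_value):
    """Return (username, password) from a Basic credential, or None if malformed.

    Base64 is an encoding, not encryption: whoever sees the header on the
    wire or in a log recovers the password with one decode.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617 format is user-id ":" password; the password may contain ':'.
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        return None
    return user, password


def audit_headers(lines):
    """Flag every Basic credential found in captured request headers.

    Returns (username, finding) pairs so an administrator can see which
    accounts are still authenticating with legacy credentials.
    """
    findings = []
    for line in lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        value = value.strip()
        creds = decode_basic(value)
        if creds is not None:
            findings.append((creds[0], "basic-auth credential sent in cleartext"))
        elif value.lower().startswith("basic"):
            findings.append(("?", "malformed basic-auth header"))
    return findings
```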
Timeline for disabling basic authentication in Office 365
Initially, basic authentication’s demise was scheduled for October 2022. In April 2020, the date was postponed. There was more than one reason for the delay.
One of the reasons was Covid-19 and its impact on businesses. Another important factor was that many organizations still actively used basic authentication in their tenants.
Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session. A user authenticating with basic authentication must provide a valid username and password. The user account can be a local account or a domain account. If the user account is in a domain other than the local domain, the user must specify the domain name during logon.
The syntax for this process is domain name\username, where domain name is the name of the user's domain. Basic authentication can also be configured to use user principal names (UPNs) when you use accounts stored in Active Directory.
Modern Authentication is not a single authentication method, but instead a category of several different protocols that aim to enhance the security posture of cloud-based resources. Some examples of Modern Authentication protocols are SAML, WS-Federation, and OAuth.
While each is different in its execution, they all aim to move away from the classic username\password method and instead rely on token-based claims. So, while the user may still provide a username and password (for now; see more below), it is used to authenticate with an identity provider, which then issues a token for access.
This token has more specific information (in the form of a claim) that specifies what the requestor does and does not have access to. Tokens also expire and can be revoked, so there is more ability to govern access.
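The claim, expiry and revocation points above, as an added example that is not the article's code and not Microsoft's implementation: a minimal JWT-style token is issued with a scope claim and an expiry, and a verifier accepts it only if the signature is genuine, the token is unexpired and the requested scope is present. To stay standard-library only, the constructed key and HMAC-SHA256 signing stand in for the RS256 signatures a real identity provider such as Azure AD uses.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key. A real identity provider signs with its private key
# and publishes the public key; this shared secret only keeps the example self-contained.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, issued_at, lifetime_seconds=3600, key=DEMO_KEY):
    """Mint a compact token (header.payload.signature) carrying claims.

    'scp' states what the holder may do and 'exp' bounds for how long; the
    relying party sees this token, never the user's password.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "scp": scopes, "iat": issued_at,
               "exp": issued_at + lifetime_seconds}
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(dumps(header)) + "." + _b64url(dumps(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now, required_scope, key=DEMO_KEY):
    """Return the claims if the token is genuine, unexpired and grants
    required_scope; otherwise return None (fail closed, no detail leaked)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # reject algorithm confusion ("none" or an unexpected alg)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # tampered, or signed by someone other than the IdP
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims["exp"]:
        return None  # expiry is what lets the IdP govern access over time
    if required_scope not in claims.get("scp", []):
        return None  # authenticated, but not authorized for this action
    return claims
```

Revocation in a real deployment is the identity provider refusing to renew short-lived tokens like this one, which is why the lifetime is kept short rather than open-ended.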
Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server, as well as some security measures that rely on access policies that you may already be familiar with. It includes:
Authentication methods (authentication = how something/somebody logs in to a system)
Authorization methods (authorization = mechanisms that make sure you do not have full access to something by default)
Conditional access policies (policies which define the conditions under which certain additional steps have to be taken in order to log into a system)
What’s the Advantage of Modern Authentication?
One of the biggest benefits for administrators is that all these policies are configured in one central location: the identity provider. The more applications are connected to the identity provider (for example, Microsoft Azure Active Directory and the identity services provided by Microsoft), the more convenient it is to configure conditional access policies for all of those applications at once.
This way, the administrator does not have to configure individual login policies and security settings for each application.
What is Office 365 Multi-Factor Authentication (MFA)?
Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for users. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use authentication methods.
You can choose from several MFA options and can use different options in different situations, depending on what is most convenient for you. The type of handshake, or knock, you choose can have an impact on how and where your account can be used. So we want you to be well informed before you decide which method is best for you.
Option 1: Authentication Phone – (Call or text a phone number)
Call me: If you select the Phone Call method, you are setting up your MFA authentication to call you when you want to authenticate.
Send me a code by text message: If you select the text message method, you are setting up your MFA authentication to send you a text message with a 6-digit code to use when you authenticate. It is recommended to use a mobile phone that you always have with you, so you can authenticate no matter where you are located.
Option 2: Call My Office Phone – (Call my desk phone)
Your BSU/NTC office phone number will be pre-populated in the additional security verification page. This option does require that you are near your office phone during authentication into Office 365. Your office phone will receive a phone call and you will be prompted to accept or deny your login.