Use App Passwords to Support Active Clients

Complete these steps from an internet-connected Windows computer.

Task: Enforce MFA for all external users

Detailed steps:
1. On your host machine (Windows 8 or newer), go to the Start screen and launch the modern Mail app.
   Note: This application uses ActiveSync to connect to a user's mailbox and lets us run some quick and easy tests of the app password feature.
2. In the Mail app, bring up the charms menu on the right, click Settings, and then click Accounts.
3. Click Add an account, and click Exchange.
4. Type JohnF@. in the Email address field and pass@word1 in the Password field.
5. Click Connect.
   Note: You are unable to authenticate using the on-premises credentials for JohnF. The Exchange ActiveSync protocol does not support multi-factor authentication, so it cannot let the user interact with AD FS to invoke and complete multi-factor authentication.
6. Click Cancel.

Task: Generate a new app password

Detailed steps:
1. On your host machine, start a new Internet Explorer InPrivate browsing session.
2. Navigate to https://myapps.microsoft.com and enter the username JohnF@.; you are redirected to AD FS, where you sign in.
3. Under the Multi-Factor Authentication heading, click Continue and complete the verification.
4. You should now be redirected to the profile page of the Azure Active Directory Access Panel as an authenticated user.
5. Switch to the profile tab.
6. Click Additional security verification.
7. Click app passwords.
8. Click create.
9. Type Windows Laptop in the Name field and click next.
10. Notice that the generated password is 16 characters long but consists only of letters.
11. Click copy password to clipboard and click close.
    Note: There is no way to obtain the generated password again; it can only be deleted.

Task: Use the app password to set up an Exchange ActiveSync client

Detailed steps:
1. Switch back to the Windows Mail app on your host machine.
2. In the Mail app, bring up the charms menu on the right, click Settings, and then click Accounts.
3. Click Add an account, and click Exchange.
4. Type JohnF@. in the Email address field.
5. Paste the app password from the clipboard into the Password field.
6. Click Connect. Notice that you are able to authenticate successfully via ActiveSync to the Exchange Online mailbox using the app password.
7. If you are prompted to make your PC more secure, click Cancel, and click Close when prompted.
8. Bring up the charms menu on the right, click Settings, and click Accounts.
9. Select the account you just added.
10. Scroll down and click Remove account, then click All my synchronised PCs.

Task: Review administrative options for app passwords

Detailed steps:
1. On the DC1 VM, open a new InPrivate Internet Explorer browsing session, navigate to https://manage.windowsazure.com and sign in as admin2@.onmicrosoft.com.
2. Click Active Directory in the left navigation menu and click Contoso ...
3. Navigate to the USERS tab and click MANAGE MULTI-FACTOR AUTH in the command bar.
4. Switch to the service settings tab.
   Note: You can enable or disable app passwords for the entire organization, but you cannot disable the feature at a more granular level. While you are here, also notice that you can now specify IP whitelists (trusted IPs), which make Azure Active Directory suppress MFA challenges when users authenticate from well-known IP addresses, such as a private corporate network. Notice too that you can now configure Azure Active Directory to suppress MFA for all federated users, which serves as a replacement for the claim rule you created in the previous exercise.
5. Navigate to the users tab.
6. Select JohnF and click Manage user settings.
7. Select the Delete all existing app passwords generated by the selected users option, then click save and close.
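
The behaviour these tasks demonstrate (the ActiveSync sign-in that fails with the MFA-enforced primary password, the 16-letter app password that is accepted instead and cannot be read back, and the tenant-wide toggle and per-user delete on the admin side) can be summarised in a small Python model. This is an added example for this page, not Azure AD or AD FS code; the user principal name JohnF@example.invalid used in the test, and storing app passwords as SHA-256 hashes, are assumptions.

```python
import hashlib
import hmac
import secrets
import string

def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class MfaDirectory:
    """Toy model of what the lab observes: the primary password needs MFA,
    while an app password lets a basic-auth (ActiveSync) client in without it."""

    def __init__(self, app_passwords_enabled=True):
        self.app_passwords_enabled = app_passwords_enabled  # tenant-wide switch only
        self.users = {}  # upn -> {"pw": str, "mfa": bool, "apps": {name: sha256 hex}}

    def add_user(self, upn, password, mfa_enforced):
        self.users[upn] = {"pw": password, "mfa": mfa_enforced, "apps": {}}

    def create_app_password(self, upn, name):
        """Return the 16-letter secret once; only a hash is kept, so it cannot be re-read."""
        if not self.app_passwords_enabled:
            raise PermissionError("app passwords are disabled for the organisation")
        secret = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self.users[upn]["apps"][name] = _digest(secret)
        return secret

    def delete_all_app_passwords(self, upn):
        """Admin action from the last task: every app password for the user is revoked."""
        self.users[upn]["apps"].clear()

    def authenticate_basic(self, upn, secret):
        """An ActiveSync client sends one credential and cannot answer an MFA challenge."""
        u = self.users.get(upn)
        if u is None:
            return "denied"
        if hmac.compare_digest(secret.encode(), u["pw"].encode()):
            return "denied: mfa required" if u["mfa"] else "ok"
        hashes = u["apps"].values() if self.app_passwords_enabled else []
        if any(hmac.compare_digest(_digest(secret), h) for h in hashes):
            return "ok (app password)"
        return "denied"

    def authenticate_interactive(self, upn, password, mfa_completed):
        """Browser sign-in through AD FS: primary password plus a completed MFA step."""
        u = self.users.get(upn)
        if u is None or not hmac.compare_digest(password.encode(), u["pw"].encode()):
            return "denied"
        return "ok" if mfa_completed or not u["mfa"] else "denied: mfa required"
```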