Authentication Web
The Specops Authentication Web can be used to view system information and manage various aspects of the product, including system-wide configurations and multi-factor authentication policies for its various resources. Once you have installed and configured the Gatekeeper, users that are members of the Authentication Admin Group can further configure the solution from the Specops Authentication Web:
- US datacenter: https://login.specopssoft.com/authentication/admin
- EU datacenter: https://eu.login.specopssoft.com/authentication/admin
For more information and general administration, refer to Specops Authentication Web.
The configuration steps that are specific to Specops Authentication for O365 are described below.
Office 365 Menu
From the Office 365 menu, you can configure federation, provisioning and authentication rules. Select the domain you want to use for O365, and click Let's start.
Prepare the Domain > Set Up the Domain
- You will be redirected to sign in with your O365 administrator account on Microsoft Entra, and asked to grant permission to Specops Authentication.
Note
Your consent provides Specops Authentication with delegated permissions to complete the setup as an administrator. The Specops Authentication App does not have global administrator permissions in your Office 365 tenant. This is required only during setup.
- To set up your domain, you will need to copy the TXT verification record from the Specops Authentication Web page to your domain host’s DNS records.
Note
If you have already verified your domain, you will not be prompted for this step.
User Provisioning > Configure
- If you are already using Microsoft Entra ID connect for provisioning, click Skip.
- You will be prompted to edit the default O365 User Rules. The User Rules are used to configure provisioning of User Objects from Active Directory to Microsoft Entra ID.
- In O365, the UPN (UserPrincipalName) of the user becomes their username. Some apps may even prompt for an email address when they actually mean the UPN. If the Allow users with non-matching UPN and Email setting is set to Off, users whose UPN and email values do not match will not be provisioned, and an error will be displayed during login.
- If required, you can disable the optional user and group attributes.
- Click Save when you are done.
Office 365 Licenses > Configure
Specops Authentication can help you manage your O365 licenses. When provisioning is enabled, the license settings allow you to assign O365 subscriptions to users that log in to O365 through Specops Authentication.
- For licensing purposes, the Usage Location is a required field when creating a Microsoft Entra user. By default, the msExchUsageLocation attribute in Active Directory is used. If the attribute is missing, it defaults to the country of your Microsoft Entra organization.
- You can further enable/disable specific plans for the selected O365 subscription. For example, if only Skype for Business is enabled, the user will only get the Skype license. If the user had more plans prior to logging in, they will be removed to exactly match your configuration.
- Click Save when you are done.
Authentication Rules > Configure
The authentication settings will prompt all affected users to verify their identity with Specops Authentication when logging in to O365.
- Move any of the identity services you want to use from the Unselected Identity Services box to the Selected Identity Services box.
- You will need to assign a weight (star value) for each selected identity service. This will allow you to assign a higher value to those identity services you believe provide a higher level of security. For instance, assigning 2 stars to the Specops Authenticator would be equivalent to two identity services worth 1 star each. See Identity Services Weight Assignment for additional guidance.
- To require the user to use a specific identity service, select the Required checkbox.
- Configure the required weight (stars) for enrollment.
- Configure the required weight (stars) for authentication.
Note
The number of stars required for authentication must be equal to or less than the number of stars required for enrollment.
- To complete the enrollment or authentication process, the user will need to fill the star bar with the number of stars set by the policy.
- Click Save when you are done.
Note
Configure an SSO-only policy
When using the GPO configuration type, you can create an SSO-only policy alongside a multi-factor authentication policy. To configure an SSO-only policy, select Windows Identity and no other identity services. Assign Windows Identity 1 star, and set the weight for enrollment and authentication to 1 star.
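The star rules in this section can be modelled in a few lines to sanity-check a policy before saving it. This is an added illustration, not Specops code: it assumes a service marked Required must be completed in addition to filling the star bar, and "Service A" and "Service B" are placeholder names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    stars: int               # weight (star value) assigned to the service
    required: bool = False   # the Required checkbox

@dataclass(frozen=True)
class Policy:
    services: tuple          # the Selected Identity Services
    enroll_stars: int        # required weight for enrollment
    auth_stars: int          # required weight for authentication

def lint(policy):
    """Return a list of problems with the policy as configured."""
    problems = []
    # Rule from the note above: authentication <= enrollment.
    if policy.auth_stars > policy.enroll_stars:
        problems.append("authentication stars exceed enrollment stars")
    # Added sanity check (assumption): users must be able to fill the bar.
    if sum(s.stars for s in policy.services) < policy.enroll_stars:
        problems.append("selected services cannot reach the enrollment weight")
    return problems

def star_bar_filled(policy, completed, needed):
    """True if the completed services fill a star bar of `needed` stars."""
    by_name = {s.name: s for s in policy.services}
    done = {n for n in completed if n in by_name}  # ignore unselected services
    if any(s.required and s.name not in done for s in policy.services):
        return False
    return sum(by_name[n].stars for n in done) >= needed

def is_sso_only(policy):
    """SSO-only shape: Windows Identity alone, 1 star, weights 1 and 1."""
    return (len(policy.services) == 1
            and policy.services[0].name == "Windows Identity"
            and policy.services[0].stars == 1
            and policy.enroll_stars == policy.auth_stars == 1)

# Constructed sample policies for illustration.
MFA = Policy((Service("Specops Authenticator", 2, required=True),
              Service("Service A", 1), Service("Service B", 1)),
             enroll_stars=4, auth_stars=3)
SSO = Policy((Service("Windows Identity", 1),), enroll_stars=1, auth_stars=1)
```

Running `lint` on a policy whose authentication weight is higher than its enrollment weight, or whose selected services add up to fewer stars than enrollment requires, flags the misconfiguration before users hit it at sign-in.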
Turn on Federation > Turn It On
Turn on federation so that all affected users will start signing in through Specops Authentication. If you want to give the users a chance to enroll first, you can return to this step at a later time. You will see a message that the setup has been completed successfully. Click Continue.
You will see an overview of all your settings.
Provisioning and Configurations
- Specify whether you want Specops Authentication to use your tagged GPOs, or the scope selected during the Gatekeeper installation. Select either Group Policy, or Cloud (the selected scope) as the Configuration type, and click Configure.
- If Group Policy is selected, you will need to configure the user provisioning, licenses, and authentication rules, as explained above.
- On the Provisioning setup, click Details to check the service status. This checks if the Exchange administrator account is set up. It can take up to an hour before the account can be used. If the status reads Running, provisioning should start working.
Note
This page must be refreshed manually.
You can continue with other configurations and check back here later.