Overview

Specops Authentication for O365 is the ideal solution for organizations that require a simple and automated approach to O365 user management, and authentication. Specops Authentication is installed inside your Active Directory. This allows you to use existing Group Policies to configure provisioning, and assign licenses to users as they log-in to O365.

The solution’s powerful multi-factor authentication engine supports a wide range of authentication factors that can help improve your organization’s overall security. With 15+ identity providers available during authentication, users will always have a secure way to access important resources.

Specops Authentication for O365 can be used without extensive expertise from the administrator. No matter where you are in your O365 deployment, Specops Authentication can decrease O365 administration time, and increase security without disrupting the user experience.

Central concepts

Authentication

Authentication is the process of verifying the identity of a user. Typically, this requires the user to make a claim about their identity by entering their username and password.

Enrollment

You are required to enroll with Specops Authentication prior to accessing O365. The enrollment process will vary for each type of identity service. To enroll with an external identity service, such as Google, you will need to follow the link from the Specops Authentication web to the Google web page, and login with the email address and password associated with your Google account.

Identity services

Identity services enable users to securely identify themselves when signing in. Identity services fall into multiple categories, including: username and password, social ( LinkedIn, Tumblr), and higher trust ( Google Authenticator, Microsoft authentic, Duo Security Security).

To use various identity services to authenticate users, the identity service must be configured (enabled) in the administration console, and the user affected by the uReset policy must enroll in the uReset service. Once a user has enrolled, they can reset their password using the uReset Web Application (via a hyperlink on the login screen or on any modern browser). Specops uReset uses data from user objects in Active Directory to read and write information used in the system.

Below is a list of all the identity services available in Specops Authentication.

Standard

  • Specops Fingerprint: Specops Fingerprint enables users to enroll and authenticate using devices with fingerprint scanners, such as smart phones and tablets. Users can press their finger to the fingerprint scanner on their device to instantly identify themselves. Users can also use Face ID to authenticate, if they own an iPhone X and above. In order to use this identity service, users must have the app installed on their mobile device.
  • Specops Authenticator: Users can authenticate using the Specops Authenticator app. Users scan a QR code or enter a secret. Specops Authenticator then provides users with a six-digit one-time password, which must be entered in order to successfully authenticate.
  • Mobile Code (SMS): Users will receive a one-time six-digit password via an SMS message, which must be entered in order to successfully authenticate.
  • Email: the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. Email does not require enrollment, since it references the email address in the email attribute in AD (or any other attribute if it is overridden); it can only be used with domains associated with Specops Authentication .
  • : the user’s email is used as an identity service by sending a code to the registered email address that the user then has to input in the field on screen. has to be registered at enrollment by the user and they may use any email address of their choosing.
  • Trusted Network Locations: Trusted Network Locations is an identity service that allows administrators to designate certain IP ranges as Trusted Network Locations.
  • Manager Identification: When a user authenticates using Manager Identification, an email or SMS message is sent to their manager. Their manager must then approve the authentication request. Administrators can customize the notification that is sent, by adding custom information to the request notification. To make use of Manager Identification, each user must have a manager assigned to them in Active Directory, and manager accounts must have an email address/mobile phone number associated with their profile in order to receive authentication requests from users.
  • Secret Questions: Users can select questions from a predetermined list and specify the answers to them. They must then answer these questions in order to authenticate successfully.

3rd Party

NOTE
In most cases, enrollment with third party identity services needs to be handled by users individually.
  • PingID: With PingID, users can authenticate using the PingID mobile app.
  • Duo Security: With Duo Security, users can authenticate using the Duo Security mobile app.
  • Freja: With Freja, users can authenticate using the Freja mobile app.
  • Okta Users can enroll and authenticate using their Okta account credentials. This can be done through the Okta app and by sending codes via text message.
  • Symantec VIP: Users can authenticate using the Symantec VIP mobile app.
  • Google Authenticator: Google Authenticator is an app that generates one-time passwords. A secret is generated and presented in the form of a QR code that the user scans. Google Authenticator then provides users with a six-to-eight-digit one-time password, which must be entered in order to successfully authenticate.
  • Microsoft Authenticator: Microsoft Authenticator is an app that generates one-time passwords. A secret is generated and presented in the form of a QR code that the user scans. Microsoft Authenticator then provides users with a six-to-eight-digit one-time password, which must be entered in order to successfully authenticate.
  • EFOS/SITHS (Sweden): EFOS/SITHS is a smart card-based authentication service, which enables employees (such as medical professionals) of authorities, municipalities, and county councils in Sweden to electronically identify themselves.
  • Mobile BankID (Sweden): If users have the Mobile BankID app, they can use this to verify their identity.
    NOTE
    Users will have to scan a QR code in the Mobile BankID app in order to authenticate with this identity service.
  • Yubikey: The Yubikey is a hardware authentication device. Users can authenticate by generating One Time Passwords (OTP) with their Yubikey (only if the Yubikey supports Yubico OTP as a security function). For more information on Yubikey, refer to the Yubikey page.

Federated

  • Google: Users can enroll and authenticate using their Google account credentials.
  • Microsoft Live: Users can enroll and authenticate using their Microsoft Live account credentials. Microsoft Live credentials are used to sign in to the Microsoft Cloud, including: Outlook, Office Online, OneDrive, Skype, Xbox Live, and the Microsoft store.
  • Tumblr: Users can enroll and authenticate using their Tumblr account credentials.
  • Flickr: Users can enroll and authenticate using their Flickr account credentials.
  • LinkedIn: Users can enroll and authenticate using their LinkedIn credentials.

Multi-factor authentication

Multi-factor authentication requires more than one method of authentication from independent categories of credentials: something you know (i.e. password), something you have (i.e. Mobile device), and something you are (i.e. Fingerprint).

The Specops multi-factor authentication model is dynamic. Users can choose which identity services they want to combine for enrollment and authentication, as long as they meet the requirements of the policy. Users enrolled with more identity services than required for their authentication will have authentication choice. This guarantees that end-users will always have the ability to satisfy the authentication policy, even if an identity service is unavailable (e.g. not having their mobile phone nearby).

Policy

A policy contains the rules required for enrollment and multi-factor authentication when accessing O365. A policy controls what identity services can be used, and how many must be used to verify the identity of end-users. The system administrator is responsible for configuring the rules in the policies.

Architecture and design

Specops Authentication consists of the following components and does not require any additional resources in your environment. The authentication backend, web, and identity services are hosted in the cloud. You will only need to install the Gatekeeper component.

Alt text for this image

  1. User tries to access their O365
  2. User is redirected to Specops Authentication via Federated Trust
  3. Authentication options are fetched and presented to the user
  4. User selects identity services for authentication
  5. Identity services return user identity to Specops Authentication
  6. User identity is validated against Active Directory
  7. Specops Authentication creates a token for the user to present to O365
  8. Specops Authentication returns the authenticated user to O365 (if the authentication policy is met)

Authentication cloud: The global cloud component of Specops Authentication, the authentication cloud contains the web (front-end for end users) and the backend services.

Authentication Web: Contains the front-end for end-users, as well as for administrators. It enables the creation of Specops Authentication settings as well as the provisioning configuration.

Authentication backend: To read user information from Active Directory, the backend communicates with the Gatekeeper. The web and identity services also communicate with the backend. The authentication backend validates a user’s identity in Specops Authentication, based on the tokens from individual identity services.

Gatekeeper: The Gatekeeper needs to be installed on a server in your domain. The Gatekeeper reads user information from Active Directory, and manages all operations against Active Directory, such as reading/writing enrollment data.

Identity services: An entity that can validate a user’s identity in Specops Authentication. The tokens from individual identity services are used by the backend to validate a user’s Identity.

Some of the identity services that are used during authentication, such as Google are external. When an external identity service is used, the user is sent to the identity service, and asked to give Specops Authentication consent to access their personal information, such as their username. The information from the consent allows the creation of the token that is used for authentication.

Authentication policy: A policy that states how a user should authenticate in order to be able to access a resource.

Token: A token or a security token is a carrier of information about a user and about the issuer of the token. The information about a user is a set of statements. The claims about a user can for example be the name of the user, ID of the customer it belongs to and what roles a user has in its organization.

Note: No personally identifiable data or passwords are included in the tokens.

Features and capabilities

Console support features

Federated Windows Identity

When a user attempts to sign-in to O365, Specops Authentication can grant SSO access with existing Windows Integrated Authentication credentials, unless additional authentication requirements are specified in the policy.

Identity service trust assignment

Specops Authentication allows the administrator to assign a trust value/weight for each identity service, ultimately deciding that one identity service is worth twice as much as another during authentication. In the user interfaces, for both the end-users and administrator, the weights are represented by stars.

Customizations

The web application application contains several customization features which give you control over the Specops Authentication end user interface. You can customize various graphical elements including main logo, and main style (allowing you to set your own styles by using a custom bootstrap CSS).

Multi-factor authentication for administrators

Users that are a part of the Specops Authentication Admin Group can use multifactor authentication to verify their identity when accessing the administrator pages on the web application.

Mobile Applications

Specops Authenticator

The Specops Authenticator app is a high trust identity service, which turns the mobile device into a secure token device. The app generates a secret code that users must provide in addition to their username during authentication. The codes generated are based on industry standard Time-Based One-Time Password Algorithm security tokens. As such Specops Authenticator can work with both Google and Microsoft Authenticators.

Specops Fingerprint Authenticator

The Specops Fingerprint Authenticator app allows you to authenticate to O365 using either the Touch ID fingerprint recognition feature integrated into your iOS, or the Fingerprint API scan feature integrated into your Android 6.0 or newer operating system.

Supported clients

Specops Authentication supports the below clients for accessing O365.

  • Web based versions of O365 on all modern browsers e.g. https://portal.office.com
  • Office 365 for Windows
  • Office 2016 for Windows
  • Office 2013 for Windows (Requires additional settings rolled out in the organization).
  • Outlook for iPhone
  • Outlook for Android
  • OneDrive for Business
  • Skype for Business

Common configuration scenarios

Below are three common configuration scenarios for Specops Authentication with O365.

Not using O365 and your primary domain is not registered in Azure AD

  1. You can purchase an O365 account, or register for an Enterprise Free trial account from: https://www.microsoft.com/en-ca/microsoft-365/business/office-365-enterprise-e3-business-software
  2. Create your Specops Authentication customer account from: https://login.specopssoft.com/Authentication/Account/Signup
  3. Follow the steps in the Specops AuthenticationInstallation and Administration Guide.

Using O365 with your production tenant/Active Directory for testing on secondary domain name

Your primary domain name is in use, and you want to set up a secondary domain name for testing.

  1. Create a new public DNS Domain (For example: test.contoso.com). You will be asked to verify your domain by adding a TXT record to your domain host’s DNS record during the setup.
  2. Ensure you have test users with UPN suffixes that are under the new domain, user@test.contoso.com.
  3. Create your Specops Authentication customer account with the secondary domain, test.contoso.com.
  4. Install the Gatekeeper component. Refer to the Specops AuthenticationInstallation Guide.
  5. Set up federation with the domain (test.contoso.com), and O365. Refer to the Administration Guide > Office 365.
    • If you are already using Azure AD Connect for provisioning, you can skip User provisioning > Configure. If the remaining steps are configured, users will be able to log into O365 with single sign-on, or multi-factor authentication, using their UPNs, for example: Jane.Doe@test.contoso.com.
    • If you are already using Azure AD Connect, and want to test Specops Authentication for provisioning, make sure Azure AD Connect is not synchronizing your test users. Set the scope for Azure AD Connect to exclude the OU where your test users are.
    • If these users have been provisioned by Azure AD Connect before, they will be removed from your Azure AD tenant by Microsoft on the next sync cycle. Once they are removed, Specops Authentication cannot recreate them. To restore deleted users, go to “Deleted users” in the O365 admin portal. This can also be done using PowerShell.
  6. Tag a GPO that affects these users in the Gatekeeper Admin Tool, and enable user provisioning for the GPO on the Specops Authentication web. These users can now log in with single sign-on and will be provisioned.

Using O365 with your production tenant/Active Directory for testing in production (not recommended)

Your primary domain is in use, and you don’t want to set up a secondary domain. This will set up Specops Authentication for all users in production.

  1. Create your Specops Authentication customer account with your primary domain, contoso.com.
  2. Install the Gatekeeper component. Refer to the Specops AuthenticationInstallation Guide.
  3. Create and tag a GPO that affects all users that need to sign in to O365, or use an existing GPO.
  4. Create and tag a GPO that affects the test users that you want testing Specops Authentication, or use an existing GPO.
  5. Set up federation with the domain (contoso.com), and O365. Refer to the Administration Guide > Office 365.
    NOTE
    Complete the configuration steps, but skip the user provisioning and licensing configuration.
  6. On the Specops Authentication web, configure the policy affecting all users to only require Windows Identity during authentication. You will also need to configure integrated authentication.
  7. On the Specops Authentication web, configure the policy affecting the test users.
  8. Users will be able to log into O365 with single sign-on or multi-factor authentication using their UPNs, for example: Jane.Doe@contoso.com.

FAQ

Can Specops Authentication policies be configured to only apply to specific groups?

Yes. You can create policies for desired Group Policy Objects, or the selected scope.

Does Specops Authentication support multiple domain names?

Yes, as long as the domains of all email addresses are registered with Azure AD/O365.

Does Specops Authentication support redundancy?

Yes, you can setup and configure additional Gatekeepers for redundancy.

Does Specops Authentication store any personal or confidential business data?

Authentication related data including enrollment data is stored directly in sub-objects of the user account in Active Directory. Specops Authentication does not store a copy of your directory. Users are provisioned directly from your on-premises Active Directory to Azure AD.

How are users authenticated with Specops Authentication?

Specops Authentication uses Security Tokens to authenticate users. When a user enrolls with Specops Authentication, their enrollment data is stored on a sub object of their user account. When a user attempts to sign-in to O365, Specops Authentication will either grant single sign-on access via the Windows Integrated Authentication token, or prompt the user to authentication with additional identity services from their enrollment. This will depend on the authentication policy configured by the Administrator.

Can Specops Authentication be used with Azure AD Connect?

Yes. You can use Azure AD Connect for provisioning; and Specops Authentication for license management, single-sign on, and multi-factor authentication.

How is Specops Authentication hosted?

Specops Authentication is delivered as a hosted cloud service, running on Amazon Web Services, with the datacenter located in Eastern US.

Is data encryption used for data in transit from the Gatekeeper to the Specops Authentication Cloud?

Yes, dual layer encryption between the Gatekeeper and Specops Authentication Cloud. All data sent from end-users or Gatekeeper is cryptographically verified, both signed and sealed.

What identity services/authentication factors does our product support?

  • Specops Authentication supports the following identity services:
  • Windows Identity
  • Questions
  • Mobile Code (SMS)
  • Specops Authenticator
  • Manager Identification
  • Specops Fingerprint
  • Google Authenticator
  • Microsoft Authenticator
  • Symantec VIP
  • Duo Security
  • Mobile Bank ID (Sweden)
  • Social and email options: Gmail, Yahoo, Twitter, Flickr, Live