Multi-Factor Authentication with Azure Active Directory and Azure Access Control Services

Recently Microsoft launched the “Multi Factor Authentication” mechanism into the Azure cloud. This brings the idea of using your phone as the second authentication mechanism for logging in. SharePoint 2013 can utilize authentication services from the Azure cloud, which in turn brings multi-factor authentication with it. The following steps will help you set up your Azure Active Directory, Azure Access Control Services and a .NET MVC Web Application, and enable it for “Multi-Factor Authentication”. In the next post we connect it all to SharePoint 2013.

Firstly I have provisioned the following:

  1. Azure Access Control Namespace
  2. Azure Active Directory

To provision the ACS, access Azure Services, select “Active Directory” and choose “New”.

Once it is created, click the “New” button again and this time select directory. I completed mine as shown below.

Now we need to tie the two components together. The idea here is that SharePoint already trusts my ACS as an authentication mechanism, and we want the Azure Active Directory Service to be listed as an option for logging in.

Click on the newly created Azure Active Directory to open its management page, then select the “Applications” link at the top.

Select the “Add an App” link and follow the wizard.

When prompted enter the namespace URL of the Azure Access Control Services you created earlier.

Now we need to set the access that we want for this provider.

With that done, our Azure Access Control Service and Azure Active Directory Service are connected. The Azure Active Directory tenant can now issue tokens through Azure Access Control Services.

Now that we have everything connected one way, we need to complete the task the other way round. If we go back to the control panel and select “Directory” from the top navigation, we should see the application we just configured, and at the bottom there should be a “View Endpoints” option.

When we click the link for the end points we get the following:

We need to copy the “Federation Metadata Document” link, which we can then add in our “Azure Access Control” management screen.

Now we head over to the Azure Access Control Services management portal.

Now we need to add a new “Identity Provider”: select the “Identity Providers” link from the left navigation, and click “Add”. Select the “WS-Federation Identity Provider” option and choose “Next”.

Complete the screen as shown below, using your copied federation link and whatever name you want to use for it.
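
A check worth running on the copied Federation Metadata Document before registering it as a WS-Federation identity provider, as an added example that is not part of the original post: it extracts the issuer, the passive sign-in endpoint and the signing certificate thumbprint, and flags non-HTTPS or unexpected hosts. The sample document, host names and tenant placeholder are constructed, and `summarize_metadata` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder tenant, hosts and certificate bytes (not a real cert).
SAMPLE_CERT = base64.b64encode(b"constructed-not-a-real-certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="https://sts.example.test/TENANT-ID-PLACEHOLDER/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://login.example.test/TENANT-ID-PLACEHOLDER/wsfed</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

def summarize_metadata(xml_text, expected_host):
    """Return issuer, sign-in endpoints, signing-cert thumbprints and any problems."""
    root = ET.fromstring(xml_text)
    endpoints = [a.text.strip() for a in root.findall(
        ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)]
    # Thumbprint = SHA-1 over the DER certificate, the form Windows tools display.
    thumbprints = [hashlib.sha1(base64.b64decode(c.text)).hexdigest().upper()
                   for c in root.findall(".//md:KeyDescriptor[@use='signing']"
                                         "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    problems = []
    for url in endpoints:
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"endpoint is not HTTPS: {url}")
        if parts.hostname != expected_host:
            problems.append(f"unexpected endpoint host: {parts.hostname}")
    if not endpoints or not thumbprints:
        problems.append("missing sign-in endpoint or signing certificate")
    return {"issuer": root.get("entityID"), "endpoints": endpoints,
            "thumbprints": thumbprints, "problems": problems}
```

Compare the returned thumbprint with the signing certificate that ACS shows for the identity provider after import; a mismatch means the trust was built from a different document.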

Now that we have this, we need to create some user accounts (if you don’t already have any). You can create them from the directory we created by using the “Users” navigation and selecting “Add User” from the bottom navigation.

So now we have our user account in Azure Active Directory, and that is connected to Azure Access Control Services. Now we need to tie our claims-aware application to this for authentication, if you haven’t already done so. For now we will first set up an MVC web application and test it.

Open up Visual Studio using “Run as Administrator”, and create a new “MVC 4 Web Application”.

Once it is loaded, right-click the project and choose “Identity and Access” and complete the following steps.

Click the “Configure” link that appears.

You will need to supply your namespace for the Azure Access Control Services and the Management key, both of which can be found in the management portal for the access control service.

In the older portal you can get the namespace from the top banner, and the key can be found under “Management Service”, “Management Client”.

Once completed, after verification your providers will be displayed.

I am going to select both so I can test with both later on. Clicking “OK” will update the web project to use that Authentication mechanism. To test simply press “F5” to run the web site. It should redirect you to the Azure Access Control Services realm picker.

I am going to pick my “yournamegoeshere AD” option. This will take us to the login screen for our Azure Active Directory Service.

Once sign-in is complete you should gain access to the web site.

Now that we can log in, we need to enable all of this for “Multi-Factor” Authentication. Access the “Active Directory” section in the Azure Management Portal, and select the “Multi-Factor Auth Providers” link in the navigation.

Click the “New” button and complete as shown below:

Now that we have the provider created, we can enable it on a per-user basis. To do this go back to the management portal, select “Active Directory”, then click the Directory you wish to use and select “Users” from the top navigation.

At the bottom of the page there is a button labeled “Manage Multi-Factor Auth” that you need to click. When you click this you may get this error:

If this is the case then you need to log in with an Organization ID who is a global administrator. I did this by browsing to the following URL and logging in as my newly created account (which I changed to a global administrator).

https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx

Once logged in, it should render the options for multi-factor authentication.

If we now check the account we created, we can choose the enable link that appears.

Press the “Enable Multi-Factor Auth” button to complete the steps.

Now we can repeat the login process for our user using the MVC Web Site we have configured. This time, after we pass our credentials, we get stopped and are asked to set up the extra security.

Follow the wizard to complete the steps.

 

Click the “Verify Now” button and a text will be sent to you.

Complete the next step by typing the code and pressing “Verify”; if successful it should show the following message.

Now the login redirect prompts you for a code.

After you receive the text you should be able to enter it and validation should be successful and you gain access to the site.

As you can see, it may take a lot of configuration, but it is worth it to get this level of authentication. In the next post we will look at configuring SharePoint to use the same mechanism.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet and sometimes building Lego robots.


  • Alan

    Hi, I did send a mail also, I am looking for the follow up article linking it to SharePoint 2013? Any help appreciated.

    • helloitsliam

      Hey Alan, sorry about that, I have yet to complete the 2nd Post. This is on my list to complete shortly.

      • Alan

        Hi Liam, many thanks, I am looking to use it for a customer, so please keep me updated. Great site. Alan