Office 365 & Factory Shift use

[8string]

I am helping a client of mine migrate from W7 to W10. Traditionally, they have had generic logins for groups of workers. (i.e. FooFighters). So the FooFighters could login at a break room and go to OWA and login to their email through there. They might also need to open a spreadsheet or word doc relating to their work. One login for them all.

Now, with the concerns of hacking etc, we have implemented Office 365 and W10 with MFA. However, many of these workers don’t usually carry cell phones, nor do we want to create a login for every single user. We would prefer another single login, “FooFighters” and allow a common desktop for all of them that are in the break room along with a single FooFighters group email for all of them.

Is there any reasonable way I am missing here to accomplish this? Would the MSFT “Guest Account” be the best way to implement this?

Thanks in advance.

AlB in PT

• This topic was modified 3 days, 11 hours ago by 8string.

[Susan Bradley]

Add a single Azure P1 to the account (go into subscriptions and you can add it) and you can add whitelisting to the static IP of the office.  Thus for a kiosk computer that is physically located behind a static IP of the firm, it won’t be prompted for two factor.

BUT the account itself is protected by MFA so thus blocked from external access.

Susan Bradley Patch Lady

1 user thanked author for this post.

8string

[mn–]

8string wrote:

we have implemented Office 365 and W10 with MFA. However, many of these workers don’t usually carry cell phones, nor do we want to create a login for every single user.

One thing with this though, check your license compliance… 365 really isn’t very nice for these cases. For shared computers, volume or retail licensed local MS Office is still often relevant.

Yeah, the P1 add-on is really useful for a lot of “special” usage cases.

[8string]

The catch is in the license of the AD. Unfortunately this client isn’t large enough to justify the enterprise license. sigh. Could this work with a standard Azure license in a different way?

[alQamar]

this scenario does not fit with the solution below: “many of these workers don’t usually carry cell phones”

otherwise:

Enable Modern Authentication (ADAL) in the tenant. Might not be enable by default.

Consider to provide them with Microsoft Authenticator App, enable MFA enforced on the single account in the tenant

save the recovery code in a safe central place that needs NOT the same MFA to login / authenticate

Everyone that needs to access / login can use MFA from Authenticator

What this means:

you have a quite high security with MFA for this group of users, Outlook 365 will not require MFA, using single sign on in best case (if configured via GPO / AD Sync etc)

you do not need application codes for O365 to circumvent MFA.

[8string]

with all due respect, having worked with Authenticator, I prefer getting a text message. Having to open an app has seemed more frustrating than getting a text message. And when I changed phones (but not numbers) the hassle of recreating the Authenticator was frustrating. I swore I would never use it again if I could help it. Almost better to use a USB key.

 

[mn–]

8string wrote:

with all due respect, having worked with Authenticator, I prefer getting a text message. Having to open an app has seemed more frustrating than getting a text message.

Oh well, YMMV.

Depending on other factors, SMS may not be sufficiently secure and reliable for all cases – the authenticator app is in theory a bit better.

Dedicated security device (USB key, smartcard, whatever) done correctly should be better, yes, but budgeting for those is another thing…

[alQamar]

“Dedicated security device (USB key, smartcard, whatever) done correctly should be better, yes, but budgeting for those is another thing…”

“I swore I would never use it again if I could help it. Almost better to use a USB key.”

I personally use Yubikey for passwordless authentication (-if you need more information I can recommend the blog of Michael Mardahl)

but this has high requirements (Azure Tentants only, does not work with Win 10 that are not azure AD joined. Costs are relative taking the risk of data loss or loss of productivity into account.

“Having to open an app has seemed more frustrating than getting a text message. ”
It has options to give you a popup so you don’t have to open it but choose from 3 numbers.

“And when I changed phones (but not numbers) the hassle of recreating the Authenticator was frustrating.”

Microsoft Authenticator now offers a cloud based backup to your private / edu / work MS account, I can confirm it works. Have 15+ tokens in there for different services.

• This reply was modified 1 day, 3 hours ago by alQamar.
• This reply was modified 1 day, 3 hours ago by alQamar.

[8string]

Add on to my last post. Just did a search and found what I needed about Authenticator backup. Too late for me, but worth knowing next time! Thanks!

 

1 user thanked author for this post.

alQamar

[anonymous]

Thanks I think I have a solution. There is a Yubikey that works without finger recognition. It is used mainly in server environments but might work for ours. We are not leaving AD anytime soon. So we’ll explore this option.

As to the Authenticator backup, I’ll have to look into that. Is there a link? Or is it a feature of certain versions of AD?

[mn–]

Confirm that it exists (Yubikey without finger recognition, on-premises AD). I’ve used it.

Didn’t see the budget or other requirements for it though. Clients I saw were W10 Enterprise.

[alQamar]

Authenticator backup, I see in options built-in (Android). Cannot vouch for iOS don’t have one.

[Author]

Posts