  • Office 365 & Factory Shift use

    Posted on 8string Comment on the AskWoody Lounge

      • #2276586 Reply
      • #2276601 Reply
        Susan Bradley
        AskWoody MVP

        Add a single Azure P1 to the account (go into subscriptions and you can add it) and you can add whitelisting to the static IP of the office. Thus for a kiosk computer that is physically located behind a static IP of the firm, it won’t be prompted for two-factor.

        BUT the account itself is protected by MFA and thus blocked from external access.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
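        The trusted-location exemption described in this reply, written out as Microsoft Graph Conditional Access payloads; this is an added example and not something posted in the thread. The office IP (203.0.113.10, a documentation address), the kiosk account object id and the named-location id are placeholders you substitute; the policy is set to report-only so its effect can be checked in sign-in logs before it is enforced.

```json
{
  "namedLocation_POST_to_/identity/conditionalAccess/namedLocations": {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "displayName": "Factory office static IP (constructed example)",
    "isTrusted": true,
    "ipRanges": [
      {
        "@odata.type": "#microsoft.graph.iPv4CidrRange",
        "cidrAddress": "203.0.113.10/32"
      }
    ]
  },

  "policy_POST_to_/identity/conditionalAccess/policies": {
    "displayName": "Kiosk account: require MFA except from office IP",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": ["<KIOSK-ACCOUNT-OBJECT-ID-PLACEHOLDER>"]
      },
      "applications": {
        "includeApplications": ["All"]
      },
      "locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["<NAMED-LOCATION-ID-PLACEHOLDER>"]
      }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["mfa"]
    }
  }
}
```

        Any sign-in for the kiosk account from an address outside the /32 still hits the MFA grant control, which is what keeps the account unusable from outside the office; switch `state` to `enabled` only after report-only results show the expected matches.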
      • #2276642 Reply
        mn–
        AskWoody Lounger

        We have implemented Office 365 and W10 with MFA. However, many of these workers don’t usually carry cell phones, nor do we want to create a login for every single user.

        One thing with this though, check your license compliance… 365 really isn’t very nice for these cases. For shared computers, volume or retail licensed local MS Office is still often relevant.

        Yeah, the P1 add-on is really useful for a lot of “special” usage cases.

      • #2276674 Reply
        8string
        AskWoody Plus

        The catch is in the license of the AD. Unfortunately this client isn’t large enough to justify the enterprise license. sigh. Could this work with a standard Azure license in a different way?

      • #2277059 Reply
        alQamar
        AskWoody_MVP

        This scenario does not fit with the solution below: “many of these workers don’t usually carry cell phones”

        otherwise:

        Enable Modern Authentication (ADAL) in the tenant. Might not be enabled by default.

        Consider providing them with the Microsoft Authenticator app, and enable enforced MFA on the single account in the tenant.

        Save the recovery code in a safe central place that does NOT need the same MFA to login / authenticate.

        Everyone that needs to access / login can use MFA from Authenticator.

        What this means:

        You have quite high security with MFA for this group of users; Outlook 365 will not require MFA, using single sign-on in the best case (if configured via GPO / AD Sync etc.).

        You do not need application codes for O365 to circumvent MFA.

      • #2277185 Reply
        8string
        AskWoody Plus

        with all due respect, having worked with Authenticator, I prefer getting a text message. Having to open an app has seemed more frustrating than getting a text message. And when I changed phones (but not numbers) the hassle of recreating the Authenticator was frustrating. I swore I would never use it again if I could help it. Almost better to use a USB key.


      • #2277187 Reply
        mn–
        AskWoody Lounger

        with all due respect, having worked with Authenticator, I prefer getting a text message. Having to open an app has seemed more frustrating than getting a text message.

        Oh well, YMMV.

        Depending on other factors, SMS may not be sufficiently secure and reliable for all cases – the authenticator app is in theory a bit better.

        Dedicated security device (USB key, smartcard, whatever) done correctly should be better, yes, but budgeting for those is another thing…

      • #2277352 Reply
        alQamar
        AskWoody_MVP

        “Dedicated security device (USB key, smartcard, whatever) done correctly should be better, yes, but budgeting for those is another thing…”

        “I swore I would never use it again if I could help it. Almost better to use a USB key.”

        I personally use Yubikey for passwordless authentication (if you need more information I can recommend the blog of Michael Mardahl)

        but this has high requirements (Azure tenants only, does not work with Win 10 that are not Azure AD joined). Costs are relative taking the risk of data loss or loss of productivity into account.

        “Having to open an app has seemed more frustrating than getting a text message.”
        It has options to give you a popup so you don’t have to open it but choose from 3 numbers.

        “And when I changed phones (but not numbers) the hassle of recreating the Authenticator was frustrating.”

        Microsoft Authenticator now offers a cloud based backup to your private / edu / work MS account, I can confirm it works. Have 15+ tokens in there for different services.

      • #2277357 Reply
        8string
        AskWoody Plus

        Add on to my last post. Just did a search and found what I needed about Authenticator backup. Too late for me, but worth knowing next time! Thanks!


        1 user thanked author for this post.
      • #2277356 Reply
        anonymous
        Guest

        Thanks I think I have a solution. There is a Yubikey that works without finger recognition. It is used mainly in server environments but might work for ours. We are not leaving AD anytime soon. So we’ll explore this option.

        As to the Authenticator backup, I’ll have to look into that. Is there a link? Or is it a feature of certain versions of AD?

        • #2277446 Reply
          mn–
          AskWoody Lounger

          Confirm that it exists (Yubikey without finger recognition, on-premises AD). I’ve used it.

          Didn’t see the budget or other requirements for it though. Clients I saw were W10 Enterprise.

      • #2277363 Reply
        alQamar
        AskWoody_MVP

        Authenticator backup, I see in options built-in (Android). Cannot vouch for iOS; don’t have one.
