Product: Specops Authentication for Office 365
Specops Software is a Swedish company founded in 2001 with headquarters in Stockholm and offices in the United States, Canada, and the UK. They develop unique password management and desktop management products based on Microsoft technology. In 2017 they launched Specops Authentication for Office 365, a single solution that streamlines and secures Office 365 Active Directory integration and user login with dynamic multifactor authentication (MFA). In this product review, we will take a look at its latest version, 8.0.18318.2.
Specops Authentication for Office 365 offers organizations a simple and automated approach to Office 365 user management and authentication. It consists of one or more domain-joined servers installed on-premises, which allows admins to configure user provisioning and assign licenses to users as they log in to Office 365.
The solution’s powerful MFA engine supports a wide range of authentication factors that can help improve an organization’s overall security, and this, in my opinion, is where it shines. With over 15 identity providers available during authentication, users will always have a secure way to access Office 365.
In a nutshell, Specops allows organizations to:
- Secure the Office 365 login with dynamic MFA identity providers:
  - Windows integrated identity (AD password);
  - Security Questions;
  - Mobile Verification Code (SMS code);
  - Specops Authenticator (OTP app);
  - Google Authenticator (OTP app);
  - Microsoft Authenticator (OTP app);
  - Duo Security;
  - Symantec VIP;
  - Specops Fingerprint Authenticator (works with Apple Touch/Face ID & Android fingerprint);
  - Mobile Bank ID (Sweden);
  - Social and email options: Gmail, Yahoo, Facebook, Twitter, and more;
  - Efos/SITHS cards (Sweden).
- Enable self-service password reset that leverages the same MFA engine;
- Automatically provision users from on-premises Active Directory (AD) to Office 365.
How does it work?
Specops Authentication consists of an authentication backend, web, and identity services, all hosted in the cloud, plus one or more on-premises Gatekeeper servers.
- Authentication backend communicates with the Gatekeeper to read user information from AD and to validate a user’s identity based on the tokens from individual identity services. The web and identity services also communicate with the backend;
- Authentication web contains the front-end for users and administrators. It enables the creation of Specops Authentication settings as well as the provisioning configuration;
- An identity service is an entity that can validate a user’s identity in Specops Authentication. The tokens from these identity services are then used by the backend to validate a user’s identity;
- The Gatekeeper is installed on a domain-joined server on-premises, so it can read user information from AD, and manage all operations against AD, such as reading/writing enrollment data;
- Authentication policies state how a user should authenticate in order to be able to access a resource. They contain the rules required for enrollment and MFA when accessing Office 365, such as controlling which identity services can be used, and how many must be used to verify the identity of users.
The diagram below, taken directly from Specops’ website, describes how Specops Authentication works:
- User tries to log in to Office 365 by going to portal.office.com, for example, and typing their credentials;
- User gets redirected to Specops Authentication via a Federated Trust;
- Authentication options are fetched and presented to the user;
- User selects one or more identity services for authentication;
- Identity services return the user identity to Specops Authentication;
- The user identity is validated against the on-prem AD;
- Specops Authentication creates a token for the user to present to Office 365;
- Specops Authentication returns the authenticated user to Office 365 if the authentication policy is met.
Although at first it might seem that an inbound connection needs to be open through the firewall to the Gatekeeper, this is not the case! All Specops connections are outbound only, which is great from a security perspective.
To install the Gatekeeper, we need a server that meets the following requirements:
- Windows Server 2012 R2 or later;
- .NET Framework 4.7 or later.
For provisioning users in Office 365, we need a valid domain name (the default *.onmicrosoft.com domain cannot be used), and an Office 365 account with global administrator rights on Azure AD. Furthermore, modern authentication needs to be enabled for Exchange Online and Skype for Business Online, which has been the default for some time now, but not for older tenants. If federated identity is being used in Office 365, through ADFS for example, you will need to de-federate the domain as it will need to be federated with Specops Authentication.
Installing Specops is straightforward. All it involves is creating a customer account, downloading a customized setup package, and configuring the Gatekeeper in the organization’s Active Directory environment.
The first step should be configuring Windows Integrated Authentication so users’ AD credentials are passed automatically through their browser to Specops’ web server. This way, users will automatically authenticate with their Windows Identity and be granted the Windows Identity authentication token.
Next, we can create a Specops Authentication GPO. Users targeted by this GPO can have their authentication, provisioning, and license settings configured from the Specops Authentication web. By using GPO, we can use different policies for different groups of users.
The Specops Authentication Web is used to view system information and manage most aspects of the product, including system-wide configurations and MFA policies for its various resources. When administrators log in to the admin page for the first time, they are required to enroll in the system. This follows the same process as for end users, which will be detailed later.
The first page lists all the Gatekeepers configured in the environment, including their status. As the text suggests, we can install and configure additional ones for redundancy, always a must for any production environment. If a Gatekeeper fails, service will not be disrupted as long as there is another one up and running.
Within this interface, administrators can enable or disable all of the identity services supported by Specops Authentication, and there are a lot!
The ones with a cog are the ones that support additional configuration. For example, under Secret Questions, we can specify how many questions users need to answer, delete existing questions, add new ones, or even add questions in different languages, amongst other options. Specops also supports extensive customization. We can customize its logo, use a style sheet and pretty much change any text in the user interface, including using different languages:
The Web interface also provides access to several useful reports and logs. For example, we can track the number of authentications performed by Specops by hour/day/week/month, or even check the most used identity providers:
There is also an audit log with actions performed by administrators (below we can see I disabled CAPTCHA for example), amongst other event logs:
We can also add multiple domains to our Specops Authentication organization account, and manage CAPTCHA settings:
Configuring Specops for Office 365
Now it’s time to get down to what really brought us here: using Specops Authentication with an Office 365 tenant!
The solution allows provisioning, licensing and Office 365 federation configuration in addition to setting up MFA policies. Before proceeding, it is important to ensure that we have already added a custom domain to Office 365 and validated its ownership.
Once this has been done, we can decide if we want to use a GPO to target which users can use Specops or use the organizational unit specified during the Gatekeeper installation as the scope target for Specops. The next step is to decide which identity services users can use, including the weight (stars) of each one, as well as the requirements for enrollment and authentication. For example, we can state that users need to enroll in different identity services until they have 6 stars (which means at least 3 identity services), but to authenticate they only need 4 stars (at least 2 identity services). This is where a balance between security and user experience comes into play.
For this test, I selected 3 stars for authentication and made four identity services available to users, all with a weight of 2. This means that users will have to use 2 identity services in order to log in to Office 365. Because of Windows Integrated Authentication, if users are logged in to a workstation with their credentials, then they will only be asked to confirm their identity using a Mobile Code, Secret Question, or the Specops Authenticator app:
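To make the star arithmetic above concrete, here is an added example (my own code, not part of Specops Authentication or its documentation) of a weighted policy evaluator of the kind described: each identity service carries a weight in stars, enrollment and authentication each have their own star threshold, and a user is authenticated only when the distinct services they used reach the authentication threshold. The service names, the `AuthPolicy` class and its methods are assumptions for illustration; the weights mirror the review's test setup (four services, each worth 2 stars).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed to mirror the review's test setup: four identity services,
# each weighted 2 stars. Names are illustrative, not Specops' identifiers.
SERVICE_WEIGHTS: Dict[str, int] = {
    "windows_integrated": 2,
    "mobile_code": 2,
    "secret_question": 2,
    "specops_authenticator": 2,
}


@dataclass(frozen=True)
class AuthPolicy:
    """Star thresholds for enrollment and authentication plus per-service weights (hypothetical model)."""
    enrollment_stars: int
    authentication_stars: int
    weights: Dict[str, int]

    def __post_init__(self) -> None:
        # A user must be able to authenticate with what they enrolled; otherwise
        # the policy can never be satisfied.
        if self.authentication_stars > self.enrollment_stars:
            raise ValueError("authentication threshold exceeds enrollment threshold")
        if any(w <= 0 for w in self.weights.values()):
            raise ValueError("every enabled service needs a positive weight")

    def stars(self, services: Iterable[str]) -> int:
        """Sum the weights of distinct services; disabled or unknown services count zero."""
        return sum(self.weights.get(s, 0) for s in set(services))

    def can_finish_enrollment(self, enrolled: Iterable[str]) -> bool:
        return self.stars(enrolled) >= self.enrollment_stars

    def missing_enrollment_stars(self, enrolled: Iterable[str]) -> int:
        """How many more stars the user must enroll before the wizard lets them proceed."""
        return max(0, self.enrollment_stars - self.stars(enrolled))

    def is_authenticated(self, used: Iterable[str]) -> bool:
        """True when the services actually used in this login reach the authentication threshold."""
        return self.stars(used) >= self.authentication_stars

    def remaining_options(self, used: Iterable[str], enrolled: Iterable[str]) -> list:
        """Enrolled, still-enabled services the user has not yet used in this login."""
        used_set = set(used)
        return sorted(s for s in set(enrolled) if s not in used_set and s in self.weights)

    def min_services_for(self, required: int) -> Optional[int]:
        """Smallest number of services whose combined stars reach `required` (heaviest first), or None if impossible."""
        total = count = 0
        for w in sorted(self.weights.values(), reverse=True):
            if total >= required:
                break
            total += w
            count += 1
        return count if total >= required else None


if __name__ == "__main__":
    # The review's configuration: 3 stars to authenticate; enrollment set to 4 here as an assumption.
    policy = AuthPolicy(enrollment_stars=4, authentication_stars=3, weights=SERVICE_WEIGHTS)
    # Windows Integrated Authentication alone (2 stars) is not enough...
    print(policy.is_authenticated(["windows_integrated"]))
    # ...so the user is offered the remaining enrolled services to top up.
    print(policy.remaining_options(["windows_integrated"], SERVICE_WEIGHTS))
    print(policy.is_authenticated(["windows_integrated", "mobile_code"]))
```

The `remaining_options` method is what drives the prompt described in the text: a domain-joined user arrives with the Windows Identity token already counted, sees they are short of the threshold, and is offered only the services they enrolled in. The `min_services_for` helper reproduces the "6 stars means at least 3 services" reasoning for any set of weights, not just uniform ones.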
Now that we have configured the authentication requirements for users, we enable Office 365 licensing where users will be assigned licenses automatically whenever they login to Office 365. The solution provides us with user rules that we can use to configure provisioning of user objects from the on-premises AD to Azure AD. By enabling this, we are letting Specops Authentication create user objects in Azure AD as users sign in to Office 365. If left disabled, no users will be created and any users that do not already exist in Azure AD will be unable to log in. We also have the option to specify which attributes are required and which ones aren’t.
The final step is to enable federation. As Specops already has the necessary permissions to our tenant, all we have to do to enable our Office 365 tenant to federate with Specops is to click the “Turn it on” button:
And we are done! Now that we have fully configured Specops Authentication to work with Office 365, it is time to see the authentication experience from a user’s perspective.
From a user’s perspective, Specops Authentication supports the following clients for accessing Office 365:
- Web-based versions of O365 on all modern browsers;
- Office 365 for Windows;
- Office 2016 for Windows;
- Office 2013 for Windows (with additional updates);
- Outlook for iPhone;
- Outlook for Android;
- OneDrive for Business;
- Skype for Business.
Let’s start by looking at the user experience when a user logs in to the Office 365 portal for the first time. When we type our username and move to the password entry box, Office 365 redirects us to the Specops sign-in page, just like with any other federation solution:
Because this is the first time this user logs in, we get asked to enroll with Specops:
We start by confirming our password:
We are then presented with the identity services we configured previously as admins. As mentioned before, in this case we only need to enroll with one additional service:
Let’s first try Secret Question. Once we select this identity service, we are taken to a list of pre-defined questions we can use:
We simply select the question we want to use, answer it, and click OK:
Selecting Specops Authenticator requires us to download and install Specops’ own authenticator app (similar to Microsoft’s own authenticator app). The logon page presents a QR code which we scan with the app, once installed, in order to configure it:
So, simply go to the app store, download the app:
Open it, and click on Scan QR Code:
Once that’s done, type the displayed code in the Code box on the website and click Verify.
Once we have filled all the required stars, we can proceed:
Because this is the first time this user signs in to Office 365, Specops needs to create the account and assign it a license:
In my case it took around 15 seconds for the user account to be provisioned and for me to be redirected to the Office 365 portal:
If we check the user license, we can confirm that, as we configured, all services were enabled except for Teams:
And that’s it! Simple.
Users will be prompted for credentials at periodic intervals; they will not need to authenticate with Specops every single time. Once the user completes the authentication process, a refresh token is issued by Azure AD for that client. By default, the maximum age of that token is 90 days. Once the token has expired, or if it is revoked by an administrator, the client will have to re-authenticate via Specops Authentication in order to get a new token. Token management is handled by Azure, meaning administrators cannot configure or manage those tokens directly in Specops Authentication.
As with Microsoft’s own MFA implementation, certain older applications that do not support modern authentication will require an App Password to authenticate to Office 365, which allows them to bypass MFA/Specops.
When I was first asked to review Specops Authentication, my initial thought was “why would an organization need this product when Microsoft’s own MFA works great with Office 365”? After having used Specops for a while, I can see its appeal to some organizations.
On the one hand, Specops Authentication has a few drawbacks:
- Its online manual is not the best, and it might make installing and configuring Specops for the first time a bit confusing, but I know Specops is working on improving it;
- The Specops Authenticator and the Specops Fingerprint mobile apps should be combined into one. It is much easier to tap a notification (Specops Fingerprint) than it is to open the app (Specops Authenticator), read the code, type the code, and press OK. Combining both apps into one would give users the option to choose their preferred method without having to install different apps. Having said that, I guess we always have the option to use Microsoft’s authenticator app together with Specops;
- At this stage, Specops is missing some of the more advanced and powerful features of Azure Conditional Access. For example, we cannot bypass MFA when inside a company’s network and only enforce MFA when users are working remotely, or enforce MFA just for a particular service like Exchange Online and OneDrive.
On the other hand, Specops provides MFA options that are not available with Azure MFA. All of Microsoft’s MFA options rely on users having either a landline number where they can receive a phone call or a mobile phone. I have been involved in several projects where the business wanted to offer users other options, like receiving a code by email (instead of SMS) as many other products do, or answering one or more secret questions, for example. Microsoft already provides these options with its Azure self-service password reset feature, so why not offer them with MFA? This is where Specops fills the gap: it offers MFA options that do not require users to rely on a mobile phone, and at the same time provides other features that Azure AD Connect does, like user provisioning, all in one. Another feature that will be covered in a separate review is Specops uReset, a self-service password reset solution that leverages the same authentication engine as Specops Authentication and allows users to reset their password in the same secure way as logging in to Office 365.
TechGenix.com Rating 4.6/5