Optimized MFA and SSPR using E-Visor Teams app and AADP
New E-Visor Teams App Basic and AADP MFA / SSPR capabilities
Hello folks!
As part of the #ZeroTrust expansion process of our E-Visor Teams App, we have great news for everyone in your organization to help you protect one of your most fundamental services: user identities.
Multi-factor Authentication [MFA]
- Organizations that want to expand security controls such as multi-factor authentication face many challenges and change-management activities. Educating users, support staff, and administrators is critical, and so is choosing among the authentication methods available to users: the more robust methods (app-based and hardware-backed) also reduce friction, and, when deployed well, they reduce support calls.
- Many end users have also adopted a remote work model. That flexibility makes it more important than ever to secure access to corporate resources regardless of where the user or device is.
Self-Service Password Reset [SSPR]
- Another challenge for many organizations is how to support the password lifecycle (change, reset, unlock) for end users who work from devices outside the corporate network, in a secure manner and without depending on support calls to deliver that self-service experience.
If you are looking to start using these key services or optimize what you have done as much as possible, THIS ARTICLE IS FOR YOU!
E-Visor + Microsoft AADP to the rescue!
As a Microsoft Elite Identity partner, we have assisted hundreds of organizations of all sizes, with hundreds of thousands of users, with their identity protection needs. No matter what other security controls the organization has deployed, if an identity is compromised everything built on top of it, from encryption to ACLs and beyond, falls through the cracks.
Yes, attackers want your data, but often the easiest path to it is a weakly protected account. Instead of exploiting vulnerabilities in devices and applications, attackers target user credentials (phishing, password spray, credential stuffing), then impersonate the user and escalate privileges as they go. We fully agree with Microsoft that MFA significantly reduces the success rate of these account compromise attempts.
Great News! from Microsoft Azure AD
Recently, Microsoft released a NEW combined registration experience that simplifies user enrollment for both MFA and SSPR in a single flow, and that incorporates physical security keys based on the FIDO2 (Fast Identity Online) standard, helping us go beyond traditional two-factor authentication to passwordless authentication!!!
Great News! from E-Visor Teams App
At Synergy Advisors, we are committed to providing the best end user experience that can maximize your investment in Microsoft solutions such as Azure Active Directory Premium [AADP] to provide the following:
- Centralized MFA & SSPR user identity configuration information in our E-Visor Teams App
- Incorporate best practices recommendations to effectively leverage and configure those two services
- User configuration status and potential next steps to improve users’ security configuration
- Simplify administrator and support diagnostics around these services, based on those recommendations
To make this easier than ever, we use something we are all familiar with: a COLOR SCALE! Because we consider both the administrator-side and the end-user-side configuration, we go beyond the traffic-light colors (green, yellow, red) and borrow the universal pain assessment scale, and yes, it is a pain dealing every day, every week with end users who cannot manage their most basic identity lifecycle tasks: proving that they really are the ones trying to access your corporate assets!
But don’t you worry! We got you! Let us show you how to get the best experience possible!
Note that the following capabilities require:
- Customer to have AADP or sign-up for a trial (instructions come later)
- Customer to have E-Visor Teams app Basic (or higher!) deployed and configured (instructions at the end of the post)
Let’s get into the details so you can see what we can offer!
Improved Multi-Factor Experience [My personal information]
Empower your users through a simplified self-service configuration and simplify your IT support assistance to the end user
Let us show you how easy it is for the end user and admins to understand their current situation + BONUS POINTS we tell you how to improve whatever configuration you have according to our years of consulting and the latest best practices.
Let us walk you through the potential configuration stages:
Color | Box Message | What it means | Our recommendation to you |
White | Loading in progress | The application is gathering the data from your Microsoft 365 subscription | If the data does not refresh, use the refresh option, located at the top right of the section to refresh this specific app area. If none of the app areas are refreshing, go to the top area with the title BASIC and select reload data |
Dark Gray | Not Available (Organization not licensed) | Your organization does not have AADP, which is needed for premium MFA capabilities | Sign up for a trial and see how you can get your identity and access management for cloud and on-premises to the next level HERE |
Gray | Not Available (Organization licensed but user does not have a license) | Your organization has AADP but your user has not been assigned a subscription license | Here is a great opportunity for you to request your organization assign you a license! |
Red | Not Registered | Organization and licenses are assigned but you have not registered for the service yet | Go for it!!! Click the MFA box, located on the right side of the E-Visor app, which will take you to the web site to start your MFA Configuration!!! Then see the next two colors / stages to optimize your MFA configuration |
Orange | Registration incomplete / non-optimal configuration | You have registered, but you could still improve your settings. Note that Microsoft MFA does NOT force you to register more than one method | Register at least two authentication methods. We strongly recommend Microsoft Authenticator, since its push notification gives the user an interactive, context-aware confirmation that is harder to phish than a code. You may also have noticed the security key icon, which corresponds to FIDO2-compatible devices; these provide stronger protection than phone calls and text messages, which can be intercepted or redirected (for example through SIM swapping) |
Green | Registered with Optimal Configuration | You are good to go!! | This means you either:
This provides redundancy in case one method is not available |
Improved Self-Service Experience [My personal information]
E-Visor provides a simplified user view of the existing options and configuration so the user can review and edit their SSPR configuration at any point of time
Let’s walk you through the following stages:
Color | Box Message | What it means | Our recommendation to you |
White | Loading in progress | The application is gathering the data from your Microsoft 365 subscription | If the data does not refresh, use the refresh option, located at the top right of the section to refresh this specific app area. If none of the app areas are refreshing, go to the top area with the title BASIC and select reload data |
Dark Gray | Not Available (Organization not licensed) | Your organization does not have AADP, which is needed for premium SSPR capabilities | Sign up for a trial and see how you can take your identity and access management for cloud and on-premises to the next level HERE. Note that for users synchronized from on-premises Active Directory, password writeback must be configured (through Azure AD Connect) so that a reset made in the cloud also updates the on-premises password |
Gray | Not Available (Organization licensed but SSPR is not enabled) | Your organization has AADP but SSPR has not been enabled at the tenant level | Here is a great opportunity to leverage a capability you have already paid for! Give it a try; the next rows show how easy it is to control and limit who can use it |
Light Gray | Not Available (Organization licensed but user is not enabled) | Your organization has licenses and SSPR is enabled, but your user is not in the group that is allowed to use it | It seems some of your teammates are already using this feature, and it would be great for you to have it as well. This depends on license availability and your organization's internal decisions; when configured with strong methods it is secure, and it saves the organization time and money on support calls |
Red | Not Available (Organization licensed but user is not registered) | Organization and licenses are assigned but user has not registered for the service yet | Go for it!!! Click the right side of the E-Visor Self-Service Password Reset box, which will take you to the web site to start your SSPR Configuration!!! Then see the next three colors/stages to optimize your SSPR configuration |
Orange | Registration incomplete / non-optimal configuration | You have registered one authentication method, but you can still improve your settings. Note that your administrator decides how many methods SSPR requires for a reset (one or two), so a single method may not be enough | We recommend configuring at least two authentication methods, and we strongly recommend Microsoft Authenticator, as it provides a more secure and interactive confirmation from the user than the other mechanisms |
Yellow | Registration incomplete / non-optimal configuration | You have registered two SSPR methods; however, Authenticator is not one of them | This means you have two mechanisms registered; however, the most secure and reliable method, based on our experience, is Authenticator. We recommend registering the authenticator and then adding another method for redundancy |
Green | Registered with optimal configuration | You are good to go!! | This means you either:
This provides redundancy in case one method is not available |
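The two color tables above are, in effect, one decision procedure: license at the tenant, license or enablement for the user, registration, then the number and strength of the registered methods. The following is an added example, not E-Visor's or Microsoft's code, that re-implements that procedure so an administrator can produce the same colors for a whole tenant from exported registration data. The input field names mirror the Microsoft Graph userRegistrationDetails report (isMfaRegistered, isSsprEnabled, isSsprRegistered, methodsRegistered); the licensing flags and the tenant-wide SSPR switch are assumed inputs that the report does not carry, and the exact green threshold (two methods including Authenticator or a FIDO2 key) is this example's reading of the tables.

```python
"""Re-implementation of the post's MFA / SSPR color scale (added example).

Assumptions: the boolean license flags and sspr_tenant_enabled are supplied
by the caller; method names follow Graph's methodsRegistered values; the
green thresholds are inferred from the tables, not defined by E-Visor.
"""
from __future__ import annotations

from dataclasses import dataclass

# Method identifiers as used by Graph's methodsRegistered (assumed current values).
AUTHENTICATOR = frozenset({"microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless"})
PHISHING_RESISTANT = frozenset({"fido2SecurityKey", "windowsHelloForBusiness"})
STRONG = AUTHENTICATOR | PHISHING_RESISTANT

# Worst-first ordering used to prioritise support follow-up.
SEVERITY = ["red", "orange", "yellow", "light gray", "gray", "dark gray", "green"]


@dataclass(frozen=True)
class UserRegistration:
    upn: str
    tenant_licensed: bool             # tenant has AADP (assumed input)
    user_licensed: bool               # user holds an AADP license (assumed input)
    sspr_tenant_enabled: bool         # SSPR switched on for the tenant (assumed input)
    is_sspr_enabled: bool             # Graph: user is in scope of the SSPR policy
    is_mfa_registered: bool           # Graph: isMfaRegistered
    is_sspr_registered: bool          # Graph: isSsprRegistered
    methods: frozenset[str] = frozenset()  # Graph: methodsRegistered


def mfa_status(u: UserRegistration) -> tuple[str, str]:
    """Color and recommendation following the MFA table."""
    if not u.tenant_licensed:
        return "dark gray", "Organization not licensed: sign up for an AADP trial"
    if not u.user_licensed:
        return "gray", "User has no AADP license: request one"
    if not u.is_mfa_registered:
        return "red", "Not registered: open the MFA box and register"
    if len(u.methods) < 2 or not (u.methods & STRONG):
        return "orange", "Register a second method; add Authenticator or a FIDO2 key"
    return "green", "Optimal: redundant methods including a strong one"


def sspr_status(u: UserRegistration) -> tuple[str, str]:
    """Color and recommendation following the SSPR table."""
    if not u.tenant_licensed:
        return "dark gray", "Organization not licensed: sign up for an AADP trial"
    if not u.sspr_tenant_enabled:
        return "gray", "SSPR not enabled for the tenant: enable it"
    if not u.is_sspr_enabled:
        return "light gray", "User not in the SSPR-enabled group"
    if not u.is_sspr_registered:
        return "red", "Not registered: open the SSPR box and register"
    if len(u.methods) < 2:
        return "orange", "Register at least two methods, Authenticator first"
    if not (u.methods & AUTHENTICATOR):
        return "yellow", "Two methods registered but none is Authenticator"
    return "green", "Optimal: two or more methods including Authenticator"


def triage(users: list[UserRegistration]) -> list[tuple[str, str, str]]:
    """(upn, mfa color, sspr color) sorted so the most actionable users come first."""
    rows = [(u.upn, mfa_status(u)[0], sspr_status(u)[0]) for u in users]
    return sorted(rows, key=lambda r: min(SEVERITY.index(r[1]), SEVERITY.index(r[2])))


def sample_users() -> list[UserRegistration]:
    """Constructed sample data covering each branch of the tables (not real users)."""
    mk = lambda upn, **kw: UserRegistration(upn, **{**dict(
        tenant_licensed=True, user_licensed=True, sspr_tenant_enabled=True,
        is_sspr_enabled=True, is_mfa_registered=True, is_sspr_registered=True), **kw})
    return [
        mk("alice@example.test", tenant_licensed=False),
        mk("bob@example.test", user_licensed=False, is_sspr_enabled=False),
        mk("carol@example.test", methods=frozenset({"mobilePhone"})),
        mk("dave@example.test", methods=frozenset({"mobilePhone", "email"})),
        mk("erin@example.test", methods=frozenset({"microsoftAuthenticatorPush", "fido2SecurityKey"})),
        mk("frank@example.test", sspr_tenant_enabled=False,
           is_mfa_registered=False, is_sspr_registered=False),
    ]


if __name__ == "__main__":
    for upn, mfa, sspr in triage(sample_users()):
        print(f"{upn:22} MFA={mfa:10} SSPR={sspr}")
```

Feeding the real Graph report into `UserRegistration` is a matter of mapping the JSON fields; the value of the function is the ordering, which puts the users a help desk can act on (registered-but-weak, or capable-but-unregistered) ahead of those blocked by licensing decisions.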
Summary
In this blog, we presented how the E-Visor Teams App and AADP together provide the best of both worlds:
Microsoft's simplified, best-in-class ecosystem of authentication methods and security controls for users
- Strong authentication
- Self-service password reset
Simplified end user view with recommendations and actionable tasks immediately available from their daily collaboration tool using E-Visor Teams App
- Color-based status
- Best practices recommendations
- Quick links to places to go to configure the services
Go ahead and download the E-Visor Teams App HERE and follow the steps to get the app configured HERE:
- NOTE: the E-Visor Teams App Entry does NOT have the AADP capabilities; please contact us HERE to see how we can potentially facilitate E-Visor to a subset of your users, leveraging the Microsoft FastTrack Ready Program (LINK).
SNEAK PEEK:
Before letting you go, do not miss our next blog post on #passwordless authentication with Windows Hello and FIDO2 security keys, and how your organization can move up to the next level