ADFS High Availability with Multiple Microsoft 365 Domains Integration with AuthPoint

Deployment Overview

This document describes how to set up AuthPoint multi-factor authentication (MFA) for Active Directory Federation Services (ADFS) with high availability and multiple Microsoft 365 domains. In this configuration, AuthPoint is the identity provider.

ADFS must already be configured and deployed before you set up MFA with AuthPoint.

Integration Summary

The hardware and software used in this guide include:

  • ADFS v4.0
  • Windows Server 2016
  • Microsoft 365
  • WatchGuard Cloud

ADFS High Availability Authentication Data Flow with AuthPoint MFA

AuthPoint communicates with the AuthPoint agent for ADFS to perform multi-factor authentication. This diagram shows the data flow of an MFA transaction for ADFS with high availability and multiple Microsoft 365 domains.

Before You Begin

Before you begin these procedures, make sure that:

Configure AuthPoint

  1. Log in to WatchGuard Cloud.
  2. From the navigation menu, select Configure > AuthPoint. If you have a Service Provider account, you must select an account from Account Manager.
  3. Configure and install a primary and a secondary Gateway. For detailed instructions to configure AuthPoint Gateways, see About Gateways.
  4. From the AuthPoint navigation menu, select Resources.
  5. From the Choose a resource type drop-down list, select ADFS. Click Add.
  6. In the Name text box, type a descriptive name for the resource.
  7. Click Save.
  8. Repeat Steps 4 to 7 to create a second ADFS resource. You need one ADFS resource for each ADFS server.
  9. If you do not have a group, you must add one now.
    1. Go to Configure > Directories and Domain Services.
    2. If you have not added the WatchGuard Cloud Directory authentication domain, click Add Authentication Domain. Select the WatchGuard Cloud Directory and click Next.
    3. On the Directories and Domains page, click the WatchGuard Cloud Directory domain name.
    4. Click Add Group.
      The New Group page appears.
    5. In the Name text box, type a descriptive name for the group.
    6. (Optional) In the Description text box, type a description of the group.
    7. Click Save.
      Your group is added to the WatchGuard Cloud Directory and to AuthPoint.
  10. Go to Configure > Zero Trust.
  11. Click Add Policy. If you already have authentication policies, you can edit an existing policy to add your ADFS resources to it. In our example, we add a new authentication policy.
  12. Type a name for this policy.
  13. In the Target section, from the Content drop-down list, select the groups this policy applies to. You can select multiple groups.
  14. In the Resources section, select both of your ADFS resources. Both ADFS resources must be in the same authentication policy.
  15. In the Conditions section, select the conditions that apply to this policy. When you add a condition to an authentication policy, the policy applies only to user authentications that match both the policy and its conditions. For example, if you add a time schedule to a policy, the policy applies only to authentications that occur within that schedule. Users whose only policy includes a time schedule cannot access the resource when they authenticate outside the allowed times, because no policy applies to them, not because authentication is explicitly denied. For more information, go to About Zero Trust Conditions.

    If you add conditions to a policy, we recommend that you create a second policy for the same groups and resources without the conditions, and assign the higher priority to the policy that has the conditions. For more information about priority, go to About Zero Trust Policy Precedence.

  16. In the Action section, select whether to allow or deny authentications for the resources in this policy. In our example, we allow authentications.
    • Allow — Allow the user groups in this policy access to the resources associated with this policy.
    • Deny — Deny authentication when users in the groups associated with this policy try to authenticate to the resources associated with this policy.
  17. If you allow access with this policy, select the check box for each authentication option users can choose when they authenticate to resources in this policy with MFA.

    With Fireware v12.7.2 and higher, if you enable both the Push and OTP authentication methods for a policy, users can choose which method to use.

    QR code authentication is not supported for Firebox resources.

  18. Click Save.

    Your policy is created and added to the end of the policy list.
  19. Review the order of your policies and adjust as necessary. For more information about priority, go to About Zero Trust Policy Precedence.
  20. Go to Configure > AuthPoint.
  21. From the AuthPoint navigation menu, select Gateway.
  22. Click the name of your primary Gateway to edit it.
  23. In the ADFS section, from the Select an ADFS resource list, select both of your ADFS resources to add them to the Gateway.
  24. Click Save.
  25. From the AuthPoint navigation menu, select Downloads.
  26. In the ADFS section, click Download Installer and Download Config. To download the configuration file, you must have an ADFS resource and your installed Gateway must be version 4.0.0 or higher.

    You must download the configuration file for each ADFS resource.

  27. Open the configuration file for each of your ADFS resources and manually add the IP address of your secondary Gateway as one more entry at the end of the agentAddresses array. The entry has this format: ,{"ip":"<secondary Gateway IP address>","port":9003}

    Below is an example of a configuration file before and after the IP address of the secondary Gateway is added. In our example, the IP address of the primary Gateway is 192.168.86.39 and the IP address of the secondary Gateway is 192.168.77.15.

    Initial configuration file content

    {"accountId":"<your account id>","resourceId":<your resource id>,"resourceName":"<your resource name>","agentAddresses":[{"ip":"127.0.0.1","port":9003},{"ip":"192.168.86.39","port":9003}]}

    Configuration file after we add the IP address of the secondary Gateway

    {"accountId":"<your account id>","resourceId":<your resource id>,"resourceName":"<your resource name>","agentAddresses":[{"ip":"127.0.0.1","port":9003},{"ip":"192.168.86.39","port":9003},{"ip":"192.168.77.15","port":9003}]}

  28. Move the ADFS agent installer and one of the configuration files to each of your ADFS servers. Make sure the installer and the configuration file are in the same folder.

    The two ADFS configuration files are unique. Make sure each ADFS server has a different configuration file.

  29. Run the installer on the first (primary) ADFS server to install the ADFS agent. Do not install the agent on the second ADFS server yet.
  30. When the ADFS agent is installed on the first server, go to the secondary ADFS server and run this PowerShell command as an administrator:
    Set-AdfsSyncProperties -Role "PrimaryComputer"

    This command makes the secondary ADFS server the primary ADFS server. You must do this because the AuthPoint agent for ADFS can only be installed on the primary ADFS server. Make no other ADFS configuration changes while the server is temporarily primary.

  31. Run the installer on the second ADFS server to install the ADFS agent.
  32. When the ADFS agent is installed, run this PowerShell command to change the ADFS server role back to secondary:
    Set-AdfsSyncProperties -Role "SecondaryComputer" -PrimaryComputerName "<FQDN of primary server>"
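The configuration-file edit and the role swap above are easy to get wrong by hand (a malformed JSON array, or a secondary node left claiming the primary role if the installer fails). The following PowerShell is an added example, not WatchGuard's code, that scripts those two pieces with checks. It assumes the exported files are named adfs-node1.json and adfs-node2.json and the installer is AuthPointADFSAgent.exe (all three names are made up here), that the secondary Gateway is 192.168.77.15 as in the guide, and that the ADFS farm uses the Windows Internal Database; Set-AdfsSyncProperties has no meaning on a SQL-backed farm, which has no primary or secondary role.

```powershell
#Requires -RunAsAdministrator
# Added example (not WatchGuard's code). Run on each ADFS server as an administrator.

function Add-AuthPointGatewayAddress {
    # Appends {"ip":..,"port":..} to the agentAddresses array of one exported
    # AuthPoint ADFS configuration file, without duplicating an existing entry.
    param(
        [Parameter(Mandatory)] [string] $ConfigPath,
        [Parameter(Mandatory)] [string] $GatewayIp,
        [int] $Port = 9003   # port the guide's exported files use
    )
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($GatewayIp, [ref]$parsed)) {
        throw "Not a valid IP address: $GatewayIp"
    }
    $config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
    $addresses = @($config.agentAddresses)
    $already = $addresses | Where-Object { $_.ip -eq $GatewayIp -and $_.port -eq $Port }
    if (-not $already) {
        $config.agentAddresses = $addresses + [pscustomobject]@{ ip = $GatewayIp; port = $Port }
        # -Compress keeps the single-line layout of the exported file;
        # WriteAllText writes UTF-8 without a byte-order mark.
        $json = $config | ConvertTo-Json -Compress -Depth 5
        [System.IO.File]::WriteAllText($ConfigPath, $json)
    }
    return $config
}

function Install-AuthPointAgentOnSecondaryNode {
    # Temporarily promotes this WID-farm secondary to PrimaryComputer, runs the
    # agent installer, then hands the primary role back to the real primary.
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $PrimaryComputerName   # FQDN of the real primary
    )
    $before = Get-AdfsSyncProperties
    if ($before.Role -ne 'SecondaryComputer') {
        throw "Run this on a secondary node only; this node reports Role=$($before.Role)"
    }
    Set-AdfsSyncProperties -Role 'PrimaryComputer'
    try {
        # The installer is interactive; -Wait blocks until it exits.
        $proc = Start-Process -FilePath $InstallerPath -Wait -PassThru
        # 3010 is the Windows Installer code for "success, reboot required".
        if ($proc.ExitCode -notin 0, 3010) { throw "Installer exited with code $($proc.ExitCode)" }
    }
    finally {
        # Always restore the secondary role, even when the installer fails,
        # so the farm is never left with two nodes that claim to be primary.
        Set-AdfsSyncProperties -Role 'SecondaryComputer' -PrimaryComputerName $PrimaryComputerName
    }
    $after = Get-AdfsSyncProperties
    if ($after.Role -ne 'SecondaryComputer' -or $after.PrimaryComputerName -ne $PrimaryComputerName) {
        throw "Role was not restored. Current sync properties: $($after | Out-String)"
    }
    return $after
}

# On the primary ADFS server (installer and config file in the same folder):
Add-AuthPointGatewayAddress -ConfigPath 'C:\AuthPoint\adfs-node1.json' -GatewayIp '192.168.77.15'

# On the secondary ADFS server, after the agent is installed on the primary:
Add-AuthPointGatewayAddress -ConfigPath 'C:\AuthPoint\adfs-node2.json' -GatewayIp '192.168.77.15'
Install-AuthPointAgentOnSecondaryNode -InstallerPath 'C:\AuthPoint\AuthPointADFSAgent.exe' `
                                      -PrimaryComputerName 'adfs1.example.com'
```

The try/finally is the point of the second function: if the installer aborts, the node still returns to SecondaryComputer with the correct -PrimaryComputerName, and the final Get-AdfsSyncProperties check fails loudly if it did not.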

Configure ADFS

Before we enable AuthPoint MFA for ADFS, we must federate ADFS with Microsoft 365. In this guide, we run the commands on the ADFS server so that we do not have to run extra commands to connect to ADFS. You can also run these commands on your Active Directory server, but that requires additional commands to connect to ADFS.

  1. Refer to Connect with the Microsoft Azure Active Directory Module for Windows PowerShell to prepare your environment for identity federation.
  2. Launch the Windows Azure Active Directory Module for Windows PowerShell that you configured in the previous step. Type Connect-MsolService and log in with your Microsoft 365 administrator credentials.

    The default domain and initial domain in Microsoft 365 cannot be federated. You must register another domain with Microsoft 365, or follow the Microsoft guidelines to connect an existing domain to the Microsoft 365 service. The configured domain can then be used when you configure AuthPoint. For this integration, you must prepare at least two different domains that are verified in Azure AD.

  3. Type Get-MsolDomain to return the status of your domains. Make sure that the status of each domain is Verified and its authentication type is Managed.
  4. Run this PowerShell command for your first domain, then run it again for your second domain. The -SupportMultipleDomain switch is required when more than one domain is federated to the same ADFS farm, so that each domain gets its own issuer URI:

    Convert-MsolDomainToFederated -DomainName <your domain name> -SupportMultipleDomain

  5. You now have a federated relationship between ADFS and Azure AD. All users with a federated domain suffix who log in to Microsoft 365 are redirected to ADFS for authentication.
  6. Open ADFS Management.
  7. Select Service > Authentication Methods.
  8. In the Multi-factor Authentication Methods section, click Edit.
  9. In the Edit Authentication Methods window, select WatchGuard Multi Factor Authentication. Click OK.
  10. Select Relying Party Trusts.
  11. Right-click the trust for your Microsoft 365 resource and select Edit Access Control Policy. If this is the first time you have used this window, you must click Use access control policy in the window that opens.
  12. Select Permit everyone and require MFA. Click OK. You can also customize the policy based on your organization's requirements.
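The whole ADFS-side procedure above can be scripted and verified from the primary ADFS server. The PowerShell below is an added example, not WatchGuard's or Microsoft's code. It assumes two verified domains named contoso.com and fabrikam.com (made up here), that the relying party trust Convert-MsolDomainToFederated creates keeps its default name "Microsoft Office 365 Identity Platform" (check with Get-AdfsRelyingPartyTrust), and that the AuthPoint agent registers an ADFS authentication provider whose name or admin name contains "WatchGuard". It uses the MSOnline module the guide uses; Microsoft has since announced that module's retirement, so check current guidance before relying on it.

```powershell
#Requires -RunAsAdministrator
# Added example (not WatchGuard's or Microsoft's code). Run on the primary ADFS server.
Import-Module MSOnline
Import-Module ADFS

$Domains = @('contoso.com', 'fabrikam.com')                 # assumption: your federated domains
$RelyingPartyName = 'Microsoft Office 365 Identity Platform' # assumption: default trust name

function Convert-DomainsToFederated {
    # Steps 2 to 4: federate each domain and verify the result.
    param([Parameter(Mandatory)] [string[]] $DomainNames)
    Connect-MsolService
    foreach ($name in $DomainNames) {
        $d = Get-MsolDomain -DomainName $name
        if ($d.Status -ne 'Verified') { throw "$name is not verified in Azure AD" }
        if ($d.Authentication -eq 'Federated') {
            Write-Host "$name is already federated, skipping"
            continue
        }
        # -SupportMultipleDomain gives each domain its own IssuerUri so that
        # several domains can point at the same ADFS farm.
        Convert-MsolDomainToFederated -DomainName $name -SupportMultipleDomain
    }
    # Verify: every domain now reports Federated and a distinct IssuerUri.
    $settings = foreach ($name in $DomainNames) {
        if ((Get-MsolDomain -DomainName $name).Authentication -ne 'Federated') {
            throw "$name is still not federated"
        }
        Get-MsolDomainFederationSettings -DomainName $name |
            Select-Object @{ n = 'Domain'; e = { $name } }, IssuerUri, PassiveLogOnUri
    }
    $distinct = @($settings.IssuerUri | Sort-Object -Unique).Count
    if ($distinct -ne $DomainNames.Count) { throw 'IssuerUri values are not unique per domain' }
    return $settings
}

function Enable-AuthPointMfaForMicrosoft365 {
    # Steps 7 to 12: enable the WatchGuard MFA provider and require MFA on the trust.
    param([Parameter(Mandatory)] [string] $RelyingPartyName)
    # Assumption: the provider registered by the agent installer is identifiable by "WatchGuard".
    $provider = Get-AdfsAuthenticationProvider |
        Where-Object { $_.Name -like '*WatchGuard*' -or $_.AdminName -like '*WatchGuard*' } |
        Select-Object -First 1
    if (-not $provider) { throw 'No WatchGuard authentication provider is registered on this farm' }
    $policy = Get-AdfsGlobalAuthenticationPolicy
    $enabled = @($policy.AdditionalAuthenticationProvider)
    if ($enabled -notcontains $provider.Name) {
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($enabled + $provider.Name)
    }
    $trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $trust) { throw "Relying party trust '$RelyingPartyName' not found" }
    Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName `
                              -AccessControlPolicyName 'Permit everyone and require MFA'
    return Get-AdfsRelyingPartyTrust -Name $RelyingPartyName |
        Select-Object Name, AccessControlPolicyName, Enabled
}

Convert-DomainsToFederated -DomainNames $Domains | Format-Table -AutoSize
Enable-AuthPointMfaForMicrosoft365 -RelyingPartyName $RelyingPartyName
```

The IssuerUri uniqueness check is the practitioner's test that -SupportMultipleDomain actually took effect: if two federated domains report the same IssuerUri, Azure AD cannot tell which domain an ADFS token was issued for. Once the domains are federated, every sign-in for those suffixes depends on the ADFS farm being reachable, which is why this guide deploys two ADFS servers and two Gateways.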

Synchronize Users from Your Active Directory

You must sync your on-premises AD users (the same users you sync to Azure AD) to AuthPoint so that ADFS, Microsoft 365, and AuthPoint all recognize the same user accounts.

  1. To sync users to AuthPoint from Active Directory, you must add an external identity in AuthPoint. External identities connect to user databases to get user account information and validate passwords. For detailed instructions, see Sync Users from Active Directory or LDAP.
  2. You must also sync your on-premises Active Directory users to Azure AD with the Azure Active Directory Connect tool, so that the same users exist in AuthPoint, Azure AD, and your on-premises Active Directory. For detailed instructions, see Sync Users from Active Directory to Azure Active Directory.

Test the Integration

To test AuthPoint MFA for Microsoft 365 and ADFS with high availability, you can authenticate with a mobile token on your mobile device with any method (push, QR code, or one-time password).

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

  1. In a web browser, go to the Microsoft 365 URL.
  2. Type your email address. Click Next.
    You are redirected to the ADFS SSO page.
  3. Type your password.
    When the authentication for the first factor is complete, you are redirected to the AuthPoint authentication page.
  4. Click Send Push.
  5. Approve the authentication request that is sent to your mobile device.
    You are logged in to Microsoft 365.