This topic includes recommendations and best practices to help you configure and deploy AuthPoint multi-factor authentication (MFA). Each section describes some of the requirements and commonly missed steps required to set up AuthPoint.
This is not a comprehensive guide. For complete and detailed steps to configure AuthPoint, see the help topics for each integration.
Sync Users from Active Directory
When you configure an external identity:
- If your Active Directory instance does not use LDAPS, you must disable the LDAPS toggle for the external identity. When you do this, the default port changes from 636 to 389. Plain LDAP on port 389 is not encrypted, so the directory traffic, including the synced user attributes, crosses the network in cleartext; keep LDAPS enabled wherever the domain controller supports it.
- We recommend that you use the group sync feature to sync your users because it is easier to configure than an advanced query.
- If you create a new Office 365 user account and immediately sync the user from Active Directory, the mailbox for that user account might not be active yet when AuthPoint sends the token activation email. In this scenario, the token activation email is not delivered and the email address is added to a block list in AuthPoint. We recommend that the user activate their token from the IdP portal instead (see Activate a Software Token).
For more information about external identities, see About External Identities. For detailed instructions to configure an external identity and sync users from Active Directory or an LDAP database, see Sync Users from Active Directory or LDAP.
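Before you turn the LDAPS toggle off, it is worth confirming what the domain controller actually offers. The PowerShell function below is an added example, not part of the AuthPoint documentation or product: it opens a TCP connection to a domain controller on port 636 (or on 389 with -Plain), and for 636 completes a TLS handshake and reports the certificate subject, expiry and whether the certificate chains to a CA the local machine trusts. The host name dc01.example.com is a placeholder.

```powershell
# Added example, not from the AuthPoint documentation. Checks whether a domain
# controller answers on the LDAPS port (636) with a usable TLS certificate, or
# only on plain LDAP (389). Run it before you decide how to set the LDAPS toggle
# on the AuthPoint external identity. The host name used below is a placeholder.
function Test-LdapEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        # Default is LDAPS on 636; -Plain tests cleartext LDAP on 389 instead.
        [switch] $Plain
    )

    $port   = if ($Plain) { 389 } else { 636 }
    $result = [ordered]@{
        Server    = $Server
        Port      = $port
        Reachable = $false
        Tls       = $false
        Subject   = $null
        NotAfter  = $null
        ChainOk   = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $port)
        $result.Reachable = $true

        if (-not $Plain) {
            # Accept any certificate for the handshake so it can be inspected;
            # trust is evaluated separately with X509Chain below.
            $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
            $ssl.AuthenticateAsClient($Server)

            $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

            $result.Tls      = $true
            $result.Subject  = $cert.Subject
            $result.NotAfter = $cert.NotAfter
            # $false here means the certificate does not chain to a CA this machine
            # trusts (self-signed DC certificate, missing intermediate, expired, ...).
            $result.ChainOk  = $chain.Build($cert)
            $ssl.Dispose()
        }
    }
    catch {
        # Connection refused or timed out, or the TLS handshake failed: report
        # what was learned plus the error text instead of throwing.
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }

    [pscustomobject] $result
}

# Usage: test both ports for a placeholder domain controller.
Test-LdapEndpoint -Server 'dc01.example.com'
Test-LdapEndpoint -Server 'dc01.example.com' -Plain
```

If the 636 result shows Reachable and Tls as $true, leave the LDAPS toggle on; if only the 389 probe succeeds, you are choosing cleartext LDAP knowingly. A ChainOk of $false with Tls $true usually means the domain controller certificate is self-signed or issued by an internal CA that the probing machine does not trust, which is something to resolve on the certificate side rather than by disabling LDAPS.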
MFA for Computers and Servers
The Logon app enables you to require MFA when users log in to a computer or server. This includes protection for RDP and RD Gateway.
Before you install the Logon app, make sure that:
- Users can already log in to the computer or server on which you will install the Logon app.
- Users have an AuthPoint user account and an active AuthPoint token.
When you set up and deploy the Logon app:
- The computer you install the Logon app on must be connected to the Internet when you log in for the first time.
- The Logon app installer can run from a Windows command prompt, so you can deploy it remotely to multiple computers through an Active Directory Group Policy Object (GPO).
- When you install the Logon app, MFA is required for local and remote access.
- If you use RD Gateway for remote connections, to require MFA you must install the Logon app on the computers that users connect to. To allow users to log in locally without MFA, configure your company network as a safe location. A safe location exempts every login that originates from that network, so keep the address range as narrow as you can.
For detailed instructions to configure and install the Logon app, see Configure MFA for a Computer or Server.
MFA for RD Web
The AuthPoint agent for RD Web adds the protection of MFA to RD Web Access. When you configure the agent for RD Web, users must authenticate to access the RD Web page.
- After you install or upgrade the agent for RD Web, we recommend that you reboot the server.
- When the user selects an application on the RD Web Access page, the behavior depends on the web browser:
  - Internet Explorer — The application opens directly in the browser.
  - Other browsers — An .rdp file downloads. The user must run the .rdp file and type their login credentials to access the application.
  Connections through an .rdp file are not protected by MFA. To require MFA for direct access to these applications, we recommend that you install the Logon app on the servers that host them.
For detailed instructions to configure and install the AuthPoint agent for RD Web, see About the AuthPoint Agent for RD Web.
MFA for Office 365
When you configure AuthPoint MFA for Office 365, be aware of these recommendations and requirements:
- To use AuthPoint MFA (SAML), your Office 365 domain must be federated. When your Office 365 domain is federated, Office 365 forwards user logins for that domain to the identity provider (AuthPoint) for authentication.
- Because federation applies to the whole domain, every user in the federated domain who signs in to Office 365 must have an AuthPoint license and an AuthPoint user account.
- If you have older client applications (for example, applications based on SMTP, POP, or IMAP) or if you have devices that are part of the Office 365 domain but do not have a UI (such as a printer), you must enable the Basic Authentication toggle when you configure an access policy for your Office 365 resource. These clients cannot complete MFA, so the toggle lets them authenticate with a password only; enable it only in the access policies that need it. Note also that Microsoft has disabled Basic Authentication for most Exchange Online protocols, so check whether those clients still work before you rely on this setting.
- To stagger the implementation of AuthPoint MFA for Office 365, you can add users to different groups in AuthPoint and configure the access policies to require only a password for one group and MFA for another group. As you roll out AuthPoint, move users from the first group (password only) to the second group (MFA with push, OTP, or QR code).
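The staggered rollout described above, as an added example that is not part of the AuthPoint documentation: it assumes the two AuthPoint groups are populated by group sync from two Active Directory groups, here the placeholder names AuthPoint-PasswordOnly and AuthPoint-MFA, and moves one wave of users from the first to the second with the ActiveDirectory PowerShell module, logging who moved so the communication plan and any rollback have a record.

```powershell
# Added example, not from the AuthPoint documentation. Moves one wave of users
# from the password-only rollout group to the MFA group. Assumes the AuthPoint
# groups are kept in step with these Active Directory groups by group sync;
# the group names are placeholders.
#Requires -Modules ActiveDirectory

function Move-MfaRolloutBatch {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $FromGroup = 'AuthPoint-PasswordOnly',
        [string] $ToGroup   = 'AuthPoint-MFA',
        # How many users to move in this wave.
        [int]    $BatchSize = 25,
        # Log of who moved, for the communication plan and for rollback.
        [string] $LogPath   = "$env:TEMP\authpoint-rollout.csv"
    )

    # Users still on password-only, oldest accounts first so the order is
    # deterministic between runs. Only user objects are considered; nested
    # groups or computers in the rollout group are skipped.
    $pending = Get-ADGroupMember -Identity $FromGroup |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties mail, whenCreated |
        Sort-Object whenCreated |
        Select-Object -First $BatchSize

    if (-not $pending) {
        Write-Verbose "No users left in $FromGroup; rollout complete."
        return @()
    }

    $moved = foreach ($user in $pending) {
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Move $FromGroup -> $ToGroup")) {
            # Add first, then remove, so a failure between the two calls leaves
            # the user in both groups rather than in neither.
            Add-ADGroupMember    -Identity $ToGroup   -Members $user
            Remove-ADGroupMember -Identity $FromGroup -Members $user -Confirm:$false
            [pscustomobject]@{
                When           = (Get-Date).ToString('s')
                SamAccountName = $user.SamAccountName
                Mail           = $user.mail
                FromGroup      = $FromGroup
                ToGroup        = $ToGroup
            }
        }
    }

    if ($moved) { $moved | Export-Csv -Path $LogPath -Append -NoTypeInformation }
    $moved
}

# Preview the next wave without changing anything, then run it for real.
Move-MfaRolloutBatch -BatchSize 25 -WhatIf
Move-MfaRolloutBatch -BatchSize 25 -Verbose
```

Run the -WhatIf form first and hand the list to the users in that wave before the real run. Between the two group calls a user is briefly a member of both groups; check how your access policies resolve that overlap, and how long group sync takes to propagate, before running this against production.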
We recommend that you create a comprehensive communication plan that explains to your users how to use MFA and what steps they must complete. To introduce AuthPoint to end users, see AuthPoint for End-Users.
For detailed steps to configure AuthPoint MFA for Office 365, see Office 365 Integration with AuthPoint.
MFA for ADFS
The AuthPoint ADFS agent adds MFA to ADFS logins.
- If you already use ADFS, we recommend that you install the AuthPoint ADFS agent to add the protection of MFA.
- If you do not already use ADFS, it might not make sense to deploy it only for AuthPoint MFA. ADFS requires servers, licenses, and maintenance.
ADFS gives you more flexibility to add MFA to on-premises applications and to configure different rules for different groups of users. For example, with ADFS you can add MFA to Office 365 for specific Active Directory groups only. Unlike the SAML (federated domain) integration, you do not have to purchase AuthPoint licenses for users in the groups that are not required to use MFA.
For detailed instructions to configure AuthPoint MFA for ADFS, see Configure MFA for ADFS.
Sync Users from Azure Active Directory
When you sync users from Azure AD, be aware of these recommendations and requirements:
- Azure AD users must log in to an Azure application to update their password before they can authenticate to AuthPoint resources (the applications and services that require MFA).
- Azure AD users can only use the Logon app if the Windows computer is joined to the Azure AD domain.
- You do not need to install the AuthPoint Gateway to sync users from Azure AD.
- Because of a Microsoft limitation, Office 365 only supports AuthPoint MFA for Azure AD users if they are synced with a local AD server. Office 365 does not support MFA for users that only exist in Azure AD. For more information, see this Knowledge Base article.
For detailed instructions to sync users from Azure AD, see Sync Users from Azure Active Directory.