Office 365 - Bypass AuthPoint for Deskbound users

Hi,

We are trialing AuthPoint for Office 365. We have around 10 users actively using Office 365 but only 5 AuthPoint trial users (we'll be growing to 200+ users over the next 12 months).

I've implemented "safe locations" for our 5 users and it seems to work well, but unfortunately the safe locations don't apply to the other 5 users who don't have an account in AuthPoint, so it continues to prompt for username/password. Now those users cannot access Office 365 as I don't have any spare accounts, and seeing as the federation of the domain on Office 365 is global, there is no way to bypass this.

It has also occurred to me that Safe Locations is only group based, meaning it only works for users that are registered in AuthPoint. Does this mean that every user I want to use Office 365 needs to have an AuthPoint account, even though most are deskbound and will never use MFA as they'll only be connecting from inside a "safe location"?

If so, it seems odd to be forced to pay for accounts that won't be using the service. Shouldn't "Safe locations" be available to be assigned at the resource level so AuthPoint is bypassed completely? I don't really see the point if you have to essentially log into AuthPoint before the safe locations come into play.

Also, is there any way to make the logon process seamless? Users have to type their username/email address into the WatchGuard AuthPoint prompt even from a safe location, which breaks the Seamless SSO solution implemented with Office 365. I guess this wouldn't be an issue if the Safe Locations were applied at the resource level...?

Cheers,
Ben

Comments

  • Anyone have any thoughts?

  • James_Carson (WatchGuard Representative)

    Hi Ben,

    Thanks for writing.

    For Office 365, the option is really all or nothing. While AuthPoint does support having users set as password only, those users have to exist in AuthPoint for that to work. Setting a safe location still funnels authentication through AuthPoint; it just removes the MFA part and only asks for the password via AuthPoint.

    Unfortunately, at this time, there's not really a way for Office 365 to bypass on a per-user basis (and one could argue, if it did, that a malicious user could sit out on the Office 365 login page looking for users that redirect to a different portal).

    Basically, think of safe locations as a doorman for a club that knows you: the doorman might not ask to see your ID, but you still have to walk by him. There's no way to completely bypass the doorman; their check is just more relaxed.

    For services like SSLVPN or Firebox Authentication, where we can specify the logon server, there is a way to use a different door to get in (if that's been enabled). Office 365 (and anything SAML) is always going to redirect to the auth portal.

    Thank you,

    -James Carson
    WatchGuard Customer Support
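    To make the "all or nothing" point concrete, here is a small model of the two decisions involved, added to this thread as an illustration (it is not WatchGuard or Microsoft code): the service provider sends every user of a federated domain to the IdP, and only then does the IdP apply its per-user and per-location policy. The domain name, IdP URL, user list and office network range are all constructed values.

```python
import ipaddress
from typing import Optional

# Constructed data for this illustration only (hypothetical domain, IdP URL and users).
FEDERATED_DOMAINS = {"example.com": "https://idp.example.invalid/saml"}
AUTHPOINT_USERS = {"alice@example.com", "bob@example.com"}   # users licensed in the IdP
SAFE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # office range (TEST-NET-3)


def sp_login_redirect(username: str) -> Optional[str]:
    """Service-provider side (Office 365 in the thread).

    Federation is a property of the whole domain, so the SP decides purely on the
    domain suffix and never consults the IdP's user list: every user of a federated
    domain is redirected to the IdP before any cloud-side password check happens.
    """
    domain = username.rpartition("@")[2].lower()
    return FEDERATED_DOMAINS.get(domain)


def idp_decision(username: str, source_ip: str) -> str:
    """Identity-provider side (AuthPoint in the thread).

    Policy can only apply to users the IdP knows about. A safe location relaxes
    the MFA factor for a known user; it does not remove the IdP step itself,
    and an unknown user is simply rejected here.
    """
    if username not in AUTHPOINT_USERS:
        return "deny: unknown user"
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in SAFE_NETWORKS):
        return "password-only"
    return "password+mfa"


def login(username: str, source_ip: str) -> str:
    """Full path as a user sees it: SP redirect first, IdP policy second."""
    idp = sp_login_redirect(username)
    if idp is None:
        return "cloud-managed (not federated)"
    return f"redirect -> {idp}: {idp_decision(username, source_ip)}"


if __name__ == "__main__":
    for user, ip in [("alice@example.com", "203.0.113.10"),   # known user, office
                     ("alice@example.com", "198.51.100.7"),   # known user, remote
                     ("carol@example.com", "203.0.113.10"),   # not in AuthPoint
                     ("dave@other.example", "203.0.113.10")]: # non-federated domain
        print(f"{user:22} from {ip:15} -> {login(user, ip)}")
```

    Running it shows that carol, who is in the office but not in AuthPoint, is still redirected and then denied, which is exactly the situation described in the original post.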

  • Thanks for the information James.

    My understanding of SAML isn't great but I believe I've got more of a grasp of it now.

    I was incorrectly thinking that the user account was initially being authenticated with Azure AD first and then being redirected to the auth portal. This was because we had already set up SSO with Office 365, so we didn't have to type in passwords and the SAML process appeared the same, but now I understand that Azure AD is effectively bypassed altogether.

    The problem I'll still have, though, is trying to justify charging areas of our business for a product they won't ever really be using (desk-bound users) and that will actually be hindering their ability to use a product (O365) by adding an additional step, the login with AuthPoint, as this part doesn't appear seamless.

    We'll have to look at alternative solutions unfortunately as the per user subscription isn't cost effective for us in this scenario.

    Cheers,
    Ben

  • James_Carson (WatchGuard Representative)

    Hi Ben,

    Thanks for the reply.

    No problem at all, and I wish you the best in finding something that fits your needs. If you have any specific changes to the product you'd like to see, I'd be happy to request them from that specific team.

    Thank you,

    -James Carson
    WatchGuard Customer Support
