AuthPoint - Office 365 integration

I understand the limitation from Microsoft, but is there any way we can add the ability to whitelist accounts from MFA on the SAML integration in the cloud portal, just like the Logon App? Especially while Microsoft does not have a date for when they will allow AuthPoint as either a Conditional Access tool or something else.... I understand Microsoft is pushing you to the wall, but there has to be something done about this stiff "all or nothing" limitation of AuthPoint's current 365 integration; it completely undoes the simplicity of the Duo setup.

There are certain things like Teams Rooms that don't support MFA at all and need to be whitelisted in order to work... I understand we could use ADFS to filter by groups, but that doesn't work very well when your internal domain is different from the public one....

https://docs.microsoft.com/en-us/microsoftteams/rooms/rooms-authentication

"MFA isn't supported regardless of the topology you have."

This is becoming a drag and makes it really hard to sell AuthPoint when there are flexible MFA solutions like Duo or Microsoft MFA...

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi Tristan --
    You should be able to make an AuthPoint group that only requires a password -- it's just that it will still go through the whole "Microsoft modern authentication" process. E.g., the user still sees the AuthPoint logo, they still go through those windows, they just don't have to do a push.

    Are you trying to skip that altogether, or just not to have to do an MFA/token/push?

    -James Carson
    WatchGuard Customer Support

  • I am trying to skip that altogether.
  • james.carson Moderator, WatchGuard Representative

    @Tristan_Colo
    Since the SAML provider is acting as the authentication provider at that point, and it's an all-or-nothing type option, there isn't really a way to do it here. Office 365 uses an all-or-nothing approach: they point everyone at the SAML provider or nobody.

    If Microsoft allows a way to (for example) push a specific group or list of users to SAML, this could potentially be possible -- at this time it's not.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson I figured out how to do this.... I ended up just changing the Teams Rooms to .onmicrosoft.com accounts and setting up the domains as aliases so they can still be emailed....

    It is annoying that we have to do it this way... it'd be nice if there was a feature similar to the Logon App that whitelisted accounts....

    Or it'd be nice to see what/if WatchGuard is doing to push Microsoft on giving them a simple integration option similar to Duo....

    That said, I am aware of the announcement explaining why this isn't an option, but we have heard nothing from Microsoft and have also seen nothing on WatchGuard's end on how/if they are pressing Microsoft to get this functionality out as soon as possible.

  • @James_Carson said:
    Hi Tristan --
    You should be able to make an AuthPoint group that only requires a password -- it's just that it will still go through the whole "Microsoft modern authentication" process. E.g., the user still sees the AuthPoint logo, they still go through those windows, they just don't have to do a push.

    Are you trying to skip that altogether, or just not to have to do an MFA/token/push?

    Thanks for your response. I was able to find the fix earlier.... now on to fixing Azure domain joining.

  • On 5/3/24 Microsoft announced the public preview of External Authentication Methods (Preview), which will enable MFA providers (WatchGuard) and MSPs (you) to add an MFA provider to your customers' Entra ID tenant. The preview is open now, and we will announce our beta later this year. Learn more before the beta: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage