Office 365 - Bypass AuthPoint for Deskbound users

Hi,

We are trialing AuthPoint for Office 365 - We have around 10 users actively using Office 365 but only 5 AuthPoint trial users. (We'll be growing to 200+ users over the next 12 months.)

I've implemented "safe locations" for our 5 users and it seems to work well, but unfortunately the safe locations don't apply to the other 5 users who don't have an account in AuthPoint so it continues to prompt for username/password - And now those users cannot access Office 365 as I don't have any spare accounts, and seeing as the federation of the domain on Office 365 is global there is no way to bypass this.

It has also occurred to me that the Safe Locations is only group based, meaning it only works for users that are registered on AuthPoint - Does this mean that every user that I want to use Office 365 needs to have an AuthPoint account even though most are deskbound and will never use MFA as they'll only be connecting from inside a "safe location"?

If so, it seems odd to be forced to pay for accounts that won't be using the service - Shouldn't the "Safe locations" be available to be assigned at the resource level so AuthPoint is bypassed completely? I don't really see the point if you have to essentially log into AuthPoint before the safe locations come into play.

Also, is there any way to make the logon process seamless? Users have to type in their username/email address into the WatchGuard AuthPoint prompt even from a safe location, which breaks the Seamless SSO solution implemented with Office 365. I guess this wouldn't be an issue if the Safe Locations were applied at the resource level...?

Cheers,
Ben

Comments

  • Anyone have any thoughts?

  • james.carson Moderator, WatchGuard Representative

    Hi Ben,

    Thanks for writing.

    For Office365, the option is really all or nothing. While Authpoint does support having users set as password only -- those users have to exist in Authpoint for that to work. Setting a safe location still funnels authentication through Authpoint -- it just removes the MFA part and only asks for the password via authpoint.

    Unfortunately, at this time, there's not really a way for Office365 to bypass on a per user basis (and one could argue, if it did, that a malicious user could sit out on the Office365 login page looking for users that redirect to a different portal).

    Basically, think of safe locations as a doorman for a club that knows you -- the doorman might not ask to see your ID, but you still have to walk by him. There's no way to completely bypass the doorman, their check is just more relaxed.

    For services like SSLVPN or Firebox Authentication, where we can specify logon server, there is a way to use a different door to get in (if that's been enabled.) Office365 (and anything SAML) is always going to redirect to the auth portal.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thanks for the information James.

    My understanding of SAML isn't great but I believe I've got more of a grasp of it now.

    I was incorrectly thinking that the user account was initially being authenticated with Azure AD first then being redirected to the Auth portal - This was because we had already setup SSO with Office 365 so we didn't have to type in passwords so the SAML process appeared the same, but now I understand that the Azure AD is effectively bypassed altogether.

    The problem I'll still have though, is trying to justify charging areas of our business for a product they won't ever really be using (desk bound users) and will actually be hindering their ability to use a product (O365) by adding an additional step - The login with AuthPoint as this part doesn't appear seamless.

    We'll have to look at alternative solutions unfortunately as the per user subscription isn't cost effective for us in this scenario.

    Cheers,
    Ben

  • james.carson Moderator, WatchGuard Representative

    Hi Ben,

    Thanks for the reply.

    No problem at all, and I wish you the best in finding something that fits your needs. If you have any specific changes to the product you'd like to see, I'd be happy to request them from that specific team.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • @Ben_G said:
    Thanks for the information James.

    My understanding of SAML isn't great but I believe I've got more of a grasp of it now.

    I was incorrectly thinking that the user account was initially being authenticated with Azure AD first then being redirected to the Auth portal - This was because we had already setup SSO with Office 365 so we didn't have to type in passwords so the SAML process appeared the same, but now I understand that the Azure AD is effectively bypassed altogether.

    The problem I'll still have though, is trying to justify charging areas of our business for a product they won't ever really be using (desk bound users) and will actually be hindering their ability to use a product (O365) by adding an additional step - The login with AuthPoint as this part doesn't appear seamless.

    We'll have to look at alternative solutions unfortunately as the per user subscription isn't cost effective for us in this scenario.

    Cheers,
    Ben

    I thought the "Safe locations" could be used to whitelist geolocations (like an office)... though the only issue with this of course is any security risk that comes with IP spoofing...

  • I have got a question about this.

    I was thinking to perhaps sync a group from AD to AuthPoint called "No MFA". Do users really need to have an AuthPoint license, and do users really need to register their MFA app?

    I was thinking to just sync this group to AuthPoint, then have a top policy allowing this group to O365 SAML with the only option 'password' required.

    Then below that a policy for the group "MFA" with all options (token, OTP, QR and password) selected.

    Would that work? Anyone know?

  • james.carson Moderator, WatchGuard Representative

    Hi @JM333

    O365 just effectively points at whatever SAML provider you give it, so there's not really a way to direct non-MFA users somewhere else. If you point at a SAML provider (like AuthPoint) all users will authenticate to it.

    AuthPoint does allow the "basic auth" option for users/applications that can't log in using MFA, but the user still needs to exist in AuthPoint, and would therefore require a license.

    -James Carson
    WatchGuard Customer Support

  • edited November 2021

    James, thanks for your clarification.

    The company has 200 employees, of which 100 are working in the manufacturing department. They use shared computers and do not own any company mobile phone.

    So if I am introducing AuthPoint there, I would need the full 200 licences.
    What can I do for those manufacturing users? Can I perhaps sell physical USB tokens that have to be connected to their workstation?

    And will it be possible to have something like 10 accounts working on one computer (in different shifts) - so effectively 10 accounts using the same USB token?

  • james.carson Moderator, WatchGuard Representative

    Hi @JM333
    We do sell a hardware token, but it has a display (it does not plug into the user's PC, so there's no USB port.)

    We also support some 3rd party tokens, you can find more info here:
    https://www.watchguard.com/wgrd-products/authpoint/hardware-tokens

    and here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/tokens_hardware.html

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative
    edited November 2021

    If you have 200 users, you will need 200 licenses for those users.

    -James Carson
    WatchGuard Customer Support

  • Yeah, we ran into this too. The idea is that SAML tells the application (i.e. 365) to use AuthPoint as the main authentication server. If AuthPoint doesn't have the user listed (i.e. if you don't at least have a user there using a license), AuthPoint will fail the authentication attempt.

    That said, once the license is there, you should be able to use the Locations feature in AuthPoint to have users bypass MFA while in the office for Microsoft 365. You could even have a Bypass group that will only remove MFA for the users if they are in the office.

    See below for how locations work:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/policy-objects_network-location.html
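The decision logic the thread converges on (every federated Office 365 login lands at the identity provider; an unprovisioned user is denied outright; a safe location drops the MFA factor but never the password step; policies are matched top-down by group) can be written out as a small model. The script below is an added illustration for this discussion, not WatchGuard's code or AuthPoint's actual evaluation order. It assumes first-match policy evaluation, the group names "No MFA" and "MFA" from the question above, and constructed users and an office range from the TEST-NET documentation blocks.

```python
"""Model of IdP-side login evaluation for a SAML-federated tenant.

Constructed example, not AuthPoint's implementation. It captures the
behaviour described in the thread: unknown users fail, safe locations
relax MFA only, and group policies are matched top to bottom.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Set

# Constructed directory: only users provisioned (licensed) in the IdP.
# A tenant user absent from this dict is denied, whatever their location.
AUTHPOINT_USERS: Dict[str, Set[str]] = {
    "alice@example.com": {"MFA"},
    "bob@example.com": {"No MFA"},
}

# Constructed "safe location" office range (TEST-NET-3, placeholder).
SAFE_LOCATIONS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Policy:
    name: str
    group: str                 # group the policy applies to
    methods: Sequence[str]     # authentication options offered
    mfa_required: bool         # whether a second factor is normally demanded


# Assumption: evaluated top to bottom, first matching group wins.
POLICIES: List[Policy] = [
    Policy("No MFA office users", "No MFA", ("password",), mfa_required=False),
    Policy("MFA users", "MFA", ("password", "push", "otp", "qr"), mfa_required=True),
]


def in_safe_location(source_ip: str, safe_locations=SAFE_LOCATIONS) -> bool:
    """True if the client IP falls in a trusted range; malformed input is untrusted."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in safe_locations)


def match_policy(groups: Set[str], policies=POLICIES) -> Optional[Policy]:
    """Return the first policy whose group the user belongs to."""
    for policy in policies:
        if policy.group in groups:
            return policy
    return None


def evaluate_login(username: str, source_ip: str,
                   users=AUTHPOINT_USERS, policies=POLICIES,
                   safe_locations=SAFE_LOCATIONS) -> dict:
    """Decide what the IdP asks of this login attempt.

    The password prompt is always present: a safe location only removes
    the second factor, matching the 'doorman still at the door' point.
    """
    groups = users.get(username)
    if groups is None:
        return {"result": "denied", "reason": "user not provisioned in IdP"}

    policy = match_policy(groups, policies)
    if policy is None:
        return {"result": "denied", "reason": "no policy matches user's groups"}

    trusted = in_safe_location(source_ip, safe_locations)
    return {
        "result": "allowed",
        "policy": policy.name,
        "password_required": True,
        "mfa_required": policy.mfa_required and not trusted,
        "safe_location": trusted,
    }


if __name__ == "__main__":
    for user, ip in [("alice@example.com", "203.0.113.10"),
                     ("alice@example.com", "198.51.100.7"),
                     ("bob@example.com", "198.51.100.7"),
                     ("carol@example.com", "203.0.113.10")]:
        print(user, ip, evaluate_login(user, ip))
```

Running it shows the licensing consequence directly: carol is an Office 365 user with no IdP account, so she is denied even from the office, while alice only loses the MFA prompt there, never the password prompt. The safe-location test keys purely on the presenting source address, which is the spoofing concern raised earlier in the thread; any trust you attach to a range applies to whatever traffic arrives from it, so keep those ranges tight and log logins that skipped MFA because of location.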
