Two-Factor Authentication

To strengthen user logon security, M365 Security Plus supports two-factor authentication (TFA) for default help desk technicians and AD login help desk technicians. You can select any of the authentication methods below for the help desk technicians and/or AD login technicians. Once a method has been enabled, the technicians will have to configure it during their login process, and M365 Security Plus will require them to authenticate with it whenever they log in.

Setting up Two-Factor Authentication

  1. Log in to M365 Security Plus as an administrator.
  2. Navigate to Delegation > Other Settings > Logon Settings.
  3. Click the Two-Factor Authentication tab.
  4. Toggle the Two-Factor Authentication switch to Enabled.

  5. Select the authentication methods of your choice from the list provided.

    Note:
    • If multiple authentication options are enabled, then the user will be asked to choose one of them at the time of logging in.
    • Make sure you configure the authentication option you’ve chosen by entering all the required details.
  6. Click Save.

Email Verification

When this option is selected, M365 Security Plus sends a verification code via email to the user’s email address. The user has to enter the verification code to successfully log in.

Configuration steps:

  1. Configure your mail server settings if you haven't already.
  2. Enter a Subject for the email.
  3. Enter a Message in the box provided.
  4. Click the exclamation point to set a priority as per your requirements.
  5. Click Macros at the bottom to insert macros in the email message.
  6. Once you are done, click Save.

Once enabled, users will be asked to enroll for two-factor authentication by entering their email address during login.

Microsoft Authenticator

Securely sign into your account using Microsoft Authenticator. Once enabled, users will be required to enter a code generated by Microsoft Authenticator for identity verification.

Configuration steps:

  1. Just click Enable Microsoft Authenticator.

Google Authenticator

Securely sign into your account using Google Authenticator. Once enabled, users will be required to enter a six-digit security code generated by Google Authenticator for identity verification.

Configuration steps:

  1. Just click Enable Google Authenticator.

Note: Once either of the two options above is enabled, the technicians will be asked to enroll themselves for two-factor authentication using either Microsoft Authenticator or Google Authenticator during the login process.

RSA SecurID

RSA SecurID is a mechanism developed for performing two-factor authentication for a user. Users can use the security codes generated by the RSA SecurID mobile app, hardware tokens, or tokens received via email or SMS to log in to M365 Security Plus.

Configuration steps:

  1. Log in to your RSA admin console (e.g., https://<RSA machine name>.<domain DNS name>/sc).
  2. Go to the Access tab. Under Authentication Agents, click Add New.
  3. Add the M365 Security Plus server as an authentication agent and click Save.
  4. Go to the Access tab. Under Authentication Agents, click Generate Configuration File.
  5. Download the AM_Config.zip (Authentication Manager configuration) file.
  6. Extract sdconf.rec from the ZIP file.
  7. In M365 Security Plus, under RSA SecurID configuration, click Browse and select the sdconf.rec file.
  8. Ensure that the required authapi.jar file and its Log4j.jar files are present in the <installation_directory>/lib folder. If not, obtain the latest authapi.jar file and its latest Log4j.jar files from RSA SecurID, and add them to the <installation_directory>/lib folder.
  9. Click Save.

Duo Security

Duo Security is a two-step verification service that provides additional security while accessing applications. Users can use the six-digit security codes generated by the Duo mobile app or push notification to log into M365 Security Plus.

Configuration steps:

  1. Log in to your Duo Security account (e.g., https://admin.duosecurity.com/), or sign up for a new account and log in.
  2. Go to Applications. Click Protect an Application.
  3. Search and select Web SDK. Click Protect this Application.
  4. Copy the Integration key, Secret key, and API hostname, and paste them in M365 Security Plus.
  5. Click Save.

Note: Please make sure you select the exact username pattern you use in Duo Security.

Also, if you are using older versions of Internet Explorer, then add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and admin console (e.g., https://admin-325d33c0.duosecurity.com) as a trusted or intranet site.

RADIUS Authentication

Remote Authentication Dial-In User Service (RADIUS) is an industry standard client/server authentication protocol that enhances security by protecting networks from unauthorized access.

RADIUS-based two-factor authentication for M365 Security Plus can be configured in just two simple steps.

Configuration steps

Step 1: Integrate RADIUS with M365 Security Plus

  1. Log into the RADIUS server.
  2. Navigate to the clients.conf file (/etc/raddb/clients.conf).
  3. Add the following snippet in the clients.conf file:
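    client ProductServerName {
        # IP address of the M365 Security Plus server
        ipaddr = xxx.xx.x.xxx
        # Shared secret; the same value is entered as the Secret Key in Step 2
        secret = <secretCode>
        nastype = other
    }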
  4. Restart the RADIUS server.

Step 2: Configure M365 Security Plus for RADIUS

  1. Select RADIUS Authentication.
  2. Enter the IP address or the name of the RADIUS server.
  3. Enter the Server Port number for RADIUS authentication.
  4. Select the protocol used for RADIUS authentication from the drop-down list.
  5. Provide the Secret Key that was added to the clients.conf file in the RADIUS server.
  6. Set the Username Pattern.
  7. Set the Request Time Out duration for authentication.
  8. Click Save.

Note: The Username Pattern is case-sensitive. Please make sure you select the exact pattern (uppercase or lowercase) you use in your RADIUS server.

Backup verification codes

Backup verification codes allow users to log in when they don’t have access to their phone or face issues with one of the second-factor authentication methods. When enabled, a total of five codes will be generated. A code, once used, will become obsolete and cannot be used again. Users also have the option to generate new codes.

Enabling the Backup Verification Code option

  • To enable backup verification codes, check the Backup Verification Code box.

Registering for backup verification codes

  • Users need to click the Manage Backup Verification Codes link to view the codes.

  • Users can also download the codes as a text file, print them, and get them delivered to their personal email address; they can also generate new codes.

Using the backup verification code to log in

  • To use backup verification codes during login, users need to click the Don't have verification code? link in the second-factor authentication page.

  • On the backup verification code page, they need to enter one of their backup verification codes and click Verify Code to log in.

Managing users for two-factor authentication

As an admin, you can view which authentication method users have opted for and disable their two-factor authentication using the Manage Users option.

To do this:

  • Under the Two-Factor Authentication tab, click Enrolled Users.
  • In the Enrolled Users pop-up, you can view the list of users enrolled for two-factor authentication and the authentication method they have chosen.
  • To remove a user, select the user and click the Delete icon.

Personalize two-factor authentication method for users

The users enrolled in two-factor authentication can modify their preferred authentication method and manage trusted browsers by following the steps below:

  • Go to the My Account profile icon in the top-right corner of M365 Security Plus.
  • Select the Two-Factor Authentication option.
  • To modify the authentication mode, click Modify Authentication mode.
  • To manage a trusted browser, click Manage Trusted Browsers.

Custom TOTP Authenticator

The Custom TOTP Authenticator feature helps you secure your accounts with two-factor authentication. It can now be easily configured in M365 Security Plus. Securely sign into your account using any authenticator like Google, Microsoft, or another custom authenticator app. Once enabled, users will be required to enter a code generated by the authenticator for identity verification.

  • Select Custom TOTP Authenticator.
  • Check the box for Enable Custom TOTP Authenticator.
  • Enter the Authenticator Name, Passcode Length, Passcode Expiration Time, and Passcode Hashing Algorithm.
  • Configure the Account Name Format and upload the Authenticator Logo.
  • Click Save.
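
What the Passcode Length, Passcode Expiration Time, and Passcode Hashing Algorithm settings control, shown as an added example in Python (not M365 Security Plus code): an RFC 6238 TOTP generator, a verifier with a clock-drift window, and an otpauth:// enrollment URI in the Key URI format used by authenticator apps. The function names, the drift window, and the sample issuer and account are assumptions for illustration; the server and the authenticator app must agree on all three settings or the codes will never match.

```python
import base64
import hmac
import struct
from urllib.parse import quote, urlencode

def totp(secret: bytes, at: float, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 code for Unix time `at`.
    digits ~ Passcode Length, period ~ Passcode Expiration Time (seconds),
    algorithm ~ Passcode Hashing Algorithm (mapping to the UI is an assumption)."""
    counter = int(at) // period                    # index of the current time step
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits) # keep leading zeros

def verify(secret: bytes, code: str, at: float, digits: int = 6,
           period: int = 30, algorithm: str = "SHA1", drift: int = 1) -> bool:
    """Accept codes from `drift` steps either side of `at` to absorb clock skew.
    A wider window is more forgiving but gives a guessed code more chances."""
    ok = False
    for step in range(-drift, drift + 1):
        when = at + step * period
        if when < 0:
            continue
        expected = totp(secret, when, digits, period, algorithm)
        ok |= hmac.compare_digest(expected, code)  # constant-time comparison
    return ok

def enrollment_uri(secret: bytes, issuer: str, account: str, digits: int = 6,
                   period: int = 30, algorithm: str = "SHA1") -> str:
    """otpauth:// URI that an authenticator app scans as a QR code."""
    label = quote(f"{issuer}:{account}")           # label shown in the app
    params = urlencode({"secret": base64.b32encode(secret).decode().rstrip("="),
                        "issuer": issuer, "algorithm": algorithm,
                        "digits": digits, "period": period}, quote_via=quote)
    return f"otpauth://totp/{label}?{params}"

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"          # RFC 6238 test secret, not a real key
    print(totp(demo_secret, 59))
    print(enrollment_uri(demo_secret, "ExampleIssuer", "tech1@example.com"))
```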
