Microsoft Authenticator is a software-based authentication technique which can be used to signin to your Access Manager Plus account. You will need to install the Microsoft Authenticator app on your smartphone or tablet device. The app generates a 6 digit number called a token which changes every 30seconds. You will be prompted to enter that 6 digit number(token) in Access Manager Plus while logging in. Since the generated token changes for every 30 seconds, you can signin to Access Manager Plus without the need to wait to receive a text message.
Sequence of Events
- A user tries to access Access Manager Plus web-interface.
- Access Manager Plus authenticates the user through Active Directory or LDAP or locally (first factor).
- Now, Access Manager Plus requests for the second factor credential through Microsoft Authenticator.
- The user has to enter the six-digit token that they see on the Microsoft Authenticator app GUI.
- Access Manager Plus grants the user access to the web-interface.
- Configuring Two-Factor Authentication in Access Manager Plus
- Enforcing Two-Factor Authentication for the Required Users
- Connecting to Access Manager Plus Web Interface when TFA via Microsoft Authenticator is Enabled
1. Configuring Two-Factor Authentication in Access Manager Plus
- Navigate to Admin >> Authentication >> Two-Factor Authentication.
- Choose the option Microsoft Authenticator, and click Save.
- Click Confirm to enforce Microsoft Authenticator as the second factor of authentication.
2. Enforcing Two-Factor Authentication for the Required Users
- Once you confirm Microsoft Authenticator as the second factor of authentication, a new window will prompt you to select the users for whom TFA should be enforced.
- You can enable or disable TFA for a single user or multiple users in bulk from here. To enable TFA for a single user, click on the Enable button beside their respective username. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable TFA from here.
- Now, you have sucessfully enabled or disabled TFA for necessary users.
- You can also select the users later by navigating to Users >> More Actions >> Two-Factor Authenitcation.
- In the window that opens, select the users for whom you want to enforce Microsoft's TFA and click Enable/Disable.
3. Connecting to Access Manager Plus Web Interface when TFA via Microsoft Authenticator is Enabled
Note: To use Microsoft Authenticator as the second factor of authentication, you should first install the app in your smart phone or tablet.
The users for whom TFA is enabled will have to authenticate twice successively. The first level of authentication will be through the usual authentication, i.e., the users have to authenticate through Access Manager Plus's local authentication or AD/LDAP authentication, which ever is enabled.
- Launch Access Manager Plus's web interface, enter the Username and Password (local authentication or AD/LDAP), and click Login.
- Associating Microsoft Authenticator with your Access Manager Plus account:
- When you are logging in for the first time after enabling TFA through Microsoft Authenticator, you will be prompted to associate it with your account in Access Manager Plus. After launching the Microsoft Authenticator app in your mobile device or tablet, click Add Account or the + button and choose Other (Google, Facebook, etc.) for the kind of account you're adding, since Access Manager Plus is not a Microsoft extension.
- Here, you can either Scan the QR code displayed in your Access Manager Plus website by scanning the barcode shown in the GUI, or Enter Code Manually.
- If you choose to Enter the Code Manually, the GUI will prompt you to enter an Account Name and a Security Key.
- Supply an Account name for your Access Manager Plus account in the format– AMP:account name (for example. AMP:email@example.com).
- Provide an alphanumeric string as your Secret key, and then click Finish.
- Microsoft Authenticator will now start generating codes periodically, that changes every 30 seconds.
- You can enter this code in the text box provided in the Access Manager Plus login page for the second level of authentication.
As mentioned earlier, the Microsoft Authenticator is associated with your Access Manager Plus account. If you ever lose your mobile device/tablet OR if you accidentally delete the Microsoft Authenticator app on your device, you will still be able to get tokens to log in to Access Manager Plus. In such scenarios, just click the link Have trouble using Microsoft Authenticator? in the Access Manager Plus's login screen. You will be prompted to enter your username and the email address associated with Access Manager Plus. Once done, you will receive instructions to get Microsoft Authenticator again.