Drupal: TOTP Authentication for authenticated users - drupal-7

I have enabled the modules Two Factor Authentication and TFA Basic Plugins. I am using TOTP as my validation plugin. I had downloaded the Google Authentication app on my mobile device.
I have successfully done TOTP Authentication on my admin account. However, I have several authenticated user accounts I need to make. How can I set their accounts so that they can do TOTP Authentication?
Currently if I create a user/password for them then go to security, I see the TOTP Authentication screen where I can scan. However, how do I give the user the ability?
If I provide them a user/password but want them to have TOTP set up on their mobile device, how do I do that?
Thanks in advance,
Mike

You may have come across this by now, but there is a permission "Set up TFA for account" provided by TFA Basic, which you'll want to ensure you set for relevant roles (which may well be simply "authenticated user").
In case you were looking to use the "require TFA" for a role, then any user with that role will be unable to log in all by themselves, and will get an error "Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator".
Therefore, if you wish to enforce TFA, you'll need to do some custom implementation unless you're in a position to walk each user through initial setup (I suspect not). https://www.drupal.org/node/2622030 should provide some pointers for this.
You could consider https://www.drupal.org/project/tfa_rules instead of enforcing TFA: at the least it offers a default rule which encourages those who have not enabled TFA to do so.

Related

Automatically deploy an Enterprise Application on AzureAD

I have a React Application that uses Microsoft AD to authenticate users.
As a first step, and according to Microsoft Documentation, we need to register the application with the Microsoft identity platform.
This is in line with the Microsoft Identity Platform documentation; in this diagram we can see that for ALL types of applications (SPA, Web App, etc.), we always need to configure an application in AzureAD:
This process is "cumbersome", and I'm trying to remove it by having the application installed automatically.
Several third-parties do this, such as Zapier, SpecFlow, etc.
Basically, they have a process where:
User logs in on Zapier
User is redirected to Azure AD sign-in page
User is authenticated and authorized
AzureAD shows the Consent Page
User consents
Application is installed on user's AzureAD
I've been reading and searching in Microsoft's Documentation, and I cannot find a single document that shows or even mentions this type of flow.
BUT, I know that this is possible, as there are several third parties that are doing exactly this, such as Zapier, for example.
Can anyone point me in the right direction, there must exist some Microsoft document that explains how this process is done!
Apologies if this should be a comment, not an answer. I do not have enough SO reputation to write comments.
Zapier is published to the Azure Active Directory application gallery (1c76d9b0-0826-4b19-8706-29572657af1e). You can do this as well:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/v2-howto-app-gallery-listing
If an application already exists in the gallery, it does not need to be "registered" in the user's tenant, as the registration definition is defined in the gallery.
Once an app is in the gallery, users can use it only if their tenant's administrators allow this, per the settings on this page:
Enterprise applications | User settings
https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/UserSettings
From the user's end, there are other governance controls that may impact the user's ability to use your app, but I think "register your app in the gallery" is probably what you're asking for.

With AAD Registered Applications, what can prevent a malicious insider from adding secrets and exploiting them? Redirect URL?

My organization is taking a look at the security of registered applications within Azure Active Directory (AAD) and have concerns around the ability of individuals to add client secrets and certificates for applications that are using the "application permissions" model. I'm working to help narrow the roles of individuals within the organization to restrict this, but this investigation begged the question of what a malicious insider could do if he or she could add a client secret to this application.
I've looked through the 30 Days of Microsoft Graph blog series, which is excellent, but wanted to clarify what else can be done to prevent an insider from gaining access to the permissions this application would allow.
Does the redirect URL itself protect against this kind of scenario, provided the organization retains control of all registered URLs (meaning, for example, that https://localhost isn't registered)? Based on this post under Step 3, I assume the answer is yes but wanted to make sure this is the case.
Is it technically correct to say that without the redirect URL being secured/owned by the organization, a malicious insider who could add client secrets could exploit the permissions granted by the application?
If you are able to add a client secret to an app that already has been granted application permissions to something, then this user can use the new secret to get tokens and access those resources as the app.
Redirect URL is not used with application permissions, only delegated permissions.
This is because there are no redirects in the client credentials grant flow, which is used when acquiring a token with app permissions.
It's just an HTTP request.
So you are correct in your assumption that being able to add a new secret to an app that already has permissions can be a security issue.
There are audit logs though, and I believe adding a secret/certificate is logged.
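The answer's last point, that adding a secret or certificate is recorded in the audit log, is the defender's lever here. Below is an added example (not from the question or answer above) that scans an audit-log export for credential additions to app registrations and raises the severity when the target app already holds application (app-only) permissions, which is exactly the case the answer warns about. The audit records are constructed samples in the shape of Microsoft Graph `directoryAudit` objects; the app-permission inventory and the list of approved operators are assumptions you would populate from your own tenant, and the `activityDisplayName` string is the one Azure AD uses for app-registration credential changes but should be confirmed against your tenant's logs before relying on it.

```python
"""Flag credential additions to Azure AD app registrations in an audit-log export.

Added example for this Q&A; field names follow Microsoft Graph directoryAudit
records, all values are constructed.
"""
import json

# Constructed sample export (three credential changes, one unrelated event).
SAMPLE_AUDIT_LOG = json.dumps([
    {
        "activityDateTime": "2023-05-01T10:15:00Z",
        "activityDisplayName": "Update application \u2013 Certificates and secrets management",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
        "targetResources": [{"id": "app-0001", "displayName": "Payroll Sync"}],
    },
    {
        "activityDateTime": "2023-05-01T10:20:00Z",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
        "targetResources": [{"id": "user-0042", "displayName": "Some User"}],
    },
    {
        "activityDateTime": "2023-05-01T11:00:00Z",
        "activityDisplayName": "Update application \u2013 Certificates and secrets management",
        "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
        "targetResources": [{"id": "app-0002", "displayName": "Intranet Portal"}],
    },
    {
        "activityDateTime": "2023-05-01T11:30:00Z",
        "activityDisplayName": "Update application \u2013 Certificates and secrets management",
        "initiatedBy": {"app": {"displayName": "Deployment Pipeline"}},
        "targetResources": [{"id": "app-0003", "displayName": "Status Page"}],
    },
])

# Assumed inventory: app object id -> application (app-only) permissions it
# has been granted. In a real tenant this comes from the service principal's
# app role assignments; an empty list means delegated permissions only.
APP_PERMISSIONS = {
    "app-0001": ["Mail.Read", "Directory.Read.All"],
    "app-0002": ["Sites.Read.All"],
    "app-0003": [],
}

# Assumed allow-list of identities expected to rotate credentials.
APPROVED_OPERATORS = {"bob@example.test"}

# Activity name Azure AD uses for app-registration credential changes;
# confirm against your own tenant's audit log before deploying.
CREDENTIAL_EVENT = "Update application \u2013 Certificates and secrets management"


def actor_of(event):
    """Return a display string for whoever initiated the event (user or app)."""
    initiated = event.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def find_credential_changes(raw_json, app_permissions, approved_operators):
    """Return one finding per app registration that received a new credential.

    Severity: 'info' when an approved operator made the change, 'high' when an
    unapproved actor added a credential to an app holding app-only permissions
    (the case discussed above), 'medium' for other unapproved changes.
    """
    findings = []
    for event in json.loads(raw_json):
        if event.get("activityDisplayName") != CREDENTIAL_EVENT:
            continue
        actor = actor_of(event)
        for target in event.get("targetResources") or []:
            roles = app_permissions.get(target.get("id"), [])
            if actor in approved_operators:
                severity = "info"
            elif roles:
                severity = "high"
            else:
                severity = "medium"
            findings.append({
                "time": event.get("activityDateTime"),
                "actor": actor,
                "app": target.get("displayName"),
                "app_id": target.get("id"),
                "app_roles": roles,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in find_credential_changes(SAMPLE_AUDIT_LOG, APP_PERMISSIONS, APPROVED_OPERATORS):
        print(f"[{finding['severity']}] {finding['time']} {finding['actor']} "
              f"added a credential to {finding['app']} (app roles: {finding['app_roles']})")
```

Routing the `high` findings to an alert and reviewing them against a change ticket is the control that turns "it is logged" into something actionable; restricting who can own or edit app registrations in the first place, as the question describes, remains the primary mitigation.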

Is admin consent required in a native app using Directory.AccessAsUser.All?

According to this page, admin consent should not be required for a native app using Directory.AccessAsUser.All
As a side note, for native applications, this permission behaves like a User permission instead. A native app does not have an identity per se, and it is already doing the direct user’s bidding anyway. It stands to reason that the app should be able to do what the user is able to do, just as happens on-premises when a classic native client (say Word or Excel) can or cannot open a document from a network share depending on whether the user has the correct permissions on that folder.
I'm not seeing this in practice. The "API Permissions" page in Azure portal warns me that admin consent will be required, and users attempting to sign in using my app also get told that admin consent is required.
I haven't provided a Web redirect URL, just checked https://login.microsoftonline.com/common/oauth2/nativeclient under the Public Clients section - I'd expect this to be enough for admin consent not to be required, but it doesn't seem to be the case.
Is the doc above wrong, or am I missing something?
That page is wrong, consent framework doesn't allow a permission to be Admin/User.
If it is marked Admin, it requires admin consent.
That may have been right in the past though.

Azure Authentication sending SMS confirmation

I'm using Azure Authentication in a mobile app, using the azure-activedirectory-library-for-cordova plugin.
Recently some users have had trouble logging in. Some are even receiving an SMS to confirm their mobile number, but still without actually being able to complete the login.
They can still log in as normal on other services (such as their computer at work), but using this login for our app is causing problems.
It's not consistent - some users are having troubles and receiving SMS, while others are not.
Any suggestions what may cause this, and how to prevent it?
It appears like some users that are trying to sign into your application have Multi-Factor Authentication set up.
Please take a look at the following Article: Multi-Factor Authentication
I am not an expert in the MFA scenarios, but it appears that there are custom SDKs that you might need to integrate with your application to fully support signing in those users: Multi-Factor Authentication SDK
Let me know if this helps, or if you have a more specific question, let me know and I can try and find the right person to help you.

How to use ADFS 2.0 with asp mvc 4

I am writing a MVC 4 web app and want to use the new WIF and ADFS to Authenticate users. I also want to provide a profile page for users to "self serve" changes like phone number or maiden name.
I am looking for resources/tutorials (a good book) to show me how to wire it all up.
Users will be stored in Active Directory, so I'm guessing that I should use the ADMembershipProvider for some of this. I believe there is a profile store attached to ADFS (or I can set one up), and I want to know if it's good practice to interact with it directly or if there is an API that will let me add claims etc.
Finally, how does all this fit into the new WebSecurity stuff?
You asked for books on the subject of ADFS. You could try the patterns and practices book A Guide to Claims-Based Identity and Access Control.
In terms of the ADMembershipProvider, you don't need it.
ADFS under the hood handles the AD integration. You configure claims rules which determine which attributes ADFS extracts out of AD.
Update
In terms of editing the user in AD, this is an Identity Manager scenario. ADFS is an STS so it doesn't handle this. You need to do this directly e.g. Howto: (Almost) Everything In Active Directory via C#. Be aware that you need an AD login that enables write access to do this. This is a different credential set to the set that allows you to login to ADFS.
ADFS just provides the login screen. Out of the box you don't get any self-service functionality. You need to customise the ADFS screen yourself e.g. AD FS 2.0 Sign-In Pages Customization Overview.
