Office 365 Reviews Tech

Specops Authentication for Office 365 Review

SolarWinds Application Performance Monitor

Product: Specops Authentication for Office 365

Product Homepage: click on right here

Free Trial: click on right here



Specops Software program is a Swedish firm based in 2001 with headquarters in Stockholm and workplaces in the USA, Canada, and the UK. They develop distinctive password administration and desktop administration merchandise based mostly on Microsoft know-how. In 2017 they launched Specops Authentication for Office 365, a single answer that streamlines and secures Office 365 Lively Listing integration and consumer login with dynamic multifactor authentication (MFA). On this product assessment, we’ll check out its newest model,

Specops Authentication for Office 365 presents organizations a easy and automatic strategy to Office 365 consumer administration and authentication. It consists of a number of domain-joined servers put in on-premises, which permits admins to configure consumer provisioning and assign licenses to customers as they login to Office 365.

The answer’s highly effective MFA engine helps a variety of authentication elements that may assist enhance a corporation’s general safety, and this, for my part, is the place it shines. With over 15 id suppliers obtainable throughout authentication, customers will all the time have a safe option to entry Office 365.

In a nutshell, Specops permits organizations to:

  • Safe the Office 365 login with dynamic MFA id suppliers:
    • Home windows built-in id (AD password);
    • Safety Questions;
    • Cellular Verification Code (SMS code);
    • Specops Authenticator (OTP app);
    • Google Authenticator (OTP app);
    • Microsoft Authenticator (OTP app);
    • Duo Safety;
    • Symantec VIP;
    • Specops Fingerprint Authenticator (works with Apple Contact/Face ID & Android fingerprint);
    • Cellular Financial institution ID (Sweden);
    • Social and e mail choices: Gmail, Yahoo, Fb, Twitter, and extra;
    • Efos/SITHS playing cards (Sweden).
  • Allow self-service password reset that leverages the identical MFA engine;
  • Automated provision of customers from on-premises Lively Listing (AD) to Office 365.

How does it work?

Specops Authentication consists of an authentication backend, net, and id providers all hosted within the cloud, and an on-premises Gatekeeper server(s).

  • Authentication backend communicates with the Gatekeeper to learn consumer info from AD and to validate a consumer’s id based mostly on the tokens from particular person id providers. The online and id providers additionally talk with the backend;
  • Authentication net incorporates the front-end for customers and directors. It allows the creation of Specops Authentication settings in addition to the provisioning configuration;
  • Id providers is an entity that may validate a consumer’s id in Specops Authentication. The tokens from these id providers are then utilized by the backend to validate a consumer’s Id;
  • The Gatekeeper is put in on a domain-joined server on-premises, so it may learn consumer info from AD, and handle all operations towards AD, akin to studying/writing enrollment knowledge;
  • Authentication insurance policies state how a consumer ought to authenticate so as to have the ability to entry a useful resource. They include the principles required for enrollment and MFA when accessing Office 365, corresponding to controlling which id providers can be utilized, and what number of have to be used to confirm the id of customers.

The diagram under, taken immediately from Specops’ web site, describes how Specops Authentication works:


  1. Consumer tries to login to Office 365 by going to, for instance, and typing their credentials;
  2. Consumer will get redirected to Specops Authentication by way of a Federated Belief;
  3. Authentication choices are fetched and introduced to the consumer;
  4. Consumer selects a number of id providers for authentication;
  5. Id providers return the consumer id to Specops Authentication;
  6. The consumer id is validated towards the on-prem AD;
  7. Specops Authentication creates a token for the consumer to current to Office 365;
  8. Specops Authentication returns the authenticated consumer to Office 365 if the authentication coverage is met.

Though at first it might sound that an inbound connection must be open by means of the firewall to the Gatekeeper, this isn’t the case! All Specops connections are outbound solely, which is nice from a safety perspective.


To put in the Gatekeeper, we’d like a server that meets the next necessities:

  • Home windows Server 2012 R2 or later;
  • .NET Framework four.7 or later.

For provisioning customers in Office 365, we’d like a legitimate area identify (the default * area can’t be used), and an Office 365 account with international administrator rights on Azure AD. Moreover, trendy authentication must be enabled for Change On-line and Skype for Enterprise On-line, which has been the default for a while now, however not for older tenants. If federated id is being utilized in Office 365, by way of ADFS for instance, you will have to de-federate the area as it’ll have to be federated with Specops Authentication.

Putting in Specops is simple. All it includes is making a buyer account, downloading a custom-made setup package deal, and configuring the Gatekeeper within the group’s Lively Listing setting.

Preliminary Configuration

Step one ought to be configuring Home windows Built-in Authentication so customers’ AD credentials are handed mechanically by means of their browser to Specops’ net server. This manner, customers will mechanically authenticate with their Home windows Id, and grant the Home windows Id authentication token.

Subsequent, we will create a Specops Authentication GPO. Customers focused by this GPO can have their authentication, provisioning, and license settings configured from the Specops Authentication net. Through the use of GPO, we will use totally different insurance policies for totally different teams of customers.


The Specops Authentication Net is used to view system info and handle most points of the product, together with system-wide configurations and MFA insurance policies for its numerous assets. When directors login for the primary time to the admin web page, they’re required to enroll within the system. This follows the identical course of for end-users which might be detailed later.

The primary web page lists all of the Gatekeepers configured within the surroundings, together with their standing. Because the textual content suggests, we will set up and configure further ones for redundancy, all the time a should for any manufacturing setting. If a Gatekeeper fails, service won’t be disrupted so long as there’s one other one up and operating.


Inside this interface, directors can allow or disable all the id providers supported by Specops Authentication, and there are lots!


Those with a cog are those that help further configuration. For instance, beneath Secret Questions, we will specify what number of questions customers have to reply, delete present questions, add new ones, and even add questions in several languages, amongst different choices. Specops additionally helps in depth customization. We will customise its emblem, use a method sheet and just about change any textual content within the consumer interface, together with utilizing totally different languages:


The Net interface additionally offers entry to a number of helpful studies and logs. For instance, we will monitor the variety of authentications carried out by Specops by hour/day/week/month, and even verify probably the most used id suppliers:


There’s additionally an audit log with actions carried out by directors (under we will see I disabled CAPTCHA for instance), amongst different occasion logs:


We will additionally add a number of domains to our Specops Authentication group account, and handle CAPTCHA settings:


Configuring Specops for Office 365

Now it’s time to get right down to what actually introduced us right here: utilizing Specops Authentication with an Office 365 tenant!

The answer permits provisioning, licensing and Office 365 federation configuration along with establishing MFA insurance policies. Earlier than continuing, it is very important be sure that we’ve already added a customized area to Office 365 and validated its possession.

As soon as this has been completed, we will determine if we need to use a GPO to focus on which customers can use Specops or use the organizational unit specified through the Gatekeeper set up because the scope goal for Specops. The subsequent step is to determine which id providers customers can use, together with the load (stars) of every one, in addition to the necessities for enrollment and authentication. For instance, we will state that customers have to enroll in several id providers till they’ve 6 stars (which suggests at the least three id providers), however to authenticate they solely want four stars (no less than 2 id providers). That is the place a stability between safety and consumer expertise comes into play.


For this check, I chosen three stars for authentication and made 4 id providers out there to customers, all with a weight of two. Because of this customers should use 2 id providers with a purpose to login to Office 365. Due to Home windows Built-in Authentication, if customers are logged in to a workstation with their credentials, then they may solely be requested to verify their id utilizing a Cellular Code, Secret Query, or the Specops Authenticator app:


Now that we’ve configured the authentication necessities for customers, we allow Office 365 licensing the place customers shall be assigned licenses mechanically each time they login to Office 365. The answer supplies us with consumer guidelines that we will use to configure provisioning of consumer objects from the on-premises AD to Azure AD. By enabling this, we’re letting Specops Authentication create consumer objects in Azure AD as customers sign up to Office 365. If left disabled, no customers might be created and any customers that don’t exist already in Azure AD might be unable to log in. We even have the choice to specify which attributes are required and which of them aren’t.

The ultimate step is to allow federation. As Specops already has the required permissions to our tenant, all we now have to do to allow our Office 365 to federate with Specops is to click on the flip it on button:


And we’re executed! Now that we’ve absolutely configured Specops Authentication to work with Office 365, it’s time to see the authentication expertise from a consumer’s perspective.

Consumer Expertise

From a consumer’s perspective, Specops Authentication helps the under shoppers for accessing Office 365:

  • Net-based variations of O365 on all trendy browsers;
  • Office 365 for Home windows;
  • Office 2016 for Home windows;
  • Office 2013 for Home windows (with further updates);
  • Outlook for iPhone;
  • Outlook for Android;
  • OneDrive for Enterprise;
  • Skype for Enterprise.

Let’s begin by wanting on the consumer expertise when a consumer logs in to the Office 365 portal for the primary time. Once we sort our username and alter to the password entry field, Office 365 redirects us to the Specops’ sign-in web page, identical to with some other federation answer:


As a result of that is the primary time this consumer logs in, we get requested to enroll with Specops:


We begin by confirming our password:


And are subsequent introduced with the id providers we configured beforehand as admins. As talked about earlier than, on this case we solely have to enroll with a further service:


Let’s first attempt Secret Query. As soon as we choose this id service, we’re taken to an inventory of pre-defined questions we will use:


We merely choose the query we need to use, reply it, and click on OK:


Choosing Specops Authenticator would require us to obtain and set up Specops’ personal authenticator app (just like Microsoft’s personal authenticator app). The logon web page supplies us with a QR code which we have to scan, as soon as we set up the app, so as to configure it:


So, merely go to the app retailer, obtain the app:


Open it, and click on on Scan QR Code:


As soon as that’s completed, sort the displayed code within the Code field on the web site and click on Confirm.


As soon as we refill all of the required stars, we’re okay to proceed:


As a result of that is the primary time this consumer indicators in to Office 365, Specops must create the account and assign it a license:


In my case it took round 15 seconds for the consumer account to be provisioned and for me to be redirected to the Office 365 portal:


If we verify the consumer license, we will affirm that, as we configured, all providers have been enabled besides for Groups:


And that’s it! Easy.

Customers might be prompted for credentials in periodic intervals, they won’t have to authenticate with Specops each single time. As soon as the consumer completes the authentication course of, a refresh token is issued by Azure AD for that shopper. By default, the utmost age of that token is 90 days. As soon as the token has expired, or whether it is revoked by an administrator, the shopper should re-authenticate by way of Specops Authentication in an effort to get a brand new token. The token administration is dealt with by Azure, which means directors can’t configure or handle these immediately in Specops Authentication.

As with Microsoft’s personal MFA implementation, sure older purposes that don’t help trendy authentication would require an App Password to authenticate to Office 365, which permits them to bypass MFA/Specops.


Once I was first requested to assessment Specops Authentication, my preliminary thought was “why would an organization need this product when Microsoft’s own MFA works great with Office 365”? After having used Specops for some time, I can see its attraction to some organizations.

In a single hand, Specops Authentication has a number of drawbacks to it:

  • Its on-line guide shouldn’t be one of the best, and it’d make putting in and configuring Specops for the primary time a bit complicated, however I do know Specops is engaged on enhancing it;
  • The Specops Authenticator and the Specops Fingerprint cellular apps ought to be mixed into one. It’s a lot simpler to click on on a notification (Specops Fingerprint), then it’s to open the app (Specops Authenticator), learn the code, sort the code, and press OK. Combining each apps into one would give customers the choices to decide on their most popular technique, with out having to put in totally different apps. Having stated that, I assume we all the time have the choices to make use of Microsoft’s authenticator app along with Specops;
  • At this stage, Specops is lacking a few of the extra superior and highly effective options of Azure Conditional Entry. For instance, we can’t bypass MFA when inside an organization’s community and solely implement MFA when customers are working remotely, or implement MFA simply for a specific service like Trade On-line and OneDrive.

Then again, Specops supplies MFA choices that aren’t out there with Azure MFA. All of Microsoft’s MFA choices depend on customers having both a landline quantity the place they will obtain a telephone name or a cell phone. I’ve been concerned in a number of tasks the place the enterprise needed to supply customers different choices, like receiving a code by e mail (as an alternative of SMS) like many different merchandise do, or answering a number of secret questions, for instance. Microsoft already supplies these choices with its Azure self-service password reset function, so why not supply these with MFA? That is the place Specops fills the hole: it provides MFA choices that don’t require customers to depend on a cell phone, and on the similar time offers different options that Azure AD Join does, like consumer provisioning, multi functional. One other function that might be coated in a separate assessment is Specops uReset, a self-service password reset answer that leverages the identical authentication engine as Specops Authentication, and permits customers to reset their password in the identical safe approach as login into Office 365. Score four.6/5


Publish Views:

report this advert

Learn Subsequent