01-09-2019 09:54 AM
I'm just in the process of setting up Centrify for Office 365 MFA.
I'm trying to find out if it is possible to set a different policy for particular users. We We don't want to MFA external support companies accounts, and will have to rely on senisble password policies.
Can anyone tell me if it is possible to do this on an application basis?
01-09-2019 10:32 AM
Welcome to the Centrify forums.
The answer for both is yes.
Applying different policies to different user populations.
You can apply policy to different users by leveraging the policy engine. For example, in one of my environments, I have policy that is applied to 3rd party contractors vs. employees. For example, a policy for my 3rd party users that may be federated vs. my employees that exist on local LDAP, AD, Centrify or Google Directories.
The policy engine allows you to determine the order of how policy is applied.
Here's an example.
Applying Different Policies to Apps
You can also apply, per-app policy. This is in the Policy tab of each application general template.
You have the flexibility to add several conditions that are built-in or even leverage our behavioral analytics.
For example, the ServiceNow app below has been configured to ask for MFA if the app is being accessed from the outside of the the corporate network, while allowing regular uninterrupted SAML SSO access while inside the corporate network.
Note that conditional access rules can also be applied at the:
- App (like here)
- Server Access (via RDP or SSH)
- Password checkout
- Secret reveal, etc.
I hope this helps.
01-10-2019 03:40 AM
Hi thanks for the reply.
I have used Policies for VPN access, and I've used filters on an application to exclude trusted IP addresses.
But what I'm trying to achieve is different O365 users having different MFA policies. There isn't a user filter available in the Office 365 app.
So is there a way to have users excluded from MFA in Office 365?
01-10-2019 10:45 AM
Thanks for clarifying. In this forum we are infrastructure SMEs (volunteers), but one of my coworkers pointed me to the same capability that I outlined in my original post.
The Office 365 WS-Fed and Provisioning template also supports policies, including custom policies that you can script.
They even include some started sample policies for O365 that you can modify and use the test widget to validate the results.
I have not done these myself, but here's the documetation link:
In addition, the Knowledgebase in the Customer Support Portal should have some additional tips, considerations and limitations.
I hope this sends you in the right path.
01-17-2019 07:28 AM
Is there any documentation other than the sample scripts?
I've worked out how to filter based on on-prem or AD Groups, and can set policy.Required = 1 or 2 or whatever.
But can't find anything that says what 1 or 2 actually mean.