office 365

Participant II
Posts: 3
Registered: 2 weeks ago
#1 of 5 165

office 365

Hi,

 

I'm just in the process of setting up Centrify for Office 365 MFA.

 

I'm trying to find out if it is possible to set a different policy for particular users. We don't want to MFA external support companies' accounts, and will have to rely on sensible password policies.

 

Can anyone tell me if it is possible to do this on an application basis?

 

Thanks,

 

Adam

Centrify Guru I
Posts: 2,415
Registered: ‎07-26-2012
#2 of 5 162

Re: office 365


@apedder,

 

Welcome to the Centrify forums.

The answer for both is yes.

 

Applying different policies to different user populations.

You can apply policy to different users by leveraging the policy engine.  For example, in one of my environments, I have policy that is applied to 3rd party contractors vs. employees.  For example, a policy for my 3rd party users that may be federated vs. my employees that exist on local LDAP, AD, Centrify or Google Directories.

The policy engine allows you to determine the order of how policy is applied.

 

Here's an example.

 

[Image: policymakeup.png]

 

Applying Different Policies to Apps

You can also apply per-app policy. This is in the Policy tab of each application general template.

You have the flexibility to add several conditions that are built-in or even leverage our behavioral analytics.

For example, the ServiceNow app below has been configured to ask for MFA if the app is being accessed from outside of the corporate network, while allowing regular uninterrupted SAML SSO access while inside the corporate network.

[Image: apppolicy.PNG]

 

Note that conditional access rules can also be applied at the:

- Policy

- App (like here)

- Server Access (via RDP or SSH)

- Password checkout

- Secret reveal, etc.

 

I hope this helps.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 3
Registered: 2 weeks ago
#3 of 5 149

Re: office 365

Hi, thanks for the reply.

 

I have used Policies for VPN access, and I've used filters on an application to exclude trusted IP addresses.

 

But what I'm trying to achieve is different O365 users having different MFA policies. There isn't a user filter available in the Office 365 app.

 

So is there a way to have users excluded from MFA in Office 365?

 

Thanks,

 

Adam

Centrify Guru I
Posts: 2,415
Registered: ‎07-26-2012
#4 of 5 137

Re: office 365

@apedder,

 

Thanks for clarifying. In this forum we are infrastructure SMEs (volunteers), but one of my coworkers pointed me to the same capability that I outlined in my original post.

 

The Office 365 WS-Fed and Provisioning template also supports policies, including custom policies that you can script. 

 

[Image: o365custompolicyt.png]

 

They even include some starter sample policies for O365 that you can modify and use the test widget to validate the results.

 

I have not done these myself, but here's the documentation link:

https://docs.centrify.com/Content/Applications/AppsScriptRef/UseSamplePolScript.htm

 

In addition, the Knowledgebase in the Customer Support Portal should have some additional tips, considerations and limitations.

 

I hope this sends you down the right path.

 

R.P

Participant II
Posts: 3
Registered: 2 weeks ago
#5 of 5 52

Re: office 365

That certainly helps.
Is there any documentation other than the sample scripts?
I've worked out how to filter based on on-prem or AD Groups, and can set policy.Required = 1 or 2 or whatever.
But can't find anything that says what 1 or 2 actually mean.
Thanks,
Adam