Office 365 Reviews Tech

Specops Authentication for Office 365 Review

SolarWinds Application Performance Monitor

Product: Specops Authentication for Workplace 365

Product Homepage: click on right here

Free Trial: click on right here


Specops Software program is a Swedish firm based in 2001 with headquarters in Stockholm and workplaces in the USA, Canada, and the UK. They develop distinctive password administration and desktop administration merchandise based mostly on Microsoft know-how. In 2017 they launched Specops Authentication for Workplace 365, a single answer that streamlines and secures Workplace 365 Lively Listing integration and consumer login with dynamic multifactor authentication (MFA). On this product evaluation, we’ll check out its newest model,

Specops Authentication for Workplace 365 provides organizations a easy and automatic strategy to Workplace 365 consumer administration and authentication. It consists of a number of domain-joined servers put in on-premises, which permits admins to configure consumer provisioning and assign licenses to customers as they login to Workplace 365.

The answer’s highly effective MFA engine helps a variety of authentication elements that may assist enhance a corporation’s general safety, and this, for my part, is the place it shines. With over 15 id suppliers obtainable throughout authentication, customers will all the time have a safe strategy to entry Workplace 365.

In a nutshell, Specops permits organizations to:

  • Safe the Workplace 365 login with dynamic MFA id suppliers:
    • Home windows built-in id (AD password);
    • Safety Questions;
    • Cellular Verification Code (SMS code);
    • Specops Authenticator (OTP app);
    • Google Authenticator (OTP app);
    • Microsoft Authenticator (OTP app);
    • Duo Safety;
    • Symantec VIP;
    • Specops Fingerprint Authenticator (works with Apple Contact/Face ID & Android fingerprint);
    • Cellular Financial institution ID (Sweden);
    • Social and e mail choices: Gmail, Yahoo, Fb, Twitter, and extra;
    • Efos/SITHS playing cards (Sweden).
  • Allow self-service password reset that leverages the identical MFA engine;
  • Automated provision of customers from on-premises Lively Listing (AD) to Workplace 365.

How does it work?

Specops Authentication consists of an authentication backend, net, and id providers all hosted within the cloud, and an on-premises Gatekeeper server(s).

  • Authentication backend communicates with the Gatekeeper to learn consumer info from AD and to validate a consumer’s id based mostly on the tokens from particular person id providers. The online and id providers additionally talk with the backend;
  • Authentication net incorporates the front-end for customers and directors. It allows the creation of Specops Authentication settings in addition to the provisioning configuration;
  • Id providers is an entity that may validate a consumer’s id in Specops Authentication. The tokens from these id providers are then utilized by the backend to validate a consumer’s Id;
  • The Gatekeeper is put in on a domain-joined server on-premises, so it could learn consumer info from AD, and handle all operations towards AD, akin to studying/writing enrollment knowledge;
  • Authentication insurance policies state how a consumer ought to authenticate so as to have the ability to entry a useful resource. They include the principles required for enrollment and MFA when accessing Workplace 365, comparable to controlling which id providers can be utilized, and what number of have to be used to confirm the id of customers.

The diagram under, taken instantly from Specops’ web site, describes how Specops Authentication works:


  1. Consumer tries to login to Workplace 365 by going to, for instance, and typing their credentials;
  2. Consumer will get redirected to Specops Authentication by way of a Federated Belief;
  3. Authentication choices are fetched and introduced to the consumer;
  4. Consumer selects a number of id providers for authentication;
  5. Id providers return the consumer id to Specops Authentication;
  6. The consumer id is validated towards the on-prem AD;
  7. Specops Authentication creates a token for the consumer to current to Workplace 365;
  8. Specops Authentication returns the authenticated consumer to Workplace 365 if the authentication coverage is met.

Though at first it might sound that an inbound connection must be open by way of the firewall to the Gatekeeper, this isn’t the case! All Specops connections are outbound solely, which is nice from a safety perspective.


To put in the Gatekeeper, we’d like a server that meets the next necessities:

  • Home windows Server 2012 R2 or later;
  • .NET Framework four.7 or later.

For provisioning customers in Workplace 365, we’d like a legitimate area identify (the default * area can’t be used), and an Workplace 365 account with international administrator rights on Azure AD. Moreover, trendy authentication must be enabled for Trade On-line and Skype for Enterprise On-line, which has been the default for a while now, however not for older tenants. If federated id is being utilized in Workplace 365, by means of ADFS for instance, you’ll need to de-federate the area as it’s going to must be federated with Specops Authentication.

Putting in Specops is simple. All it includes is making a buyer account, downloading a custom-made setup package deal, and configuring the Gatekeeper within the group’s Lively Listing surroundings.

Preliminary Configuration

Step one ought to be configuring Home windows Built-in Authentication so customers’ AD credentials are handed mechanically via their browser to Specops’ net server. This manner, customers will mechanically authenticate with their Home windows Id, and grant the Home windows Id authentication token.

Subsequent, we will create a Specops Authentication GPO. Customers focused by this GPO can have their authentication, provisioning, and license settings configured from the Specops Authentication net. Through the use of GPO, we will use totally different insurance policies for various teams of customers.


The Specops Authentication Net is used to view system info and handle most features of the product, together with system-wide configurations and MFA insurance policies for its numerous assets. When directors login for the primary time to the admin web page, they’re required to enroll within the system. This follows the identical course of for end-users which can be detailed later.

The primary web page lists all of the Gatekeepers configured within the surroundings, together with their standing. Because the textual content suggests, we will set up and configure further ones for redundancy, all the time a should for any manufacturing setting. If a Gatekeeper fails, service won’t be disrupted so long as there’s one other one up and operating.


Inside this interface, directors can allow or disable all the id providers supported by Specops Authentication, and there are quite a bit!


Those with a cog are those that help further configuration. For instance, beneath Secret Questions, we will specify what number of questions customers have to reply, delete present questions, add new ones, and even add questions in several languages, amongst different choices. Specops additionally helps in depth customization. We will customise its emblem, use a method sheet and just about change any textual content within the consumer interface, together with utilizing totally different languages:


The Net interface additionally offers entry to a number of helpful studies and logs. For instance, we will monitor the variety of authentications carried out by Specops by hour/day/week/month, and even verify probably the most used id suppliers:


There’s additionally an audit log with actions carried out by directors (under we will see I disabled CAPTCHA for instance), amongst different occasion logs:


We will additionally add a number of domains to our Specops Authentication group account, and handle CAPTCHA settings:


Configuring Specops for Workplace 365

Now it’s time to get right down to what actually introduced us right here: utilizing Specops Authentication with an Workplace 365 tenant!

The answer permits provisioning, licensing and Workplace 365 federation configuration along with establishing MFA insurance policies. Earlier than continuing, it is very important be sure that we have now already added a customized area to Workplace 365 and validated its possession.

As soon as this has been finished, we will determine if we need to use a GPO to focus on which customers can use Specops or use the organizational unit specified through the Gatekeeper set up because the scope goal for Specops. The subsequent step is to determine which id providers customers can use, together with the load (stars) of every one, in addition to the necessities for enrollment and authentication. For instance, we will state that customers have to enroll in several id providers till they’ve 6 stars (which suggests at the very least three id providers), however to authenticate they solely want four stars (no less than 2 id providers). That is the place a stability between safety and consumer expertise comes into play.


For this check, I chosen three stars for authentication and made 4 id providers out there to customers, all with a weight of two. Which means customers should use 2 id providers to be able to login to Workplace 365. Due to Home windows Built-in Authentication, if customers are logged in to a workstation with their credentials, then they’ll solely be requested to verify their id utilizing a Cellular Code, Secret Query, or the Specops Authenticator app:


Now that we’ve got configured the authentication necessities for customers, we allow Workplace 365 licensing the place customers will probably be assigned licenses mechanically every time they login to Workplace 365. The answer supplies us with consumer guidelines that we will use to configure provisioning of consumer objects from the on-premises AD to Azure AD. By enabling this, we’re letting Specops Authentication create consumer objects in Azure AD as customers check in to Workplace 365. If left disabled, no customers might be created and any customers that don’t exist already in Azure AD might be unable to log in. We even have the choice to specify which attributes are required and which of them aren’t.

The ultimate step is to allow federation. As Specops already has the required permissions to our tenant, all we have now to do to allow our Workplace 365 to federate with Specops is to click on the flip it on button:


And we’re achieved! Now that we now have absolutely configured Specops Authentication to work with Workplace 365, it’s time to see the authentication expertise from a consumer’s perspective.

Consumer Expertise

From a consumer’s perspective, Specops Authentication helps the under shoppers for accessing Workplace 365:

  • Net-based variations of O365 on all trendy browsers;
  • Workplace 365 for Home windows;
  • Workplace 2016 for Home windows;
  • Workplace 2013 for Home windows (with further updates);
  • Outlook for iPhone;
  • Outlook for Android;
  • OneDrive for Enterprise;
  • Skype for Enterprise.

Let’s begin by wanting on the consumer expertise when a consumer logs in to the Workplace 365 portal for the primary time. Once we sort our username and alter to the password entry field, Workplace 365 redirects us to the Specops’ sign-in web page, identical to with another federation answer:


As a result of that is the primary time this consumer logs in, we get requested to enroll with Specops:


We begin by confirming our password:


And are subsequent introduced with the id providers we configured beforehand as admins. As talked about earlier than, on this case we solely have to enroll with a further service:


Let’s first attempt Secret Query. As soon as we choose this id service, we’re taken to an inventory of pre-defined questions we will use:


We merely choose the query we need to use, reply it, and click on OK:


Choosing Specops Authenticator would require us to obtain and set up Specops’ personal authenticator app (just like Microsoft’s personal authenticator app). The logon web page supplies us with a QR code which we have to scan, as soon as we set up the app, with a purpose to configure it:


So, merely go to the app retailer, obtain the app:


Open it, and click on on Scan QR Code:


As soon as that’s executed, sort the displayed code within the Code field on the web site and click on Confirm.


As soon as we refill all of the required stars, we’re okay to proceed:


As a result of that is the primary time this consumer indicators in to Workplace 365, Specops must create the account and assign it a license:


In my case it took round 15 seconds for the consumer account to be provisioned and for me to be redirected to the Workplace 365 portal:


If we examine the consumer license, we will affirm that, as we configured, all providers have been enabled apart from Groups:


And that’s it! Easy.

Customers shall be prompted for credentials in periodic intervals, they won’t have to authenticate with Specops each single time. As soon as the consumer completes the authentication course of, a refresh token is issued by Azure AD for that shopper. By default, the utmost age of that token is 90 days. As soon as the token has expired, or whether it is revoked by an administrator, the shopper should re-authenticate by way of Specops Authentication so as to get a brand new token. The token administration is dealt with by Azure, which means directors can’t configure or handle these immediately in Specops Authentication.

As with Microsoft’s personal MFA implementation, sure older purposes that don’t help trendy authentication would require an App Password to authenticate to Workplace 365, which permits them to bypass MFA/Specops.


Once I was first requested to assessment Specops Authentication, my preliminary thought was “why would a corporation want this product when Microsoft’s personal MFA works nice with Workplace 365”? After having used Specops for some time, I can see its attraction to some organizations.

In a single hand, Specops Authentication has a number of drawbacks to it:

  • Its on-line guide is just not the perfect, and it’d make putting in and configuring Specops for the primary time a bit complicated, however I do know Specops is engaged on enhancing it;
  • The Specops Authenticator and the Specops Fingerprint cellular apps must be mixed into one. It’s a lot simpler to click on on a notification (Specops Fingerprint), then it’s to open the app (Specops Authenticator), learn the code, sort the code, and press OK. Combining each apps into one would give customers the choices to decide on their most popular technique, with out having to put in totally different apps. Having stated that, I assume we all the time have the choices to make use of Microsoft’s authenticator app along with Specops;
  • At this stage, Specops is lacking a few of the extra superior and highly effective options of Azure Conditional Entry. For instance, we can’t bypass MFA when inside an organization’s community and solely implement MFA when customers are working remotely, or implement MFA only for a specific service like Trade On-line and OneDrive.

Then again, Specops supplies MFA choices that aren’t obtainable with Azure MFA. All of Microsoft’s MFA choices depend on customers having both a landline quantity the place they will obtain a telephone name or a cell phone. I’ve been concerned in a number of tasks the place the enterprise needed to supply customers different choices, like receiving a code by e-mail (as an alternative of SMS) like many different merchandise do, or answering a number of secret questions, for instance. Microsoft already supplies these choices with its Azure self-service password reset function, so why not supply these with MFA? That is the place Specops fills the hole: it provides MFA choices that don’t require customers to depend on a cell phone, and on the similar time offers different options that Azure AD Join does, like consumer provisioning, multi functional. One other function that will probably be coated in a separate assessment is Specops uReset, a self-service password reset answer that leverages the identical authentication engine as Specops Authentication, and permits customers to reset their password in the identical safe means as login into Workplace 365. Score four.6/5


Submit Views:

report this advert

Learn Subsequent