Karim Elatov

RSA SecurID Access O365 ADAL Rich Client Email and Mobile Setup

Blog Post created by Karim Elatov Employee on Sep 24, 2015

 

After I confirmed that ADAL can be used with RSA Via Access I decided to go a little further and ensure that the Desktop Outlook Client works along with the Mobile Outlook App as well. First make sure you run through the steps described in RSA Via Access O365 ADAL Basic Rich Client Setup to enable ADAL on the O365 tenant side and local machine as well.

Office 365 Configuration

Confirm User has an Exchange Mailbox

If you login as an Admin to the O365 portal and go to Users -> Active Users -> "YOUR USER" and you will see the status of a user's mailbox:

o365-users-mailbox.png

If the user doesn't have a mailbox, you will see the following:

o365-no-exchange-mailbox.png

DNS Configuration

If you login as an Admin to the O365 portal and go to Domains -> "YOUR DOMAIN" ->  Domain Settings it will list all the DNS setting necessary for all specific functionalities:

 

dns-o365-settings.png

First I made sure that worked externally:

~$host -t TXT singlepoint66.com 
singlepoint66.com descriptive text "v=spf1 include:spf.protection.outlook.com -all"
~$host -t MX singlepoint66.com
singlepoint66.com mail is handled by 0 singlepoint66-com.mail.protection.outlook.com.
~$host -t SRV _sip._tls.singlepoint66.com
_sip._tls.singlepoint66.com has SRV record 100 1 443 sipdir.online.lync.com.

Then I did the same thing on the my internal DNS server:

ad-server-o365-dns-entries.png

Lastly ensure the machine that will run the Outlook Desktop client can resolve the above DNS entries:

 

C:\>nslookup -q=mx singlepoint66.com

Server:  UnKnown

Address:  10.210.0.154

 

 

singlepoint66.com       MX preference = 0, mail exchanger = singlepoint66-com.mail.protection.outlook.com

singlepoint66-com.mail.protection.outlook.com   internet address = 207.46.163.138


C:\>nslookup autodiscover.singlepoint66.com

Server:  UnKnown

Address:  10.210.0.154

 

 

Name:    autodiscover-namwest.outlook.com

Addresses:132.245.81.136

          132.245.39.248

Aliases:  autodiscover.singlepoint66.com

          autodiscover.outlook.com

          autodiscover.outlook.com.g.outlook.com


C:\>nslookup -q=srv _sip._tls.singlepoint66.com

Server:  UnKnown

Address:  10.210.0.154

 

 

_sip._tls.singlepoint66.com     SRV service location:

          priority       = 100

          weight         = 1

          port           = 443

          svr hostname   = sipdir.online.lync.com

sipdir.online.lync.com  internet address = 132.245.113.25

Rich Client Testing

Desktop Client Test

Then I launched Outlook and it picked up my email by default and started to autodiscover the mail setup and after it was done, I saw the following:

outlook-rich-client-auto-discovered.png

Since I already authenticated after I launched Word (as seen in the previous post), I didn't even have to enter the password. Just in case, I rebooted my machine and re-launched the Outlook client and I was able to send an email without any issues:

outook-client-with-adal.png

Mobile Testing

My next test was to try out the Android Outlook App. Install the app from Google Play:

down-ms-outlook.png

Launch the App:

outlook-add-account.png

I tried Office 365 and Exchange  (I am using Exchange Online provided with O365 and not an Exchange Server on Premise) and both worked for me. Here is the O366 flow, first enter your username:

outl-enter-username.png

It will figure out your domain is federated and will then forward you to the IdP:

outl-redirect-to-idp.png

And here is the login page you will see:

outl-at-idp.png

Then after you authenticate to the IdP, it will go back to O365 and show you that it's completing the setup:

outl-comp-setup.png

And then you will see your mailbox and you can send messages:

outl-logged-in.png

Supported Clients and Protocols

Microsoft provides links to pages that have the support matrix: Updated Office 365 modern authentication. You will notice under the Legacy Clients section, we see the following:

 

 

Some clients like Office 2010 and 2007 are not supported and clients like Native iOS and Android Mail Apps (which use Active Sync) are not supported either. Similar note seen at Outlook 2016: What Exchange admins need to know:

 

Modern Authentication provides Outlook 2016 with several benefits:

  • Single sign-on (SSO). Outlook now support single sign in with other Office applications.
  • Multi-factor authentication. Outlook will support multi-factor authentication (MFA). MFA secures the user sign-in beyond just a single password. When enabled, users are required to acknowledge a phone call, text message, or app notification on their smartphones after correctly entering their passwords. Sign in is only confirmed after this second authentication factor has been satisfied.
  • No more basic auth: Prior to Modern Authentication, Outlook would connect to Exchange Online using Basic auth over HTTPS. This required the username and password to be provided anytime a connection to Exchange Online is made. Modern Auth flows negate the need for this type of basic authentication. Instead, the Outlook client now communicates directly with the customer’s Identity Provider and no longer needs to share the user’s password with Exchange Online for user authentication.

Definitely something to consider when moving to ADAL/Modern Authentication

Outcomes