Supporting Microsoft Entra multi-factor authentication to enroll users into MaaS360

Information about Microsoft Entra multi-factor authentication (MFA) to enroll users of all device platforms (iOS, Android, Windows) into MaaS360®.

Overview

Previously, MaaS360 supported only a single type of enrollment workflow where MaaS360 automatically authenticated users by utilizing their username and password credentials. This allowed for seamless enrollment into the MaaS360 Portal without user intervention.

Starting with release 10.76, MaaS360 also supports Microsoft Entra multi-factor authentication for the enrollment workflow. Users are directed to an external Microsoft login page to enter their username and password credentials, and Microsoft Entra validates the authentication. Upon successful authentication, users are redirected back to the MaaS360 Portal to continue the enrollment process.
  • To enable this feature for your MaaS360 account, contact IBM Support.
  • MaaS360 does not support both types of enrollment workflows for authentication simultaneously. If the Microsoft Entra multi-factor authentication feature is not enabled for your account, existing customers continue to enroll devices using the MaaS360 enrollment pages.

Setting up Microsoft Entra multi-factor authentication during the enrollment process

To enroll users into the MaaS360 Portal by using Microsoft Entra multi-factor authentication:
  1. Open Microsoft Edge, and navigate to the MaaS360 enrollment request URL (https://m.dm/corporateID or https://m.dm/corporateID/random###). The MaaS360 Authenticate page is displayed.
  2. Enter the username/domain credentials for the user that you want to enroll, and then click Continue. (The domain name is automatically populated if the domain was previously configured in the Deployment Settings.)

    You are redirected to an external Microsoft Login page.

  3. Enter the user's password and click Sign in. If multi-factor authentication is enabled, an Approve sign in request message is displayed and a confirmation request is sent to the user's device. When the user accepts the request, Microsoft Entra authentication is successful, and the enrollment continues on the MaaS360 enrollment pages.
    Note: Multi-factor authentication is supported for enrollment with all iOS, Android, and Windows devices.

Enrollment scenarios

| User authentication type | Existing enrollment workflow | New enrollment workflow |
|---|---|---|
| Active Directory | Enter the username, domain, and password on the same MaaS360 enrollment page. | Enter the username and domain on the same MaaS360 enrollment page, but enter the password on the next MaaS360 enrollment page. |
| Microsoft Entra ID | Enter the username, domain, and password on the same MaaS360 enrollment page. | Enter the username, domain, and password on the Microsoft Login page. |

Default authentication settings

| Default authentication setting | Existing setting | New setting |
|---|---|---|
| None | Authentication fails | Authentication fails |
| Corporate (Active Directory) | Authentication against Active Directory | Authentication against Active Directory |
| Corporate (Microsoft Entra ID) | Authentication against Microsoft Entra ID | Authentication against Microsoft Entra ID |
| Both | Authentication against Microsoft Entra ID. If authentication fails, then authentication against Active Directory is used. | Authentication against Microsoft Entra ID. If authentication fails, then authentication fails. |

Number of factors that validate Microsoft Entra ID user

| Setting in MaaS360 and Microsoft Entra | Existing setting | New setting |
|---|---|---|
| MaaS360 single-factor and Microsoft Entra single-factor | 1 | 1 |
| MaaS360 single-factor and Microsoft Entra multi-factor | 1 | 1 |
| MaaS360 two-factor and Microsoft Entra single-factor | 2 | 2 |
| MaaS360 two-factor and Microsoft Entra multi-factor | 2 | 3 |

Note:
  1. If MaaS360 two-factor and Microsoft Entra multi-factor are both enabled, Microsoft Entra multi-factor is used first for validation, then MaaS360 two-factor is used for validation.
  2. The validation code for Microsoft Entra multi-factor is sent to a user's device in a text message. Based on how the user has set up verification, the user must either enter the code that is sent in the text message to enroll their device or answer the call from Microsoft.

    The validation code for MaaS360 two-factor is sent to the user in an email message. The user then enters the code that is sent from that email message to enroll their device.