Supporting Microsoft Entra multi-factor authentication to enroll users into MaaS360
Information about Microsoft Entra multi-factor authentication (MFA) to enroll users of all device platforms (iOS, Android, Windows) into MaaS360®.
Overview
Previously, MaaS360 supported only a single type of enrollment workflow where MaaS360 automatically authenticated users by utilizing their username and password credentials. This allowed for seamless enrollment into the MaaS360 Portal without user intervention.
Effective 10.76 and later releases, MaaS360 also supports Microsoft Entra multi-factor authentication for the enrollment workflow. Users are directed to an external Microsoft login page to enter their username and password credentials, where the authentication is validated by Microsoft Entra. Upon successful authentication, users are redirected back to MaaS360 Portal to continue the enrollment process.
- To enable this feature for your MaaS360 account, contact IBM Support.
- MaaS360 does not support both types of enrollment workflows for authentication simultaneously. If the Microsoft Entra multi-factor authentication feature is not enabled for your account, existing customers continue to enroll devices using the MaaS360 enrollment pages.
Setting up Microsoft Entra multi-factor authentication during the enrollment process
To enroll users into the MaaS360 Portal by using Microsoft Entra multi-factor authentication:
- Open Microsoft Edge, and navigate to the MaaS360 enrollment request URL (https://m.dm/corporateID or https://m.dm/corporateID/random###). The MaaS360 Authenticate page is displayed.
- Enter the username/domain credentials for the user that you want to enroll, and then click Continue. (The domain name is automatically populated if the domain was previously configured in the Deployment Settings.) You are redirected to an external Microsoft Login page.
- Enter the user's password and click Sign in. If multi-factor authentication is enabled, an Approve sign in request message is displayed and a confirmation request is sent to the user's device. When the user accepts the request, Microsoft Entra authentication is successful, and the enrollment continues on the MaaS360 enrollment pages.
Note: Multi-factor authentication is supported for enrollment with all iOS, Android, and Windows devices.
Enrollment scenarios
User authentication type | Existing enrollment workflow | New enrollment workflow |
---|---|---|
Active Directory | Enter the username, domain, and password on the same MaaS360 enrollment page. | Enter the username and domain on the same MaaS360 enrollment page, but enter the password on the next MaaS360 enrollment page. |
Microsoft Entra ID | Enter the username, domain, and password on the same MaaS360 enrollment page. | Enter the username, domain, and password on the Microsoft Login page. |
Default authentication settings
Default authentication setting | Existing setting | New setting |
---|---|---|
None | Authentication fails | Authentication fails |
Corporate (Active Directory) | Authentication against Active Directory | Authentication against Active Directory |
Corporate (Microsoft Entra ID) | Authentication against Microsoft Entra ID | Authentication against Microsoft Entra ID |
Both | Authentication against Microsoft Entra ID. If authentication fails, then authentication against Active Directory is used. | Authentication against Microsoft Entra ID. If authentication fails, then authentication fails. |
Number of factors that validate Microsoft Entra ID user
Setting in MaaS360 and Microsoft Entra | Existing setting | New setting |
---|---|---|
MaaS360 single-factor and Microsoft Entra single-factor | 1 | 1 |
MaaS360 single-factor and Microsoft Entra multi-factor | 1 | 1 |
MaaS360 two-factor and Microsoft Entra single-factor | 2 | 2 |
MaaS360 two-factor and Microsoft Entra multi-factor | 2 | 3 |
Note:
- If MaaS360 two-factor and Microsoft Entra multi-factor are both enabled, Microsoft Entra multi-factor is used first for validation, then MaaS360 two-factor is used for validation.
- The validation code for Microsoft Entra multi-factor is sent to a user's device in a text message. Based on how the user has set up verification, the user must either enter the code that is sent in the text message to enroll their device or answer the call from Microsoft.
- The validation code for MaaS360 two-factor is sent to the user in an email message. The user then enters the code that is sent in that email message to enroll their device.