Using Microsoft Azure Multi-Factor Authentication with Liquit Workspace

Blog > Using Microsoft Azure Multi-Factor Authentication with Liquit Workspace

Many customers use Microsoft for their cloud services. One of the most used cloud services is Microsoft Azure Active Directory in combination with conditional access, the so-called Multi-Factor Authentication.

How to manage customer access to Azure, Intune and Office 365? | Marius  Sandbu

Most of our customers already know that Liquit fully supports this scenario. In the real-world you setup Liquit to authenticate against Azure Active Directory, being Azure AD the Identity Provider (IdP).

For information how to setup Liquit & Azure AD, please have a look at SSO with Azure Active Directory in the Liquit Workspace documentation.

Here is what happens: a user will go to the Liquit Portal (or external portal) to logon. Liquit redirects the user to the Microsoft Authentication point, where the user authenticates. Liquit receives an OAuth2.0 token which is used to authenticate and let the user logon and start their applications.

Now, in a lot of cases the Microsoft environment is configured to ask the user for a multi-factor authentication. This then results in a multi-factor request being generated on a Liquit Workspace Agent on the user’s device. That is not ‘ IT like water from the tap’ as we try to deliver to our customers.

Overzicht van Azure Multi-Factor Authentication | Microsoft Docs

The Liquit Agent has several configuration options. One example is to have the Liquit Agent authenticate itself against the Liquit Workspace Server as a user. This is only if you want to work from the Agent instead of the Workspace Portal. More info about the options of the Liquit Agent in Agent Configuration in the Liquit Workspace documentation.

In the agent.xml there is part called Login. Change the parameter <Enabled>True</Enabled> to False (camel case!) and restart the Liquit Workspace service to enable the changes.

  <Login>
    <Enabled>False</Enabled>
    <SSO>True</SSO>
	<IdentitySource>LIQUIT</IdentitySource>
	<Timeout>4</Timeout>
  </Login>  

The Liquit Agent is now configured to ‘ not authenticate’ against the Liquit workspace server. The Liquit Agent will only show itself as a tray icon instead of the full interface. The user now has to go to the Liquit Workspace portal for logging on and receives the Multi Factor Authentication only once.

Important: If you configure Liquit not to authenticate against Liquit Workspace, use at least one time the ‘register’ function of the Liquit Agent. Otherwise Liquit Workspace can’t communicate against the Agent and applications will not work.

Home - Liquit.com

These settings will allow the device to register itself with Liquit Workspace without requiring a user login. This allows you to manage the device without a user signed in. The user account used to register the Agent only requires “Register device” privileges. When using this option, the user doesn’t need the “Register device” privilege, while they can still use the Agent when installed with this option.

<Register>
	<Type>1</Type>
	<Username><![CDATA[LOCAL\wksimport]]></Username>
	<Password>wksimport</Password>
</Register>

About the author