Office 365 / Foxpass password delegation

This describes how to set up Foxpass to delegate password verification to Office 365.

Set Office 365 as your Delegated Authentication type

Go to the Foxpass 'Authentication Settings' page. Scroll down to "Password authentication delegation." Choose "Office 365 via OAuth" from the dropdown menu and click "Save." 2FA must be turned off, or the Foxpass IPs must be marked as trusted in your MFA configuration. If 2FA needs to stay enabled for a specific user or set of users, you can exempt them from delegated authentication and they can use a Foxpass password instead.

If you use Azure Conditional Access Policies, please use the Advanced instructions below.

Note: Select the "Office 365 via OAuth" option.

Office 365's IMAP endpoint is deprecated. Please see here for more information.

Basic Instructions: Setting Up MFA Trusted IPs

Due to a limitation in Office 365's authentication endpoints, a user cannot both have Office 365 MFA turned on and use delegated authentication. We recommend keeping MFA enabled and marking the Foxpass IPs as trusted. Marking Foxpass's IPs as trusted allows Foxpass to check usernames and passwords while bypassing MFA. To read more about Office 365 trusted IPs, see:
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

To mark our IPs as trusted, go to the Azure Active Directory portal at https://aad.portal.azure.com/. Then go to the Named Locations section. You should see a link to Configure MFA Trusted IPs.

[Screenshot: Configure MFA trusted IPs link]

You can now enter Foxpass's IPs in the field. If you'd rather have your users use application-specific passwords, you can enable that setting here as well.

[Screenshot: MFA settings]

Foxpass IP addresses are:
35.168.179.228/32
18.206.75.69/32
52.55.180.22/32
35.153.120.184/32

Advanced Instructions: Azure Conditional Access Policies

If you have Azure Conditional Access policies enabled, make sure that they allow requests from Foxpass's servers. You may need to set up a named location for Foxpass or further configure your policies.

First, go to the Azure Active Directory admin center for your organization. Select All Services from the left-hand menu and find Azure AD Named Locations. Create a new IP ranges location named Foxpass containing the IP addresses listed above.

[Screenshot: Foxpass named location]

After you've created the named location, you will need to exclude Foxpass from MFA during sign in requests. You can exclude all trusted locations, or just Foxpass specifically.

[Screenshot: Exclude trusted locations]

Be sure to save any updated configurations. Afterwards, all delegated authentication requests from Foxpass should bypass MFA, and Office 365 will allow the sign-in request.

Debugging: Checking Azure's Access Logs

Sometimes it's unclear why a login is failing. First, check your Foxpass LDAP or RADIUS logs. If users are failing with an error message like "Office 365: LOGIN FAILED," then Office 365 is rejecting the login for an unspecified reason. You'll need to log into your Azure Active Directory admin center and check the sign-in logs to find the specific reason.

In the Azure Active Directory admin center, go to the Users section and select Activity -> Sign-ins. There you will see a list of attempted sign-ins for your users.

Go to the User sign-ins (non-interactive) section and select a corresponding failed login from Foxpass. In the Basic Info section, the Failure Reason will explain why the login failed. The Conditional Access section will show which conditional access policies were applied.

Using these logs will help you debug the issue and unblock your users.
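To triage these logs in bulk rather than one portal entry at a time, here is an added Python example (not Foxpass's or Microsoft's code) that filters a saved Microsoft Graph sign-ins export down to failed attempts sourced from the Foxpass addresses above and flags the ones a Conditional Access policy blocked. The field names assume the Graph signIn resource, and the sample response is constructed.

```python
import ipaddress
import json

# Foxpass source addresses listed on this page; a sign-in from anywhere else was not a
# delegated password check from Foxpass.
FOXPASS_RANGES = [ipaddress.ip_network(c) for c in (
    "35.168.179.228/32", "18.206.75.69/32", "52.55.180.22/32", "35.153.120.184/32")]

# Constructed sample shaped like a Microsoft Graph /auditLogs/signIns response. Field
# names follow the Graph signIn resource (an assumption); users and outcomes are made up.
SAMPLE_SIGNINS = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "ipAddress": "35.168.179.228",
     "createdDateTime": "2024-01-10T08:00:00Z", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 50076, "failureReason": "Strong authentication is required."},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for all users", "result": "failure"}]},
    {"userPrincipalName": "bob@example.com", "ipAddress": "18.206.75.69",
     "createdDateTime": "2024-01-10T08:01:00Z", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0, "failureReason": "Other."},
     "appliedConditionalAccessPolicies": []},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.7",
     "createdDateTime": "2024-01-10T08:02:00Z", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password."},
     "appliedConditionalAccessPolicies": []},
]})

def from_foxpass(ip: str) -> bool:
    """True when the sign-in's source address is one of the Foxpass ranges."""
    return bool(ip) and any(ipaddress.ip_address(ip) in net for net in FOXPASS_RANGES)

def failed_foxpass_signins(raw_json: str) -> list:
    """Foxpass-originated sign-ins that failed, with the reason and the CA policies that failed."""
    out = []
    for ev in json.loads(raw_json)["value"]:
        if not from_foxpass(ev.get("ipAddress", "")) or ev["status"]["errorCode"] == 0:
            continue  # not a Foxpass check, or it succeeded
        out.append({
            "user": ev["userPrincipalName"], "time": ev["createdDateTime"],
            "errorCode": ev["status"]["errorCode"], "reason": ev["status"]["failureReason"],
            "caStatus": ev["conditionalAccessStatus"],
            "policies": [p["displayName"] for p in ev["appliedConditionalAccessPolicies"]
                         if p["result"] == "failure"]})
    return out

def blocked_by_conditional_access(entry: dict) -> bool:
    """CA failure on a Foxpass-sourced request: the Foxpass named location is not excluded from MFA."""
    return entry["caStatus"] == "failure"
```

A CA-blocked entry points back at the named-location and exclusion steps above; a non-CA failure such as an invalid-credential code means Office 365 rejected the password itself.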