Getting Started with Azure MFA Server


Azure MFA Server is an on-premises multi-factor authentication solution that integrates with your existing Active Directory infrastructure. It's designed to provide an additional layer of security for your users, beyond just a username and password.

To get started with Azure MFA Server, you'll need to download and install the software on a Windows Server machine. This will give you access to the Azure MFA Server web interface.

The Azure MFA Server requires a connection to the Azure cloud to function properly. This means you'll need to ensure your network has a stable and secure connection to the internet.

Azure MFA Server supports a variety of authentication methods, including SMS, voice calls, and authenticator apps. This gives you flexibility in how you choose to authenticate your users.

Components and Requirements

The Azure Multi-Factor Authentication Server has three web components that work together to provide secure authentication.

The Web Service SDK is a crucial component that enables communication with the other components and is installed on the Azure Multi-Factor Authentication Server application server.


To install the components, you have two options: you can install all three on the same internet-facing server, or you can break them up and install the Web Service SDK on the Microsoft Entra multifactor authentication application server, while the User portal and Mobile App Web Service are installed on an internet-facing server.

Here are the three web components that make up Azure Multi-Factor Authentication Server:

  • Web Service SDK - Enables communication with the other components and is installed on the Azure Multi-Factor Authentication Server application server
  • User portal - An Internet Information Services (IIS) website that allows users to enroll in Microsoft Entra multifactor authentication and maintain their accounts.
  • Mobile App Web Service - Enables using a mobile app like the Microsoft Authenticator app for two-step verification.

Configuration and Setup

To install and configure the Azure MFA Server, double-click the executable and follow the on-screen instructions. Make sure the server you install it on meets the requirements listed in the planning section.

The installer first asks for the installation folder; verify the folder is correct and click Next. It then adds the libraries the server needs. Mail server (SMTP) details are not part of the installer; they are entered later, under the email settings.

The installation is complete when you're prompted to select Finish, which starts the configuration wizard. This is where you enter the activation credentials you generated earlier by clicking the Generate Activation Credentials button on the page where you downloaded the server.

Firewall Requirements


Firewall configuration is part of securing the Azure Multi-Factor Authentication Server: the server must be able to reach specific IP ranges, so your outbound firewall rules need to allow that traffic.

The IP ranges that need to be allowed are 134.170.116.72/29, 134.170.165.72/29, and 70.37.154.200/29. These ranges correspond to the IP addresses the Azure Multi-Factor Authentication Server communicates with.

In some cases the allowed ranges can be reduced to just these three. If you're not using the Azure Multi-Factor Authentication Event Confirmation features, and users are not authenticating with the Multi-Factor Auth mobile apps from devices on the corporate network, allowing traffic to these three ranges is sufficient.

Here are the specific IP ranges that need to be allowed:

  • 134.170.116.72/29
  • 134.170.165.72/29
  • 70.37.154.200/29

With traffic to these ranges allowed, the Azure Multi-Factor Authentication Server can reach the service it depends on while remaining properly configured and secured.
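The following PowerShell is an added example, not code from the article or from Microsoft. It creates a single outbound Windows Firewall rule for TCP 443 to the three ranges named above (which is also the port the article later says each MFA server must reach outbound), and then reads the rule back so you can confirm the address and port filters before relying on it. The rule's display name is an assumption; run it in an elevated PowerShell session on the MFA Server host.

```powershell
# Added example (not from the article or Microsoft): outbound rule for the
# three MFA cloud ranges the article lists, plus a read-back check.
# The rule display name is an assumption for this example.
$MfaCloudRanges = @(
    '134.170.116.72/29',
    '134.170.165.72/29',
    '70.37.154.200/29'
)
$RuleName = 'Azure MFA Server - outbound 443 to MFA cloud service'   # assumed name

function Set-MfaOutboundRule {
    param([string[]]$Ranges = $MfaCloudRanges, [string]$Name = $RuleName)

    # Replace any earlier copy of the rule so the address list stays exact.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $Name `
        -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 443 `
        -RemoteAddress $Ranges `
        -Profile Any | Out-Null
}

function Test-MfaOutboundRule {
    param([string]$Name = $RuleName)

    # Pull the rule and its address/port filters back out of the firewall store.
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        RemotePort    = $port.RemotePort
        RemoteAddress = $addr.RemoteAddress
    }
}

Set-MfaOutboundRule
Test-MfaOutboundRule | Format-List
```

An allow rule only has an effect when the profile's default outbound action is Block (set with `Set-NetFirewallProfile -DefaultOutboundAction Block`); with the Windows default of allowing all outbound traffic, the rule documents the requirement but restricts nothing. If you do tighten the default outbound action, remember that the server still needs Active Directory, DNS and any RADIUS or AD FS traffic on your internal network, so add those rules before switching the default.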

Configure MFA

To install and configure the MFA Server, start by downloading the server and ensuring the installation server meets the requirements listed in the planning section.

Then run the installer:

  1. Double-click the executable to begin the installation process.
  2. On the Select Installation Folder screen, make sure the folder is correct and click Next. The installer adds the libraries the server requires.
  3. When the installation finishes, select Finish. The configuration wizard starts.

Next, generate activation credentials by clicking the Generate Activation Credentials button. Copy this information into the Azure Multi-Factor Authentication Server in the boxes provided and click Activate.

To set up email settings, click the email icon on the left and enter the Simple Mail Transfer Protocol (SMTP) information of your mail server. Check the Send emails to users check box to enable email sending.

On the Email Content tab, you can choose from available email templates. Select the template that best suits your two-step verification configuration.

Managing TLS/SSL Protocols and Suites

Upgrading to MFA Server version 8.x or higher is a significant step, and once you've made the switch, it's essential to review your TLS/SSL protocols and cipher suites.

Older and weaker cipher suites should be disabled or removed unless required by your organization.

Information on how to complete this task can be found in the article Managing SSL/TLS Protocols and Cipher Suites for Active Directory Federation Services (AD FS).

It's recommended to only keep cipher suites that are necessary for your organization's operations.
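The script below is an added example, not code from the article or from Microsoft's AD FS guidance. It reports which legacy Schannel protocols are still enabled on the host and which enabled cipher suites match a set of weak patterns, and, only when run with -Apply, disables them using the Schannel registry keys and the TLS module's Disable-TlsCipherSuite cmdlet. The list of protocols to retire and the weak-suite pattern are assumptions for the example; align them with your organisation's requirements before applying. Requires the TLS PowerShell module (Windows Server 2016 or later) and an elevated session.

```powershell
# Added example (not from the article or Microsoft): audit and, on request,
# disable legacy protocols and weak cipher suites on an MFA Server host.
# The retire list and weak pattern below are assumptions for this example.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols   = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')   # assumed retire list
$WeakSuitePattern  = 'RC4|3DES|DES_|NULL|MD5|EXPORT'                  # assumed weak set

function Get-WeakTlsCipherSuite {
    # Get-TlsCipherSuite returns the suites currently enabled for Schannel.
    Get-TlsCipherSuite | Where-Object { $_.Name -match $WeakSuitePattern }
}

function Get-SchannelProtocolState {
    foreach ($proto in $LegacyProtocols) {
        $key = Join-Path $SchannelProtocols "$proto\Server"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Protocol = $proto
            Enabled  = $enabled   # $null: key absent, the OS default applies
        }
    }
}

function Invoke-TlsHardening {
    param([switch]$Apply)

    Write-Host 'Legacy protocols (server side):'
    Get-SchannelProtocolState | Format-Table -AutoSize
    Write-Host 'Weak cipher suites still enabled:'
    Get-WeakTlsCipherSuite | Select-Object Name | Format-Table -AutoSize

    if (-not $Apply) { return }

    # Disable each legacy protocol for both the server and client roles.
    foreach ($proto in $LegacyProtocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelProtocols "$proto\$side"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }

    # Remove the weak suites from the Schannel priority list.
    Get-WeakTlsCipherSuite | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
    Write-Host 'Protocol changes take effect after a reboot.'
}

Invoke-TlsHardening          # report only; add -Apply to change the host
```

Run the report first and keep the output: disabling TLS 1.0/1.1 on the client side also affects what the MFA Server can negotiate with AD FS, RADIUS clients and any LDAP or mail servers it talks to, so confirm those peers support a remaining suite before using -Apply, and test authentications end to end after the reboot.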

Backup and Maintenance


Backup and Maintenance is crucial for any system, and Azure Multi-Factor Authentication Server is no exception. Ensuring you have a good backup is a must.

To back up Azure Multi-Factor Authentication Server, copy the C:\Program Files\Multi-Factor Authentication Server\Data folder, including the PhoneFactor.pfdata file.

This folder holds the server's configuration and user data, so a backup that omits it is incomplete; verify that the copy contains PhoneFactor.pfdata before relying on it.

In case you need to restore the server, follow these steps:

  1. Reinstall Azure Multi-Factor Authentication Server on a new server.
  2. Activate the new Azure Multi-Factor Authentication Server.
  3. Stop the MultiFactorAuth service.
  4. Overwrite the PhoneFactor.pfdata with the backed-up copy.
  5. Start the MultiFactorAuth service.

With these steps, your new server will be up and running with the original backed-up configuration and user data.
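The following PowerShell is an added example, not code from the article. It backs up the Data folder named above to a timestamped location, records a SHA-256 hash of PhoneFactor.pfdata, and restores that file onto a freshly installed and activated server using the article's stop / overwrite / start sequence, refusing to restore a copy whose hash no longer matches. The backup root folder is an assumption; the data path and the MultiFactorAuth service name are the ones the article gives.

```powershell
# Added example (not from the article): backup and restore helpers built
# around the path, file and service name the article names.
# The backup root is an assumption for this example.
$MfaDataPath = 'C:\Program Files\Multi-Factor Authentication Server\Data'
$BackupRoot  = 'D:\MfaBackups'                         # assumed destination
$ServiceName = 'MultiFactorAuth'

function Backup-MfaServerData {
    param([string]$Source = $MfaDataPath, [string]$Root = $BackupRoot)

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $Root "Data-$stamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $dest -Recurse -Force

    # Record a hash of the main data file so a later restore can be verified.
    $pfdata = Join-Path $dest 'PhoneFactor.pfdata'
    if (-not (Test-Path $pfdata)) { throw "PhoneFactor.pfdata missing from $dest" }
    $hash = (Get-FileHash -Path $pfdata -Algorithm SHA256).Hash
    Set-Content -Path (Join-Path $dest 'PhoneFactor.pfdata.sha256') -Value $hash
    return $dest
}

function Restore-MfaServerData {
    param([Parameter(Mandatory)][string]$BackupDir,
          [string]$Target  = $MfaDataPath,
          [string]$Service = $ServiceName)

    $src      = Join-Path $BackupDir 'PhoneFactor.pfdata'
    $expected = (Get-Content (Join-Path $BackupDir 'PhoneFactor.pfdata.sha256')).Trim()
    if ((Get-FileHash -Path $src -Algorithm SHA256).Hash -ne $expected) {
        throw 'Backup copy of PhoneFactor.pfdata does not match its recorded hash'
    }

    # Article steps 3-5: stop the service, overwrite the file, start the service.
    Stop-Service -Name $Service -ErrorAction Stop
    try {
        Copy-Item -Path $src -Destination (Join-Path $Target 'PhoneFactor.pfdata') -Force
    } finally {
        Start-Service -Name $Service
    }
    (Get-Service -Name $Service).Status
}

# On the existing server:
#   $dir = Backup-MfaServerData
# On the new server, after reinstalling and activating (article steps 1-2):
#   Restore-MfaServerData -BackupDir $dir
```

PhoneFactor.pfdata contains the users' enrolment data, so treat the backup location as sensitive: restrict its NTFS permissions to the administrators who perform restores and keep it off general-purpose file shares.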

Advanced Options

If you're looking to get the most out of your Azure MFA Server, you'll want to explore the advanced configuration options available.

One such option is setting up the User Portal, which includes deployment and user self-service information.

You can also set up Azure MFA with Active Directory Federation Service, which is a robust authentication method.


Additionally, you can configure the Azure MFA Server with RADIUS, IIS, Windows Authentication, LDAP Authentication, or Remote Desktop Gateway using RADIUS.


Advanced Configurations

Advanced Configurations can be a bit overwhelming, but don't worry, I've got you covered. You can set up the User Portal for deployment and user self-service.

The Azure Multi-Factor Authentication Server can be configured with various authentication methods, including Active Directory Federation Service, which allows for seamless integration with AD FS.

If you're using RADIUS, you can set up the Azure MFA Server to work with it, and even configure it with IIS Authentication for added security.

You can also use Windows Authentication or LDAP Authentication, depending on your organization's needs. And if you're working with Remote Desktop Gateway, you can set up the Azure MFA Server to use RADIUS for authentication.

Syncing with Windows Server Active Directory is also an option, allowing for easy synchronization between Active Directory and the Azure MFA Server. This can be done using the Azure MFA Server Mobile App Web Service.


Migrating Options

You have a few options to consider when migrating away from Azure MFA Server. Microsoft is pushing customers to adopt the cloud-based Microsoft Entra Multi-factor Authentication product.

Microsoft Entra MFA lacks several key benefits that organizations relied on with the on-premises Azure MFA Server. This could be a deal-breaker for some organizations.

Whichever replacement you choose, you need to migrate off Azure MFA Server before the September 30 deadline to ensure uninterrupted authentications at your organization.

Considering migrating to Microsoft Entra MFA means weighing the pros and cons of this cloud-based solution.


Download and Next Steps

You've successfully set up your Azure MFA Server, and now it's time to take the next steps.

To download the Azure MFA Server, navigate to the Microsoft Azure portal and select your subscription. From there, you can download the installation package for your Azure MFA Server.

Next, follow the installation instructions to set up your Azure MFA Server, which includes configuring the server and setting up authentication methods.

Download the Server

To download the Azure Multi-Factor Authentication server, you have two options.

You can manage the Multi-Factor Auth Provider directly, or via the service settings. The second option requires either a Multi-Factor Auth Provider or an Azure AD Premium license.

Each MFA server must be able to communicate on port 443 outbound to the following.

You can download the Azure Multi-Factor Authentication server from the Azure portal by following these steps:

  1. Sign in to the Azure Portal as an Administrator.
  2. On the left, select Active Directory.
  3. On the Active Directory page, at the top, click Multi-Factor Auth Providers.
  4. At the bottom, click Manage.
  5. This opens a new page. Click Downloads.
  6. Above Generate Activation Credentials, click Download.
  7. Save the download.

Next Steps

Now that you've downloaded the necessary tools, it's time to set up the User portal for user self-service. This will allow your users to manage their own accounts and access the resources they need.

To get started, you'll need to set up the Azure Multi-Factor Authentication Server with Active Directory Federation Service, RADIUS Authentication, or Lightweight Directory Access Protocol (LDAP) Authentication. This will add an extra layer of security to your system.

Here are the next steps in more detail:

  • Set up and configure the User portal for user self-service.
  • Set up and configure the Azure Multi-Factor Authentication Server with Active Directory Federation Service, RADIUS Authentication, or Lightweight Directory Access Protocol (LDAP) Authentication.
  • Set up and configure Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS.
  • Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service.
  • Advanced scenarios with Azure multifactor authentication and third-party VPNs.

By following these steps, you'll be able to create a secure and user-friendly system that meets your organization's needs.

Handling User Data


Your user data is stored in your on-premises servers, not in the cloud. This means that even when you use the Azure Multi-Factor Authentication Server, your sensitive information remains secure within your own servers.

The Azure Multi-Factor Authentication Server sends data to the Microsoft Entra multifactor authentication cloud service to perform verification, but only the necessary fields are sent. These fields are used for authentication/usage reports and can be enabled or disabled within the Multi-Factor Authentication Server.

Some of the fields sent to the cloud service include the user's unique ID, first and last name, email address, phone number, device token, authentication mode, and authentication result.

Here are the specific fields sent to the cloud service:

  • Unique ID - either username or internal MFA server ID
  • First and last name (optional)
  • Email address (optional)
  • Phone number - when doing a voice call or SMS authentication
  • Device token - when doing mobile app authentication
  • Authentication mode
  • Authentication result
  • MFA Server name
  • MFA Server IP
  • Client IP - if available

In addition to these fields, the verification result and reason for any denials are also stored with the authentication data and available through the authentication/usage reports.

Frequently Asked Questions

How to install Azure MFA server?

To install Azure MFA server, sign in as a Global Administrator and download the installer from the Protection > Multifactor authentication > Server settings page in the Microsoft Entra admin center. Follow the instructions on the download page to complete the installation process.

Will Azure Multifactor authentication server be retired?

Yes. Azure Multi-Factor Authentication Server will be retired and will no longer service MFA requests after September 30, 2024. This may cause authentication failures for your organization, so plan for a replacement solution.

What is a MFA server?

An MFA (Multi-Factor Authentication) server is a secure on-premises solution that adds an extra layer of protection to applications and services by requiring multiple forms of verification. It's commonly used to safeguard VPNs, Remote Desktop Services, and other network access points.

Does Azure MFA work with on premise?

Yes, Azure MFA works with on-premises resources, providing a unified authentication experience. This means users can access both on-premises and cloud resources with a single, seamless authentication process.
