Azure Multi-Factor Authentication Methods per Supported Protocol


Recently, I’ve been involved in some larger on-premises Azure Multi-Factor Authentication (MFA) Server projects as a senior engineer with a couple of demanding customers. It’s been a lot of fun and quite the roller coaster ride.

One of the things I noticed while consulting on Microsoft’s Azure Multi-Factor Authentication Server is that its marketing department is doing a really great job of positioning the product as the all-in-one solution for all multi-factor authentication needs a Microsoft technology-oriented organization might have.

The truth is that the product is not there, yet.

The table below states the authentication methods possible per supported protocol with the on-premises Multi-Factor Authentication Server, based on version

Azure MFA for WS-Federation, WS-Trust, SAML 2.0, OAuth 2.0, LDAP, RADIUS and IIS through Phone Call, Phone Call + PIN, One-way SMS, Two-way SMS, Mobile App and OTPs.

1 If the RADIUS client supports entering an OTP together with the password in the password field, this authentication method is supported.

Additionally, please note that, currently, the only way to enable multi-factor authentication for Windows-integrated or Forms-based authentication for web apps is to install the Azure Multi-Factor Authentication Server product onto a server running Internet Information Services (IIS). The IIS Module is not a separately installable module, like the AD FS adapter is. Also, you can enforce multi-factor authentication on other types of web servers (Apache, NGINX, etc.) using Application Request Routing (ARR) on the server running IIS and the Azure Multi-Factor Authentication Server.

Related blogposts

Azure Multi-Factor Authentication Server version for your convenience 
Choosing the right Azure MFA authentication methods 

Further reading

Azure Multi-Factor Authentication – Part 1: Introduction and licensing
Azure Multi-Factor Authentication – Part 2: Components and traffic flows
Azure Multi-Factor Authentication – Part 3: Configuring the service and server
Azure Multi-Factor Authentication – Part 4: Portals
Azure Multi-Factor Authentication – Part 5: Settings
Azure Multi-Factor Authentication – Part 6: Onboarding
Azure Multi-Factor Authentication – Part 7: Securing AD FS
Azure Multi-Factor Authentication – Part 8: Delegating Administration


I’m an organizer of Ngi-NGN’s Windows 10 and Windows Server 2016 event

Regular readers know I’ve been associated with the Dutch Networking User Group (Ngi-NGN) for almost seven years now. I’ve been speaking at their events, been a regular at their planning meetings and have helped others achieve the same goal as their Speaker Coach in the past.


About Ngi-NGN

Ngi-NGN is the organization that was created when the Dutch Networking User Group and Ngi merged into the independent Platform for Dutch IT Professionals and IT Managers. It offers its members the means to keep up with market trends, to deepen knowledge and to maintain a professional network.

Over the last months, a couple of people associated with Ngi-NGN have been planning a Microsoft Windows 10 and Microsoft Windows Server 2016 event for this autumn. Jeff Wouters, Erwin Derksen, Alex Warmerdam, Tom Dalderup, Raymond Comvalius and I were the people involved in these meetings and we’ve come up with a nice approach to the more traditional IT events you might experience in the Netherlands.


Ngi-NGNs Windows-as-a-Service Event

On Thursday October 27 2016, Ngi-NGN organizes an event that will bring its attendees up to date with Microsoft Windows 10 Anniversary Update, Microsoft Windows Server 2016 and Microsoft Azure and how their technologies can help organizations.

The keynote is planned for 10:55 AM, instead of 9 AM, because the first change every event brings to the agenda is to start later to allow for traffic delays. By starting later, we already account for that. Now, I’m sure attendees will love to be there on time, because the keynote features Ancilla van de Leest, talking about the politics of privacy as the front runner of the Dutch Pirate Party, but also a former Playboy model. ;-)

After the keynote, attendees can get up to date in three different tracks. This is nothing special, but the sessions in the tracks offer independent technical information from the field, right next to information from Microsoft engineers and information from business consultants.

The closing keynote features a panel discussion with a new innovative way to get your questions answered. Of course, this method ensures the privacy of the attendees…

After that we’re having dinner. Not just a speakers dinner, like you’d see with other events, but a dinner for every attendee who chooses to join it. Of course, we’re not serving fast food. Since we chose the Postillion Hotel (Dutch) as our location, we’re getting served good healthy food.

Because of the dinner, attendees will drive home after the usual traffic jams, profiting again from an organization that just gets it.


My presentation

I’ll be delivering a 40-minute session on licensing in the business track.
I’ll specifically focus on recent changes in Microsoft Volume Licensing, the choices Microsoft Volume Licensing has to offer and how these choices enable or disable organizations reaching their day-to-day, but also strategic goals.

Now, you might think that I’ll present a session that is out of my comfort zone, but that’s not entirely true. In recent years I have passed Microsoft’s exams on licensing (70-671 and 70-672) and have helped many organizations make choices in licensing that have helped them.


Sign up for the Windows-as-a-Service event! (Dutch)
When you sign up, you can bring someone along for free.


KnowledgeBase: Active Directory Domain Services Configuration Wizard shows ‘Windows Server Technical Preview’ functional levels

Last week, Microsoft officially released Windows Server 2016, its ‘latest and greatest’ Server Operating System for use as hypervisor, just enough server, management server and, of course, Azure IaaS-based Virtual Machines (VMs).


The situation

Windows Server 2016 was announced Release to Manufacturers (RTM) during the Keynote of Microsoft’s Ignite event on September 26, 2016, but wasn’t generally available (GA) for large groups of people before Wednesday October 12, 2016.

Before RTM, Microsoft offered Technical Preview versions of Windows Server to anyone who wanted to test the Operating System and/or its features. Technical Preview 5 (TP5) was the last Technical Preview version, released in April 2016.


The issue

When you have gained early access to the Windows Server 2016 RTM build (build 6.3.14393), configure the Active Directory Domain Services (AD DS) role (and accompanying features) and then run the Active Directory Domain Services Configuration Wizard to make it a Domain Controller, you are confronted with ‘Windows Server Technical Preview’ values for both the Domain Functional Level (DFL) and Forest Functional Level (FFL) when you create a new Active Directory Forest.

The Active Directory Domain Services Configuration Wizard showing 'Windows Server Technical Preview' as values for the Domain Functional Level and Forest Functional Level (screenshot by Nick van Vuren)


The cause

The mislabeling of the Domain Functional Level (DFL) and Forest Functional Level (FFL) in the Active Directory Domain Services Configuration Wizard is a purely graphical issue in the Wizard, caused by the absence of the first updates for Windows Server 2016.

This issue does not affect any other functionality, since the Get-ADDomain Windows PowerShell cmdlet returns Windows2016Domain as the value for an Active Directory domain configured with the Windows Server Technical Preview Domain Functional Level (DFL).


The solution

To avoid encountering ‘Windows Server Technical Preview’ values for the Domain Functional Level (DFL) and Forest Functional Level (FFL), install KB3194789, as confirmed by Ned Pyle.

Alternatively, you can ignore the mislabeling of the functional levels in the Active Directory Domain Services Configuration Wizard, but I think we can agree that it is a recommended practice to apply available updates to Windows Server installations before installing a role, and after installing a role.


I’ll be presenting at Microsoft Sinergija 16

I received a message from Microsoft Serbia on an opportunity to speak at its yearly Sinergija event at the Crowne Plaza hotel and conference center in Belgrade on October 17th and October 18th 2016: an event, a Microsoft subsidiary and a country with an extensive legacy and rich heritage.

Readers of my blog in this region will be happy to know that I’ll be able to provide two learning opportunities on Windows, Windows Server, Active Directory and Azure during this event.

Microsoft Sinergija 16: Integrated destination

Azure Active Directory Join for Windows 10 Bring-Your-Own Scenarios

Monday October 17, 2016 4:10PM – 5:10PM Adriatic

Windows 10 brings a huge flow of continuous change to the paradigm of joining devices to a trusted environment. How does the virtualization of the join change the security thoughts that we got so used to over the past decade? What happens to single sign-on and management of the workplace? Where are the new boundaries of the virtualized territory? How did Windows 10 turn the tables?

You’ll be surprised by the new opportunities!

Join this session to learn about the new features that Windows 10 and Azure bring to your Bring-Your-Own, Choose-Your-Own, yet Manage-all processes.

Virtualizing Highly-Sensitive Domain Controllers on Hyper-V and Azure

Tuesday October 18, 2016 1:40PM – 2:40PM Aegean

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization?

This session shares the best practices from the field for hardening, backing up, restoring and managing virtualized Domain Controllers on Hyper-V, on Azure Stack and in Azure Infrastructure-as-a-Service VMs.

The information in this session is based on the latest version of Azure and Windows Server 2016, but I will also show how the functionality of Windows Server 2012 and Windows Server 2012 R2 already allow for risk mitigation and availability, too, so you don’t have to upgrade everything immediately, if you can’t.


Register for Microsoft Sinergija 2016.


See you there? :-)


Pictures of TechDays Netherlands 2016


Previously, I was invited by Microsoft Netherlands as a Subject Matter Expert (SME) at the Dutch TechDays event. To this purpose, I traveled to the Amsterdam RAI and enjoyed a full day with fellow Microsoft Most Valuable Professionals (MVPs), attendees and former colleagues.

I arrived early, but not as early as Jurgen van den Broek, who shot the below picture featuring Amsterdam RAI Entrance G with TechDays’ Welcome Banner:

Amsterdam RAI Entrance G (Picture by Jurgen v d Broek)

As I made my way to the Expert Lounge, I was greeted by several people, welcoming me to the event. Upstairs, I met with James van den Berg, Robert Smit and Marnix Wolf, who gave it their best as experts for another day of TechDays.

TechDays Expert Lounge (picture by James v d Berg)

While I was there, Roland Guijt came up to me with the wonderful news that he joined the MVP program as a Visual Studio MVP! We answered questions from attendees, and even found some time to sneak into a session by fellow Enterprise Mobility MVP John Craddock, filling in for Paula Januszkiewicz:

Slide from John's deck for people expecting Paula
In John's session (Picture by Marnix Wolf)

After that session I enjoyed the wrap up drinks and waited outside for the crew to have dinner with.

TechDays Wrap Up Party (picture by Joost v Schaik)
A cloudy day at the Amsterdam RAI
Amsterdam RAI in all its glory

We sat down at Buffalo Grill to have some wonderful steaks, accompanied by great conversations.

Having dinner with John Craddock and former OGD colleagues

Great fun! :-)


Security Thoughts: Azure Active Directory Passport Library for Node.js is vulnerable to authentication bypass (CVE-2016-7191)

Last night, we received a notification that some older versions of the Azure Active Directory Passport Library for Node.js (Passport-Azure-AD) are vulnerable to authentication bypass, because the ValidateIssuer setting wasn’t recognized, resulting in tokens being validated incorrectly.

An attacker who successfully exploits this vulnerability could bypass Azure Active Directory authentication to a targeted host web application. To exploit this vulnerability, an attacker would have to send a specially crafted token to the target web application that contains a valid user’s identity claims. This update addresses the vulnerability by correcting how identity tokens are validated when Passport strategies take advantage of Azure Active Directory.


About the Azure Active Directory Passport Library for Node.js

Passport-Azure-AD for Node.js is a collection of Passport strategies, provided on GitHub by (mostly) Microsoft employees, that help organizations integrate Node.js applications with Azure Active Directory. It includes OpenID Connect, WS-Federation, and SAML-P authentication and authorization.

These providers let you use the many features of Passport-Azure-AD for Node.js, including web single sign-on (WebSSO), Endpoint Protection with OAuth, and JWT token issuance and validation.


Affected versions

The vulnerability exists in web applications that use outdated versions of the Passport-Azure-AD for Node.js library. The following versions of the Azure Active Directory Passport Library for Node.js (Passport-Azure-AD) are vulnerable:

  • Passport-Azure-AD v1.0
  • Passport-Azure-AD v1.4.5
  • Passport-Azure-AD v2.0

This vulnerability only affects web applications that use the Passport-Azure-AD for Node.js library to take advantage of Azure Active Directory for authentication.

Standard Azure AD authentication that does not use the Passport-Azure-AD for Node.js library is not vulnerable.


Call to Action

You are strongly advised to update the Azure Active Directory Passport Library in your Node.js project(s) to one of the following versions:

  • Passport-Azure-AD v1.4.6
  • Passport-Azure-AD v2.0.1

You can download these libraries here.
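
To find out which of your projects need this update, the following is an added example, not part of the original post or of the Passport-Azure-AD project: it scans a parsed package-lock.json for installed copies of passport-azure-ad and flags any that predate the fixed releases listed above (1.4.6 and 2.0.1). The lock-file contents and the example-sso-helper package are constructed; treating every earlier 1.x and 2.x release as affected, and 3.x and later as fixed, is an assumption.

```javascript
// Added example: audit a package-lock.json for passport-azure-ad releases
// that predate the fixes for CVE-2016-7191 named in the post.
const PACKAGE = "passport-azure-ad";
// major version -> first fixed release on that line (from the post)
const FIXED = { 1: [1, 4, 6], 2: [2, 0, 1] };

// Parse "1.4.5" or "v2.0" into [major, minor, patch]; missing parts count as 0.
// Pre-release or otherwise decorated versions return null (needs manual review).
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$/.exec(String(text).trim());
  if (!m || m[4] !== "") return null;
  return [m[1], m[2], m[3]].map((p) => (p === undefined ? 0 : Number(p)));
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "vulnerable", "fixed" or "unknown".
function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unknown";
  const fixed = FIXED[v[0]];
  // Assumption: release lines after 2.x already contain the fix.
  if (!fixed) return v[0] > 2 ? "fixed" : "unknown";
  return compare(v, fixed) < 0 ? "vulnerable" : "fixed";
}

// Collect every installed copy, including copies pulled in by other packages.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findInstalls(lock, name = PACKAGE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = `${trail}/${dep}`;
      if (dep === name) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  // lockfileVersion 2 carries both sections; only walk the legacy one if needed.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

function audit(lock) {
  return findInstalls(lock).map((hit) => ({ ...hit, status: classify(hit.version) }));
}

// Constructed sample data: a v1 lock file with a direct and a transitive copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "passport-azure-ad": { version: "1.4.5" },
    "example-sso-helper": {
      version: "0.3.0",
      dependencies: { "passport-azure-ad": { version: "2.0.1" } },
    },
  },
};

// Constructed sample data: a v3 lock file with one copy.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "passport-azure-ad": "^2.0.0" } },
    "node_modules/passport-azure-ad": { version: "2.0.0" },
    "node_modules/passport": { version: "0.3.2" },
  },
};

for (const row of [...audit(SAMPLE_LOCK_V1), ...audit(SAMPLE_LOCK_V3)]) {
  console.log(`${row.status.padEnd(10)} ${row.version.padEnd(8)} ${row.path}`);
}
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `audit` and fail the build on any `vulnerable` or `unknown` row.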


Related knowledgebase articles

3187742 Security update for the Passport-Azure-AD for Node.js library 

Further Reading

Security vulnerability details for passport-azure-ad <1.4.6, 2.0.0 
Microsoft Azure Active Directory Passport CVE-2016-7191 Authentication Bypass Vulnerability


Why Lifecycle Management can’t be a mere afterthought anymore

The world we live in has changed significantly over the past few years. We can no longer afford to use our traditional approach to IT. We need to adopt a new way of thinking. In my opinion, this way of thinking doesn’t end with maintenance, but starts with lifecycle management.


The traditional approach

Enterprises and companies of all sizes that I have worked with have traditionally thought in projects. Projects that serve a goal, are planned and have a clear beginning and end. This was all fun and games in a world where IT meant we had to buy physical server capacity, purchase licenses, implement the stuff and then write everything off over a period of, traditionally, four to seven years.

After this period of time, the solution would have served its goal (whether it be supporting some process or making loads of money in return) and would then be decommissioned, migrated or replaced. In the meantime it needed some maintenance: updates and upgrades to the Operating System or other software, monitoring, auditing, back-ups, etc.


The world has changed

When I first started in the industry, I chose to accept the challenge to design stuff for a long(er) period of time, and keep maintenance as small as possible. Former colleagues will tell me I managed the challenge pretty well. I actually replaced several iterations of functionality at some customers over the years.

However, the world has changed…

Virtualization has made it easier to allocate compute, storage and networking. Upfront capacity planning is fast becoming a thing of the past. Need more? Allocate more. Need even more? Add a host to the virtualization platform and place the resource hogs on the newest hosts. High Availability is easily achieved through the hypervisor for any resource you’d want. P2V is a process to get resources onto the virtualization platform without downtime, in most cases.

SCRUM, DevOps and other agile development techniques (used by both IT developers and IT Pros) have propagated the Minimum Viable Product and Minimum Viable Service. Getting functionality displayed fast and iterating to gain a more solid solution also has its downside. Technical Debt is just around the corner and I see cloud providers turning the tables on their customers by eliminating serious debt by completely changing the API(s). The virtue of starting over?

The more recent cloud initiatives offer even more flexibility through their Pay as you Go mantra and turnkey magic. The cloud has also made it clear to many organizations adopting it that there is a distinction between making a solution available and getting the most out of a solution. Departments responsible for the former have seen their responsibilities dwindle. Departments responsible for the latter have seen their work expand from on-premises to the cloud.

… and the world is changing ever faster.


Where are we now?

Many organizations are adopting clouds. Many of them are implementing a hybrid scenario where on-premises resources, systems, platforms, applications and services interact with cloud-based resources, applications and services, in tandem.

In the ‘trust, but verify’ way of thinking, displayed with choosing this scenario (over completely cloud-based), some typical IT processes are discarded from the responsibility set of the organization, like Vulnerability Management (VM) of the cloud components, and others are becoming essential responsibilities, like Security Incident and Event Management (SIEM) and Technical State Compliance Monitoring (TSCM).


The irony

While the cloud gives organizations flexibility and agility, in these hybrid constellations organizations have to keep up with the cloud provider(s).

I feel Microsoft deserves a compliment for the way they allow their customers to postpone upgrades to their cloud resources (like the year organizations could defer the upgrade from BPOS to Office 365) and provide support for on-premises technology that is considered ‘old’ in cloud years (I believe cloud years are like dog and cat years) to give organizations the ability to plan for upgrades, like DirSync with its support ending in April 2017.

Azure AD Connect Lifecycle Management on a typical Agile Backlog

It’s not always easy to convey this message to organizations using ‘the traditional approach’, but most of them get it, eventually.


A new approach

Taking Security Incident and Event Management (SIEM) and Technical State Compliance Monitoring (TSCM) as perfect examples, the split between traditional thinking and cloud thinking becomes even more evident. Development of solutions using agile technologies, without starting with the end in sight, inherently produces technical debt. Without sufficient development velocity, the cloud component of the solution changes faster than the on-premises component is able to align, never taking off beyond minimum viable. Terms like continuous integration come to mind.

We have to face that we can’t create solutions for years to come, anymore. With Technical State Compliance Monitoring (TSCM) in mind, every change in the Technical State (whether it’s in a cloud or on-premises component) needs to trigger a design reevaluation, change management processes, an n state and n+1 state and the automation scripts to actually make the change, audited using SIEM.

Yes, that means I think we need to go back to the drawing board for every large change. And yes, I think this is something that is more intricate than mere maintenance, because the world is changing faster. Maintenance is something organizations do to keep things working in a world that doesn’t change (much).

I feel we can only achieve this when we begin with Lifecycle Management (LCM) as the first step of everything we do as IT Pros.


I’m an expert at the Dutch 2016 TechDays

TechDays 2016

Ever since I delivered a session at the Dutch 2011 TechDays with Marien de Gelder, I’ve been a regular at the Dutch TechDays events, hosted by Microsoft Netherlands’ DX team. Some TechDays editions I was invited as a speaker, other years I was asked to deliver hands-on advice to attendees as a subject matter expert (SME) or sit in on Ask the Experts sessions.


About TechDays Netherlands

TechDays is an international series of Microsoft events, hosted by Microsoft subsidiaries around the world. Microsoft Netherlands, just like last year, has decided to make the event a 2-day event, filled with both IT Professionals and Developers content. However, the focus has become more developer-oriented this year.

Microsoft Netherlands has arranged for several highly rated national and international speakers, like John Craddock, Paula Januszkiewicz, David Chappell and Corey Sanders.


Ask the Experts

Just like many of the Dutch Microsoft Most Valuable Professionals (MVPs), you’ll find me at the Ask the Experts booth at TechDays on October 5th.

If you have any questions on integrating modern authentication in your app, want to discuss Agile, SCRUM and/or DevOps or would just like to hang out with me, please don’t hesitate to approach me.

I won’t bite. ;-)



Unlike Microsoft Ignite, the Dutch TechDays still have tickets available.
Register here to be part of this event and learn to achieve more.


Further reading

I’ll be hosting three ‘Ask me Anything’ sessions at TechDays Netherlands 2015 
I’m speaking at the Dutch 2014 TechDays


Azure AD Connect version has been released

Last week, Microsoft released a new version of Azure AD Connect for all your on-premises Active Directory Domain Services and LDAP v3 to Azure Active Directory, and thus Office 365, synchronization needs.

Version of Azure AD Connect, dubbed the August 2016 release, adds fixes and improvements.

Fixed issues

This version introduces fixes for the following issues:

  • Changes to the synchronization interval do not take place until after the next synchronization cycle completes.
  • The Azure AD Connect wizard does not accept an Azure AD account whose username starts with an underscore (_).
  • The Azure AD Connect wizard fails to authenticate the Azure AD account provided, if the account’s password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned in this case.
  • Uninstalling a Staging Mode server disables password synchronization in the Azure AD tenant and causes password synchronization to fail with the active server.
  • Password synchronization fails in uncommon cases when there is no password hash stored on the user.
  • When an Azure AD Connect server is enabled for Staging Mode, the Password Write-back functionality is not temporarily disabled.
  • The Azure AD Connect wizard does not show the actual password synchronization and password write-back configuration, when the server is in Staging Mode. It always shows them as disabled.
  • Configuration changes to password synchronization and password write-back are not persisted by the Azure AD Connect wizard, when the server is in Staging Mode.


This version introduces the following improvements:

  • The Start-ADSyncSyncCycle Windows PowerShell Cmdlet has been updated to indicate whether it is able to successfully start a new sync cycle or not.
  • The Stop-ADSyncSyncCycle Windows PowerShell Cmdlet has been introduced with this version to terminate sync cycles and operations which are currently in progress.
  • The Stop-ADSyncScheduler Windows PowerShell Cmdlet has been updated to terminate sync cycles and operations which are currently in progress.
  • When configuring Directory Extensions in the Azure AD Connect wizard, on-premises Active Directory attributes of type "Teletex string" can now be selected.

Version information

This is version of Azure AD Connect.

Download information

You can download Azure AD Connect here.
The download weighs 74,6 MB.


If the Automatic Updating functionality hasn’t already upgraded your Azure AD Connect installation to version, you can download and install this version of Azure AD Connect using the link above.


Azure Multi-Factor Authentication Server version for your convenience

This week, Microsoft released version of its on-premises Azure Multi-Factor Authentication Server to replace the revoked Azure Multi-Factor Authentication Server v7.1.1.1 bits, due to a signing issue in the Azure Multi-Factor Authentication User Portal, that resulted in problems with some Azure Multi-Factor Authentication Server deployments.


What’s New

Allow users to choose their authentication method during user portal sign-in

After the success of the change in the Azure Multi-Factor Authentication (MFA) Adapter for Active Directory Federation Services (AD FS) that allowed users to choose their authentication method when authenticating to AD FS-connected resources, the User Portal website now also supports this feature.

This allows users to change their additional authentication method(s) in case of a lost or replaced device and/or unavailability of network connectivity. It gives users the flexibility to handle these kinds of situations.

Added support for Application Name for AD FS adapter

When you install the Azure Multi-Factor Authentication (MFA) Adapter for Active Directory Federation Services (AD FS), it will register itself with the default name of “Azure Multi-Factor Authentication”. You can now change this.

Added size limit checks to LDAP Import and AD Sync

Azure Multi-Factor Authentication Server utilizes its own phonefactor.pfdata database to store its information in. You can sync user definitions into this database using LDAP and Active Directory synchronization. Now, size limit checks have been added to these import activities.

Added Page Time Limit configuration to LDAP

Next to the default query size limit (10000) for LDAP, and the above size limit, an additional time limit can be configured under Use specific LDAP configuration on the Settings tab for Directory Integration.

Edit LDAP Configuration for Directory Integration in the MFA Server Management UI

The value for Page time limit specifies the number of seconds to wait for each page to be returned from the LDAP directory. The default value is 2 seconds.

Fixed several bugs

All software has bugs. In version a couple of bugs were fixed, including a bug that prevented 32-bit Internet Information Services (IIS)-based web applications from working. In version the bug was fixed with the signing of the User Portal.



Version of the on-premises Azure Multi-Factor Authentication (MFA) Server can be downloaded via the old-fashioned Azure Management Portal or straight from the MFA Management Portal:

  1. Log on to the Azure Portal.
  2. In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
  3. In the main pane, select the default directory.
  4. Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
  5. Click the Multi-Factor Authentication Provider that you’ve configured for your organization and is marked as Active in the STATUS column.
  6. Click MANAGE in the bottom pane on the general settings for the Multi-Factor Authentication Provider.
  7. This will redirect you to your tenant view of the PhoneFactor Portal.
  8. In the main pane of the portal click on the Downloads header.
  9. Click the Download link below the list of supported platforms.

Save MultiFactorAuthenticationServerSetup.exe to a network location where you can use it from each of the Windows Servers that have Azure Multi-Factor Authentication installed.



Version of Azure MFA Server provides new functionality, but also deprecates some other functionality. As an organization contemplating, evaluating or using Azure MFA Server, the impact of the deprecated features might cause you to stick with a previous version or even an alternative technology.

Related blogposts

Azure Multi-Factor Authentication Server version is here  
Azure Multi-Factor Authentication Server reaches version
Knowledgebase: You receive a “Web Service Requests must be protected by authentication” error when activating a Multi-Factor Auth app
KnowledgeBase: Users in Azure Multi-Factor Authentication Server 6.3.x and up can not select One-Way OTP or PIN options in the User Portal
KnowledgeBase: Azure MFA Portal shows error “Error communicating with the local Multi-Factor Authentication service. Please contact your administrator.”
Choosing the right Azure MFA authentication methods
