KnowledgeBase: Users in Azure Multi-Factor Authentication Server 6.3.x and up cannot select One-Way OTP or PIN options in the User Portal

Microsoft’s on-premises Azure Multi-Factor Authentication Server is a rapidly evolving product for all your multi-factor authentication needs.

In recent versions, Microsoft has added numerous features in the product that was originally developed by the acquired PhoneFactor company. One such feature is the one-way SMS authentication method, as an alternative to the two-way SMS method. Microsoft introduced this feature in version 6.3.

 

Changing the method in the User Portal

Even though this feature is available in version 6.3.0 and up, users and admins cannot select the authentication method this granularly in the web-based Azure Multi-Factor Authentication User Portal:

Screenshot: Changing the authentication method in the Azure Multi-Factor Authentication User Portal

There is a pull-down list with authentication methods, but these merely mention PhoneCall, Text message and the like. There is no way to select one-way or two-way…

Instead, Azure Multi-Factor Authentication uses the default value that was active in the Company Settings at the time the user was provisioned in the Azure Multi-Factor Authentication database.

But, back when users were provisioned (for instance using Active Directory sync), one-way SMS may not have been available.

Now, when an organization is switching to one-way text messages as the default text message authentication method, because of reasons listed here, you’re in a bit of a pickle: colleagues won’t be able to switch and helpdesk personnel using the User Portal won’t be able to be of much assistance.

 

Changing the default method granularly

Luckily, you can switch the entire organization in one fell swoop.
Let’s use One-Way OTP for text messages as an example.

Perform these steps:

  • Log on to the server running the Multi-Factor Authentication Server with administrative privileges.
  • Open the Multi-Factor Authentication Server Management console by searching for it on the Start Screen.
  • In the left pane, click Company Settings.
  • In the User defaults section, do not select the radio option in front of Text message, but do change the value from Two-Way to One-Way.
  • In the left pane, click Users.
  • Click on the Filter User List link if you don’t see the filter options on top of the list of Users in the Azure Multi-Factor Authentication database.
  • In the filter options, click on the field labeled Two-Way. This automatically selects the option to filter on Text message only, which is what you want.
  • Click Filter.
  • You now have a list of Users that have Two-Way OTP as a possible authentication method.

Note:
These users may or may not have it selected as their authentication method.

  • Select one of the users and then press Ctrl + A to select them all.
  • Click Edit…

Screenshot: Edit users in Azure Multi-Factor Authentication Server to change their text message to One-Way OTP

  • In the screen with options for the selection of users, change Two-Way to One-Way, again without clicking the option to the left of Text message.
  • Click OK.

Concluding

It may not be ideal in some scenarios, but changing the authentication method in Azure Multi-Factor Authentication (MFA) Server granularly is only possible in the Multi-Factor Authentication Server Management Interface.
