After helping clients implement Azure Multi-Factor Authentication (MFA), the on-premises Azure Multi-Factor Authentication (MFA) Server and the MFA AD FS Adapters, and after sharing implementation and troubleshooting information on version 6.3.1, it is time to take a look at version 7.0 of the Azure Multi-Factor Authentication (MFA) Server, released by Microsoft on March 26.
According to the release notes, version 7.0.0 of the on-premises Azure Multi-Factor Authentication (MFA) Server brings these changes:
- Azure Multi-Factor Authentication (MFA) Server was upgraded to use .NET Framework 4.0 instead of .NET Framework 2.0.
- The Azure MFA Active Directory Federation Services (AD FS) Adapter now displays a list of MFA methods to choose from based on 1) options configured under the Allow users to select method checkbox and 2) the information registered by the user.
This allows users to choose a preferred authentication method each time they sign in. Alternatively, the adapter can perform the user's default MFA method immediately and display the list of options only if the user doesn't respond.
Colleagues connecting from Windows Phone devices whose default method is Mobile App will always see the list of options without Mobile App, due to a known issue where the app being accessed loses state when switching over to the authenticator app, resulting in a failed authentication after multi-factor authentication completes.
- Other minor bug fixes and security improvements.
- Windows Authentication for Terminal Services is still not supported for Windows Server 2012 R2.
- All other features and components are backwards-compatible with all previous versions.
Version 7.0.0 of the on-premises Azure Multi-Factor Authentication (MFA) Server can be downloaded via the old-fashioned Azure Management Portal or straight from the MFA Management Portal:
- Log on to the Azure Portal.
- In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
- In the main pane, select the default directory.
- Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
- Click the Multi-Factor Authentication Provider that you’ve configured for your organization and is marked as Active in the STATUS column.
- Click MANAGE in the bottom pane on the general settings for the Multi-Factor Authentication Provider.
- This will redirect you to your tenant view of the PhoneFactor Portal.
- In the main pane of the portal click on the Downloads header.
- Click the Download link below the list of supported platforms.
Save MultiFactorAuthenticationServerSetup.exe to a network location where you can use it from each of the Windows Servers that have Azure Multi-Factor Authentication installed.
Also, make sure you have update 2919355 (Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update: April 2014) installed on the Windows Servers running Azure Multi-Factor Authentication (MFA) Server. If not, download it to the same location and run it before running the Azure Multi-Factor Authentication (MFA) Server setup. You will be prompted for this update every time you run the Azure Multi-Factor Authentication (MFA) Server setup file until it is installed.
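As an added pre-flight check (example code, not from the original post), the following PowerShell, run on each server that hosts Azure MFA Server, verifies the prerequisites named above before setup is started: the April 2014 update rollup (KB2919355), a .NET Framework 4.x installation (version 7.0 targets .NET 4.0 instead of 2.0), and that the saved setup file is reachable. The share path is a placeholder.

```powershell
# Added pre-flight check for the MFA Server 7.0 upgrade (example, not from the original post).
# $SetupShare is a placeholder: point it at the network location where you saved the setup file.
$SetupShare = '\\FILESERVER\MFA'

function Test-MfaServerUpgradeReadiness {
    param([string]$SetupPath = $SetupShare)

    # KB2919355: the Windows RT 8.1 / Windows 8.1 / Windows Server 2012 R2 April 2014 update
    # that the version 7.0 setup prompts for on every run until it is present.
    $kb = Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue

    # .NET Framework 4.x: version 7.0 was rebuilt against .NET 4.0 instead of 2.0.
    # The NDP\v4\Full key only exists when a 4.x full framework is installed.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -ErrorAction SilentlyContinue

    # The setup file itself, saved to a location every MFA Server can reach.
    $setupExe = Join-Path -Path $SetupPath -ChildPath 'MultiFactorAuthenticationServerSetup.exe'

    $checks = [ordered]@{
        KB2919355Installed = [bool]$kb
        DotNet4Version     = $(if ($ndp) { $ndp.Version } else { 'not installed' })
        SetupFilePresent   = Test-Path -Path $setupExe
    }
    # Only start the in-place upgrade when all three prerequisites are satisfied.
    $checks.ReadyToUpgrade = $checks.KB2919355Installed -and [bool]$ndp -and $checks.SetupFilePresent

    [pscustomobject]$checks
}

Test-MfaServerUpgradeReadiness | Format-List
```

Run it from an elevated PowerShell on every MFA Server before the maintenance window; a ReadyToUpgrade value of False tells you which prerequisite to fix first, instead of finding out from the setup prompt.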
How to upgrade
Make a backup first
Before in-place upgrading the Azure Multi-Factor Authentication Server, make sure you have a working backup of the Windows Server installation(s) running Azure Multi-Factor Authentication (MFA) Server components.
Although Microsoft indicates that only the Phonefactor.pfdata file is of importance, since it contains the Azure Multi-Factor Authentication (MFA) database, make sure to back up and document all the other components as well, because it might be hard and time-consuming to re-implement the Windows Server installation(s) running Azure Multi-Factor Authentication (MFA) Server components.
Checking your MFA Server version
To check the version of Azure Multi-Factor Authentication Server click on About Multi-Factor Authentication Server in the Help menu of the Multi-Factor Authentication Server Management Console (multifactorauthui.exe). The About Multi-Factor Authentication Server window will display the logo, copyright information, the version and the account ID.
Alternatively, you can check the version of the Multi-Factor Authentication Server and any services and components in Programs and Features. When logged on with administrative privileges, right-click the Start Button and select Programs and Features from the Admin context menu. Alternatively, you can open the Programs and Features Control Panel applet by running appwiz.cpl.
Checking for updates
You can check for updates by clicking on Check for updates in the Help menu of the Multi-Factor Authentication Server Management Console (multifactorauthui.exe).
When there’s an updated version available, you will see the above Multi-Factor Authentication Server pop-up window notifying you An updated version is available. Click OK to download.
Upgrading Azure MFA Servers in-place
Upgrading multiple Azure MFA Servers
Now, in environments with multiple Azure Multi-Factor Authentication (MFA) Server installations, you’d start with in-place upgrading slave servers. In the Multi-Factor Authentication Server Management console, you can promote a server to master by simply right-clicking it:
In an environment with a single Azure Multi-Factor Authentication (MFA) Server installation, you’ll want to perform the upgrade during a maintenance window.
Upgrading Azure MFA Servers
Install 2919355 Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update: April 2014, if you haven’t already.
Run MultiFactorAuthenticationServerSetup.exe manually. Click OK to acknowledge that you have installed the above update. Click Install to install both the x86 and x64 versions of the Visual C++ 2015 Redistributables. Walk through their setups.
Then, the Multi-Factor Authentication Server Setup will appear:
You’ll be presented with the Select Installation Folder screen of the Multi-Factor Authentication Server installer. The Folder: field will contain the location where you’ve installed the previous version of the on-premises Azure Multi-Factor Authentication Server software. The field and the Browse… button will both be greyed out.
Click Next >.
The previous version of the on-premises Azure Multi-Factor Authentication Server software will be automatically upgraded in-place. This may take a while.
After a successful in-place upgrade, you’ll see the Installation Complete screen.
After installation, the Multi-Factor Authentication Server Management Console is started automatically. When you check the version, it should display the updated version. When you check for updates, it should report No updates available at this time.
Upgrading MFA Services and Portals in-place
After upgrading the Multi-Factor Authentication (MFA) Server, the Multi-Factor Server Management Console appears. It will prompt you to install a new version of the User Portal and then prompt you to install a new version of the Web Service SDK, but not for the Mobile App Web Service…
I recommend not running the installers when prompted from the Multi-Factor Server Management Console, but instead closing the management console and running the installers manually. The preferred sequence is to work from the core outwards, following the traffic flows for Azure Multi-Factor Authentication (MFA) Server:
- Multi-Factor Authentication Web Service SDK
- Multi-Factor Authentication User Portal
- Multi-Factor Authentication Mobile App Web Service
As with installing these components, the setup files for these components can be found in the Azure Multi-Factor Authentication (MFA) Server installation folder which, by default, is C:\Program Files\Multi-Factor Authentication Server\.
The process of in-place upgrading the components is as straight-forward as in-place upgrading the Azure Multi-Factor Authentication (MFA) Server product itself.
Again, you can check the version of Multi-Factor Authentication Server and any services and components in Programs and Features. After you’ve upgraded all components, they should read the same version:
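The version check above can be scripted rather than read off the Programs and Features window. The following PowerShell is an added example (not from the original post): it reads the same uninstall registry data that Programs and Features displays, lists every Multi-Factor Authentication component on the server, and reports whether they all carry the same DisplayVersion, which is what you expect once the Server, Web Service SDK, User Portal and Mobile App Web Service have all been upgraded.

```powershell
# Added version-consistency check (example, not from the original post). Reads the data
# behind Programs and Features and flags a component that was left at the previous version.
function Get-MfaComponentVersion {
    # Both the native and the WOW6432Node uninstall hives are consulted, so that a 32-bit
    # component registered under WOW6432Node is not missed on a 64-bit server.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Multi-Factor Authentication*' } |
        Select-Object -Property DisplayName, DisplayVersion |
        Sort-Object -Property DisplayName
}

function Test-MfaComponentVersionsMatch {
    $components = @(Get-MfaComponentVersion)
    if ($components.Count -eq 0) {
        Write-Warning 'No Multi-Factor Authentication components found on this server.'
        return $false
    }

    # Show the per-component table, then reduce it to the set of distinct versions.
    $components | Format-Table -AutoSize | Out-Host
    $distinct = @($components | Select-Object -ExpandProperty DisplayVersion -Unique)

    if ($distinct.Count -eq 1) {
        Write-Host "All $($components.Count) components report version $($distinct[0])."
        return $true
    }
    Write-Warning "Version mismatch: $($distinct -join ', '). Upgrade the lagging component(s) before moving on to the AD FS Adapters."
    return $false
}

Test-MfaComponentVersionsMatch
```

Run it on every server that hosts MFA Server components after the last installer has finished; a return value of False means one of the web components was skipped, typically because the installer prompt in the management console was dismissed and the manual install forgotten.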
Upgrading MFA AD FS Adapters in-place
After you’ve in-place upgraded the Multi-Factor Authentication Server and its services and portals, you can optionally upgrade any Multi-Factor Authentication Adapters.
When you’ve deployed the Multi-Factor Authentication Active Directory Federation Services (AD FS) Adapter, this is the stage where you’d in-place upgrade it.
Upgrading multiple AD FS Servers
It is a best practice to deploy multiple AD FS Servers for redundancy.
When you have multiple AD FS Servers, divide the AD FS Servers in two groups. Remove AD FS Servers in the first group from the AD FS Farm. Perform the actions listed below. When done, join the updated AD FS Servers back to the farm and remove the AD FS Servers in the second group from the farm. Then, update the AD FS Servers in the second group.
If you have a single AD FS Server, simply perform the steps below.
Upgrading AD FS Servers in-place
If you simply double-click the new Azure Multi-Factor Authentication (MFA) Server Active Directory Federation Services (AD FS) Adapter setup to update it, you'll need to restart the Windows Server installation for the in-place upgrade to succeed.
To update the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) Adapter on an AD FS Server without restarts, perform these steps instead:
- From the installation folder of an in-place upgraded Multi-Factor Authentication Server, copy these four files to a (network) location that is accessible to your Active Directory Federation Services (AD FS) hosts:
In this location, create a separate folder for each version of the AD FS Adapter. In this case, create a folder named 7.0.0 next to the 6.3.1 folder you may already have (or still need to create).
- Edit MultiFactorAuthenticationAdfsAdapter.config in the 7.0.0 folder the same way you edited the configuration file when you first set up the AD FS Adapter: configure the AD FS Adapter to use the Web Service SDK, enter the URL of the Web Service SDK on (one of) your Multi-Factor Authentication Server installation(s), and specify the user account and password of the service account that accesses the Multi-Factor Authentication Web Service SDK.
- Start AD FS Management by searching for it in the Start Menu or selecting it from the Tools menu in Server Manager.
- In the left pane navigate to Authentication Policies and select it.
- From the right task pane select Edit Global Multi-factor Authentication Policies.
- At the bottom of the Multi-factor tab, clear the WindowsAzureMultiFactorAuthentication checkbox in the list of additional authentication methods.
- Click OK to save your changes.
- Close the AD FS Management console.
- Open a PowerShell window with administrative privileges (from the Task bar, for instance) and run Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 from the 6.3.1 folder.
- Restart Active Directory Federation Services by running Restart-Service adfssrv in PowerShell next.
- Run MultiFactorAuthenticationAdfsAdapterSetup64.msi from the 6.3.1 folder and choose the option to remove the Azure Multi-Factor Authentication Server AD FS Adapter.
- Run MultiFactorAuthenticationAdfsAdapterSetup64.msi from the 7.0.0 folder.
- This time choose to install the AD FS Adapter.
- Click Next >.
- Click Finish.
- Run Register-MultiFactorAuthenticationAdfsAdapter.ps1 from the 7.0.0 folder.
- Restart Active Directory Federation Services again by running Restart-Service adfssrv.
- In AD FS Management, on the Multi-factor tab of Authentication Policies, re-enable WindowsAzureMultiFactorAuthentication as an additional authentication method.
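The steps above can be scripted so that each AD FS server is handled identically and the restarts of the adfssrv service happen at exactly the two points where they are needed. The following PowerShell is an added example (not the author's or Microsoft's script): it uses the AD FS cmdlets for the two policy edits done in AD FS Management above, msiexec for the remove and install of the adapter MSI, and the Unregister and Register scripts from the versioned folders. The share path and folder layout are placeholders that follow the layout suggested above; run it on one AD FS server at a time, after that server has been removed from the farm.

```powershell
# Added example of scripting the AD FS Adapter upgrade steps (not from the original post).
# Run in an elevated PowerShell on a single AD FS server that is out of the farm.
# Placeholders: $AdapterShare and its per-version subfolders (6.3.1, 7.0.0).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'   # stop at the first failed step instead of cascading

$AdapterShare = '\\FILESERVER\MFA\AdfsAdapter'   # placeholder
$OldVersion   = '6.3.1'
$NewVersion   = '7.0.0'
$ProviderName = 'WindowsAzureMultiFactorAuthentication'
$MsiName      = 'MultiFactorAuthenticationAdfsAdapterSetup64.msi'

Import-Module ADFS
$oldDir = Join-Path $AdapterShare $OldVersion
$newDir = Join-Path $AdapterShare $NewVersion

function Invoke-Msi {
    # Runs msiexec quietly and throws on a non-zero exit code, so a failed uninstall is
    # never silently followed by the new install. /norestart: the point is no reboot.
    param([ValidateSet('/x', '/i')][string]$Action, [string]$MsiPath)
    $p = Start-Process -FilePath msiexec.exe -ArgumentList @($Action, "`"$MsiPath`"", '/qn', '/norestart') -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "msiexec $Action $MsiPath failed with exit code $($p.ExitCode)" }
}

# 1. Take the MFA provider out of the global additional authentication policy
#    (the same change as clearing the checkbox on the Multi-factor tab in AD FS Management).
$providers = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @($providers | Where-Object { $_ -ne $ProviderName })

# 2. Unregister the old adapter, then restart AD FS so the old assembly is released.
Push-Location $oldDir
& (Join-Path $oldDir 'Unregister-MultiFactorAuthenticationAdfsAdapter.ps1')
Pop-Location
Restart-Service adfssrv

# 3. Remove the old adapter MSI and install the new one, without a restart either way.
Invoke-Msi -Action '/x' -MsiPath (Join-Path $oldDir $MsiName)
Invoke-Msi -Action '/i' -MsiPath (Join-Path $newDir $MsiName)

# 4. Register the new adapter from its own folder, so that any relative reference to the
#    edited MultiFactorAuthenticationAdfsAdapter.config resolves, then restart AD FS again.
Push-Location $newDir
& (Join-Path $newDir 'Register-MultiFactorAuthenticationAdfsAdapter.ps1')
Pop-Location
Restart-Service adfssrv

# 5. Re-enable the MFA provider in the policy and print the resulting provider list.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

Two things to keep in mind: the execution policy of the AD FS server has to allow the Unregister and Register scripts to run from the share, and the final line should again list WindowsAzureMultiFactorAuthentication; if it does not, the Register step failed and the server should not be joined back to the farm until it is fixed.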
In-place upgrading the on-premises Azure Multi-Factor Authentication (MFA) Server and its components from version 6.3.x to version 7.0 without restarts is relatively straightforward. In-place upgrading the Multi-Factor Authentication AD FS Adapter without restarts, though, is a bit more challenging.
KnowledgeBase: You receive a "Web Service Requests must be protected by authentication" error when activating a Multi-Factor Auth app
KnowledgeBase: Users in Azure Multi-Factor Authentication Server 6.3.x and up cannot select One-Way OTP or PIN options in the User Portal
KnowledgeBase: Azure MFA Portal shows error "Error communicating with the local Multi-Factor Authentication service. Please contact your administrator."
Choosing the right Azure MFA authentication methods
Microsoft Virtual Academy – How to Upgrade to Latest Azure MFA Server Version
How to upgrade / update current MFA version to the latest?
Azure Multi-Factor Authentication – Part 1: Introduction and licensing
Azure Multi-Factor Authentication – Part 2: Components and traffic flows
Azure Multi-Factor Authentication – Part 3: Configuring the service and server
Azure Multi-Factor Authentication – Part 4: Portals
Azure Multi-Factor Authentication – Part 5: Settings
Azure Multi-Factor Authentication – Part 6: Onboarding
Azure Multi-Factor Authentication – Part 7: Securing AD FS
Azure Multi-Factor Authentication – Part 8: Delegating Administration
New version of Azure MFA Server available (7.0.0)
Any chance of a follow-up, showing the way the new settings change the user experience? From testing if you initially allow the user to select options, it provides more choices than waiting for the time-out.
How ridiculous is it that Microsoft STILL does not support Windows 2012 R2 for this?? Their own product!
Hi – couple of things you need to be aware of which I ran into upgrading from 6.31 to 7.1
Upgrading the mobileweb, sdk and portal via the MSIs keeps the web.config files as is, without the new entries for 7.x. I backed up my old wwwroot folder, uninstalled these components, and reinstalled, copying the SDK username, password and URLs back into place.
The registration PowerShell script for the ADFS connector needs to be edited and you have to add the -configurationfilepath switch with the path to your config file. Also in the config file, don't forget to ensure you set the UseWebServiceSDK to TRUE. It's false by default.
How is it that 2012 R2 is still not supported for RDS? Neither is Server 2016 🙁
When will this be addressed?