Branding your Hybrid Identity Solution, Part 5: Azure Multi-Factor Authentication Server’s AD FS Adapter implementation

This entry is part 5 of 6 in the series Branding your Hybrid Identity Solution

Once you’ve branded the Active Directory Federation Services (AD FS) and Azure Active Directory pages, you might want to apply your corporate branding to the Active Directory Federation Services Adapter pertaining to your on-premises Azure Multi-Factor Authentication (MFA) Server.

For AD FS running on Windows Server 2012 R2, this means that the Azure Multi-Factor Authentication (MFA) adapter plugs into the Active Directory Federation Services (AD FS) login pages.


Customizing the MFA Choice prompt

When your Active Directory Federation Services (AD FS) implementation features more than one Multi-Factor Authentication adapter, users who are required to perform multi-factor authentication are prompted to choose the method for the additional verification.

Note:
In environments where multi-factor authentication is critical to secure access to highly-classified data, it’s best to implement (at least) two multi-factor authentication solutions. This way, one can fail, without degrading the level of authentication assurance.

Since MFA adapters in Windows Server 2012 R2 are defined as a global setting, the choice cannot be made on behalf of the end-user when you have multiple MFA adapters enabled.

When, for instance, you use certificate-based authentication and Azure Multi-Factor Authentication, you will see the following text displayed in the custom authentication rendering area:

For security reasons, we require additional information to verify your account
Sign in using an X.509 certificate

Multi-Factor Authentication


Of course, this isn’t very consistent in the labels for the authentication method, so you might want to change the label for Azure Multi-Factor Authentication to read something like Sign in using Azure MFA or Sign in using PhoneFactor.

The labels for the additional verification are based on the localization settings of the browser the end-user is using. It does not use the language specified for the user object in the Azure Multi-Factor Authentication Server database.

So, for the languages in use, we’ll change the label for the Azure Multi-Factor Authentication (MFA) adapter for Active Directory Federation Services (AD FS) in the AD FS configuration. This is only possible through Windows PowerShell.

Note:
The labels shown above are the default labels for the Authentication Providers in AD FS.

MFA Server Version 7.1.0.2 and below

To change the label for Azure Multi-Factor Authentication, regardless of locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMultiFactorAuthenticationServer -DisplayName "Sign in using MFA"

To change the label for Azure Multi-Factor Authentication for a specific locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMultiFactorAuthenticationServer -Locale en-us -DisplayName "Sign in using MFA"

To get a list of all your modifications, use the following PowerShell one-liner:

Get-ADFSAuthenticationProviderWebContent

To remove a modification you’ve made above, use the Remove-ADFSAuthenticationProviderWebContent cmdlet in the same fashion as you would change a label, using the -Name and, optionally, the -Locale parameters.

MFA Server Version 7.2.0.1 and up

To change the label for Azure Multi-Factor Authentication, regardless of locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMFAServerAuthentication -DisplayName "Sign in using MFA"

To change the label for Azure Multi-Factor Authentication for a specific locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMFAServerAuthentication -Locale en-us -DisplayName "Sign in using MFA"

List modifications

To get a list of all your modifications, use the following PowerShell one-liner:

Get-ADFSAuthenticationProviderWebContent

To remove a modification you’ve made above, use the Remove-ADFSAuthenticationProviderWebContent cmdlet in the same fashion as you would change a label, using the -Name and, optionally, the -Locale parameters.
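The one-liners above applied end to end, as an added example that is not part of the original post: the script picks whichever of the two adapter names from this post is registered on the farm, sets a per-locale label for each browser locale in a small table, and then lists the resulting overrides. The locale/label table and the Dutch wording are constructed for this example; it assumes an elevated session on an AD FS server with the ADFS module available.

```powershell
# Added example (not from the original post): brand the Azure MFA Server adapter
# label for several browser locales in one go and verify the stored overrides.
# Assumptions: elevated PowerShell on the AD FS server, ADFS module present,
# and the locale/label table below is a constructed placeholder.
Import-Module ADFS

# Adapter names from the post, one per MFA Server version range
$candidateNames = @(
    'AzureMultiFactorAuthenticationServer',  # MFA Server 7.1.0.2 and below
    'AzureMFAServerAuthentication'           # MFA Server 7.2.0.1 and up
)

# Pick the adapter that is actually registered in this AD FS farm
$registered = Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name
$adapter = $candidateNames | Where-Object { $registered -contains $_ } | Select-Object -First 1
if (-not $adapter) {
    throw 'No Azure MFA Server adapter is registered in AD FS; install the adapter first.'
}

# Labels per browser locale. The prompt follows the browser's locale, not the
# language stored on the user object in the MFA Server database.
$labels = @{
    'en-us' = 'Sign in using Azure MFA'
    'nl-nl' = 'Aanmelden met Azure MFA'   # constructed Dutch label
}

foreach ($locale in $labels.Keys) {
    Set-AdfsAuthenticationProviderWebContent -Name $adapter -Locale $locale -DisplayName $labels[$locale]
}

# Confirm what is now stored in the AD FS configuration for this adapter
Get-AdfsAuthenticationProviderWebContent |
    Where-Object { $_.Name -eq $adapter } |
    Format-Table Name, Locale, DisplayName -AutoSize
```

Because these labels live in the AD FS configuration database, they apply farm-wide and survive a reinstall of the MFA Server adapter; remove them with Remove-AdfsAuthenticationProviderWebContent per locale when you retire the adapter.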


Branding MFA User Enrollment through AD FS

By default, the Allow user enrollment setting for the Azure Multi-Factor Authentication Adapter for Active Directory Federation Services (AD FS) is off.

Settings for the Azure Multi-Factor Authentication Adapter for Active Directory Federation Services (AD FS) in Azure MFA Server

When you’ve enabled Allow user enrollment for the Azure Multi-Factor Authentication Adapter for Active Directory Federation Services (AD FS), (and restarted the MFA User Portal website), user enrollment is enabled and branding is applied to the enrollment process using the AD FS Branding configuration.

Sure enough, this takes care of all the branding needs your organization might have.


Concluding

Customizing the way Active Directory Federation Services (AD FS) and Azure Multi-Factor Authentication (MFA) Server interact mostly follows the AD FS branding configuration; the only adapter-specific piece is the display label, which is set per locale through the AD FS PowerShell cmdlets.

Further reading

ADFS: Certificate Authentication with Azure AD & Office 365
Leverage Multi-Factor Authentication Server for Azure AD single sign-on with AD FS

