After January’s Azure Multi-Factor Authentication Server version 7.2.0.1 release, over the weekend, Microsoft released version 7.3.0.0 of its on-premises Azure Multi-Factor Authentication Server with a lot of performance improvements and other fixes.
While the changes mentioned in the change log aren't world shocking, this release should alleviate many of the problems you might have with this product.
What’s New
AD FS adapter performance improvements
Azure Multi-Factor Authentication (MFA) Server's Active Directory Federation Services (AD FS) adapter was put through its paces, and several areas were identified where its performance could be improved.
Since most organizations get on the MFA Server bandwagon using the AD FS adapter, this is very welcome.
Fix AD FS adapter to handle cultures that aren't associated with a locale ID
Another improvement in the Active Directory Federation Services (AD FS) adapter has to do with multi-language setups.
Tags performance improvements
In multi-forest, multi-domain environments with many groups, assigning tags could be terribly slow. Using global filters was the workaround, but that introduces other challenges of its own.
Log request IDs to allow correlation with backend logs
With the advent of the Web Service SDK Logging feature in Azure Multi-Factor Authentication Server version 7.2.0.1, a request ID is now written to the logs, so piecing together the jigsaw puzzle of one authentication from the information in each of the logs becomes much easier.
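To show what a request ID buys you when you have to reconstruct a single authentication from several logs, here is an added example (not code from the blog or from Microsoft). It joins constructed sample lines from an AD FS adapter log and a Web Service SDK log on a shared request ID and flags requests that never reached a successful end. The line format, the field names and the timestamps are assumptions made for this example; the real MFA Server log layout is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample logs. The layout (timestamp, source, reqid=..., key=value fields)
# is an assumption for this example, not the real MFA Server / SDK log format.
ADFS_ADAPTER_LOG = """\
2017-03-12 09:14:02 AdfsAdapter reqid=4f2c1e user=alice@example.com action=BeginAuthentication
2017-03-12 09:14:05 AdfsAdapter reqid=4f2c1e user=alice@example.com action=TryEndAuthentication result=Success
2017-03-12 09:15:41 AdfsAdapter reqid=9a77b0 user=bob@example.com action=BeginAuthentication
"""

SDK_LOG = """\
2017-03-12 09:14:03 WebServiceSdk reqid=4f2c1e method=PhoneAppAuth
2017-03-12 09:14:04 WebServiceSdk reqid=4f2c1e status=approved
2017-03-12 09:15:42 WebServiceSdk reqid=9a77b0 method=Sms
2017-03-12 09:15:50 WebServiceSdk reqid=9a77b0 status=timeout
"""

# Timestamp, source component, request ID, and the rest of the line.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) reqid=(?P<reqid>\w+)(?P<rest>.*)$")


def parse(text):
    """Turn one log file into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(*logs):
    """Join events from any number of logs on request ID, each timeline in time order."""
    by_req = defaultdict(list)
    for log in logs:
        for ev in parse(log):
            by_req[ev["reqid"]].append(ev)
    for events in by_req.values():
        # Fixed-width ISO-style timestamps sort correctly as strings.
        events.sort(key=lambda e: e["ts"])
    return dict(by_req)


def incomplete_requests(timeline):
    """Request IDs whose adapter events never recorded result=Success."""
    return sorted(
        reqid
        for reqid, events in timeline.items()
        if not any(e["src"] == "AdfsAdapter" and "result=Success" in e["rest"] for e in events)
    )


if __name__ == "__main__":
    timeline = correlate(ADFS_ADAPTER_LOG, SDK_LOG)
    for reqid, events in timeline.items():
        print(reqid)
        for e in events:
            print("  ", e["ts"], e["src"], e["rest"].strip())
    print("incomplete:", incomplete_requests(timeline))
```

The join is deliberately format-agnostic beyond the `reqid=` token: once every component stamps the same ID on its lines, the same grouping works whether the lines come from the adapter, the SDK, or a SIEM export.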
Modified AD sync service to clear phone numbers that are cleared in the directory
When you use the Directory Integration feature and clear the phone number attribute for a user (or a group of users), Azure Multi-Factor Authentication (MFA) Server would not clear it in its own database. Starting with this version, it does, overriding the 'keep synchronized' setting.
Fix for RADIUS one-way text message fallback to OATH token
Fallback methods play an important role in multi-factor authentication, so it’s good to see fixes and improvements in this area.
Fix for passwords that contain leading or trailing spaces
Even though passwords are exchanged securely during the initial handshake with the identity provider (Active Directory, LDAP), passwords that contain leading or trailing spaces could cause the authentication to fail. This is now fixed.
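The bug class behind this fix is worth a regression test in any component that sits in front of an identity provider: if the front end "cleans up" the password before forwarding it, a user whose password legitimately starts or ends with a space can never authenticate. The following added example (not code from the blog or from Microsoft) uses a minimal PBKDF2 credential store, assumed for illustration, to show a trimming check failing where a byte-for-byte check succeeds.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed credential store for the example: PBKDF2-HMAC-SHA256 with a random salt.
# This is not the MFA Server's password handling; it only stands in for the identity
# provider so that the effect of whitespace trimming is visible.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Hash a password exactly as entered, spaces included."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def verify_trimming(record: dict, password: str) -> bool:
    """Reproduces the defect: the front end strips whitespace before forwarding."""
    return verify(record, password.strip())


def verify_verbatim(record: dict, password: str) -> bool:
    """Corrected behaviour: forward the password unchanged."""
    return verify(record, password)


def regression(check, passwords):
    """Return the passwords that `check` wrongly rejects for their own correct value."""
    return [pw for pw in passwords if not check(make_record(pw), pw)]


if __name__ == "__main__":
    samples = [" leading", "trailing ", " both ", "plain", "inner space"]
    print("trimming front end rejects:", regression(verify_trimming, samples))
    print("verbatim front end rejects:", regression(verify_verbatim, samples))
```

Only passwords with leading or trailing spaces trip the trimming variant; inner spaces survive `strip()`, which is exactly why such a defect goes unnoticed until a user with an unusual password calls the help desk.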
Change mobile app references from Azure Authenticator to Microsoft Authenticator
While one team may change things, another team might not be able to change gears that fast. After the rename from Azure Authenticator to Microsoft Authenticator last August, the Azure Multi-Factor Authentication (MFA) Server team has finally been able to change all the references in their user interfaces and admin interfaces.
Known Issues
Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.
Upgrade considerations
You must upgrade MFA Server and Web Service SDK before upgrading AD FS adapter.
Read the guidance in the How to Upgrade section in this blogpost for more information.
Download
Version 7.3.0.3 of the on-premises Azure Multi-Factor Authentication (MFA) Server can be downloaded via the old-fashioned Azure Management Portal or straight from the MFA Management Portal:
- Log on to the Azure Portal.
- In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
- In the main pane, select the default directory.
- Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
- Click the Multi-Factor Authentication Provider that you’ve configured for your organization and is marked as Active in the STATUS column.
- Click MANAGE in the bottom pane on the general settings for the Multi-Factor Authentication Provider.
- This will redirect you to your tenant view of the PhoneFactor Portal.
- In the main pane of the portal click on the Downloads header.
- Click the Download link below the list of supported platforms.
Save MultiFactorAuthenticationServerSetup.exe to a network location where you can use it from each of the Windows Servers that have Azure Multi-Factor Authentication installed.
Concluding
Azure Multi-Factor Authentication Server version 7.3.0.3 adds a lot of performance improvements and other fixes.
While the changes aren't world shocking, this release should alleviate many of the problems you might have with this product. I recommend upgrading to this version to get rid of them.
Related blogposts
Azure Multi-Factor Authentication Server version 7.2.0.1 adds Oracle LDAP Support
Azure Multi-Factor Authentication Server version 7.1.2.1 for your convenience
Azure Multi-Factor Authentication Server version 7.0.2.1 is here
Azure Multi-Factor Authentication Server reaches version 7.0.0.9
So if I'm running RDS 2012 R2 and my user uses Windows credentials to log in to the RDS website or launch a RemoteApp, they WILL NOT get prompted for 2FA?
Hi David,
When you want to use 'Windows Authentication' with Windows Server 2012 R2 RDS Hosts, then that is not going to work.
Microsoft still hasn't provided a timeline to share on the availability of securing 'Windows Authentication' on Windows Server 2012 R2-based RDS Hosts.
However, when you deploy an RD Gateway and use the RADIUS protocol, you can secure access to the RDS Hosts with multi-factor authentication. Microsoft provides a document on configuring the MFA Server with RD Gateway.
Hi,
So if I need to enable MFA for member server terminal service/RDP, is it true that I need to install the Azure MFA server on each member server? I don't see any "adapter" for terminal service.
Hi Tung,
No, there is no need to do that.
There are two better alternatives:
- You can install the Azure MFA Server on the Windows Server(s) running the Remote Desktop Web Access role. The built-in IIS Adapter functionality allows you to configure the IIS website to require multi-factor authentication.
- You can configure the Azure MFA Server with the RADIUS feature and then point the Remote Desktop Web Gateway configuration to one or more Azure MFA Servers as the RADIUS server to use for authentication.
Running into an issue when upgrading to this version. Something about being unable to bind to the MFA authentication service. Any suggestions?
Hi David, they have had the 2012 R2 "known issue" for years now. I don't think it's being worked on. I assume the story is the same for Server 2016, despite it never being referenced?
Is there any way we can bulk change user details using a CSV import of sorts?
Azure MFA Server does not offer a CSV export or import feature for the per-user MFA settings.
However, the Management GUI offers several tricks to change up multiple accounts at once.
Please note that although your phonefactor.pfdata database is clear-text, it does not support manually editing lines for user configurations.