Creating an MFA Provider when you have CSP or DreamSpark

Microsoft is working hard to migrate all management activities from the ‘classic’ Windows Azure Management website (manage.windowsazure.com) to the ‘new’ Azure Portal (portal.azure.com).

Some of Microsoft’s new subscriptions, like its DreamSpark and CSP-style subscriptions, don’t offer access to the ‘classic’ Windows Azure Management website. But alas, some of the management tasks for implementing Multi-factor Authentication (MFA) for your organization can only be performed in that portal. Setting up an Azure MFA Provider to implement MFA Server on-premises is one such scenario, and a fairly common one: You can’t download and connect your on-premises MFA Servers without an MFA Provider.

However, you might hit the ‘No subscriptions found.’ screen when you follow a link from the new Azure Portal to the classic portal, or when you navigate directly to the ‘classic’ Azure Management website.

This blogpost shows you how to overcome that hurdle, by creating an Azure Active Directory-only Azure subscription.

 

About Azure AD-only Azure subscriptions

Azure AD-only subscriptions are special subscriptions that give access to Azure Active Directory only. With a special Azure offer code, you can sign up for such a subscription. Signing up does not require a credit card.

This subscription has the following characteristics:

  • It is a regular Azure subscription
  • It has a subscription ID that can be managed and associated with EA
  • It will not expire or incur charges
  • It can only manage Azure AD services
  • You can assign licenses for Azure AD Basic or Free since these are purchased over licensing agreements as opposed to Azure consumption
  • You cannot create any other Azure resources except those related to Azure AD
  • You can add other co-admins and change the service admin from the account portal
  • The account that signed up for this subscription is also the account admin and has access to the account portal

 

Signing up for an Azure AD-only Subscription

Perform these steps to sign up for an Azure AD-only subscription:

  • Make sure you use a clean browser or browser tab where you are not already signed in to any Microsoft services, either Azure AD-based or Microsoft Account (MSA)-based. My recommendation is to use an InPrivate browser session.
  • Navigate to the following URL:
    https://account.windowsazure.com/signup?offer=MS-AZR-0110P
  • Select Sign in with your organizational account and sign in with the Global Administrator account of your Azure AD tenant.


  • Complete the Azure sign up form and press the Next button to complete the first piece of the form.
  • Now, enter your phone number and press the Next button in the second piece of the form.


  • Press the Sign up button.


  • You will be forwarded to the Azure Account portal while your subscription is set up. This will only take a few minutes. After this brief period of time, you will receive an e-mail message and the screen will change.
  • At this moment, go to your browser’s address bar, and change the URL to https://manage.windowsazure.com.
  • You can opt to take the Windows Azure tour, or skip it by pressing the little x in the top right corner of the modal screen.
  • You can close the New pane that appeared from the bottom, and you can certainly close the blue Portal modal that lures you to the New Azure Portal.
  • In the left navigation pane, click on Active Directory.


  • From the menu items below active directory in the main screen, click on MULTI-FACTOR AUTH PROVIDERS.
  • Click the link CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
  • In the Name field, type something useful to name your MFA Provider. If your organization has a naming convention, follow that.
  • Select the Usage Model.
  • Click Create at the bottom of the screen.

 

Concluding

You now have access to manage the full feature set of Azure AD and Azure Multi-Factor Authentication. Go ahead and enjoy all the goodness Azure MFA Server has for you!
