Installing Multi-Factor Authentication Server with the new Portal Experience


Microsoft Azure Multi-Factor Authentication

As of this week, Azure Active Directory is no longer available in the ‘Old’ Portal experience. Previously, I’ve shared with you how to download, install and configure Microsoft’s on-premises Multi-Factor Authentication Server while using the old Portal Experience. Now, let me show you how to download, install and configure it with the ‘New’ Portal.

In this blogpost, we’ll follow the Simple Deployment scenario.

 

Step 1 Create an MFA Provider

Log onto the Azure Portal.

In the left navigation menu, click Azure Active Directory.

In the navigation menu of your Azure AD tenant (just to the right of the main navigation menu) scroll down until you reach MFA Server in the SECURITY area.

Click MFA Server.

The MFA Server blade in the Azure Portal

In the MFA Server blade, click on Providers in the feature’s navigation menu.

No Providers for MFA Server in the Azure Portal

Click + Add.

Add a Provider for MFA Server in the Azure Portal

In the Add Provider blade, fill in the values for:

  • Name
    This is the name for the Multi-factor Authentication Provider. This is only shown in the Azure Portal. Make sure to create a name that corresponds to your organization’s naming convention.
  • Usage Model
    Choose between Per Enabled User or Per Authentication. The usage model cannot be changed after the Multi-Factor Authentication Provider is created. For more information, refer to Option 3 in the How to Get Azure MFA section of the What is Azure Multi-factor Authentication documentation.
  • Subscription
    Select the subscription to which you want your authentications or enabled users to be billed.

When done, click the Add button at the bottom of the blade.

You have now successfully created the MFA Provider.

 

Step 2 Download MFA Server

Double-click the MFA Provider you just created.

In the MFA Provider’s navigation menu, click Server Settings.

Server Settings for the MFA Provider in the Azure Portal

Click the Download link.

The Download page for Multi-Factor Authentication Server opens in a new tab, by default. Click the Download button on the page and save MultiFactorAuthenticationServerSetup.exe to disk.

Do not close the web browser just yet.
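
Before opening the downloaded file, it is worth confirming that it carries a valid Authenticode signature from the expected publisher. The following PowerShell check is an added example, not part of the original post or of Microsoft's documentation; the download location and the expected signer string (O=Microsoft Corporation) are assumptions to adjust for your environment.

```powershell
# Added example: verify the downloaded MFA Server installer before running it.
# Assumptions: the file was saved to the current user's Downloads folder and
# the expected signer organization is "Microsoft Corporation".
$Installer      = Join-Path $env:USERPROFILE 'Downloads\MultiFactorAuthenticationServerSetup.exe'
$ExpectedSigner = 'O=Microsoft Corporation'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SignerPattern
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status must be Valid: the file hash matches the signature and the
    # certificate chain builds to a trusted root on this machine.
    $validStatus = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # A valid signature from an unexpected publisher is still a failure.
    $signerOk = $null -ne $sig.SignerCertificate -and
                $sig.SignerCertificate.Subject -like "*$SignerPattern*"

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamped = $null -ne $sig.TimeStamperCertificate
        # Record the hash so the same binary can be identified on other servers.
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted     = $validStatus -and $signerOk
    }
}

$result = Test-InstallerSignature -Path $Installer -SignerPattern $ExpectedSigner
$result | Format-List

if (-not $result.Trusted) {
    throw 'Signature check failed. Do not run the installer.'
}
```

Keep the reported SHA256 value with your deployment notes, so that additional MFA Servers can be confirmed to use the same binary.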

 

Step 3 Install MFA Server

After you have downloaded MultiFactorAuthenticationServerSetup.exe, open it.
Walk through the prerequisites and screens to install Multi-Factor Authentication Server.

The Welcome screen of Multi-Factor Authentication Server version 7.3.0.3

In the Welcome screen, click Next >.

The Activate screen of Multi-Factor Authentication Server version 7.3.0.3

In the Activate screen, we need to enter the activation credentials. You generate the activation credentials in the Azure Portal, so let’s switch back to the Azure Portal in our web browser:

The Generate Credentials link in the MFA Provider feature in the Azure Portal

Click the Generate link.

This will show two more fields below the link, consisting of an e-mail address and a password. Copy these two values into the Multi-Factor Authentication Server’s Activate screen. Click Next > and close the browser screen.

The Join Group screen of Multi-Factor Authentication Server version 7.3.0.3

In the Join Group screen, click Next >.

The Enable Replication Between Servers screen of Multi-Factor Authentication Server version 7.3.0.3

In the Enable Replication Between Servers screen, click Next >.

The Select Applications screen of Multi-Factor Authentication Server version 7.3.0.3

In the Select Applications screen, select the applications, services and protocols you want the Multi-Factor Authentication Server to provide. At least one application needs to be selected. Click Next > when done and walk through the steps to configure the application, protocol or service.

The Finish screen of Multi-Factor Authentication Server version 7.3.0.3

In the Finish screen, click Finish.

You have now successfully installed and configured Multi-Factor Authentication Server.

 

Concluding

Many people I talked to about the transition from the old PhoneFactor Web Portal (PFWEB) and the old Microsoft Azure Management Portal to the new Azure Portal were worried about not being able to select the Per Authentication licensing option, or reusing their previously configured MFA Provider settings.

The above steps show that all these options are still available.

Although Multi-Factor Authentication Server has been ‘renamed’ in the Azure Portal and the Microsoft Forums, the latest version of the product still refers to itself as the Windows Azure Multi-Factor Authentication Server… Let’s name it MFA Server, from now on.

Further reading

Marching into the future of the Azure AD admin experience: retiring the Azure AD classic portal

Related blogposts

Azure Multi-Factor Authentication is now in the new Azure Portal (in Public Preview)
Ten Things you need to know about Azure Multi-Factor Authentication Server
Azure Multi-Factor Authentication Server 7.3.0.3 with lots of improvements
Azure Multi-Factor Authentication features per license and implementation
Azure Multi-Factor Authentication Methods per Supported Protocol
Connecting to Azure MFA Server’s Web Service SDK using certificate authentication
Things to know about Billing for Azure MFA and Azure MFA Server
Supported Azure MFA Server Deployment Scenarios and their pros and cons

8 Responses to Installing Multi-Factor Authentication Server with the new Portal Experience

  1.  

    Hi Sander,
    Are you going to write a new mfa installation article like you did on 4sysops site? That article describes every step beautifully!

    • There are some (minor) errors in those articles, but they remain correct. After I decided to write the mainstream articles on 4Sysops, I decided to branch out here on DirTeam. Looking at the list of related blogposts, there sure was more to tell…

      When Microsoft releases version 8, I might. 😉

       
  2.  

    Hi Sander,

    Great article mate.
    I'm working with a client on MFA Detailed Level Design document and would like to know if you have any preferred templates? Thank you

  3.  

    Great work. We're using the MFA Azure plugin for RDS rather than an on-prem MFA server. Really struggling making it work….any pointers? Thanks!

    • Hi Glen,

      I feel it's the correct route to look at Azure MFA ("the Microsoft MFA service") instead of MFA Server ("the on-premises Microsoft MFA server") for your organization's multi-factor authentication needs. To make this work with Active Directory Federation Services (AD FS), please deploy AD FS using Windows Server 2016, or up, as this Operating System comes with the Azure MFA plug-in, out of the box. The Azure MFA plug-in connects your AD FS servers to Microsoft's MFA service.

       
  4.  

    Hi sir, I looked for your technical web page azure MFA-server technicals idea, it's good for me,
    and I need to your help, nowadays at Azure portal is not available Manager MFA Server MFA- Server
    settings Generate Activation Credentials, and I installed MFA-server into my azure portal windows server 2016,
    and I am stuck with it, plz define me,
    and how do I activate for my MFA server

    • Hi,

      As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments and trial tenants. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. You can generate activation credentials only when you have at least one functioning Azure MFA Server running already. Otherwise, the functionality to activate an Azure MFA Server is no longer available.

       
