Roughly four months ago, we saw the release of a new major version of Microsoft’s Azure Multi-Factor Authentication (MFA) Server, version 8.0.0.3. Last week, Microsoft released a minor version, dubbed version 8.0.1.1, that addresses a couple of issues you might experience with version 8.0.0.3.
What’s New
Incompatibility with Japanese Windows installations
The team fixed an issue that admins might experience when launching the Azure Multi-Factor Authentication (MFA) Server Admin Console on Japanese versions of Windows.
Language selection for the User Portal
Azure Multi-Factor Authentication (MFA) Server’s User Portal is an additional component that allows end-users to make changes to their on-premises MFA registrations in a web-based environment. The User Portal is available in several languages and offers end-users a selection of languages for text messages, phone calls and other authentication-related settings.
The team fixed an issue with retaining the selected language in the User Portal.
Other minor bug fixes
While the above fixes could be classified as minor fixes, the team reports that they’ve fixed other minor issues in Azure Multi-Factor Authentication (MFA) Server as well.
Upgrade considerations
You must upgrade MFA Server and the Web Service SDK before upgrading the User Portal or the AD FS adapter. Read the guidance in the How to Upgrade section in this blog post for more information.
Download
You can download Azure Multi-Factor Authentication Server 8.0.1.1 here.
The download weighs 128.2 MB.
Version information
This is version 8.0.1.1 of Azure Multi-Factor Authentication (MFA) Server.
It was signed off on July 26, 2018.
Thank you for the post, I tried updating as you outlined in https://dirteam.com/sander/2016/04/06/azure-multi-factor-authentication-server-reaches-version-7-0-0-9/, but I didn't find any executable (.msi) for the Multi-Factor Authentication Mobile App Web Service.
Any ideas how to upgrade that part?
I have a big question… Why is a user enabled on Authentication Server on-prem not enabled on Azure Cloud? 🙁
If I want to do a conditional access over a cloud application the users have to enroll themselves again…
Currently, Azure Multi-Factor Authentication (MFA) Server and Azure MFA (as-a-Service) are completely different products and systems. There is no overlap between the two products or systems in terms of configuration or management, only in licensing and functionality.
Where MFA Server was designed for on-premises strong authentication, Azure MFA was designed for cloud-based strong authentication. These lines have blurred significantly when the AD FS adapter was introduced for MFA Server on-premises, as this enabled many Conditional Access-like, cloud-oriented scenarios. Likewise, Azure MFA now also offers an AD FS adapter on Windows Server 2016 and an NPS add-on for RADIUS strong authentication, encroaching on MFA Server's traditional turf.
Is it possible to upgrade from v6.1 to v8.0.1? According to MS support, the upgrade should be 6.x to 7.x and then 7.x to 8.x.
What happens to users who are already using the Mobile App after the upgrade to 8.x? Do they need to re-register the app after the upgrade, or will it continue working without having to do anything?
Hi DD,
One of the interesting aspects of MFA Server version 8 is that its installation file no longer contains the Mobile Portal installer. When upgrading from version 6.x to version 8.x, the absent components would not be upgraded, resulting in the unnecessary usage of an older version of the component. In the case of MFA Server 8.0 Azure AD is used to register and interact with Microsoft Authenticator app installations on mobile devices. However, MFA Server's previous Mobile Portal would remain on the system as a relatively old (MFA Server 7 was released in April 2016) and possibly vulnerable component.
Another issue might be backward compatibility between the components.
Version 7 and version 8 of MFA Server are based on .NET Framework version 4, while previous versions of MFA Server and MFA Server components were not.
Our recommendation would be to create a new MFA Provider in Azure AD, perform a new MFA Server v8.0 implementation and then copy over the phonefactor pfdata file from the existing MFA Server implementation. As a last step, decommission the previous MFA Server.
We have installed MFA Server as per this great article.
We have installed MFA Server, the User Portal, the Web Service SDK and the Mobile Portal, and deployed the AD FS adapter.
Currently we have two MFA Servers in HA configuration.
The two MFA servers both run Windows Server 2008 R2.
Now, we want to upgrade the Windows Server 2008 R2-based MFA Servers to Windows Server 2016 and also upgrade the MFA Server software to v8.0.
I know there is the upgrade article for MFA Server, but this is an in-place upgrade.
We want new Operating System and MFA Server version. What would the best approach then be?
I used MFA Server version 6.3 to write those articles on 4Sysops.
Assuming the MFA Servers run version 6.3, option 3 would be our recommended approach here.
It's the only scenario that allows for testing without impacting production, it allows for roll-back, and avoids any incompatibilities between Windows Server (.NET Framework) and MFA Server. As MFA Server v8.0 doesn't include a Mobile Portal installer anymore, this would also result in the cleanest end result.
The drawback of option 3 might be that it takes more time to complete, but it's all building steps, instead of remediation steps.
Do check the backups of the current MFA Servers as step 1. 😉
Sander,
Thanks for your reply. I did an option 3 migration to V8 and all went smoothly. Indeed, step 1: backup of the servers and phonefactor db 🙂 Shame the client did not want the NPS extension for RADIUS and Azure MFA/Conditional Access 🙁 PS. Any idea what the lifetime of MFA Server would be? I hear rumours…
Can you clarify the user experience for upgrading from 7 to 8? I am currently running v7 and have thousands of users who have already registered mobile devices with the Authenticator app.
1. When I move to version 8, will they have to re-register their mobile devices?
2. Is it just the registration of new mobile devices for Authenticator that's moved to the cloud, or is the entire mobile app service on-premises no longer necessary, and I can stop publishing that externally after upgrading to v8?
Thanks!
No, end-users do not have to re-register when you upgrade/move to MFA Server 8.
The service is moved to Azure. However, registrations are still recorded in the phonefactor.pfdata file on the MFA Server.
It's not easy to get support from Microsoft for issues with the on-premises MFA Server. Microsoft wants customers to move to Azure MFA.
I've been told Microsoft only has a few engineers with knowledge on on-premises MFA Server.
I opened a support ticket with Microsoft regarding the MFA upgrade last week and am still waiting for call back…
Anyway, we’re also in the process to upgrade our MFA servers from 6.x to 8.x and agreed that a new installation is a better approach instead of performing an in-place upgrade. My concern is that our MFA Server is already integrated with AD FS and we can’t have two MFA environments connect to same AD FS farm, correct?
For the new installation to work we need to:
1. Install a new MFA Server farm (two servers)
2. Copy over the PhoneFactor.pfdata file
3. On the two ADFS servers:
a. Uninstall the old MFA ADFS adapter and re-install the new MFA ADFS adapter
b. Run Register-MultiFactorAuthenticationAdfsAdapter.ps1
Am I missing any steps?
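Step 2 of that list (and the "check the backups as step 1" advice earlier in the thread) is where a side-by-side migration usually goes wrong, so here is an added PowerShell pre-migration script, not from the post or from Microsoft, that backs up the data file with hash verification and checks the .NET Framework 4 prerequisite that MFA Server 7 and 8 carry. The data-file path, backup directory and PowerShell 4.0 or later are assumptions; adjust them to your installation.

```powershell
# Added example (not from the post): pre-migration backup and prerequisite
# checks for a side-by-side MFA Server move. Paths below are assumptions.
param(
    # Assumed default data location of MFA Server; adjust to your installation.
    [string]$PfData    = 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata',
    [string]$BackupDir = 'D:\MFA-Backup'
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to continue if the source file is missing, rather than silently
#    producing an empty backup that is only discovered during roll-back.
if (-not (Test-Path -LiteralPath $PfData)) {
    throw "Data file not found: $PfData"
}

# 2. Copy the data file under a timestamped name and verify the copy by hash,
#    so "step 1: check the backups" is enforced rather than assumed.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupDir "PhoneFactor-$stamp.pfdata"
Copy-Item -LiteralPath $PfData -Destination $target

$srcHash = (Get-FileHash -LiteralPath $PfData -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    throw "Backup verification failed: hashes differ for $target"
}
Write-Output "Backup verified: $target (SHA256 $srcHash)"

# 3. MFA Server 7 and 8 are built on .NET Framework 4. The 'Release' value
#    under this key is present on any .NET Framework 4.5 or later install.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
if (-not $ndp -or -not $ndp.Release) {
    Write-Warning '.NET Framework 4 (4.5 or later) not detected on this host.'
} else {
    Write-Output ".NET Framework 4 detected (Release $($ndp.Release))."
}

# 4. Record the OS build, so the migration record shows which hosts are the
#    Windows Server 2008 R2 machines to decommission and which are the new ones.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output "Host $env:COMPUTERNAME runs $($os.Caption) build $($os.BuildNumber)."
```

Run it on each existing MFA Server before building the new farm, and again on each new host before installing v8 so the .NET check runs where it matters.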
There are three scenarios for moving to a new version of MFA Server:
This first route gets increasingly harder with more MFA Server versions in between the upgrade and when you need to in-place upgrade the Operating Systems, too.
The second route gets you into the nicest state afterwards, but requires jumping through some inconvenient hoops in the short term.
If you go the 3rd route, you don't have to worry about multiple AD FS adapters, etc. It works for going from MFA Server version 6.x to version 8.x and it also works when introducing new Operating Systems at the same time.