HOWTO: Uninstall and Remove Azure MFA Server versions 7.x and 8.x Implementations

Azure MFA

Last week, Microsoft announced that Azure MFA Server will no longer be available for new deployments as of July 1, 2019.

Information: New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated Azure MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

I’m expecting organizations to make the move from Azure MFA Server to the Azure MFA service, leveraging one or more of the following options:

  1. Integrating applications, systems and services with Azure AD and leveraging Conditional Access to trigger Azure MFA
  2. Using the built-in AD FS Adapter in Hybrid Identity implementations, which is available in Active Directory Federation Services since the Windows Server 2016 Farm Behavior Level (FBL)
  3. The Azure MFA NPS Extension to secure RADIUS-based access solutions, and/or switching Citrix NetScaler-based configuration over to the claims-based access model.

After organizations have successfully migrated over from Azure MFA Server to the Azure MFA service, their next task is to decommission the Azure MFA Server infrastructure.

Information: In this blogpost, I’ll cover how to remove an Azure MFA Server Complete Deployment, as mentioned in the supported Azure MFA Server Deployment Scenarios and their pros and cons. Some steps may not be applicable to every Azure MFA Server deployment scenario.

Uninstalling and removing Azure MFA Server consists of these high-level steps:

  • Disable and remove Azure MFA Server as MFA provider in AD FS
  • Uninstall the Azure MFA Server Mobile Web Service
  • Uninstall the Azure MFA Server User Portal
  • Uninstall the Azure MFA Server Web Service SDK
  • Remove Server references from Azure AD
  • Uninstall the central Azure MFA Server component
  • Remove IIS
  • Remove TLS Certificates
  • Remove service accounts and groups from Active Directory
  • Remove the servers from the domain
  • Remove DNS records from DNS
  • Remove the servers from the network

Let’s walk through these steps:


Disable and remove Azure MFA Server as MFA provider in AD FS

The Azure MFA Server adapter in AD FS might be configured to allow multi-factor authentication in relying party trusts (RPTs). The first thing we need to do is remove Azure MFA Server’s MFA Adapter as an MFA method.

Execute the following three lines of Windows PowerShell in an elevated Windows PowerShell window on the primary AD FS Server to deselect Azure MFA Server’s AD FS Adapter in AD FS’ global multi-factor authentication policy. Verify the adapter’s registered name first with Get-AdfsAuthenticationProvider, as the installer may have registered it under a different name than the one used below:

Information: AD FS farms leveraging the Windows Internal Database (WID) have one AD FS server that operates as the primary AD FS server. It is the only server with read/write access to the AD FS configuration database. In an AD FS farm that uses SQL Server, all AD FS servers have read/write access to the database and the lines of Windows PowerShell below can be executed on any of the AD FS servers in the farm.

$C = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)

$C = @($C | Where-Object { $_ -ne 'AzureMfaServerAuthentication' })

Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $C

Next, run the following lines of Windows PowerShell on all AD FS Servers in an elevated Windows PowerShell window, to remove Azure MFA Server’s AD FS adapter from these systems, followed by a restart of the AD FS service:

Unregister-AdfsAuthenticationProvider -Name AzureMfaServerAuthentication

Restart-Service -Name adfssrv
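The following script is an added example, not code from the original post or from Microsoft. It carries out the AD FS steps above as one run, with the checks a practitioner wants first: that this node can write the configuration database, that the adapter is really registered under the expected name, which relying parties still carry MFA rules, and a verification at the end. It assumes a WID-backed farm, the adapter name AzureMfaServerAuthentication, and a $SecondaryAdfsServers list of the other farm members with WinRM enabled; the host name in it is a placeholder.

```powershell
# Added example (not from the original post): deselect and unregister the Azure MFA
# Server adapter across an AD FS farm, with pre-checks. Assumptions: WID-backed farm,
# adapter name 'AzureMfaServerAuthentication' (verify with Get-AdfsAuthenticationProvider),
# and $SecondaryAdfsServers listing the other farm members (placeholder names).
# Run in an elevated session on the primary AD FS server.

$AdapterName          = 'AzureMfaServerAuthentication'
$SecondaryAdfsServers = @('adfs02.corp.example.com')          # assumption: your secondaries

Import-Module ADFS

# 1. A secondary WID node cannot write the configuration database; stop before half-doing it.
$sync = Get-AdfsSyncProperties
if ($sync.Role -ne 'PrimaryComputer') {
    throw "This node has role '$($sync.Role)'; run this on the primary AD FS server."
}

# 2. Confirm the registered adapter name before touching the global policy.
$registeredNames = @(Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name)
if ($AdapterName -notin $registeredNames) {
    throw "No provider named '$AdapterName'. Registered providers: $($registeredNames -join ', ')"
}

# 3. Deselect it as an additional (MFA) authentication method in the global policy.
#    Filtering into a new array works whether the property is a fixed-size array or a list.
$current   = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
$remaining = @($current | Where-Object { $_ -ne $AdapterName })
if ($remaining.Count -lt $current.Count) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining
}

# 4. Relying parties with MFA rules now fall through to the remaining providers; list them
#    so you can confirm the replacement adapter (e.g. AzureMfaAuthentication) is selected.
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.AdditionalAuthenticationRules } |
    Select-Object Name, AdditionalAuthenticationRules | Format-Table -Wrap

# 5. Unregister the adapter on this node and on every secondary, restarting AD FS each time.
$unregister = {
    param($name)
    Import-Module ADFS
    if (Get-AdfsAuthenticationProvider | Where-Object Name -eq $name) {
        Unregister-AdfsAuthenticationProvider -Name $name -Confirm:$false
    }
    Restart-Service -Name adfssrv
}
& $unregister $AdapterName
foreach ($node in $SecondaryAdfsServers) {
    Invoke-Command -ComputerName $node -ScriptBlock $unregister -ArgumentList $AdapterName
}

# 6. Verify on the primary: the adapter is gone from both the policy and the provider list.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Get-AdfsAuthenticationProvider | Select-Object Name
```

Step 4 is the check that matters for users: an RPT whose AdditionalAuthenticationRules still demand MFA keeps demanding it, so make sure the replacement adapter is selected in the global policy before the old one is unregistered, or sign-ins to that RPT will fail.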


AD FS no longer knows about the Azure MFA Server Adapter and the Azure MFA Server. Now we can uninstall the components from the environment.

Use the following sequence (outside in):

  • Uninstall the Mobile Web Service
  • Uninstall the User Portal
  • Uninstall the Web Service SDK
  • Uninstall Azure MFA Server

Uninstall Azure MFA Server’s Mobile Web Service

Azure MFA Server 7.x’s Mobile Web Service lets people in the organization register the Microsoft Authenticator app with the Azure MFA Server implementation.

Information: Typically, you won’t find the Mobile Web Service in Azure MFA Server 8.x deployments, as the Mobile Web Service reference in Azure MFA Server’s User Portal was replaced with an iFrame that redirects to an Azure-based page. In that case, skip this paragraph.

To uninstall Azure MFA Server’s Mobile Web Service, perform these steps:

  1. Sign in to the web server that hosts the Mobile Web Service.
  2. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  3. In the left navigation pane, navigate to Sites. Expand it.
  4. Select the website or subfolder that corresponds to Azure MFA Server’s Mobile Web Service.
  5. When Azure MFA Server’s Mobile Web Service is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  6. In the action pane, click Basic Settings….
  7. Note the information in the Physical Path: field.
  8. Click OK to close the Edit Site pop-up.
  9. When Azure MFA Server’s Mobile Web Service is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  10. When Azure MFA Server’s Mobile Web Service is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context-menu. Otherwise, right-click the folder and select Remove.
  11. In the Confirm Remove pop-up window, click Yes.
  12. In the left navigation menu, navigate to Application Pools. Expand it.
  13. Right-click the application pool corresponding to Azure MFA Server’s Mobile Web Service and select Stop from the menu.
  14. Right-click it again, and select Remove from the menu.
  15. Click Yes to confirm.
  16. Close Internet Information Services (IIS) Manager.
  17. Open File Explorer (explorer.exe).
  18. Navigate to the folder noted from the Physical Path: field of Azure MFA Server’s Mobile Web Service.
  19. Remove the folder.
  20. When Azure MFA Server’s Mobile Web Service ran as a separate website, also navigate to the folder noted from the Directory: field of its logging properties and remove that folder.
  21. Close File Explorer.

Uninstall Azure MFA Server’s Mobile Web Service from any Windows Server that offers it.


Uninstall Azure MFA Server’s User Portal

Uninstall Azure MFA Server’s User Portal from every Windows Server that offers it, in the same way as the Mobile Web Service:

  1. Sign in to the web server that hosts the User Portal.
  2. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  3. In the left navigation pane, navigate to Sites. Expand it.
  4. Select the website or subfolder that corresponds to Azure MFA Server’s User Portal.
  5. When Azure MFA Server’s User Portal is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  6. In the action pane, click Basic Settings….
  7. Note the information in the Physical Path: field.
  8. Click OK to close the Edit Site pop-up.
  9. When Azure MFA Server’s User Portal is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  10. When Azure MFA Server’s User Portal is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context-menu. Otherwise, right-click the folder and select Remove.
  11. In the Confirm Remove pop-up window, click Yes.
  12. In the left navigation menu, navigate to Application Pools. Expand it.
  13. Right-click the application pool corresponding to Azure MFA Server’s User Portal and select Stop from the menu.
  14. Right-click it again, and select Remove from the menu.
  15. Click Yes to confirm.
  16. Close Internet Information Services (IIS) Manager.
  17. Open File Explorer (explorer.exe).
  18. Navigate to the folder noted from the Physical Path: field of Azure MFA Server’s User Portal.
  19. Remove the folder.
  20. When Azure MFA Server’s User Portal ran as a separate website, also navigate to the folder noted from the Directory: field of its logging properties and remove that folder.
  21. Close File Explorer.


Uninstall Azure MFA Server’s Web Service SDK

Azure MFA Server’s Mobile Web Service and User Portal communicate with the central Azure MFA Server component through its Web Service SDK.

Information: Azure MFA Server deployment scenarios in which the Mobile Web Service and User Portal are not used, or are deployed on the same server that runs Azure MFA Server’s central component, do not use the Web Service SDK. In these scenarios, this paragraph can be skipped.

To uninstall the Web Service SDK, perform these steps:

  1. Press Win+X or right-click the Start button and select Programs and Features from the top of the menu, or search for Programs and Features.
  2. Select Multi-Factor Authentication Web Service SDK from the list of installed programs.
  3. In the action bar on top of the list of installed programs, click Uninstall.
  4. Click Yes to answer the pop-up question Are you sure you want to uninstall Multi-Factor Authentication Web Service SDK?
  5. After a few short progress bars, Azure MFA Server’s Web Service SDK is removed.
  6. Close Programs and Features.
  7. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  8. In the left navigation pane, navigate to Sites. Expand it.
  9. Select the website or subfolder that corresponds to Azure MFA Server’s Web Service SDK.
  10. When Azure MFA Server’s Web Service SDK is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  11. In the action pane, click Basic Settings….
  12. Note the information in the Physical Path: field.
  13. Click OK to close the Edit Site pop-up.
  14. When Azure MFA Server’s Web Service SDK is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  15. When Azure MFA Server’s Web Service SDK is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context-menu. Otherwise, right-click the folder and select Remove.
  16. In the Confirm Remove pop-up window, click Yes.
  17. In the left navigation menu, navigate to Application Pools. Expand it.
  18. Right-click the application pool corresponding to Azure MFA Server’s Web Service SDK and select Stop from the menu.
  19. Right-click it again, and select Remove from the menu.
  20. Click Yes to confirm.
  21. Close Internet Information Services (IIS) Manager.
  22. Open File Explorer (explorer.exe).
  23. Navigate to the folder noted from the Physical Path: field of Azure MFA Server’s Web Service SDK.
  24. Remove the folder.
  25. When Azure MFA Server’s Web Service SDK ran as a separate website, also navigate to the folder noted from the Directory: field of its logging properties and remove that folder.
  26. Close File Explorer.
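The three IIS procedures above (Mobile Web Service, User Portal and Web Service SDK) are the same sequence with a different name each time. The following Windows PowerShell script is an added example, not code from the original post or from Microsoft: it performs that sequence with the WebAdministration module, handles both a separate site and an application under an existing site, removes the application pool only when nothing else still uses it, and deletes the content and log folders it noted beforehand. The component names and the parent site are assumptions based on the installers’ defaults; confirm them with Get-Website and Get-WebApplication before running, and run with -WhatIf first.

```powershell
# Added example (not from the original post): remove an Azure MFA Server web component
# from IIS and disk, whether it was installed as its own site or as an application
# under an existing site. Assumptions: installer default names 'MultiFactorAuth'
# (User Portal), 'MultiFactorAuthWebServiceSdk' (Web Service SDK) and
# 'MultiFactorAuthMobileAppWebService' (Mobile Web Service) under 'Default Web Site'.
# Run elevated on the web server; -WhatIf previews every destructive step.

Import-Module WebAdministration

function Remove-MfaWebComponent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,          # site name, or application name
        [string] $ParentSite = 'Default Web Site'       # only used when $Name is an application
    )

    $site = Get-Website -Name $Name -ErrorAction SilentlyContinue
    if ($site) {
        # Separate site: note the paths first (Basic Settings / Logging in the GUI steps).
        $physicalPath = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        $logRoot      = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        $logPath      = Join-Path $logRoot "W3SVC$($site.id)"   # IIS names the site's log folder by id
        $appPool      = $site.applicationPool
        if ($PSCmdlet.ShouldProcess($Name, 'Stop and remove IIS site')) {
            if ($site.State -eq 'Started') { Stop-Website -Name $Name }
            Remove-Website -Name $Name
        }
    } else {
        $app = Get-WebApplication -Site $ParentSite -Name $Name -ErrorAction SilentlyContinue
        if (-not $app) { Write-Warning "No site or application named '$Name' found; skipping."; return }
        $physicalPath = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
        $logPath      = $null                           # an application shares the parent site's logs
        $appPool      = $app.applicationPool
        if ($PSCmdlet.ShouldProcess("$ParentSite/$Name", 'Remove IIS application')) {
            Remove-WebApplication -Site $ParentSite -Name $Name
        }
    }

    # Remove the application pool only if no remaining site or application still runs in it.
    $stillUsed = @(Get-Website        | Where-Object applicationPool -eq $appPool) +
                 @(Get-WebApplication | Where-Object applicationPool -eq $appPool)
    if ($appPool -and $stillUsed.Count -eq 0 -and (Test-Path "IIS:\AppPools\$appPool")) {
        if ($PSCmdlet.ShouldProcess($appPool, 'Stop and remove application pool')) {
            if ((Get-WebAppPoolState -Name $appPool).Value -eq 'Started') { Stop-WebAppPool -Name $appPool }
            Remove-WebAppPool -Name $appPool
        }
    }

    # Delete the content folder and, for a separate site, its log folder.
    foreach ($p in @($physicalPath, $logPath) | Where-Object { $_ -and (Test-Path $_) }) {
        if ($PSCmdlet.ShouldProcess($p, 'Delete folder')) { Remove-Item -Path $p -Recurse -Force }
    }
}

# Outside-in order, as the post prescribes: Mobile Web Service, User Portal, Web Service SDK.
'MultiFactorAuthMobileAppWebService', 'MultiFactorAuth', 'MultiFactorAuthWebServiceSdk' |
    ForEach-Object { Remove-MfaWebComponent -Name $_ -Verbose -WhatIf }
```

Drop -WhatIf from the last line to apply the changes. The app-pool guard is the step most often skipped by hand: a pool shared with another application disappears with it, and that application stops serving until someone notices.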


Remove Server references from Azure AD

To clean up the Azure AD tenant, delete the server entries and, where one exists, the MFA Provider from Azure AD; they are no longer needed, even when you continue to use Azure MFA through the NPS Extension for Azure MFA or through AD FS on Windows Server 2016 or Windows Server 2019. This paragraph also shows how to determine the master server when multiple MFA Servers form an MFA Server group, which you need for the uninstall order.

The steps in this paragraph depend on the way the Azure MFA Server implementation is licensed.

Perform these steps:

  1. Open a web browser and navigate to the Azure Portal.
  2. Sign in with an account that has the Global administrator role assigned. Perform Azure-based multi-factor authentication when prompted.
  3. In the left navigation menu, click Azure Active Directory.
  4. In the Azure AD navigation menu, scroll down to the Security section.
  5. Click MFA.


MFA Provider scenario

When the implementation uses an MFA Provider, perform these steps:

  1. In the Multi-Factor Authentication navigation menu, click Providers.
  2. Select a provider in the list of MFA providers to open its settings.
  3. In the navigation menu for the MFA Provider, click Server Status.
  4. In the list of Azure MFA Servers, take note of the Azure MFA Server installation that has the value Yes in the Master column.
  5. Click the … button to the left of each of the Azure MFA Servers and select Delete from the menu.
  6. In the Delete Entry pop-up, click OK to acknowledge that the selected entry will be removed from the report. Repeat steps 5 and 6 for each Azure MFA Server in the list.
  7. Delete the MFA Provider.


Hybrid Identity Scenario

When the implementation is licensed through Azure AD Premium, or through a license bundle that includes Azure AD Premium, perform these steps:

  1. In the Multi-Factor Authentication navigation menu, click Server Status.
  2. In the list of Azure MFA Servers, take note of the MFA Server installation that has the value Yes in the Master column.
  3. Click the … button to the left of each of the Azure MFA Servers and select Delete from the menu.
  4. In the Delete Entry pop-up, click OK to acknowledge that the selected entry will be removed from the report. Repeat steps 3 and 4 for each Azure MFA Server in the list.


Uninstall the central Azure MFA Server component    

The central Azure MFA Server component offers the Management User Interface, Directory Synchronization and other Azure MFA Server services that may be in use.

Information: When multiple Azure MFA Servers are part of the implementation, uninstall the central Azure MFA Server component on the Master server last. It is the only Azure MFA Server with read/write access to the phonefactor.pfdata file.

To uninstall the central MFA Server component, perform these steps:

  1. Press Win+X or right-click the Start button and select Programs and Features from the top of the menu, or search for Programs and Features.
  2. Select Multi-Factor Authentication Server from the list of installed programs.
  3. In the action bar on top of the list of installed programs, click Uninstall.
  4. Click Yes to answer the pop-up question Are you sure you want to uninstall Multi-Factor Authentication Server?
  5. After a few short progress bars, Azure MFA Server is removed.
  6. Close Programs and Features.
  7. Open File Explorer (explorer.exe).
  8. Navigate to the C:\Program Files\Multi-Factor Authentication Server folder (or the installation location for Azure MFA Server, if you changed it from the default during installation).
  9. Delete the folder, including the Data and Logs subfolders and the files therein. The Data subfolder holds the phonefactor.pfdata file with the user enrolment data; treat any backups of it with the same care.
  10. Close File Explorer.
  11. Restart the server.
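As an added example, not code from the original post or from Microsoft, the following Windows PowerShell script performs the Programs and Features part of this paragraph and of the Web Service SDK paragraph unattended: it looks the two packages up by display name in the Uninstall registry keys, removes them with msiexec in the post’s order (SDK first, central server second), refuses to run on a master while other group members remain, deletes the installation folder and restarts. The display names, the default install path and the two flags at the top are assumptions; set the flags from the Master column you noted in the Azure portal.

```powershell
# Added example (not from the original post): uninstall the MFA Server MSI packages by
# their Programs and Features display names, then delete the install folder and restart.
# Assumptions: display names 'Multi-Factor Authentication Web Service SDK' and
# 'Multi-Factor Authentication Server'; default install path when the registry holds no
# InstallLocation; the two flags below set by hand. Reads the Uninstall registry keys
# instead of Win32_Product, which is slow and triggers MSI self-repair of other products.
# Run elevated.

$ThisIsMaster       = $false   # assumption: $true on the server the portal showed as Master
$OtherMembersRemain = $false   # assumption: $true while other group members still exist

function Get-InstalledPackage {
    param([Parameter(Mandatory)] [string] $DisplayName)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString, PSChildName -First 1
}

function Uninstall-MfaPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $DisplayName)

    $pkg = Get-InstalledPackage -DisplayName $DisplayName
    if (-not $pkg) { Write-Host "'$DisplayName' is not installed; skipping."; return }

    # For MSI-installed packages the key name is the product code, which msiexec /x accepts.
    if ($pkg.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
        throw "'$DisplayName' is not an MSI package; uninstall it by hand: $($pkg.UninstallString)"
    }
    if ($PSCmdlet.ShouldProcess("$DisplayName $($pkg.DisplayVersion)", 'msiexec /x')) {
        $log = Join-Path $env:TEMP "uninstall-$($pkg.PSChildName).log"
        $p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
             -ArgumentList "/x $($pkg.PSChildName) /qn /norestart /l*v `"$log`""
        # 0 = success, 3010 = success but a restart is required (we restart at the end anyway)
        if ($p.ExitCode -notin 0, 3010) { throw "msiexec exit code $($p.ExitCode) for '$DisplayName'; see $log" }
    }
}

# On a multi-server group the master, which owns the writable PhoneFactor.pfdata, goes last.
if ($ThisIsMaster -and $OtherMembersRemain) {
    throw 'Uninstall the other group members first; the master is removed last.'
}

# Capture the install folder before the server package (and its registry key) disappears.
$server      = Get-InstalledPackage -DisplayName 'Multi-Factor Authentication Server'
$installRoot = if ($server.InstallLocation) { $server.InstallLocation }
               else { 'C:\Program Files\Multi-Factor Authentication Server' }

Uninstall-MfaPackage -DisplayName 'Multi-Factor Authentication Web Service SDK'
Uninstall-MfaPackage -DisplayName 'Multi-Factor Authentication Server'

# The Data subfolder holds PhoneFactor.pfdata with the user enrolment data (phone numbers
# and other per-user secrets); delete it here and handle backups of it with the same care.
if (Test-Path $installRoot) { Remove-Item -Path $installRoot -Recurse -Force }

Restart-Computer -Confirm
```

Add -WhatIf to the two Uninstall-MfaPackage calls to see which product codes would be passed to msiexec without running it.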


Remove IIS

Warning: Skip this paragraph on Windows Servers that remain in use as web servers, as the steps below remove the Internet Information Services (IIS) role and, with it, any other IIS-hosted applications.

With all Azure MFA Server components removed, the servers in scope of the Azure MFA Server deployment no longer require Internet Information Services (IIS). Remove IIS from the server using the Remove roles and services wizard from Server Manager, or use the following line of Windows PowerShell in an elevated PowerShell window:

Uninstall-WindowsFeature -Name Web-Server,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase

Afterwards, restart the server, for instance with the following line of Windows PowerShell:

Restart-Computer

If there are any load-balancer rules directing traffic to Azure MFA Server’s former Mobile Web Service, User Portal or Web Service SDK, remove these, too.


Remove TLS Certificates

The local computer certificate store of each Windows Server in scope still holds the TLS certificate that Azure MFA Server’s web components used. Remove it from the local computer certificate store of each of these servers.

Warning: Skip this paragraph if any of the Windows Servers in scope of the Azure MFA Server implementation remains a web server, hosting websites over HTTPS with the same TLS certificate. When that certificate comes up for renewal, leave the Azure MFA Server-specific names out of the Subject Alternative Name entries in the certificate request.

Perform these steps:

  1. Open the Certificates MMC Snap-in for the local computer (certlm.msc)
  2. In the left navigation pane, expand Personal, then Certificates.
  3. In the main pane, select the TLS certificate that was used for Azure MFA Server’s Mobile Web Service, Azure MFA Server’s User Portal and/or Azure MFA Server’s Web Service SDK.
  4. Right-click the certificate and select Delete from the menu.
  5. Click Yes.
  6. Close the Certificates MMC Snap-in.

If you connected Azure MFA Server’s Mobile Web Service and User Portal to the Web Service SDK using certificate authentication, remove those client certificates, too.
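The warnings in the Remove IIS and Remove TLS Certificates paragraphs both come down to one question: is anything else on this server still using it? The following Windows PowerShell script is an added example, not code from the original post or from Microsoft, that answers that question before anything is removed. It lists what IIS still hosts, finds the certificate by the DNS name the portals were published under, and checks HTTP.SYS and IIS bindings for remaining references before deleting it. The host name is a placeholder, and the script assumes IIS is still installed when it runs; it previews the certificate deletion with -WhatIf.

```powershell
# Added example (not from the original post): the "is anything else still using this?"
# checks behind the Remove IIS and Remove TLS Certificates warnings. Assumptions: IIS is
# still installed, and $MfaDnsName (placeholder) is the name the MFA portals used.
# Run elevated on each web server in scope.

Import-Module WebAdministration

$MfaDnsName = 'mfa.corp.example.com'   # assumption: the User Portal / SDK host name

# --- IIS: the role may go only when no site or application is left to serve. ---
$sites = @(Get-Website)
$apps  = @(Get-WebApplication)
$busy  = @($sites | Where-Object { $_.Name -ne 'Default Web Site' -or $_.State -eq 'Started' }) + $apps
if ($busy.Count -gt 0) {
    Write-Warning 'IIS still hosts content on this server; do not remove the Web-Server role:'
    $sites | Select-Object Name, State, physicalPath | Format-Table -AutoSize
    $apps  | Select-Object path, applicationPool, PhysicalPath | Format-Table -AutoSize
} else {
    Write-Host 'Only an idle Default Web Site remains; IIS can be removed with:'
    Write-Host '  Uninstall-WindowsFeature -Name Web-Server -IncludeManagementTools; Restart-Computer'
}

# --- TLS certificate: locate it by name, then look for remaining consumers. ---
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$MfaDnsName*" -or ($_.DnsNameList.Unicode -contains $MfaDnsName)
}
$sslcert = & netsh http show sslcert            # every HTTP.SYS binding, IIS-owned or not
foreach ($cert in $certs) {
    $thumb      = $cert.Thumbprint
    $httpBound  = [bool]($sslcert | Select-String -Pattern "Certificate Hash\s*:\s*$thumb" -Quiet)
    $iisBinding = @(Get-ChildItem IIS:\SslBindings | Where-Object Thumbprint -eq $thumb)

    Write-Host "`n$($cert.Subject)  [$thumb]  expires $($cert.NotAfter.ToShortDateString())"
    Write-Host "  SANs: $($cert.DnsNameList.Unicode -join ', ')"
    if ($httpBound -or $iisBinding.Count -gt 0) {
        Write-Warning '  Still bound; keep it and drop the MFA names from the SAN list at renewal:'
        $iisBinding | Select-Object IPAddress, Port, Host, Sites | Format-Table -AutoSize
    } else {
        Write-Host '  No binding references it; removing from LocalMachine\My (drop -WhatIf to apply).'
        Remove-Item -Path "Cert:\LocalMachine\My\$thumb" -DeleteKey -WhatIf
    }
}
```

The netsh check matters because HTTP.SYS bindings are not limited to IIS: other services register their own, and those survive an IIS-only check. -DeleteKey removes the private key along with the certificate, which is what you want for a decommissioned server.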


Remove service accounts and groups from Active Directory

For typical Azure MFA Server deployments, there are two service accounts and one group in Active Directory Domain Services:

  • The PhoneFactor Admins group in the Users container
  • The service account for the Azure MFA Server itself
  • The service account for the portals to connect to the Web Service SDK

Remove them all.


Remove the servers from the domain

WarningSkip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Configure the Azure MFA Server as a member of the WORKGROUP workgroup, instead of the domain it’s a member of.

Restart the server afterwards.

After a successful restart, remove the computer object from Active Directory Domain Services.


Remove DNS records from DNS

WarningSkip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Many Azure MFA Servers are known on the internal network and the Internet by names other than their hostnames.

Remove the A, AAAA and CNAME records, pointing to the host in the DNS zone for the internal network. Remove the A, AAAA and CNAME records, pointing to the host in the public DNS zone for the Internet.
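The directory and DNS clean-up in the last three paragraphs (service accounts and group, computer objects, internal DNS records) can be done from a management host with RSAT. The following Windows PowerShell script is an added example, not code from the original post or from Microsoft. It removes the objects with the checks a practitioner wants first: it reports remaining group members, refuses to delete a service account that still logged on recently, and refuses to delete a computer object whose host still answers on the network. Every name in it is an assumption for illustration; the PhoneFactor Admins group name is the one the post names. It runs in preview mode until $WhatIf is set to $false. Public DNS records at your registrar are not covered.

```powershell
# Added example (not from the original post): remove the AD objects and internal DNS
# records left by an MFA Server deployment, from a management host with RSAT. All names
# below are assumptions for illustration (the 'PhoneFactor Admins' group is the one the
# installer creates in the Users container). Runs as a preview until $WhatIf = $false.

Import-Module ActiveDirectory
Import-Module DnsServer

$WhatIf          = $true
$Group           = 'PhoneFactor Admins'
$ServiceAccounts = 'svc-mfaserver', 'svc-mfaportal'     # assumption: server + portal accounts
$Servers         = 'MFASRV01', 'MFASRV02'               # assumption: the decommissioned hosts
$Zone            = 'corp.example.com'                   # assumption: internal zone
$Aliases         = 'mfa', 'mfasdk'                      # assumption: published names in that zone
$DnsServer       = (Get-ADDomain).PDCEmulator

# Group: report remaining members so the admins can be re-homed to the replacement solution.
$g = Get-ADGroup -Filter "Name -eq '$Group'"
if ($g) {
    $members = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty SamAccountName)
    if ($members.Count -gt 0) { Write-Host "$Group still has members: $($members -join ', ')" }
    Remove-ADGroup -Identity $g -Confirm:$false -WhatIf:$WhatIf
}

# Service accounts: a recent logon means something still authenticates with the account.
foreach ($sam in $ServiceAccounts) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties LastLogonDate
    if (-not $u) { Write-Host "Account $sam not found; skipping."; continue }
    if ($u.LastLogonDate -gt (Get-Date).AddDays(-7)) {
        Write-Warning "$sam logged on at $($u.LastLogonDate); verify no other system uses it before removal."
        continue
    }
    Remove-ADUser -Identity $u -Confirm:$false -WhatIf:$WhatIf
}

# Computer objects: only once the server has left the domain (or is switched off).
foreach ($name in $Servers) {
    $c = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $c) { continue }
    if (Test-Connection -ComputerName "$name.$Zone" -Count 1 -Quiet) {
        Write-Warning "$name still answers on the network; disjoin or shut it down before deleting its object."
        continue
    }
    Remove-ADComputer -Identity $c -Confirm:$false -WhatIf:$WhatIf
}

# DNS: A, AAAA and CNAME records for the servers' own names and for the published aliases.
foreach ($name in $Servers + $Aliases) {
    foreach ($type in 'A', 'AAAA', 'CNAME') {
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $name -RRType $type -ErrorAction SilentlyContinue |
            ForEach-Object {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $_ -Force -WhatIf:$WhatIf
            }
    }
}
```

The Test-Connection guard depends on ICMP being allowed to the host; where it is not, substitute a check you trust (for instance Test-NetConnection on the portal’s TCP port) before deleting the computer object.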


Remove the servers from the network

WarningSkip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Shut down the server. Remove the server from the virtualization platform, or disconnect the physical server and remove it from the server room.

This is also the perfect moment to remove any custom firewall rules you might have had in place to allow communications between the Mobile Web Service and/or User Portal and the Web Service SDK, and replication between MFA Servers.

Make sure the hosts from the Azure MFA Server implementation are correctly removed from monitoring, backup and other information security services, as well as the service catalog.


Concluding

The above paragraphs provide steps to clean Azure MFA Server implementations off a network. Following these steps, no remnants remain of this legacy product.               

Related blogposts

Supported Azure MFA Server Deployment Scenarios and their pros and cons 
HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1 
Things to know about Billing for Azure MFA and Azure MFA Server 
Ten Things you need to know about Azure Multi-Factor Authentication Server 

Further reading

Configure Azure MFA as authentication provider with AD FS   
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication  
Azure: How to unregister and register MFA Server 6.x ADFS Authentication Provider 
