This week, Microsoft made available guidance to migrate from Azure MFA Server to Azure multi-factor authentication (Azure MFA).
While Microsoft officially still supports its on-premises Azure MFA Server product, the reality for organizations using MFA Server for multi-factor authentication purposes is harsh:
- Since MFA Server 8, released on April 10, 2018, MFA registrations for the Authenticator app flow through the Azure MFA infrastructure instead of through MFA Server’s mobile portal.
- As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments and trial tenants.
- The MFA SDK stopped working on October 1, 2020.
It’s confusing, as Microsoft released a new version of MFA Server as recently as last month. Now, Microsoft is hammering another nail in MFA Server’s coffin by urging organizations to leave their MFA Servers and opt for Azure MFA. In the process, Microsoft Identity Manager and AD FS get snagged too.
My experiences
Microsoft’s guidance is thorough and sheds light on some snags you will encounter on this path, as I encountered them myself when performing these migrations:
- While MFA Server offers many authentication methods, only phone numbers can be migrated easily. Migrating phone numbers may lead to stale numbers being migrated and make users more likely to stay on phone-based MFA instead of setting up more secure methods like Microsoft Authenticator. While MFA Server supports PINs, Azure MFA does not support them in all scenarios.
- To use Azure MFA with Active Directory Federation Services (AD FS), the farm behavior level (FBL) needs to be Windows Server 2016 or later. While Windows Server 2012 is still supported, AD FS on Windows Server 2012 and Windows Server 2012 R2 now lacks a future within your organization.
- When transitioning using a coexistence scenario, people will be prompted to select an authentication provider (MFA Server or Azure MFA) until the migration is complete.
- When using MFA Server with OATH-based hardware tokens, these tokens must be uploaded to Azure MFA using a *.csv file. Hardware tokens in Azure MFA are still in preview.
- When you use Microsoft Identity Manager (MIM)’s self-service password reset (SSPR) with MFA Server, Microsoft recommends moving your self-service password reset functionality to Azure AD SSPR.
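Two of these snags can be checked before the migration project starts: whether the AD FS farm behavior level already allows the Azure MFA adapter, and whether an OATH hardware-token *.csv file is well-formed before it is uploaded. The PowerShell below is an added example and not part of Microsoft’s guidance or of this post; the first function assumes it runs on an AD FS server with the ADFS module present and that `Get-AdfsFarmInformation` is only available on Windows Server 2016 and later farms, and the FBL-to-version mapping (1 = 2012 R2, 3 = 2016, 4 = 2019) is taken from Microsoft’s documentation as an assumption. The token rows in the sample are constructed and are not real secrets.

```powershell
# Added example (not from the original post): pre-migration readiness checks
# for the AD FS farm behavior level and for an OATH hardware-token CSV.

# Check 1: the farm behavior level (FBL) must be Windows Server 2016 (3) or higher
function Test-AdfsFarmReadyForAzureMfa {
    # Assumption: Get-AdfsFarmInformation only exists on 2016+ AD FS; on a
    # 2012 R2 farm the cmdlet is absent, which already answers the question.
    if (-not (Get-Command Get-AdfsFarmInformation -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            Ready  = $false
            Reason = 'Get-AdfsFarmInformation not found: farm is pre-Windows Server 2016'
        }
    }
    $farm  = Get-AdfsFarmInformation
    # Assumed mapping: FBL 1 = 2012 R2, 3 = 2016, 4 = 2019
    $ready = $farm.CurrentFarmBehavior -ge 3
    if ($ready) {
        $reason = 'FBL supports the Azure MFA adapter'
    } else {
        $reason = 'Raise the FBL with Invoke-AdfsFarmBehaviorLevelRaise once every node runs Windows Server 2016 or later'
    }
    [pscustomobject]@{
        Ready               = $ready
        CurrentFarmBehavior = $farm.CurrentFarmBehavior
        Reason              = $reason
    }
}

# Check 2: validate an OATH hardware-token CSV before uploading it to Azure MFA.
# Documented header: upn,serial number,secret key,time interval,manufacturer,model
function Test-OathTokenCsv {
    param([Parameter(Mandatory)][string[]]$Lines)

    $expectedHeader = 'upn,serial number,secret key,time interval,manufacturer,model'
    $problems = @()
    if ($Lines[0] -ne $expectedHeader) {
        $problems += "Line 1: header must be exactly '$expectedHeader'"
    }

    $rows = $Lines | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'upn', 'serial', 'secret', 'interval', 'manufacturer', 'model'

    $lineNo = 1
    foreach ($r in $rows) {
        $lineNo++
        if ($r.upn -notmatch '^[^@\s]+@[^@\s]+$') {
            $problems += "Line ${lineNo}: '$($r.upn)' is not a user principal name"
        }
        if ([string]::IsNullOrWhiteSpace($r.serial)) {
            $problems += "Line ${lineNo}: serial number is missing"
        }
        # Secret keys are Base32: uppercase A-Z and digits 2-7, optional '=' padding
        if ($r.secret -notmatch '^[A-Z2-7]+=*$') {
            $problems += "Line ${lineNo}: secret key is not Base32"
        }
        if ($r.interval -notin @('30', '60')) {
            $problems += "Line ${lineNo}: time interval must be 30 or 60 seconds"
        }
    }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample input: the first row is well-formed, the second has three defects
$sample = @(
    'upn,serial number,secret key,time interval,manufacturer,model',
    'alice@contoso.example,1234567,JBSWY3DPEHPK3PXP,30,Contoso,HardwareKey',
    'bob@contoso.example,,notbase32!,45,Contoso,HardwareKey'
)
Test-OathTokenCsv -Lines $sample | Format-List

# Run the farm check only where the ADFS module is present
if (Get-Module -ListAvailable -Name ADFS) {
    Test-AdfsFarmReadyForAzureMfa | Format-List
}
```

Running the CSV check against the constructed sample reports the second data row three times (missing serial, non-Base32 secret, invalid interval) and leaves the first row untouched, so a file that fails here is fixed before anyone spends an upload attempt on it. The farm check deliberately does not change anything; raising the FBL is a separate, planned step that follows the guidance linked below.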
Concluding
It’s clear that 2021 and 2022 are the years in which your organization needs to move off MFA Server. Budgets should be made available to perform these projects. Communications should be started to prepare people in your organization for moving to more secure authentication methods.
Further reading
HOWTO: Uninstall and Remove MFA Server versions 7.x and 8.x Implementations
Ten Things you need to know about Azure Multi-Factor Authentication Server
Choosing the right Azure MFA authentication methods
HOWTO: Enable Azure Multi-factor Authentication on AD FS
Wondering if you will post a step by step for migrating from MFA Server to Azure MFA.
That's interesting.
Would you be most interested in moving multi-factor authentication for IIS-based applications, for AD FS-integrated applications, for RADIUS-integrated applications, for MIM-based self-service password reset or for any third party integrations?