Kani-1098 asked (edited)

Install Azure MFA Server On-Premises

I am trying to configure MFA server on-premises as a proof of concept. We are using Sharepoint 2016 and we have both form-based and windows based users. And all these users reside in on-premise AD and Database.

I need to check how MFA works with our current implementations before acquiring any licenses. For this, I have installed MFA server but I don't find the Activation details in the Azure portal.

Is this doable with a free license? Any idea whether this scenario is doable without migrating to online?

Thanks

Tags: office-sharepoint-server-development, azure-ad-multi-factor-authentication

Hi, @Kani-1098,

Do the docs I provided solve your question? Any update in these days?


If the answer is helpful, please click Accept Answer and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


amanpreetsingh-msft answered

Hi @Kani-1098, if you want to use Azure App Proxy to leverage Azure MFA for your SharePoint on-premises instance, the users' requests should go to the External URL so that the request reaches Azure App Proxy. App Proxy should be configured to perform pre-authentication, as part of which users will do MFA. After successful pre-auth, App Proxy translates the external URL to the internal URL, so that users can connect to the on-prem application. You need to keep the below points in mind:
1. Configure SSO as mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-config-sso-how-to
2. If you want to enforce MFA for users who are accessing SharePoint site from your on-premises environment, they need to use External URL. If they use internal url, request will not be sent to App Proxy and they won't be enforced to do pre-auth with MFA.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
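The configuration check that follows from this answer, as an added example that is not code from the thread: using the AzureAD PowerShell module (assumed installed, with a session already opened via Connect-AzureAD), publish the SharePoint site through Application Proxy with Azure AD pre-authentication, then audit every published application and flag any still set to Passthru, which would forward requests to the on-prem server without the pre-auth step. The display name and URLs are placeholders.

```powershell
# Assumed: AzureAD module installed and Connect-AzureAD already run.
# Placeholder values; replace with your own external and internal URLs.
$displayName = "SharePoint 2016 (example)"
$externalUrl = "https://sharepoint-example.msappproxy.net/"
$internalUrl = "https://sharepoint.corp.example.local/"

# Publish with Azure AD pre-authentication. This is the setting that forces the
# Azure AD sign-in before traffic reaches the on-prem server; the MFA requirement
# itself comes from Conditional Access or per-user MFA applied to this app.
# "Passthru" would forward requests straight through with no sign-in at all.
$app = New-AzureADApplicationProxyApplication -DisplayName $displayName `
    -ExternalUrl $externalUrl -InternalUrl $internalUrl `
    -ExternalAuthenticationType AadPreAuthentication

# Audit: walk every application, keep the ones published through App Proxy,
# and report any that are not using pre-authentication.
$findings = foreach ($a in Get-AzureADApplication -All $true) {
    $proxy = Get-AzureADApplicationProxyApplication -ObjectId $a.ObjectId -ErrorAction SilentlyContinue
    if ($null -eq $proxy) { continue }   # not an App Proxy application
    [pscustomobject]@{
        DisplayName = $a.DisplayName
        ExternalUrl = $proxy.ExternalUrl
        InternalUrl = $proxy.InternalUrl
        PreAuth     = $proxy.ExternalAuthenticationType
        PreAuthOk   = ($proxy.ExternalAuthenticationType -eq "AadPreAuthentication")
    }
}

# Anything listed here reaches the internal app without the Azure AD sign-in step.
$findings | Where-Object { -not $_.PreAuthOk } | Format-Table -AutoSize
```

Remember point 2 of the answer: the audit only covers traffic that arrives via the External URL; users hitting the internal URL directly never reach App Proxy regardless of this setting.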

JerryXu-MSFT answered

As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers who would like to require multi-factor authentication (MFA) from their users should use cloud-based Azure Multi-Factor Authentication.

To get started with cloud-based MFA, see Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication.

Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual. The following steps only work if you were an existing MFA Server customer.

And please check the Prerequisites for deploying Azure MFA. If you have no plan for a Hybrid environment, I assume you will need to deploy remote access to SharePoint with Azure AD Application Proxy.

[attached screenshot]

For MFA billing, have a check here: https://azure.microsoft.com/en-us/pricing/details/active-directory/. The available features vary for different licenses.

FAQ for Azure MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-faq#:~:text=If%20your%20directory%20has%20a,MFA%20through%20the%20MFA%20provider.

amanpreetsingh-msft answered (Kani-1098 commented)

Hello @Kani-1098

On-Premises MFA Server is deprecated in favor of the Azure MFA Service. Microsoft does not support MFA Server for new deployments. Existing implementations of MFA Server would still work, but new deployments can no longer get the Activation details in the Azure portal.

Since you want to protect On-premises SharePoint 2016 server with MFA, you can configure Azure Application Proxy with AAD Pre-authentication and implement MFA via Azure MFA service. You can also leverage Conditional Access and Azure AD Identity protection for this purpose as well. Please refer to below diagram:

[attached diagram]


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Hello @Kani-1098 Just wanted to check if you have any further question.


@amanpreetsingh-msft Thank you for the answer. I have a sketch of my current understanding of MFA. I am wondering whether the mentioned Azure application proxy will be able to establish the connection between the on-premise server and Azure.

[attached sketch]
Thank you.

Kani-1098 answered (edited)

Hi @amanpreetsingh-msft ,

Many thanks for the answer and the guidance you have given. Finally, I was able to figure this out. :) [attached screenshot]



I have three questions on this.

1) We have forms-based authentication and it seems the user has to log in twice, i.e. first to the Microsoft account, second to the internal portal (FBA). Is there a way to have single sign-on for this?
2) Is it possible to define a job to sync users created in the on-premise DB with Azure public users using a daily sync-up job?
3) How would Microsoft licensing work for migrating around 20000 public users and enabling MFA for the site?

Thank you again.
