Getting started with the Azure Multi-Factor Authentication Server
Now that you have decided to use the on-premises Multi-Factor Authentication Server, let's get going. This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA Server installed and are looking to upgrade, see Upgrade to the latest Azure Multi-Factor Authentication Server. If you're looking for information on installing just the web service, see Deploying the Azure Multi-Factor Authentication Server Mobile App Web Service.
Plan your deployment
Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
A good guideline for the amount of memory you need is the number of users you expect to authenticate on a regular basis.
Do you need to set up multiple servers for high availability or load balancing? There are a number of ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any additional servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.
When a master Azure MFA Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.
Prepare your environment
Make sure the server that you're using for Azure Multi-Factor Authentication meets the following requirements:
| Azure Multi-Factor Authentication Server Requirements | Description |
|---|---|
| Permissions | Domain Administrator or Enterprise Administrator account to register with Active Directory |
Azure MFA Server Components
There are three web components that make up Azure MFA Server:
- Web Service SDK - Enables communication with the other components and is installed on the Azure MFA application server
- User Portal - An IIS web site that allows users to enroll in Azure Multi-Factor Authentication (MFA) and maintain their accounts.
- Mobile App Web Service - Enables using a mobile app like the Microsoft Authenticator app for two-step verification.
All three components can be installed on the same server if the server is internet-facing. If you split the components across servers, the Web Service SDK is installed on the Azure MFA application server and the User Portal and Mobile App Web Service are installed on an internet-facing server.
Azure Multi-Factor Authentication Server firewall requirements
Each MFA server must be able to communicate on port 443 outbound to the following addresses:
If outbound connections on port 443 are restricted by your firewall, open the following IP address ranges:

| IP Subnet | Netmask | IP Range |
|---|---|---|
| 18.104.22.168/25 | 255.255.255.128 | 22.214.171.124 – 126.96.36.199 |
| 188.8.131.52/25 | 255.255.255.128 | 184.108.40.206 – 220.127.116.11 |
| 18.104.22.168/25 | 255.255.255.128 | 22.214.171.124 – 126.96.36.199 |
If you aren't using the Event Confirmation feature, and your users aren't using mobile apps to verify from devices on the corporate network, you only need the following ranges:
| IP Subnet | Netmask | IP Range |
|---|---|---|
| 188.8.131.52/29 | 255.255.255.248 | 184.108.40.206 – 220.127.116.11 |
| 18.104.22.168/29 | 255.255.255.248 | 22.214.171.124 – 126.96.36.199 |
| 188.8.131.52/29 | 255.255.255.248 | 184.108.40.206 – 220.127.116.11 |
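The firewall tables above give each allow-listed block as a CIDR subnet, its netmask and the host range it covers. The PowerShell below is an added example (not code from the Microsoft docs page or from the MFA Server product) that derives the netmask and range from the CIDR column alone and checks whether an endpoint's resolved addresses fall inside the allow-list, so you can confirm the outbound 443 rules cover what the server actually connects to. The subnets in `$AllowList` are constructed placeholders from the RFC 5737 documentation ranges, and `mfa-endpoint.example.com` is a placeholder hostname; substitute the ranges and endpoints published for the Azure MFA service.

```powershell
# Added example: rebuild subnet -> netmask -> usable range from CIDR and test
# allow-list coverage. The subnets are constructed placeholders (RFC 5737).
$AllowList = @('192.0.2.0/25', '198.51.100.128/25', '203.0.113.200/29')

function ConvertFrom-DottedIp {
    param([Parameter(Mandatory)][string]$Ip)
    # Big-endian dotted quad -> unsigned 32-bit integer
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-DottedIp {
    param([Parameter(Mandatory)][uint32]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-SubnetInfo {
    param([Parameter(Mandatory)][string]$Cidr)
    $network, $prefixText = $Cidr -split '/'
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 30) { throw "Prefix out of supported range: $Cidr" }
    $size = [int64][math]::Pow(2, 32 - $prefix)              # addresses in the block
    $mask = [uint32](4294967296 - $size)                     # /25 -> 255.255.255.128, /29 -> 255.255.255.248
    $base = (ConvertFrom-DottedIp $network) -band $mask      # normalise to the network address
    [pscustomobject]@{
        Subnet  = "$(ConvertTo-DottedIp $base)/$prefix"
        Netmask = ConvertTo-DottedIp $mask
        FirstIp = ConvertTo-DottedIp ([uint32]($base + 1))          # first usable host
        LastIp  = ConvertTo-DottedIp ([uint32]($base + $size - 2))  # last usable host
        Base    = $base
        Mask    = $mask
    }
}

function Test-IpInAllowList {
    param([Parameter(Mandatory)][string]$Ip, [string[]]$Cidrs = $AllowList)
    $value = ConvertFrom-DottedIp $Ip
    foreach ($cidr in $Cidrs) {
        $info = Get-SubnetInfo $cidr
        if (($value -band $info.Mask) -eq $info.Base) { return $true }
    }
    return $false
}

function Test-EndpointCoverage {
    # Resolve the endpoint and report every IPv4 address the firewall rules would miss.
    # The hostname you pass is your own; 'mfa-endpoint.example.com' below is a placeholder.
    param([Parameter(Mandatory)][string]$HostName, [string[]]$Cidrs = $AllowList)
    [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object {
            [pscustomobject]@{
                Endpoint = $HostName
                Address  = $_.ToString()
                Covered  = Test-IpInAllowList $_.ToString() $Cidrs
            }
        }
}

# Rebuild the table rows from the CIDR column
$AllowList | ForEach-Object { Get-SubnetInfo $_ } | Format-Table Subnet, Netmask, FirstIp, LastIp

# Spot checks: an address inside the first block, and one just below the /29 block
Test-IpInAllowList '192.0.2.100'
Test-IpInAllowList '203.0.113.199'

# Coverage check against a placeholder endpoint name (requires DNS)
# Test-EndpointCoverage -HostName 'mfa-endpoint.example.com' | Format-Table
```

The range columns are computed as the first and last usable host addresses of each block. Any endpoint address that reports `Covered = False` is one the outbound rule set will block, which is the usual cause of activation or verification failures behind a restrictive firewall.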
Download the MFA Server
Follow these steps to download the Azure Multi-Factor Authentication Server from the Azure portal:
- Sign in to the Azure portal as an administrator.
- Select Azure Active Directory > MFA Server.
- Select Server settings.
- Select Download and follow the instructions on the download page to save the installer.
Keep this page open as we will refer to it after running the installer.
Install and configure the MFA Server
Now that you have downloaded the server, you can install and configure it. Be sure that the server you are installing it on meets the requirements listed in the planning section.
- Double-click the executable.
- On the Select Installation Folder screen, make sure that the folder is correct and click Next.
- Once the installation is complete, click Finish. The configuration wizard launches.
- On the configuration wizard welcome screen, check Skip using the Authentication Configuration Wizard and click Next. The wizard closes and the server starts.
- Back on the page that you downloaded the server from, click the Generate Activation Credentials button. Copy this information into the Azure MFA Server in the boxes provided and click Activate.
Send users an email
To ease rollout, allow MFA Server to communicate with your users. MFA Server can send an email to inform them that they have been enrolled for two-step verification.
The email you send should be determined by how you configure your users for two-step verification. For example, if you are able to import phone numbers from the company directory, the email should include the default phone numbers so that users know what to expect. If you do not import phone numbers, or your users are going to use the mobile app, send them an email that directs them to complete their account enrollment. Include a hyperlink to the Azure Multi-Factor Authentication User Portal in the email.
The content of the email also varies depending on the method of verification that has been set for the user (phone call, SMS, or mobile app). For example, if the user is required to use a PIN when they authenticate, the email tells them what their initial PIN has been set to. Users are required to change their PIN during their first verification.
Configure email and email templates
Click the email icon on the left to set up the settings for sending these emails. This page is where you can enter the SMTP information of your mail server and send email by checking the Send emails to users check box.
On the Email Content tab, you can see the email templates that are available to choose from. Depending on how you have configured your users to perform two-step verification, choose the template that best suits you.
Import users from Active Directory
Now that the server is installed you want to add users. You can choose to create them manually, import users from Active Directory, or configure automated synchronization with Active Directory.
Manual import from Active Directory
- In the Azure MFA Server, on the left, select Users.
- At the bottom, select Import from Active Directory.
- Now you can either search for individual users or search the AD directory for OUs with users in them. In this case, we specify the users OU.
- Highlight all the users on the right and click Import. You should receive a pop-up telling you that you were successful. Close the import window.
Automated synchronization with Active Directory
- In the Azure MFA Server, on the left, select Directory Integration.
- Navigate to the Synchronization tab.
- At the bottom, choose Add.
- In the Add Synchronization Item box that appears choose the Domain, OU or security group, Settings, Method Defaults, and Language Defaults for this synchronization task and click Add.
- Check the box labeled Enable synchronization with Active Directory and choose a Synchronization interval between one minute and 24 hours.
How the Azure Multi-Factor Authentication Server handles user data
When you use the Multi-Factor Authentication (MFA) Server on-premises, a user’s data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Azure MFA cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:
- Unique ID - either username or internal MFA server ID
- First and last name (optional)
- Email address (optional)
- Phone number - when doing a voice call or SMS authentication
- Device token - when doing mobile app authentication
- Authentication mode
- Authentication result
- MFA Server name
- MFA Server IP
- Client IP – if available
In addition to the fields above, the verification result (success/denial) and the reason for any denial are also stored with the authentication data and are available through the authentication/usage reports.
Back up and restore Azure MFA Server
Making sure that you have a good backup is an important step to take with any system.
To back up Azure MFA Server, ensure that you have a copy of the C:\Program Files\Multi-Factor Authentication Server\Data folder including the PhoneFactor.pfdata file.
In case a restore is needed complete the following steps:
- Reinstall Azure MFA Server on a new server.
- Activate the new Azure MFA Server.
- Stop the MultiFactorAuth service.
- Overwrite the PhoneFactor.pfdata with the backed-up copy.
- Start the MultiFactorAuth service.
The new server is now up and running with the original backed-up configuration and user data.
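The backup and restore steps above are manual. The PowerShell below is an added example (not code from the Microsoft docs page or from the MFA Server product) that scripts them: the backup copies the whole Data folder, which includes PhoneFactor.pfdata, into a timestamped archive with a SHA-256 hash beside it; the restore verifies that hash, stops the MultiFactorAuth service, replaces PhoneFactor.pfdata, and starts the service again. The Data path and service name are the ones given above; the backup root `D:\MfaBackups` and the `.pre-restore` safety copy are assumptions of this example.

```powershell
# Added example: scripted backup and restore of the MFA Server data store.
$MfaDataPath = 'C:\Program Files\Multi-Factor Authentication Server\Data'
$BackupRoot  = 'D:\MfaBackups'   # assumed location; keep it off the MFA server's own disk

function Backup-MfaServerData {
    param([string]$DataPath = $MfaDataPath, [string]$Destination = $BackupRoot)
    if (-not (Test-Path (Join-Path $DataPath 'PhoneFactor.pfdata'))) {
        throw "PhoneFactor.pfdata not found under $DataPath"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive = Join-Path $Destination "MfaServerData-$stamp.zip"
    # Compress-Archive (PowerShell 5+) captures the whole Data folder, not just the .pfdata file
    Compress-Archive -Path (Join-Path $DataPath '*') -DestinationPath $archive
    # Record a hash so a later restore can detect an archive altered in transit or at rest
    $hash = (Get-FileHash -Path $archive -Algorithm SHA256).Hash
    Set-Content -Path "$archive.sha256" -Value "$hash  $(Split-Path $archive -Leaf)"
    return $archive
}

function Restore-MfaServerData {
    # Run only on a server that has already been reinstalled and activated (steps 1 and 2 above)
    param([Parameter(Mandatory)][string]$Archive, [string]$DataPath = $MfaDataPath)
    $expected = (Get-Content "$Archive.sha256" -ErrorAction Stop).Split(' ')[0]
    $actual   = (Get-FileHash -Path $Archive -Algorithm SHA256).Hash
    if ($expected -ne $actual) { throw "Backup hash mismatch for $Archive; refusing to restore" }

    $staging = Join-Path $env:TEMP "mfa-restore-$(Get-Date -Format 'yyyyMMddHHmmss')"
    Expand-Archive -Path $Archive -DestinationPath $staging
    $source = Join-Path $staging 'PhoneFactor.pfdata'
    if (-not (Test-Path $source)) { throw 'Archive does not contain PhoneFactor.pfdata' }

    $target = Join-Path $DataPath 'PhoneFactor.pfdata'
    Stop-Service -Name MultiFactorAuth -ErrorAction Stop
    try {
        # Keep the freshly activated file so the restore can be rolled back if needed
        Copy-Item $target "$target.pre-restore" -Force
        Copy-Item $source $target -Force
    }
    finally {
        Start-Service -Name MultiFactorAuth
        Remove-Item $staging -Recurse -Force
    }
    Get-Service -Name MultiFactorAuth
}

# Usage on the running master:
#   $archive = Backup-MfaServerData
# Usage on the reinstalled and activated replacement:
#   Restore-MfaServerData -Archive 'D:\MfaBackups\MfaServerData-<stamp>.zip'
```

The data file holds user enrolment details and phone numbers, so treat the archive with the same access controls as the server itself, and schedule the backup on the master rather than a subordinate, since the master is the only server that can accept new users and settings changes.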
Managing the TLS/SSL Protocols and Cipher Suites
Once you have upgraded to or installed MFA Server version 8.x or higher, we recommend that older and weaker cipher suites be disabled or removed unless your organization requires them. Information on how to complete this task can be found in the article Managing SSL/TLS Protocols and Cipher Suites for AD FS.
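The PowerShell below is an added example (not code from the Microsoft docs page, the AD FS article it points to, or the MFA Server product) showing the two host-level controls usually used for this on a Windows server: disabling legacy protocol versions through the SCHANNEL registry keys, and removing weak cipher suites with the built-in `Get-TlsCipherSuite` / `Disable-TlsCipherSuite` cmdlets (Windows Server 2016 or later). The weak-suite pattern is this example's own choice, and the protocol changes need a reboot to take effect.

```powershell
# Added example: audit and harden SCHANNEL protocols and cipher suites on the MFA Server host.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,     # e.g. 'SSL 3.0', 'TLS 1.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $SchannelProtocols $Name) $side
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off; DisabledByDefault=1 stops SCHANNEL offering it unless asked for
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Report what the registry currently says, so the change can be reviewed before and after
    Get-ChildItem $SchannelProtocols -ErrorAction SilentlyContinue | ForEach-Object {
        $proto = $_.PSChildName
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path (Join-Path $_.PSPath $side) -ErrorAction SilentlyContinue
            if ($p) {
                [pscustomobject]@{
                    Protocol = $proto; Side = $side
                    Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault
                }
            }
        }
    }
}

# Suites considered weak for this example: RC4, 3DES, single DES, NULL, MD5, export grade
$WeakSuitePattern = 'RC4|3DES|_DES_|NULL|MD5|EXPORT'

function Disable-WeakCipherSuites {
    param([string]$Pattern = $WeakSuitePattern, [switch]$DryRun)
    Get-TlsCipherSuite | Where-Object { $_.Name -match $Pattern } | ForEach-Object {
        if ($DryRun) { "Would disable $($_.Name)" }
        else { Disable-TlsCipherSuite -Name $_.Name; "Disabled $($_.Name)" }
    }
}

# Usage: audit first, then apply and reboot
Get-SchannelProtocolState | Format-Table
Disable-WeakCipherSuites -DryRun
# Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
# Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
# Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
# Disable-WeakCipherSuites
```

These settings are machine-wide, so anything else on the host (the User Portal, RADIUS or LDAP clients, monitoring agents) will also lose the disabled protocols and suites; run the audit output past the owners of those integrations before applying the change.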
- Set up and configure the User Portal for user self-service.
- Set up and configure the Azure MFA Server with Active Directory Federation Service, RADIUS Authentication, or LDAP Authentication.
- Set up and configure Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS.
- Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service.
- Advanced scenarios with Azure Multi-Factor Authentication and third-party VPNs.