Getting started with the Azure Multi-Factor Authentication Server

Now that we have decided to use the on-premises Multi-Factor Authentication Server, let’s get going. This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see Upgrade to the latest Azure Multi-Factor Authentication Server. If you're looking for information on installing just the web service, see Deploying the Azure Multi-Factor Authentication Server Mobile App Web Service.

Plan your deployment

Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.

A good guideline for the amount of memory you need is the number of users you expect to authenticate on a regular basis.

Users              RAM
1-10,000           4 GB
10,001-50,000      8 GB
50,001-100,000     12 GB
100,000-200,001    16 GB
200,001+           32 GB

Do you need to set up multiple servers for high availability or load balancing? There are a number of ways to set up this configuration with Azure MFA Server. When you install your first Azure MFA Server, it becomes the master. Any additional servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.

When a master Azure MFA Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.

Prepare your environment

Make sure the server that you're using for Azure Multi-Factor Authentication meets the following requirements:

Azure Multi-Factor Authentication Server requirements:

Hardware
  • 200 MB of hard disk space
  • x32 or x64 capable processor
  • 1 GB or greater RAM

Software
  • Windows Server 2008 or greater if the host is a server OS
  • Windows 7 or greater if the host is a client OS
  • Microsoft .NET 4.0 Framework
  • IIS 7.0 or greater if installing the user portal or web service SDK

    Azure Multi-Factor Authentication Server firewall requirements

    Each MFA server must be able to communicate on port 443 outbound to the following addresses:

    If outbound firewalls are restricted on port 443, open the following IP address ranges:

    IP Subnet Netmask IP Range – – –

    If you aren't using the Event Confirmation feature, and your users aren't using mobile apps to verify from devices on the corporate network, you only need the following ranges:

    IP Subnet Netmask IP Range – – –
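
A preflight check for the hardware, software and outbound port 443 requirements listed above, as an added example that is not part of the original page or of Microsoft's tooling. It assumes Windows PowerShell on the target host; the endpoint name and the install drive are placeholders to replace with the published address list and your own install location.

```powershell
# Added example: preflight check for the MFA Server host requirements.
$Endpoints    = @('mfa-endpoint.example.invalid')  # placeholder: use the published address list
$InstallDrive = 'C:'                               # assumption: install folder is on C:

function New-Check($Name, $Pass) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass }
}

function Test-Outbound443([string]$HostName) {
    # Plain TCP connect with a 5 s timeout; shows reachability only, not a clean TLS path.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, 443, $null, $null)
        return ($pending.AsyncWaitHandle.WaitOne(5000) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

$os   = Get-WmiObject Win32_OperatingSystem
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"
$ram  = (Get-WmiObject Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum
$ver  = [version]$os.Version

# ProductType 1 = client OS; Windows 7 is 6.1, Windows Server 2008 is 6.0.
$minOs = if ($os.ProductType -eq 1) { [version]'6.1' } else { [version]'6.0' }

# Registry markers: .NET 4.x full profile sets Install = 1; IIS records MajorVersion.
$net4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$iis  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue

$results = @(
    New-Check 'OS version meets minimum'                  ($ver -ge $minOs)
    New-Check '200 MB free disk space'                    ($disk.FreeSpace -ge 200MB)
    New-Check '1 GB or greater RAM'                       ($ram -ge 1GB)
    New-Check '.NET Framework 4.0 or later'               ($net4.Install -eq 1)
    New-Check 'IIS 7.0+ (user portal / web service SDK)'  ($iis.MajorVersion -ge 7)
)
foreach ($h in $Endpoints) {
    $results += New-Check "Outbound TCP 443 to $h" (Test-Outbound443 $h)
}
$results | Format-Table Check, Pass -AutoSize
```

The IIS row only matters on hosts that will run the user portal or web service SDK, so a False there is expected on a server that hosts neither.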

    Download the Azure Multi-Factor Authentication Server

    There are two different ways that you can download the Azure Multi-Factor Authentication Server. Both are done via the Azure portal. The first is by managing the Multi-Factor Auth Provider directly. The second is via the service settings. The second option requires either a Multi-Factor Auth Provider or an Azure MFA, Azure AD Premium, or Enterprise Mobility Suite license.


    These two options seem similar, but it is important to know which one to use. If your users have licenses that come with MFA (Azure MFA, Azure AD Premium, or Enterprise Mobility + Security), don't create a Multi-Factor Auth Provider to get to the server download. Instead, use option 2 to download the server from the service settings page.

    Option 1: Download Azure Multi-Factor Authentication Server from the Azure classic portal

    Use this download option if you already have a Multi-Factor Auth Provider because you pay for MFA on a per-enabled user or per-authentication basis.

    1. Sign in to the Azure classic portal as an administrator.
    2. On the left, select Active Directory.
    3. On the Active Directory page, click Multi-Factor Auth Providers.
    4. At the bottom, click Manage. A new page opens.
    5. Click Downloads.
    6. Click the Download link.
    7. Save the download.

    Option 2: Download Azure Multi-Factor Authentication Server from the service settings

    Use this download option if you have Enterprise Mobility Suite, Azure AD Premium, or Enterprise Cloud Suite licenses.

    1. Sign in to the Azure classic portal as an administrator.
    2. On the left, select Active Directory.
    3. Double-click your instance of Azure AD.
    4. At the top, click Configure.
    5. Scroll down to the multi-factor authentication section, and select Manage service settings.
    6. On the services settings page, at the bottom of the screen, click Go to the portal. A new page opens.
    7. Click Downloads.
    8. Click the Download link.
    9. Save the download.

    Install and Configure the Azure Multi-Factor Authentication Server

    Now that you have downloaded the server, you can install and configure it. Be sure that the server you are installing it on meets the requirements listed in the planning section.

    These steps follow an express setup with the configuration wizard. If you don't see the wizard or want to rerun it, you can select it from the Tools menu on the server.

    1. Double-click the executable.
    2. On the Select Installation Folder screen, make sure that the folder is correct and click Next.
    3. Once the installation is complete, click Finish. The configuration wizard launches.
    4. On the configuration wizard welcome screen, check Skip using the Authentication Configuration Wizard and click Next. The wizard closes and the server starts.
    5. Back on the page that we downloaded the server from, click the Generate Activation Credentials button. Copy this information into the Azure MFA Server in the boxes provided and click Activate.

    Import users from Active Directory

    Now that the server is installed and configured you can quickly import users into the Azure MFA Server.

    1. In the Azure MFA Server, on the left, select Users.
    2. At the bottom, select Import from Active Directory.
    3. Now you can either search for individual users or search the AD directory for OUs with users in them. In this case, we specify the users OU.
    4. Highlight all the users on the right and click Import. You should receive a pop-up telling you that you were successful. Close the import window.

    Send users an email

    Now that you have imported your users into the MFA Server, send an email to inform them that they have been enrolled for two-step verification.

    The email you send should be determined by how you configured your users for two-step verification. For example, if you were able to import phone numbers from the company directory, the email should include the default phone numbers so that users know what to expect. If you didn't import phone numbers, or your users are going to use the mobile app, send them an email that directs them to complete their account enrollment. Include a hyperlink to the Azure Multi-Factor Authentication User Portal in the email.

    The content of the email also varies depending on the method of verification that has been set for the user (phone call, SMS, or mobile app). For example, if the user is required to use a PIN when they authenticate, the email tells them what their initial PIN has been set to. Users are required to change their PIN during their first verification.

    Configure email and email templates

    Click the email icon on the left to set up the settings for sending these emails. This page is where you can enter the SMTP information of your mail server and send email by checking the Send emails to users check box.

    On the Email Content tab, you can see the email templates that are available to choose from. Depending on how you have configured your users to perform two-step verification, choose the template that best suits you.

    How the Azure Multi-Factor Authentication Server handles user data

    When you use the Multi-Factor Authentication (MFA) Server on-premises, a user’s data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Azure MFA cloud service to perform the verification. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional, so they can be enabled or disabled within the Multi-Factor Authentication Server. These fields are:

    • Unique ID - either username or internal MFA server ID
    • First and last name (optional)
    • Email address (optional)
    • Phone number - when doing a voice call or SMS authentication
    • Device token - when doing mobile app authentication
    • Authentication mode
    • Authentication result
    • MFA Server name
    • MFA Server IP
    • Client IP – if available

    In addition to the fields above, the verification result (success/denial) and the reason for any denials are also stored with the authentication data and available through the authentication/usage reports.

    Next steps