Configure AD FS 2016 and Azure MFA

Applies To: Windows Server 2016

If your organization is federated with Azure AD, you can use Azure Multi-Factor Authentication to secure AD FS resources, both on-premises and in the cloud. Azure MFA enables you to eliminate passwords and provides a more secure way to authenticate. Starting with Windows Server 2016, you can configure Azure MFA as a primary authentication method.

Unlike AD FS in Windows Server 2012 R2, the AD FS 2016 Azure MFA adapter integrates directly with Azure AD and does not require an on-premises Azure MFA Server. The Azure MFA adapter is built into Windows Server 2016, so no additional installation is needed.

Note on Registering users for Azure MFA with AD FS 2016

AD FS does not currently support inline proof-up (registration) of Azure MFA security verification information. As a result, a user who has not yet registered (configured verification information) in Azure AD and tries to authenticate with Azure MFA at AD FS receives an error. While inline proofing support is still being added, the following are the recommended configurations for enabling Azure MFA with AD FS.

Azure MFA as Primary Authentication

If you wish to use Azure MFA as a primary authentication method in AD FS, for example to avoid passwords for Office 365 sign-in, you can do this without telling Azure AD that MFA is performed on premises. This means your domain's federation setting SupportsMfa (shown by Get-MsolDomainFederationSettings -DomainName [your domain name]) remains set to $false.

Azure MFA as primary authentication does not depend on the SupportsMfa domain setting. In addition, with this configuration you can use Azure AD's inline registration capability to let your users proof up. Each user has to do this once, using username and password to access the "Additional Security Verification" page in the Azure portal and register.

Azure MFA as Additional authentication to Office 365

Today, if you wish to have Azure MFA as an additional authentication method in AD FS for Office 365, you can achieve this with compound MFA, in which primary authentication is performed on premises in AD FS and MFA is triggered by Azure AD. This is the default behavior when Azure AD requires MFA but the domain's SupportsMfa setting is $false. Azure MFA is then performed by Azure AD and not by AD FS, which avoids the hard AD FS error for users who have not yet registered.

As an alternative to the above, you can use an Active Directory group containing only proofed-up Azure AD users to control who is prompted for Azure MFA at the AD FS level. This requires you to maintain the group membership, and it breaks Azure AD Conditional Access scenarios that require MFA for users outside the group.
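The group-scoped alternative above, written out as an added example (this is not code from the original article). It assumes the placeholders contoso.com, the AD group AzureMFA-Enrolled and the relying party display name "Microsoft Office 365 Identity Platform", and that it is run elevated on an AD FS 2016 farm member with the ActiveDirectory and MSOnline modules available. It first checks the SupportsMfa setting the text relies on, then registers the built-in Azure MFA provider as the additional authentication provider and attaches an additional authentication rule that only fires for members of the group.

```powershell
# Added example (not part of the original article). Placeholders below are assumptions.
$domain = 'contoso.com'
$group  = 'AzureMFA-Enrolled'                        # AD group of already proofed-up users
$rpName = 'Microsoft Office 365 Identity Platform'   # the Office 365 relying party trust

# 1. Confirm the federation setting the article relies on. With SupportsMfa = $false,
#    Azure AD performs its own MFA for Office 365 and never expects AD FS to assert it,
#    so an AD FS prompt for group members is purely additive.
Connect-MsolService
$fed = Get-MsolDomainFederationSettings -DomainName $domain
if ($fed.SupportsMfa) {
    throw "SupportsMfa is `$true for $domain; this configuration expects `$false."
}

# 2. Register Azure MFA as the additional (second-factor) provider for the farm.
#    'AzureMfaAuthentication' is the provider name of the adapter built into Windows Server 2016.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'AzureMfaAuthentication'

# 3. Resolve the group SID and write an additional authentication rule that requests
#    MFA only when the incoming groupsid claim matches. Users outside the group are not
#    prompted at AD FS, which is the trade-off the text describes.
#    Note: if the relying party already has an AD FS 2016 access control policy assigned,
#    claim rules cannot be set directly; clear the policy first with -AccessControlPolicyName $null.
$sid  = (Get-ADGroup -Identity $group).SID.Value
$rule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $rule

# 4. Read the rule back so the applied policy can be reviewed.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Because membership in the group is what gates the prompt, anyone who can add users to it (or remove them) controls who gets a second factor at AD FS; treat that group as a privileged object and audit changes to it.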

Azure MFA as Additional authentication for other (non Azure AD) AD FS relying parties

Today, if you wish to have Azure MFA as an additional authentication method in AD FS for other relying parties, this can be achieved with the Azure AD domain SupportsMfa setting set to $false.
In this configuration you can use Azure AD's inline registration capability to let your users proof up. Each user has to do this once, using username and password to access the "Additional Security Verification" page in the Azure portal and register. Once users are registered, they can sign in via AD FS to non-Azure AD applications that require MFA.


The following pre-requisites are required when using Azure MFA for authentication with AD FS:

  - A subscription that includes Azure AD and Azure MFA. Both are included in Azure AD Premium and the Enterprise Mobility Suite (EMS); if you have either of these you do not need individual subscriptions.

Configure the AD FS Servers

To complete the configuration of Azure MFA for AD FS, you need to configure each AD FS server using the steps described below. Ensure that these steps are performed on all AD FS servers in the farm. If you have multiple AD FS servers in your farm, you can perform the necessary configuration remotely using Azure AD PowerShell.

Step 1: Generate a certificate for Azure MFA on each AD FS server using the New-AdfsAzureMfaTenantCertificate cmdlet.

The first thing you need to do is generate a certificate for Azure MFA to use. This can be done with PowerShell. The generated certificate is placed in the local machine certificate store, with a subject name containing the TenantID of your Azure AD directory.


Note that TenantID is the name of your directory in Azure AD. Use the following PowerShell cmdlet to generate the new certificate; capture its return value (the base64-encoded certificate), because you need it in the next step.

    $certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId <tenantID>


Step 2: Add the new credentials to the Azure Multi-Factor Auth Client SPN

To enable the AD FS servers to communicate with the Azure Multi-Factor Auth Client, you need to add the credentials to the service principal (SPN) of the Azure Multi-Factor Auth Client. The certificates generated with the New-AdfsAzureMfaTenantCertificate cmdlet serve as these credentials. Use PowerShell as follows to add the new credentials to the Azure Multi-Factor Auth Client SPN.


To complete this step you need to connect to your Azure AD tenant with PowerShell using Connect-MsolService. These steps assume you have already connected via PowerShell. For information, see Connect-MsolService.

  1. Set the certificate as the new credential against the Azure Multi-Factor Auth Client

    New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64


981f26a1-7f43-403b-a875-f8b09b8cd720 is the GUID (application ID) of the Azure Multi-Factor Auth Client service principal. Because each AD FS server generates its own certificate, run this cmdlet once per server, each time with that server's $certBase64 value.

Configure the AD FS Farm

Once you have completed the previous section on each AD FS server, run the Set-AdfsAzureMfaTenant cmdlet.

This cmdlet needs to be executed only once for an AD FS farm. Use PowerShell to complete this step.


You will need to restart the AD FS service on each server in the farm before these changes take effect.

    Set-AdfsAzureMfaTenant -TenantId <tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720


After this, Azure MFA is available as a primary authentication method for intranet and extranet use.
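The whole procedure (Step 1 and Step 2 on every farm member, then the one-time farm configuration, restart and verification) as a single added example script; it is not code from the original article. It assumes the placeholder tenant contoso.onmicrosoft.com and server names adfs01/adfs02, that PowerShell remoting to the farm members is allowed, that the MSOnline module is installed where it runs, and that Get-AdfsAzureMfaConfigured and the provider name AzureMfaAuthentication from the AD FS 2016 module are available. It goes one step beyond the article by enabling the adapter as a primary method alongside the existing provider rather than replacing it.

```powershell
# Added example (not part of the original article). Placeholders below are assumptions.
$tenantId       = 'contoso.onmicrosoft.com'                   # your Azure AD directory
$mfaClientAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'      # Azure Multi-Factor Auth Client (from the article)
$farm           = @('adfs01.contoso.local', 'adfs02.contoso.local')

Connect-MsolService

# Step 1 + Step 2, once per server: generate the MFA certificate in that server's
# LocalMachine store and register its public key on the Azure MFA client service
# principal. Every server has its own certificate, so every server needs its own credential.
foreach ($server in $farm) {
    $certBase64 = Invoke-Command -ComputerName $server -ScriptBlock {
        New-AdfsAzureMfaTenantCertificate -TenantId $using:tenantId
    }
    New-MsolServicePrincipalCredential -AppPrincipalId $mfaClientAppId `
        -Type asymmetric -Usage verify -Value $certBase64
}

# Verify the farm's public keys are on the service principal before binding the tenant.
# Each entry carries an expiry; keys have to be rotated before EndDate or the adapter stops working.
Get-MsolServicePrincipalCredential -AppPrincipalId $mfaClientAppId -ReturnKeyValues $true |
    Select-Object KeyId, StartDate, EndDate, Usage

# Farm-wide, once: bind the farm to the tenant, then restart AD FS on every member
# so the change takes effect.
Set-AdfsAzureMfaTenant -TenantId $tenantId -ClientId $mfaClientAppId
Invoke-Command -ComputerName $farm -ScriptBlock { Restart-Service adfssrv }

# Confirm the adapter is configured, then add it as a primary method for intranet and
# extranet. Appending to the current provider list (rather than replacing it) keeps the
# existing method as a fallback for users who have not yet proofed up in Azure AD.
if (-not (Get-AdfsAzureMfaConfigured)) { throw 'Azure MFA is not configured on this farm.' }
$policy = Get-AdfsGlobalAuthenticationPolicy
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider ($policy.PrimaryIntranetAuthenticationProvider + 'AzureMfaAuthentication') `
    -PrimaryExtranetAuthenticationProvider ($policy.PrimaryExtranetAuthenticationProvider + 'AzureMfaAuthentication')
```

Two operational points follow from the script: the credential on the service principal is the public half of a per-server certificate, so decommissioning a farm member should include removing its key with Remove-MsolServicePrincipalCredential so a stale key pair cannot be reused; and because each certificate has an EndDate, the renewal (regenerating with New-AdfsAzureMfaTenantCertificate and re-registering the new value) needs to be scheduled, not discovered when sign-in fails.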