- You must own an Azure AD Premium license for each user that you wish to use with MFA Server. This can be purchased stand-alone or as part of EM+S.
- You must have a server running Windows 2008 R2 or higher that is domain-joined and patched. This server will need open access to port 443 on the Internet. It will be used as the MFA Server.
- Create a group called “MFA Users” in Active Directory and add the appropriate users to it.
- Make sure all users that need to use MFA have a Mobile phone number listed in AD.
- A valid SSL certificate needs to be installed on the MFA Server if you wish to use the Mobile Authenticator app. This server will also need to be open on port 443 to the Internet and a valid DNS entry created.
- This document assumes that you’ve previously setup an Office 365 Tenancy.
Get the MFA Server Software
1. Log into https://portal.office.com
2. Click on Admin Centers à Azure AD in the left-hand menu
3. This will open https://manage.windowsazure.com in your Azure AD instance.
4. Click on Configure from the top menu bar
5. Scroll down to “multi-factor authentication” and click on the “Manage service settings” link
6. This will open a new tab. Scroll to the bottom and click on the “Go to the portal” link
7. Click on the Downloads link
8. Click on the “Generate Activation Credentials” button and make a note of the settings
9. Click on the Download link to download the MFA Server software
Installing MFA Server
1. Double-click on the MFA Server executable
2. Click Next on the Select Installation Folder screen
3. Click Finish to launch the Configuration Wizard
4. On the Configuration Wizard welcome screen, check “Skip using the Authentication Configuration Wizard” and click Next.
5. Enter the Activation Credentials that were generated earlier in the boxes provided and click Activate
Configure the MFA Server
1. Launch the Multi-Factor Authentication Server application
2. Click on Company Settings and configure the default settings as shown
3. Click on Directory Integration and make sure “Use Active Directory” is selected
4. Click on the Synchronization tab then click Add at the bottom of the screen
5. In the View drop down, choose “Security Groups” and choose the MFA Users group that you created in the Prerequisites. Enter the Settings as shown.
6. Check the “Enable synchronization with Active Directory” checkbox and set the sync interval.
7. Click on Users and verify that your users have successfully been imported, their phone numbers have been imported and the accounts are enabled. If phone numbers are missing, you will need to add them into AD and sync again. Note that accounts won’t automatically enable when you do this so click on them in the Users screen, click Edit, and check the Enabled option on the bottom
8. Highlight a user and click Test to verify MFA access
Install Web Portal
1. Add the “Web Server” Role. Under Role Services, add the following…
a. Web Server –> Application Development –> ASP.NET
b. Management Tools –> IIS 6 Management Compatibility –> IIS 6 Metabase Compatibility
2. Install and bind a public SSL certificate to the Default Website. Make sure the server is externally accessible and doesn’t present any certificate warnings.
3. Click on User Portal and click “Install User Portal”. Take the default settings to install it under the Default website.
4. Once installed, configure the User Portal URL. The format should be https://server.domain.com/MultiFactorAuth. Configure the other settings as shown
5. Click on the Trusted IPs tab and enter any internal IP ranges that you want to bypass MFA for. This will keep users from having to use MFA when accessing the User Portal from the internal network
6. Click on Web Service SDK and click “Install Web Service SDK”. Take the default settings to install it under the Default website
7. To install the Mobile App Web Service, browse to “C:\Program Files\Windows Azure Multi-Factor Authentication” and execute MultiFactorAuthenticationMobileAppWebServiceSetup64.msi. Take the default settings to install it under the Default website
8. Click on Mobile App and configure the “Mobile App Web Service URL”. The format should be https://server.domain.com/MultiFactorAuthMobileAppWebService. Configure the “Account Name” with the company’s name
9. Create a user account in AD named “MfaWebService” and add it to the “PhoneFactor Admins” security group.
10. Browse to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService
11. Open web.config in Notepad and modify the following values. The URL format should be https://server.domain.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx
12. Test access by browsing to the URL listed above and logging with the service account. You should see the following result
Registering the Mobile App
1. Download the Microsoft Authenticator app on your phone. It is available from the App Store on both iOS and Android.
2. Browse to https://server.domain.com/MultiFactorAuth and log in. Note that if you haven’t configured a Trusted IP address range or your logging in from outside of that range, you will have to perform MFA. If you follow this guide, this will be a two-way text message.
3. Click on the “Activate Mobile App” link and click “Generate New Activation Code”
4. Launch the Microsoft Authenticator app on your phone. Click the “+” to add an account. Choose “Work or School Account”
5. Take a picture of the QR Code or manually enter the data presented on the activation page
1. Make sure the “PFUP_ServerName” account has been granted the “Log on as a batch job” right. If this is being controlled by a GPO, make sure this account is added to the GPO.
2. Make sure that ASP.NET, ISAPI Extensions and ISAPI Filters are installed on the server and make sure that the ASP.NET 4.0 extensions are Allowed.
3. Make sure that the account specified in the MultiFactorAuthMobileAppWebService Web.config file is a member of the “PhoneFactor Admins” Security Group. This group is created in Active Directory.