Setting Up Azure MFA Server


  • You must own an Azure AD Premium license for each user that you wish to use with MFA Server. This can be purchased stand-alone or as part of EM+S.
  • You must have a server running Windows 2008 R2 or higher that is domain-joined and patched. This server will need open access to port 443 on the Internet. It will be used as the MFA Server.
  • Create a group called “MFA Users” in Active Directory and add the appropriate users to it.
  • Make sure all users that need to use MFA have a Mobile phone number listed in AD.
  • A valid SSL certificate needs to be installed on the MFA Server if you wish to use the Mobile Authenticator app. This server will also need to be open on port 443 to the Internet and a valid DNS entry created.
  • This document assumes that you’ve previously set up an Office 365 Tenancy.

Get the MFA Server Software

1. Log into

2. Click on Admin Centers –> Azure AD in the left-hand menu


3. This will open in your Azure AD instance.

4. Click on Configure from the top menu bar


5. Scroll down to “multi-factor authentication” and click on the “Manage service settings” link

6. This will open a new tab. Scroll to the bottom and click on the “Go to the portal” link


7. Click on the Downloads link

8. Click on the “Generate Activation Credentials” button and make a note of the settings

9. Click on the Download link to download the MFA Server software


Installing MFA Server

1. Double-click on the MFA Server executable

2. Click Next on the Select Installation Folder screen

3. Click Finish to launch the Configuration Wizard

4. On the Configuration Wizard welcome screen, check “Skip using the Authentication Configuration Wizard” and click Next.


5. Enter the Activation Credentials that were generated earlier in the boxes provided and click Activate

Configure the MFA Server

1. Launch the Multi-Factor Authentication Server application

2. Click on Company Settings and configure the default settings as shown


3. Click on Directory Integration and make sure “Use Active Directory” is selected


4. Click on the Synchronization tab then click Add at the bottom of the screen

5. In the View drop down, choose “Security Groups” and choose the MFA Users group that you created in the Prerequisites. Enter the Settings as shown.


6. Check the “Enable synchronization with Active Directory” checkbox and set the sync interval.


7. Click on Users and verify that your users have been imported successfully, that their phone numbers have been imported, and that the accounts are enabled. If phone numbers are missing, you will need to add them in AD and sync again. Note that accounts won’t automatically enable when you do this, so click on each one in the Users screen, click Edit, and check the Enabled option at the bottom


8. Highlight a user and click Test to verify MFA access
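
The phone-number check in step 7 can be done in AD before the first synchronization. The script below is an added example, not part of the original guide; it assumes the RSAT ActiveDirectory module is available and that the number MFA Server imports is stored in the AD "mobile" attribute.

```powershell
# Added example: list members of the "MFA Users" group that have no usable
# mobile number in AD, so they can be fixed before MFA Server syncs the group.
# Assumption: the phone number is held in the AD "mobile" attribute.
Import-Module ActiveDirectory

$groupName = 'MFA Users'   # group created in the prerequisites

$report = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties mobile } |
    Select-Object SamAccountName, Enabled,
        @{ Name = 'Mobile'; Expression = { $_.mobile } },
        @{ Name = 'Problem'; Expression = {
            if (-not $_.mobile) { 'No mobile number' }
            elseif ($_.mobile -notmatch '^\+?[\d\s().-]{7,}$') { 'Unusual number format' }
            else { $null }
        } }

# Accounts to correct in AD before the next synchronization
$report | Where-Object { $_.Problem } |
    Sort-Object Problem, SamAccountName |
    Format-Table SamAccountName, Enabled, Mobile, Problem -AutoSize

# One-line summary of how many group members are ready to import
'{0} of {1} members have a usable mobile number' -f `
    @($report | Where-Object { -not $_.Problem }).Count, @($report).Count
```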

Install Web Portal

1. Add the “Web Server” Role. Under Role Services, add the following…

a. Web Server –> Application Development –> ASP.NET

b. Management Tools –> IIS 6 Management Compatibility –> IIS 6 Metabase Compatibility

2. Install and bind a public SSL certificate to the Default Website. Make sure the server is externally accessible and doesn’t present any certificate warnings.

3. Click on User Portal and click “Install User Portal”. Take the default settings to install it under the Default website.

4. Once installed, configure the User Portal URL. The format should be Configure the other settings as shown


5. Click on the Trusted IPs tab and enter any internal IP ranges that you want to bypass MFA for. This will keep users from having to use MFA when accessing the User Portal from the internal network


6. Click on Web Service SDK and click “Install Web Service SDK”. Take the default settings to install it under the Default website

7. To install the Mobile App Web Service, browse to “C:\Program Files\Windows Azure Multi-Factor Authentication” and execute MultiFactorAuthenticationMobileAppWebServiceSetup64.msi. Take the default settings to install it under the Default website

8. Click on Mobile App and configure the “Mobile App Web Service URL”. The format should be Configure the “Account Name” with the company’s name


9. Create a user account in AD named “MfaWebService” and add it to the “PhoneFactor Admins” security group.

10. Browse to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService

11. Open web.config in Notepad and modify the following values. The URL format should be


12. Test access by browsing to the URL listed above and logging in with the service account. You should see the following result


Registering the Mobile App

1. Download the Microsoft Authenticator app on your phone. It is available from the App Store on both iOS and Android.

2. Browse to and log in. Note that if you haven’t configured a Trusted IP address range or you’re logging in from outside of that range, you will have to perform MFA. If you follow this guide, this will be a two-way text message.

3. Click on the “Activate Mobile App” link and click “Generate New Activation Code”


4. Launch the Microsoft Authenticator app on your phone. Click the “+” to add an account. Choose “Work or School Account”

5. Take a picture of the QR Code or manually enter the data presented on the activation page

Important Notes

1. Make sure the “PFUP_ServerName” account has been granted the “Log on as a batch job” right. If this is being controlled by a GPO, make sure this account is added to the GPO.


2. Make sure that ASP.NET, ISAPI Extensions and ISAPI Filters are installed on the server and make sure that the ASP.NET 4.0 extensions are Allowed.


3. Make sure that the account specified in the MultiFactorAuthMobileAppWebService Web.config file is a member of the “PhoneFactor Admins” Security Group. This group is created in Active Directory.

Helpful Links





Lync Room System (LRS) Setup with Hybrid Exchange Online Deployment

I’ve found a number of articles that discuss setting up Lync Room System (LRS) with Exchange and Lync On-Premise and with Exchange Online but none that dealt with a Hybrid Exchange deployment.  Below are the steps I used to get LRS configured with Skype for Business Online and Exchange Online with a Hybrid deployment.  For more information on Lync Room System, check on the following link…

Create Room Mailbox in Office 365

  1. Connect to Exchange Online via PowerShell
  2. To create the Room Mailbox, run “New-Mailbox -Room -Name "Skype Room Test" -RoomMailboxPassword (ConvertTo-SecureString 'Password' -AsPlainText -Force) -EnableRoomMailboxAccount $true”
  3. To configure the required calendar processing, run “Set-CalendarProcessing "Skype Room Test" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -DeleteSubject $false”
  4. Log into the Office 365 Portal.  Click on Active Users and find the Skype Room Test.
  5. Change the account’s Email Address / UPN to be “” (where is your primary UPN suffix).
  6. Assign a license for both Exchange and Skype for Business to the account

Create Remote Mailbox On-Premise

  1. Log into the Exchange Admin Center on-premise
  2. Click on Recipients –> Mailboxes
  3. Click on the drop down next to the + sign and select “Office 365 mailbox”
  4. Enter the appropriate account information
  5. Open the new account in AD Users and Computers and verify that the UPN and the primary Mail value match what you set in Office 365
  6. Force or wait for a directory synchronization to run
  7. Verify that the account in the Office 365 Portal shows as “Synced” versus “Cloud”

Enable Lync Room Account

  1. Connect to Skype for Business via PowerShell
  2. Determine an existing account’s Registrar Pool by running “Get-CSOnlineUser | FL Name,RegistrarPool”
  3. To enable LRS, run “Enable-CsMeetingRoom -Identity -SipAddressType EmailAddress -RegistrarPool” where “” is the RegistrarPool value determined in Step 2

Fix Skype for Business Integration with Outlook

Verify Presence is Enabled

  1. In Outlook click File –> Options –> People
  2. Verify that “Display online status next to name” is checked

  3. If this option is greyed out, launch Regedit and browse to HKEY_CURRENT_USER –> SOFTWARE –> IM Providers. Verify that DefaultIMApp is set to “Lync” (this is still the current value even with Skype for Business).

  4. Once this is set close and relaunch Outlook. The “Display online status next to name” should no longer be greyed out and presence information should show up in Outlook.

Steps for Renewing ADFS 3.0 Certificate

The following steps should be performed when the SSL certificate on your ADFS Server is close to expiring…

Preliminary Steps

  1. Make sure you know the username and password for the main Administrator account.
  2. Install the new certificate on the ADFS Server.  If you have a primary and secondary ADFS Server, make sure to install the certificate on both servers.

PowerShell Commands

  1. Launch the standard “blue” PowerShell on the ADFS Server as an Administrator.
  2. Run “Get-ChildItem -path cert:\LocalMachine\My” to determine the Certificate Thumbprint.  Make a note of the thumbprint value.
  3. Run “Set-AdfsSslCertificate -Thumbprint Thumbprint” where Thumbprint is the value from Step 2.
  4. Run “Update-AdfsCertificate -Urgent”.
  5. Run “Connect-MsolService” and enter your Office 365 credentials from Step 1 in the Preliminary Steps section.
  6. Run “Update-MsolFederatedDomain -DomainName “”” where is the appropriate domain name. Note you may need to add the “-SupportMultipleDomain” if you have multiple federated domains.
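
Before running step 3, it is worth confirming that the thumbprint noted in step 2 belongs to a certificate ADFS can actually use. The script below is an added example, not part of the original post; the thumbprint is a placeholder, and the DnsNameList property it relies on assumes PowerShell 4.0 or later (the version shipped with Windows Server 2012 R2).

```powershell
# Added example: pre-flight check for the new certificate before
# Set-AdfsSslCertificate. Run elevated on the ADFS server.
$thumbprint = '<THUMBPRINT-FROM-STEP-2>'   # placeholder: value noted in step 2
# Strip spaces and hidden characters that copy-paste from the MMC can add
$thumbprint = ($thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }

$fsName = (Get-AdfsProperties).HostName   # federation service name
$now    = Get-Date

# DnsNameList is populated by the certificate provider in PowerShell 4.0 and later.
# -like treats '*' more loosely than TLS wildcard matching; this is a sanity check only.
$nameMatch = $cert.DnsNameList | Where-Object { $fsName -like $_.Unicode }

$checks = [ordered]@{
    'Has private key'       = $cert.HasPrivateKey
    'Within validity dates' = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    "Covers $fsName"        = [bool]$nameMatch
}
$checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
'Expires {0:yyyy-MM-dd} ({1} days left)' -f $cert.NotAfter, [int]($cert.NotAfter - $now).TotalDays

if (@($checks.Values) -contains $false) {
    throw 'Certificate failed a pre-flight check; leave the SSL binding unchanged.'
}

# Current bindings. After step 3, every CertificateHash should equal $thumbprint.
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
```

Running the final Get-AdfsSslCertificate line again after step 3 shows whether every binding picked up the new certificate.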

Restart Services

  1. Restart the “Active Directory Federation Service” service.


  1. Attempt to login with an ADFS account and verify the certificate warning is gone.

New Azure AD PowerShell Module and Windows Server 2008 R2

A new version of the Azure Active Directory Module for PowerShell was released in mid-September 2014.  You can find the link to it here…

That’s great except if you are trying to install it on Windows Server 2008 R2.  If you read the link it looks like all you need is the version of .NET and PowerShell that comes with Windows 2008 R2 (3.51 and 2.0 respectively).

When you install the updated version of the AAD Module for PowerShell on a vanilla machine and launch it though you are greeted with this message…


That doesn’t look good!  I could never find any official support article but I found a couple of hints that it needed PowerShell 3.0.  So I installed Windows Management Framework 3.0 on my system and tested again and it worked.  You can download it here…

Note, if you are installing this on a production server, make sure you aren’t running any of the unsupported products listed under the System Requirements section.

Hope this helps!

Migrating Public Folders to Exchange 2013 / Exchange Online After Coexistence

If you are migrating from Exchange 2007/2010 to either Exchange 2013 or Exchange Online and your customer has Public Folders, chances are you followed the following document from Microsoft for setting up coexistence with legacy Public Folders…

Now you’ve completed moving mailboxes to Exchange 2013 (or Exchange Online) and you want to migrate Public Folders to the new system so you follow one of the following articles…

Life is good.  You run the command…

Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>

…against a test mailbox and successfully access Public Folders.  You think you are all set and run…

Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder -IsExcludedFromServingHierarchy $false

…but then, to your shock, nobody else can get to the recently migrated Public Folders.

The problem stems from when you set up legacy coexistence.  As part of this process you ran the command…

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMailbox1

Your Exchange Organization still thinks it should direct Public Folder traffic to a remote Organization.  To fix this, run the following command…

Set-OrganizationConfig -PublicFoldersEnabled Local

It will take a while to take effect but, once it does, you should see the DefaultPublicFolderMailbox automatically change for your mailboxes.  To check, run the following command…

Get-Mailbox | FT Alias,DefaultPublicFolderMailbox

Blackberry Enterprise Server and Exchange 2013

After a long Friday night I thought I would provide some insights into what needed to be done to get BES 5.x to work with Exchange 2013.  It was definitely not as easy as it should be.

First and foremost follow the article provided by Blackberry.  There are a lot of steps and, if you miss one, you’ll be in for some trouble.  Here’s the link to that article which includes sublinks that you’ll have to follow…

A couple of additional notes that helped me…

This requires either BES 5.0 SP4 MR2 (or higher) or BES Express SP4.  For BES Express you’ll also need to call Blackberry and get them to send you a special update.  You can reference KB33406. Note that, if you don’t have a support contract, you’ll either need to pay for the support call or open the support call through your wireless carrier.

You’ll need to update MAPI-CDO to version 6.5.8353.0.  You can download that here…  Updating this caused our first issue.  When you run it, it will act like it installed correctly but, on checking the CDO.dll file, it was clear that it didn’t update because the file was in use.  I ended up uninstalling the current version of MAPI-CDO, which stopped the necessary services, and then installing the new version.

In KB33413 the article references setting the RPCHTTPProxyMap_BES Registry value to “*=”.  Later in the article it tells you to change this Registry value to “” if you are setting up coexistence between Exchange 2007/2010 and Exchange 2013.  This appears to be where I ran into problems.  When starting the BES Controller Service after making these changes we got the following error…

MailboxManager::TestOpenMsgStore – OpenMsgStore (0x8004011d)

We ended up opening a case with Blackberry and found out it was caused by problems connecting to Exchange 2013 via RPC-HTTP.  Changing the RPCHTTPProxyMap_BES Registry value back to “*=” got us working again.  I asked if this would cause problems with coexistence with Exchange 2007/2010 and was told no.  Everything seems to be working so I’m assuming they are correct.  🙂

Good luck!