Tag Archives: Office 365

Setting Up Azure MFA Server


  • You must own an Azure AD Premium license for each user that you wish to use with MFA Server. This can be purchased stand-alone or as part of Enterprise Mobility + Security (EMS).
  • You must have a domain-joined, fully patched server running Windows Server 2008 R2 or higher. It will become the MFA Server and needs outbound access to the Internet on port 443 (activation and communication with Azure).
  • Create a group called “MFA Users” in Active Directory and add the appropriate users to it.
  • Make sure all users that need to use MFA have a mobile phone number listed in AD.
  • A valid SSL certificate needs to be installed on the MFA Server if you wish to use the Mobile Authenticator app. The server will also need to accept inbound connections on port 443 from the Internet, with a public DNS entry for that name.
  • This document assumes that you’ve previously set up an Office 365 tenancy.
  • Note: Microsoft stopped offering MFA Server to new deployments on July 1, 2019 and ended support for it on September 30, 2024; new deployments should use cloud-based Azure AD (Microsoft Entra) Multi-Factor Authentication instead. The steps below describe the product as it existed when this was written.

Get the MFA Server Software

1. Log into https://portal.office.com

2. Click on Admin Centers -> Azure AD in the left-hand menu


3. This will open https://manage.windowsazure.com in your Azure AD instance.

4. Click on Configure from the top menu bar


5. Scroll down to “multi-factor authentication” and click on the “Manage service settings” link

6. This will open a new tab. Scroll to the bottom and click on the “Go to the portal” link


7. Click on the Downloads link

8. Click on the “Generate Activation Credentials” button and make a note of the settings

9. Click on the Download link to download the MFA Server software


Installing MFA Server

1. Double-click on the MFA Server executable

2. Click Next on the Select Installation Folder screen

3. Click Finish to launch the Configuration Wizard

4. On the Configuration Wizard welcome screen, check “Skip using the Authentication Configuration Wizard” and click Next.


5. Enter the Activation Credentials that were generated earlier in the boxes provided and click Activate

Configure the MFA Server

1. Launch the Multi-Factor Authentication Server application

2. Click on Company Settings and configure the default settings as shown


3. Click on Directory Integration and make sure “Use Active Directory” is selected


4. Click on the Synchronization tab then click Add at the bottom of the screen

5. In the View drop down, choose “Security Groups” and choose the MFA Users group that you created in the Prerequisites. Enter the Settings as shown.


6. Check the “Enable synchronization with Active Directory” checkbox and set the sync interval.


7. Click on Users and verify that your users have been imported, that their phone numbers came across, and that the accounts are enabled. If phone numbers are missing, add them in AD and run the sync again. Note that accounts will not be enabled automatically after this re-sync, so select each one in the Users screen, click Edit, and check the Enabled option at the bottom.


8. Highlight a user and click Test to verify MFA access
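Since step 7 sends you back to AD whenever a number is missing, it is quicker to audit the group before the first sync. The script below is an added example, not part of the original post: it lists members of the “MFA Users” group whose mobile attribute is empty or malformed and offers a helper to write a corrected number back. It assumes the RSAT ActiveDirectory module and the group name from the prerequisites; the E.164 format check (a leading + and 7 to 15 digits) is this example’s own convention, chosen so that what MFA Server dials or texts is unambiguous, not a requirement stated in the post.

```powershell
# Added example (not from the original post): report "MFA Users" members whose AD mobile
# number is missing or not in E.164 form, and write back a corrected number on request.
# Assumes the RSAT ActiveDirectory module and the "MFA Users" group from the prerequisites.
Import-Module ActiveDirectory

function Get-MfaPhoneReport {
    param([string]$GroupName = 'MFA Users')

    # Example convention (assumption): accept only E.164 numbers, "+" followed by 7-15 digits.
    $e164 = '^\+[1-9]\d{6,14}$'

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties mobile |
        ForEach-Object {
            # Strip the separators people type so "+1 (425) 555-0100" still passes.
            $number = if ($_.mobile) { $_.mobile -replace '[\s\-\(\)\.]', '' } else { '' }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                Mobile         = $_.mobile
                Status         = if (-not $number) { 'MISSING' }
                                 elseif ($number -notmatch $e164) { 'NOT-E164' }
                                 else { 'OK' }
            }
        }
}

function Set-MfaMobile {
    # Write a verified number back to AD; confirm it with the user out of band first,
    # because whoever controls this number receives the second factor.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Mobile
    )
    if ($Mobile -notmatch '^\+[1-9]\d{6,14}$') {
        throw "Mobile number must be in E.164 form, e.g. +14255550100"
    }
    Set-ADUser -Identity $SamAccountName -MobilePhone $Mobile
}

# Usage: show only the accounts that need attention, then re-run the MFA Server directory sync.
Get-MfaPhoneReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run the report, fix the flagged accounts with Set-MfaMobile (or in ADUC), and only then start the synchronization in step 5; every account that arrives with a number is enabled on import and does not need the manual Edit step.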

Install Web Portal

1. Add the “Web Server” Role. Under Role Services, add the following…

a. Web Server –> Application Development –> ASP.NET

b. Management Tools –> IIS 6 Management Compatibility –> IIS 6 Metabase Compatibility

2. Install and bind a public SSL certificate to the Default Website. Make sure the server is externally accessible and doesn’t present any certificate warnings.

3. Click on User Portal and click “Install User Portal”. Take the default settings to install it under the Default website.

4. Once installed, configure the User Portal URL. The format should be https://server.domain.com/MultiFactorAuth. Configure the other settings as shown


5. Click on the Trusted IPs tab and enter any internal IP ranges for which you want to skip MFA. Users connecting from those ranges will not be challenged when they open the User Portal. Treat this as a deliberate weakening of the control: anything that reaches the portal from a trusted range (a compromised workstation, a VPN pool that lands inside the range) gets in with the password alone, so keep the ranges as narrow as possible and do not include VPN or guest subnets.


6. Click on Web Service SDK and click “Install Web Service SDK”. Take the default settings to install it under the Default website

7. To install the Mobile App Web Service, browse to “C:\Program Files\Windows Azure Multi-Factor Authentication” and execute MultiFactorAuthenticationMobileAppWebServiceSetup64.msi. Take the default settings to install it under the Default website

8. Click on Mobile App and configure the “Mobile App Web Service URL”. The format should be https://server.domain.com/MultiFactorAuthMobileAppWebService. Configure the “Account Name” with the company’s name


9. Create a user account in AD named “MfaWebService” and add it to the “PhoneFactor Admins” security group. Membership in that group lets the account administer the MFA Server through the Web Service SDK, so give it a long, random password that is not used anywhere else and treat it as a service account (no interactive logon).

10. Browse to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService

11. Open web.config in Notepad and modify the following values: set the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD keys to the service account created in step 9, and set the pfMobileAppWebServiceSdkUrl setting to the SDK URL. The URL format should be https://server.domain.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx. The password sits in this file in clear text, so restrict the file’s NTFS permissions to administrators and the IIS worker process identity.


12. Test access by browsing to the SDK URL listed above and logging in with the service account. If the URL and credentials are right you should see the PfWsSdk web service description page (the list of its operations) rather than an authentication error.
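The role-service list in step 1, the certificate checks in step 2 and the file-permission point from step 11 can all be done from PowerShell. The script below is an added example and not part of the original post. It assumes Windows Server 2012 R2 or later (Install-WindowsFeature), the default install paths quoted in the post, the certificate already imported into the machine store, and that the web services run under an application pool whose identity is a member of IIS_IUSRS; the hostname server.domain.com is the placeholder the post uses.

```powershell
# Added example (not from the original post): install the IIS role services the User Portal,
# Web Service SDK and Mobile App Web Service need, verify the public HTTPS binding, and lock
# down the web.config that stores the SDK service-account password in clear text.
# Assumptions: Windows Server 2012 R2+, default paths from the post, cert already in LocalMachine\My.
Import-Module ServerManager
Import-Module WebAdministration

function Install-MfaWebPrereqs {
    # Web-Metabase is "IIS 6 Metabase Compatibility"; Web-Asp-Net45, Web-ISAPI-Ext and
    # Web-ISAPI-Filt cover ASP.NET and the ISAPI extensions/filters from Important Note 2.
    $features = 'Web-Server', 'Web-Mgmt-Console', 'Web-Asp-Net45',
                'Web-ISAPI-Ext', 'Web-ISAPI-Filt', 'Web-Metabase'
    Install-WindowsFeature -Name $features -IncludeManagementTools
}

function Test-MfaHttpsBinding {
    param([Parameter(Mandatory)][string]$HostName)   # e.g. server.domain.com (placeholder)

    $binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
    if (-not $binding) { throw 'No HTTPS binding on Default Web Site' }

    $thumb = $binding.certificateHash
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) { throw "Bound certificate $thumb is not in LocalMachine\My" }

    # The Authenticator app and portal users get certificate warnings if any of these fail.
    $names = @($cert.DnsNameList.Unicode)
    if ($names -notcontains $HostName) {
        throw "Certificate does not cover $HostName (covers: $($names -join ', '))"
    }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); renew it"
    }
    return $cert
}

function Protect-MfaWebConfig {
    # The Mobile App Web Service web.config holds the SDK account password in clear text.
    # Drop inheritance and leave read access to SYSTEM, Administrators and the IIS worker
    # process group only (assumption: the app pool identity is in IIS_IUSRS).
    param([string]$Path = 'C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService\web.config')
    if (-not (Test-Path $Path)) { throw "web.config not found at $Path" }
    icacls $Path /inheritance:r `
        /grant:r 'NT AUTHORITY\SYSTEM:(R)' `
        /grant:r 'BUILTIN\Administrators:(F)' `
        /grant:r 'BUILTIN\IIS_IUSRS:(R)' | Out-Null
    Get-Acl $Path | Select-Object -ExpandProperty Access |
        Select-Object IdentityReference, FileSystemRights
}

# Usage:
Install-MfaWebPrereqs
Test-MfaHttpsBinding -HostName 'server.domain.com' | Format-List Subject, NotAfter, Thumbprint
Protect-MfaWebConfig
```

Run the install before the MFA Server portal installers, and the binding test after the certificate is bound; the ACL step is only meaningful once step 11 has put the credentials into web.config. If the MSI created its own application pool with a custom identity, grant that identity read access instead of IIS_IUSRS.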


Registering the Mobile App

1. Download the Microsoft Authenticator app on your phone. It is available from the App Store on iOS and from Google Play on Android.

2. Browse to https://server.domain.com/MultiFactorAuth and log in. Note that if you haven’t configured a Trusted IP range, or you’re logging in from outside of that range, you will have to perform MFA. If you followed this guide, this will be a two-way text message.

3. Click on the “Activate Mobile App” link and click “Generate New Activation Code”


4. Launch the Microsoft Authenticator app on your phone. Click the “+” to add an account. Choose “Work or School Account”

5. Scan the QR code with the app, or manually enter the activation code and URL presented on the activation page

Important Notes

1. Make sure the “PFUP_ServerName” account (ServerName being the MFA Server’s hostname; the User Portal installer creates this account) has been granted the “Log on as a batch job” right. If that right is controlled by a GPO, add the account to the GPO rather than to the local policy, otherwise the setting is overwritten at the next Group Policy refresh.


2. Make sure that ASP.NET, ISAPI Extensions and ISAPI Filters are installed on the server, and that the ASP.NET 4.0 extensions are set to Allowed under ISAPI and CGI Restrictions in IIS Manager.


3. Make sure that the account specified in the MultiFactorAuthMobileAppWebService Web.config file is a member of the “PhoneFactor Admins” Security Group. This group is created in Active Directory.

Helpful Links

· https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server

· https://docs.microsoft.com/en-gb/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice

· http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/


Fix Skype for Business Integration with Outlook

Verify Presence is Enabled

  1. In Outlook click File -> Options -> People
  2. Verify that “Display online status next to name” is checked

  3. If this option is greyed out, launch Regedit and browse to HKEY_CURRENT_USER\SOFTWARE\IM Providers. Verify that DefaultIMApp is set to “Lync” (this is still the current value even with Skype for Business).

  4. Once this is set close and relaunch Outlook. The “Display online status next to name” should no longer be greyed out and presence information should show up in Outlook.

Steps for Renewing ADFS 3.0 Certificate

The following steps should be performed when the SSL certificate on your ADFS Server is close to expiring…

Preliminary Steps

  1. Make sure you know the username and password for the main domain.onmicrosoft.com Administrator account. It must be a cloud-only account: once federation is being updated, accounts that sign in through ADFS may not be able to log in at all.
  2. Install the new certificate, with its private key, on the ADFS Server. If you have a primary and secondary ADFS Server, install the certificate on both servers.

PowerShell Commands

  1. Launch the standard “blue” Windows PowerShell console on the ADFS Server as an Administrator (the ADFS cmdlets live there, not in the Azure AD module shell).
  2. Run “Get-ChildItem -Path Cert:\LocalMachine\My” and identify the new certificate by its Subject and NotAfter date. Make a note of its thumbprint.
  3. Run “Set-AdfsSslCertificate -Thumbprint Thumbprint” where Thumbprint is the value from Step 2. On ADFS 3.0 this changes the HTTPS bindings of the server you run it on, so repeat it on every server in the farm.
  4. Run “Update-AdfsCertificate -Urgent”. Note that this does not touch the SSL certificate: it immediately rolls over the self-signed token-signing and token-decrypting certificates (and only works when automatic certificate rollover is enabled). That is why Office 365 has to be updated in Step 6, and any other relying party trusts must pick up the new signing certificate as well.
  5. Run “Connect-MsolService” and enter the Office 365 credentials from Step 1 in the Preliminary Steps section.
  6. Run “Update-MsolFederatedDomain -DomainName domain.com” where domain.com is the appropriate domain name. Add “-SupportMultipleDomain” if you have more than one federated domain.

Restart Services

  1. Restart the “Active Directory Federation Service” service (adfssrv).
  2. Attempt to log in with an ADFS account and verify the certificate warning is gone.
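The sequence above is easy to get wrong under time pressure (wrong thumbprint, a server in the farm skipped, Office 365 never told about the new signing certificate). The following script is an added example, not part of the original post, that runs the same steps with checks between them. It assumes ADFS on Windows Server 2012 R2 (the Adfs module), the MSOnline module installed on the ADFS server, the new certificate already imported into LocalMachine\My on every farm server, and a cloud-only administrator for Connect-MsolService; sts.domain.com and domain.com are placeholders.

```powershell
# Added example (not from the original post): ADFS 3.0 SSL certificate renewal with checks.
# Assumptions: Adfs and MSOnline modules present, new cert already in LocalMachine\My on every
# farm server, cloud-only admin credentials for Connect-MsolService. Names are placeholders.

function Select-NewAdfsCert {
    param([Parameter(Mandatory)][string]$FederationHost)  # e.g. sts.domain.com

    # Newest certificate that names the federation service, has a private key and is not expired.
    # A wildcard certificate would need a looser name match than this exact one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            (@($_.DnsNameList.Unicode) -contains $FederationHost)
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate for $FederationHost in LocalMachine\My" }
    return $cert
}

function Renew-AdfsSsl {
    param(
        [Parameter(Mandatory)][string]$FederationHost,
        [Parameter(Mandatory)][string[]]$FederatedDomains   # e.g. 'domain.com'
    )
    $cert = Select-NewAdfsCert -FederationHost $FederationHost
    Write-Host "Using $($cert.Thumbprint), expires $($cert.NotAfter)"

    # Step 3: bind the new SSL certificate. On 2012 R2 this only updates the http.sys bindings
    # of the local server, so the same call has to run on each server in the farm.
    Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint

    # Step 4: roll the token-signing/decrypting certificates now rather than at the scheduled
    # rollover. Requires AutoCertificateRollover; every relying party must pick up the new cert.
    Update-AdfsCertificate -Urgent

    Restart-Service adfssrv -Force

    # Steps 5-6: re-read the federation metadata into Office 365.
    Connect-MsolService
    foreach ($d in $FederatedDomains) {
        if ($FederatedDomains.Count -gt 1) {
            Update-MsolFederatedDomain -DomainName $d -SupportMultipleDomain
        } else {
            Update-MsolFederatedDomain -DomainName $d
        }
    }

    # Verify: what ADFS now serves on 443, and which signing certificate Office 365 trusts.
    Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
    Get-MsolFederationProperty -DomainName $FederatedDomains[0] |
        Select-Object Source, TokenSigningCertificate
}

# Usage (run elevated in the standard Windows PowerShell console on the primary ADFS server):
# Renew-AdfsSsl -FederationHost 'sts.domain.com' -FederatedDomains 'domain.com'
```

After it finishes, run Set-AdfsSslCertificate with the same thumbprint on the remaining farm members, then test a federated sign-in from a browser as the post describes.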

New Azure AD PowerShell Module and Windows Server 2008 R2

A new version of the Azure Active Directory Module for PowerShell was released in mid September 2014.  You can find the link to it here…


That’s great, except if you are trying to install it on Windows Server 2008 R2. If you read the link, it looks like all you need is the version of .NET and PowerShell that comes with Windows 2008 R2 (.NET Framework 3.5.1 and PowerShell 2.0 respectively).

When you install the updated version of the AAD Module for PowerShell on a vanilla machine and launch it, though, you are greeted with this message…


That doesn’t look good! I could never find an official support article, but I found a couple of hints that it needed PowerShell 3.0. So I installed Windows Management Framework 3.0 on my system, tested again, and it worked. You can download it here…


Note, if you are installing this on a production server, make sure you aren’t running any of the unsupported products listed under the System Requirements section.

Hope this helps!

Reset ADFS IIS Permissions

If you receive the error “Not Authorized: HTTP Error 401. The requested resource requires user authentication” when trying to connect to your ADFS Server from inside the network here’s what you need to do to reset permissions in IIS…

  1. Launch the IIS Management Console and browse to Default Website
  2. Disable all Authentication options for the Default Web Site as well as the ADFS and LS Virtual Directories
  3. Enable Windows Authentication on the Default Web Site.  Set Extended Protection to “Accept” (channel binding tokens are checked when a client sends one, but clients that cannot send one are still allowed; “Off” would drop that protection entirely)
  4. Enable Anonymous Authentication on the ADFS Virtual Directory
  5. Enable Windows Authentication on the LS Virtual Directory.  Set Extended Protection to “Accept”
  6. Run an IISRESET

To set up your browser to automatically authenticate you while connected to the internal network, do the following…

  1. Open Internet Options in IE and click on the Security tab
  2. Click Local Intranet
  3. Click Custom
  4. Under the User Authentication section enable “Automatic logon with current user name and password”
  5. Click on the Advanced tab
  6. Under the Security section enable “Enable Integrated Windows Authentication”

More information on this can be found at the following Office 365 Forum post…
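Both halves of this fix are usually needed on more than one machine, so here is the same procedure as a script. It is an added example and not part of the original post. It assumes ADFS 2.0 hosted in IIS under “Default Web Site” with the /adfs and /adfs/ls virtual directories (the “ADFS” and “LS” directories above), run elevated on the ADFS server; the registry function runs in the profile of the user whose Internet Explorer is being configured.

```powershell
# Added example (not from the original post): reset IIS authentication for ADFS 2.0 the way the
# steps above describe, confirm the result, and set the IE intranet zone to log on automatically.
# Assumptions: site "Default Web Site" with /adfs and /adfs/ls; run elevated on the ADFS server.
Import-Module WebAdministration

$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$AuthBase  = 'system.webServer/security/authentication'
$AuthTypes = 'anonymousAuthentication', 'basicAuthentication',
             'digestAuthentication', 'windowsAuthentication'

function Set-SiteAuth {
    # Disable every scheme at the given IIS location, then enable only the ones requested.
    param(
        [Parameter(Mandatory)][string]$Location,   # e.g. 'Default Web Site/adfs/ls'
        [string[]]$Enable = @(),
        [string]$ExtendedProtection = 'Allow'      # IIS Manager's "Accept" is tokenChecking=Allow
    )
    foreach ($t in $AuthTypes) {
        Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
            -Filter "$AuthBase/$t" -Name enabled -Value ($Enable -contains $t)
    }
    if ($Enable -contains 'windowsAuthentication') {
        Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
            -Filter "$AuthBase/windowsAuthentication/extendedProtection" `
            -Name tokenChecking -Value $ExtendedProtection
    }
}

function Reset-AdfsIisAuth {
    Set-SiteAuth -Location 'Default Web Site'         -Enable 'windowsAuthentication'
    Set-SiteAuth -Location 'Default Web Site/adfs'    -Enable 'anonymousAuthentication'
    Set-SiteAuth -Location 'Default Web Site/adfs/ls' -Enable 'windowsAuthentication'
    iisreset | Out-Null
}

function Get-AdfsIisAuth {
    # Report which schemes are enabled where, so the reset can be verified rather than assumed.
    foreach ($loc in 'Default Web Site', 'Default Web Site/adfs', 'Default Web Site/adfs/ls') {
        foreach ($t in $AuthTypes) {
            $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $loc `
                    -Filter "$AuthBase/$t" -Name enabled
            [pscustomobject]@{ Location = $loc; Scheme = $t; Enabled = [bool]$v.Value }
        }
    }
}

function Set-IeIntranetAutoLogon {
    # Zone 1 is Local intranet; value 1A00 is the logon policy, 0 = automatic logon with
    # current user name and password. EnableNegotiate=1 is "Enable Integrated Windows Authentication".
    $zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    Set-ItemProperty -Path $zone1 -Name '1A00' -Value 0 -Type DWord
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
        -Name 'EnableNegotiate' -Value 1 -Type DWord
}

# Usage on the ADFS server:
Reset-AdfsIisAuth
Get-AdfsIisAuth | Where-Object Enabled | Format-Table -AutoSize
# Usage on a client, as the affected user:
# Set-IeIntranetAutoLogon
```

The Get-AdfsIisAuth output should show exactly three enabled rows: Windows on the site root, Anonymous on /adfs, and Windows on /adfs/ls. Anything else means a scheme was re-enabled by inheritance or by another tool, which is the usual cause of the 401.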


Office 365 PowerShell–The Two-Headed Monster

One of the best features in Office 365 is the ability to manage it via PowerShell.  However, currently there are two separate PowerShell entry points into Office 365 depending on what you’re trying to do.  If you want to manage settings under the main Portal (think AD stuff: users, licenses, domains) you use a locally installed module, the Microsoft Online Services Module for PowerShell, which brings its own console.  If you want to manage things under Exchange Online you use PowerShell remoting, which requires nothing on your local system other than PowerShell 2.0.  Here are the specifics for each method…


Portal PowerShell Administration

System Requirements

  • Windows 7 or Windows Server 2008 R2
  • Windows PowerShell and the .NET Framework 3.5.1 enabled

Software to Install

  • Microsoft Online Services Sign-In Assistant (32-bit and 64-bit builds)
  • Microsoft Online Services Module for PowerShell (32-bit and 64-bit builds)

Connecting to the Microsoft Online Services Portal

  1. Click on Start > All Programs > Microsoft Online Services > Microsoft Online Services Module for PowerShell
  2. Run “Connect-MsolService”
  3. When prompted enter the credentials of an administrator account
  4. To get a list of all available commands run “Get-Command -Module MSOnline”

For a complete list of all commands and usage click on the following link…



Exchange Online PowerShell Administration

System Requirements

  • Windows 7 or Windows Server 2008 R2 – No Additional Software Necessary
  • Windows XP SP3, Vista SP1, Server 2003 SP2, Server 2008 SP1 – See Below

Software to Install

Connecting to Exchange Online

  1. Click on Start > All Programs > Accessories > Windows PowerShell > Windows PowerShell
  2. The first time run “Set-ExecutionPolicy RemoteSigned”
  3. Run “$LiveCred = Get-Credential”
  4. When prompted enter the credentials of an administrator account
  5. Run “$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection”
  6. Run “Import-PSSession $Session”
  7. To get a list of all commands run “Get-Command -Module tmp*”

For a complete list of all commands and usage click on the following link…
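Both connections in this post are better wrapped in helpers that prove the connection worked and release the remote session when you are done, since Exchange Online caps the number of concurrent remote sessions per administrator. The script below is an added example and not part of the original post. It assumes the Microsoft Online Services Module installed for the portal side and the Basic-authentication endpoint quoted above for the Exchange side; Microsoft has since retired Basic authentication for Exchange Online remote PowerShell, so that half documents the procedure as it stood when the post was written rather than a method to deploy today.

```powershell
# Added example (not from the original post): the two Office 365 PowerShell connections from
# this post as helpers, with a connection check and session cleanup.
# Assumptions: MSOnline module installed; the (since retired) Basic-auth endpoint from the post.

function Connect-O365Portal {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Import-Module MSOnline -ErrorAction Stop
    Connect-MsolService -Credential $Credential
    # Prove the connection rather than assume it.
    Get-MsolCompanyInformation | Select-Object DisplayName, CountryLetterCode
}

function Connect-ExchangeOnlineLegacy {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$ConnectionUri = 'https://ps.outlook.com/powershell/'
    )
    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
        -Credential $Credential -Authentication Basic -AllowRedirection -ErrorAction Stop
    # -DisableNameChecking silences the warning about non-standard verbs in Exchange cmdlets;
    # -Prefix keeps them distinguishable from on-premises Exchange cmdlets loaded in the same shell.
    $module = Import-PSSession $session -DisableNameChecking -Prefix Cloud
    [pscustomobject]@{ Session = $session; Module = $module }
}

function Disconnect-ExchangeOnlineLegacy {
    param([Parameter(Mandatory)]$Connection)
    # Sessions left open count against the per-admin limit until they time out.
    Remove-Module -ModuleInfo $Connection.Module -ErrorAction SilentlyContinue
    Remove-PSSession -Session $Connection.Session
}

# Usage:
$cred = Get-Credential -Message 'Office 365 administrator'
Connect-O365Portal -Credential $cred
$exo = Connect-ExchangeOnlineLegacy -Credential $cred
try {
    # Exchange cmdlets now carry the Cloud prefix, e.g. Get-CloudMailbox -ResultSize 5
    Get-Command -Module $exo.Module.Name | Measure-Object | Select-Object Count
} finally {
    Disconnect-ExchangeOnlineLegacy -Connection $exo
}
```

The try/finally is the important part: if a command in the middle throws, the remote session is still removed, which is what the post’s bare Import-PSSession flow does not do.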


Create Whitelists and Blacklists in FOPE


Creating a Whitelist

1. Click on the Administration tab


2. Click on the Policy Rules tab


3. Click New Policy Rule in the Tasks box on the right-hand side


4. Choose the appropriate Domain Scope. Set the Action to Allow. Enter the IP addresses, domains and/or email addresses you wish to whitelist, separated with commas. Prefer IP address entries where you can: a sender domain or address in an allow rule is matched on data the sender controls, so a spoofed message from that domain skips filtering too.



Creating a Blacklist

1. Click on the Administration tab


2. Click on the Policy Rules tab


3. Click New Policy Rule in the Tasks box on the right-hand side


4. Choose the appropriate Domain Scope. Set the Action to Reject. Enter the IP addresses, domains and/or email addresses you wish to blacklist, separated with commas.