MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Azure Multi-Factor Authentication Part 1 Deployment

This is the first part of a two-part blog series on Azure Multi-Factor Authentication. Part 1 covers the Azure MFA Server prerequisites, the download steps, and an installation walkthrough.

Prerequisite

Let us review the Azure MFA server prerequisites as mentioned below:

Hardware

  • 200 MB of hard disk space
  • x32 or x64 capable processor
  • 1 GB or greater RAM

Software

  • Windows Server 2008 or greater if the host is a server OS
  • Windows 7 or greater if the host is a client OS
  • Microsoft .NET 4.0 Framework
  • IIS 7.0 or greater if installing the user portal or web service SDK

Licensing

  • Azure MFA requires either Azure AD Premium or Enterprise Mobility Suite license.

We can also install it on an AD FS server.

Firewall requirements

Each MFA server must be able to communicate on port 443 outbound to the following:

  • https://pfd.phonefactor.net
  • https://pfd2.phonefactor.net
  • https://css.phonefactor.net

If outbound firewalls are restricted on port 443, the following IP address ranges will need to be allowed on your firewall:

| IP Subnet | Netmask | IP Range |
|---|---|---|
| 134.170.116.0/25 | 255.255.255.128 | 134.170.116.1 – 134.170.116.126 |
| 134.170.165.0/25 | 255.255.255.128 | 134.170.165.1 – 134.170.165.126 |
| 70.37.154.128/25 | 255.255.255.128 | 70.37.154.129 – 70.37.154.254 |
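
The following PowerShell preflight check is an added example, not part of the original post or of Microsoft's tooling. It resolves each of the three hostnames above, tests outbound TCP 443, and reports whether each resolved address falls inside the listed /25 ranges. The function names are hypothetical, and it assumes Windows 8.1 / Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection.

```powershell
# Added example: egress preflight for the hosts and ranges listed on this page.
# Function names are hypothetical; run on the server that will host MFA Server.
$MfaHosts   = 'pfd.phonefactor.net', 'pfd2.phonefactor.net', 'css.phonefactor.net'
$MfaSubnets = '134.170.116.0/25', '134.170.165.0/25', '70.37.154.128/25'

function ConvertTo-IPv4Number ([string]$Address) {
    # Address bytes are in network order; reverse them for numeric comparison.
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet ([string]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    # Netmask from prefix length, e.g. /25 -> 255.255.255.128.
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

function Test-MfaEgress {
    foreach ($name in $MfaHosts) {
        # Keep only A records; CNAME entries in the answer carry no address.
        $ips = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress)
        $tcp = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
        if (-not $ips) {
            # DNS failure: still report the host so the gap is visible.
            [pscustomobject]@{ Host = $name; ResolvedIP = $null
                               InListedRanges = $false; Tcp443 = $tcp.TcpTestSucceeded }
            continue
        }
        foreach ($ip in $ips) {
            $hit = @($MfaSubnets | Where-Object { Test-InSubnet $ip $_ })
            [pscustomobject]@{ Host = $name; ResolvedIP = $ip
                               InListedRanges = ($hit.Count -gt 0); Tcp443 = $tcp.TcpTestSucceeded }
        }
    }
}

Test-MfaEgress | Format-Table -AutoSize
```

A row with InListedRanges set to False means DNS returned an address outside the ranges in the table, so a firewall that allows only those ranges would block that connection.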

Download the Azure Multi-Factor Authentication Server

To download the Azure Multi-Factor Authentication server from the Azure portal:

  • Sign in to the Azure Portal as an Administrator.

    https://portal.azure.com/

  • In the left pane, select “More Services” and then select “Multi-Factor Authentication (MFA)”.


Double-click “Active Directory” in the left pane.


Click “Configure” on this screen.


Then click on “Manage Service Settings”


Select “Go to the Portal” here.


Now the portal window will open. Click Downloads.

 

Above Generate Activation Credentials, click Download and save the download.


Once downloaded, run the setup


We need the update KB 2919355 before installing Azure MFA


Verify, install and click ok.


I had it on my server, so I clicked OK.

Next, we needed the Visual C++ update. I clicked Install to install it.


Accept the license agreement and install.


Click close when done.


Do it again for the 2nd update.

After some time, the installation window appears. Click Next.


Click Finish to start Azure MFA Server Agent.


Azure MFA Configuration begins here. Click next on the screen


Now go back to the download page and then click on “Generate Activation Credentials”

Type the activation code here.


If the session expires, the code will not work, so click “Go to the Portal” and generate a new code.


Give a Group name or click next. I am going with Default.


Enable Replication and click next.


Accept the default and click next


Click next to accept the group creation and membership addition.


Click Next to generate the SSL certificate used between servers.


Select the applications that you would like to secure. We can add them later; otherwise, you will have to provide the details right now. We need to check at least one application, so I have selected Outlook Web Access.


On this screen, we have to select the same authentication method that Outlook Web Access uses. So, check the OWA authentication setting in ECP and select accordingly.



Provide the OWA URL and click next.

I got the following error.


After some research, I figured out that we can’t use IIS-based MFA; rather, we should use claims-based MFA for OWA.

So, in other words, the auto-configuration wizard will not do anything. We have to configure it manually. Also, Forms-Based Authentication will not work for OWA.

So, I went back 2 steps, which brought me to this screen. I checked the checkbox and clicked Next.


Now it opened MFA Server to configure.


Click Users and select import from Active Directory.

This ends the Azure MFA Deployment Part 1.

Azure Multi-Factor Authentication Part 2 is here.

 

Prabhat Nigam

CTO @ Golden Five

Team@MSExchangeGuru

3 Responses to “Azure Multi-Factor Authentication Part 1 Deployment”

  1. Azure Multi-Factor Authentication Part 2 Deployment « MSExchangeGuru.com Says:

    […]   « Azure Multi-Factor Authentication Part 1 Deployment […]

  2. jason Says:

    Is this MFA on server 2016?
    Are there no IIS or .NET prereqs/components you need to install first?

  3. Prabhat Nigam Says:

    Hey Jason,
    It is ok 2012.
    I mentioned in the prerequisite that we need IIS and .net. Read again.
