Azure Multi-Factor Authentication Part 1 Deployment
This is Part 1 of a two-part blog series on Azure Multi-Factor Authentication. It describes the Azure MFA prerequisites and walks through the download and installation steps.
Prerequisite
Let us review the Azure MFA server prerequisites as mentioned below:
Hardware
- 200 MB of hard disk space
- x32 or x64 capable processor
- 1 GB or greater RAM
Software
- Windows Server 2008 or greater if the host is a server OS
- Windows 7 or greater if the host is a client OS
- Microsoft .NET 4.0 Framework
- IIS 7.0 or greater if installing the user portal or web service SDK
Licensing
- Azure MFA requires either an Azure AD Premium or an Enterprise Mobility Suite license.
We can also install it on an ADFS server.
Firewall requirements
Each MFA server must be able to communicate on port 443 outbound to the following:
- https://pfd.phonefactor.net
- https://pfd2.phonefactor.net
- https://css.phonefactor.net
If outbound firewalls are restricted on port 443, the following IP address ranges will need to be allowed on your firewall:
IP Subnet | Netmask | IP Range |
134.170.116.0/25 | 255.255.255.128 | 134.170.116.1 – 134.170.116.126 |
134.170.165.0/25 | 255.255.255.128 | 134.170.165.1 – 134.170.165.126 |
70.37.154.128/25 | 255.255.255.128 | 70.37.154.129 – 70.37.154.254 |
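A pre-install check for the firewall requirements above, as an added PowerShell example that is not part of the original post: it resolves each endpoint listed in this article, flags any IPv4 address that falls outside the three /25 ranges (which an IP-restricted outbound rule would not cover), and tests outbound TCP 443. The function names are chosen here for illustration.

```powershell
# Added example. Hostnames and ranges are the ones listed in this article.
$Endpoints     = 'pfd.phonefactor.net', 'pfd2.phonefactor.net', 'css.phonefactor.net'
$AllowedRanges = '134.170.116.0/25', '134.170.165.0/25', '70.37.154.128/25'

function ConvertTo-UInt32 ([System.Net.IPAddress]$Address) {
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)                  # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InRange ([System.Net.IPAddress]$Address, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

function Test-TcpPort ([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)          # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $Endpoints) {
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' })   # IPv4 only
    } catch {
        $addresses = @()                      # name did not resolve
    }
    # Addresses that a range-restricted firewall rule would NOT cover
    $outside = @($addresses | Where-Object {
        $ip = $_
        -not ($AllowedRanges | Where-Object { Test-InRange $ip $_ })
    })
    [pscustomobject]@{
        Endpoint      = $name
        Resolved      = ($addresses -join ', ')
        OutsideRanges = ($outside -join ', ')
        Tcp443Open    = (Test-TcpPort $name)
    }
}
```

Run it on the intended MFA server before starting setup; a non-empty OutsideRanges column or a False in Tcp443Open points to a firewall rule that needs attention.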
Download the Azure Multi-Factor Authentication Server
To download the Azure Multi-Factor Authentication server from the Azure portal:
- Sign in to the Azure Portal as an Administrator.
- In the left pane, select “More Services” and then select “Multi-Factor Authentication (MFA)”.
Double-click “Active Directory” in the left pane.
Click “Configure” on this screen.
Then click “Manage Service Settings”.
Select “Go to the Portal” here.
Now the portal window will open. Click Downloads.
Above Generate Activation Credentials, click Download and save the download.
Once downloaded, run the setup.
We need the update KB 2919355 before installing Azure MFA.
Verify, install and click OK.
I had it on my server, so I clicked OK.
Now we needed the Visual C++ update. I clicked Install to install it.
On the agreement screen, agree and install.
Click Close when done.
Do it again for the 2nd update.
After some time, the installation window appears. Click Next on it.
Click Finish to start Azure MFA Server Agent.
Azure MFA configuration begins here. Click Next on the screen.
Now go back to the download page and click “Generate Activation Credentials”.
Type the activation code here.
If the session expires, the code will not work. In that case, click “Go to the Portal” and generate a new code.
Give a Group name or click next. I am going with Default.
Enable Replication and click next.
Accept the default and click Next.
Click Next to accept the group creation and membership addition.
Click Next to generate the SSL certificate between servers.
Select the applications which you would like to secure. We can add them later; otherwise you will have to provide the details right now. We need to check at least one application, so I have selected Outlook Web Access.
On this screen, we have to provide the same authentication method as Outlook Web Access. So, check the OWA authentication in ECP and select accordingly.
Provide the OWA URL and click Next.
I got the following error.
After some research, I figured out that we can’t use IIS-based MFA; rather, we should use claim-based MFA for OWA.
So, in other words, the auto configuration wizard will not do anything. We have to configure it manually. Also, Form Based Authentication will not work for OWA.
So, I went back 2 steps, which brought me to this screen. I checked the checkbox and clicked Next.
Now it opened MFA Server to configure.
Click Users and select import from Active Directory.
This ends the Azure MFA Deployment Part 1.
Azure Multi-Factor Authentication Part 2 is here.
CTO @ Golden Five
Team@MSExchangeGuru
January 28th, 2017 at 11:56 am
Is this MFA on server 2016?
Are there no IIS or .NET prereqs/components you need to install first?
January 28th, 2017 at 2:40 pm
Hey Jason,
It is ok 2012.
I mentioned in the prerequisite that we need IIS and .net. Read again.