Microsoft France
Published: January 2014 (Updated: June 2015)
Version: 1.1a
Abstract: With escalating IT security threats and a growing number of users, Software-as-a-Service (SaaS) applications, and devices, multi-factor authentication is becoming the new standard for securing access and the way businesses ensure trust in a multi-device, mobile, cloud world. Passwords that are not strong enough can be easily compromised, and the consumerization of IT along with the Bring-Your-Own-Device (BYOD) trend have only increased the scope of vulnerability. Regulatory agencies agree and have mandated its use across a broad range of industries.
Azure Multi-Factor Authentication (Azure MFA) helps reduce organizational risk and enable regulatory compliance by providing an extra layer of authentication in addition to a user's account credentials. For that purpose, it leverages for additional authentication a convenient form factor that users already have (and care about): their phone. During sign-in, users must also authenticate using the mobile app or by responding to an automated phone call or text message before access is granted. An attacker would need to know the user's password and be in possession of the user's phone to sign in. As a solution for both cloud-based and on-premises applications, Azure MFA can notably be used as part of Azure Active Directory authentication.
Table of Contents
INTRODUCTION ..... 3
  OBJECTIVES OF THIS PAPER ..... 5
  NON-OBJECTIVES OF THIS PAPER ..... 7
  ORGANIZATION OF THIS PAPER ..... 7
  ABOUT THE AUDIENCE ..... 7
BUILDING A TEST LAB ENVIRONMENT ..... 8
  CREATING AN AZURE AD TEST TENANT ..... 8
  BUILDING THE ON-PREMISES TEST LAB ENVIRONMENT ..... 9
TESTING AND EVALUATING THE MULTI-FACTOR AUTHENTICATION SERVER ..... 15
  CREATING A MULTI-FACTOR AUTHENTICATION PROVIDER VIA THE AZURE PORTAL ..... 15
  DOWNLOADING THE MULTI-FACTOR AUTHENTICATION SERVER ..... 17
  INSTALLING THE MULTI-FACTOR AUTHENTICATION SERVER ON THE FEDERATION SERVER ..... 18
  CONFIGURING MULTI-FACTOR AUTHENTICATION ON THE FEDERATION SERVER ..... 20
  INSTALLING THE MULTI-FACTOR AUTHENTICATION SDK (OPTIONAL) ..... 34
  DEPLOYING THE MULTI-FACTOR AUTHENTICATION USER PORTAL (OPTIONAL) ..... 38
  DEPLOYING THE MULTI-FACTOR AUTHENTICATION SERVER MOBILE APP WEB SERVICE (OPTIONAL) ..... 42
Note Not only do the above organizations need multi-factor authentication for their employees, but many
of them are also increasingly building cloud-based applications for consumers and citizens that require multi-factor
authentication to ensure a high level of security. These B2C scenarios are growing rapidly and require easy end-
user technology.
Furthermore, multi-factor authentication is no longer optional for many of the above organizations; many
are required by various governing or regulatory agencies to strongly authenticate access to sensitive data
and applications across a broad range of industries.
In such a landscape, phone-based authentication constitutes a very compelling technical approach for multi-
factor authentication as it provides enhanced security for businesses and consumers in a convenient form
factor that the user already has: their phone.
Azure Multi-Factor Authentication (Azure MFA) [3] addresses user demand for a simple sign-in process while also helping address the organization's security and compliance standards. The service offers enhanced protection from malware threats, and real-time alerts notify your IT department of potentially compromised account credentials.
Azure MFA helps to deliver strong security via a range of easy authentication options. Thus, in addition to entering a username and password during sign-in, enabled users are also required to authenticate with a mobile app on their mobile device or via an automated phone call or a text message, allowing these users to choose the method that works best for them. Consequently, in order for an attacker to gain access to a user's account, they would need to know the user's login credentials AND be in possession of the user's phone. Furthermore, support for the above multiple methods enables support for more scenarios, such as offline (no carrier) scenarios.
[1] Enabling Hybrid Cloud today with Microsoft Technologies: http://www.microsoft.com/en-us/download/details.aspx?id=39052
[2] Modern business applications: http://www.microsoft.com/en-us/server-cloud/cloud-os/modern-business-apps.aspx
[3] Azure Multi-Factor Authentication: http://azure.microsoft.com/en-us/services/multi-factor-authentication/
Note For more information, see the Microsoft TechNet article ADDING MULTI-FACTOR AUTHENTICATION TO AZURE ACTIVE DIRECTORY [5].
The whitepaper LEVERAGE MULTI-FACTOR AUTHENTICATION WITH AZURE AD [6] describes how to enable, configure, and use Azure MFA with such cloud users in Azure AD for securing resource access in the Cloud.
Enabling Multi-Factor Authentication for on-premises applications and Windows Server. The Multi-Factor Authentication Server works out-of-the-box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. This includes:
- Microsoft products and technologies like Microsoft VPN/RRAS, Remote Desktop Services and Remote Desktop Gateway, Universal Access Gateway, SharePoint, Outlook Web Access, etc.
- Third-party VPNs and virtual desktop systems.
[4] Application access enhancements for Azure AD: http://technet.microsoft.com/en-us/library/dn308588.aspx
[5] ADDING MULTI-FACTOR AUTHENTICATION TO WINDOWS AZURE ACTIVE DIRECTORY: http://technet.microsoft.com/en-us/library/dn249466.aspx
[6] AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
Note For more information, see Microsoft TechNet article ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES APPLICATIONS AND WINDOWS SERVER [7].
Note For more information, see Microsoft TechNet article BUILDING MULTI-FACTOR AUTHENTICATION INTO CUSTOM APPS (SDK) [8].
Note For more information, see Microsoft TechNet article DIRECTORY SYNC WITH SINGLE SIGN-ON SCENARIO [9].
This integration scenario involves configuring the Multi-Factor Authentication Server to work with Active Directory Federation Services (AD FS) or other supported on-premises third-party security token services (STS) so that multi-factor authentication is triggered on-premises, or in an Infrastructure-as-a-Service (IaaS) cloud environment such as Azure as described in the OFFICE 365 ADAPTER: DEPLOYING OFFICE 365 SINGLE SIGN-ON USING AZURE [10] whitepaper.
[7] ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES APPLICATIONS AND WINDOWS SERVER: http://technet.microsoft.com/en-us/library/dn249467.aspx
[8] BUILDING MULTI-FACTOR AUTHENTICATION INTO CUSTOM APPS (SDK): http://technet.microsoft.com/en-us/library/dn249464.aspx
[9] DIRECTORY SYNC WITH SINGLE SIGN-ON SCENARIO: http://technet.microsoft.com/en-us/library/dn441213.aspx
[10] OFFICE 365 ADAPTER: DEPLOYING OFFICE 365 SINGLE SIGN-ON USING AZURE: http://www.microsoft.com/en-us/download/details.aspx?id=38845
For the other supported on-premises third-party security token services (STS), the aforementioned SDK is available
for use with custom applications and directories.
Beyond this integration, this scenario additionally involves directory synchronization between the on-premises identity infrastructure (based on Windows Server Active Directory (AD) or on other (LDAP-based) directories) and the Multi-Factor Authentication Server, to streamline user management and automate provisioning.
This also requires deploying:
- The on-premises Multi-Factor Authentication Users portal, which allows users to enroll in Multi-Factor Authentication and maintain their accounts.
- Optionally, the Multi-Factor Authentication Server mobile app web service, which is used in the Multi-Factor Authentication mobile app activation process. The Multi-Factor Authentication App offers an additional out-of-band authentication option.
With all of the above, the enrolled federated users can use their on-premises corporate credentials
(user name and password) and their existing phone for additional authentication to access Azure AD
and any cloud-based application that is integrated into Azure AD as well as their existing on-premises
resources.
Important note With the Multi-Factor Authentication Server, only browser-based applications can be secured. Rich clients won't work with the Multi-Factor Authentication Server. The App Password feature devoted to rich clients is currently only provided through the Azure MFA service and is not available for federated users. For more information on the App Password feature, see the aforementioned whitepaper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD [13].
Built on existing Microsoft documentation and knowledge base articles, this document provides a complete walkthrough to build a suitable test lab environment in Azure, and to test and evaluate the above scenario. It provides additional guidance where needed.
[11] USING MULTI-FACTOR AUTHENTICATION WITH ACTIVE DIRECTORY FEDERATION SERVICES: http://technet.microsoft.com/en-us/library/dn394281.aspx
[12] WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280946.aspx
[13] LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH WINDOWS AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
Note For more information, see Microsoft TechNet article ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES APPLICATIONS AND WINDOWS SERVER [16].
[14] USING MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://technet.microsoft.com/en-us/library/jj713614.aspx
[15] LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
[16] ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES APPLICATIONS AND WINDOWS SERVER: http://technet.microsoft.com/en-us/library/dn249467.aspx
We have tried to streamline and ease as much as possible the building of a suitable test lab environment: to reduce the number of instructions that tell you what servers to create, how to configure the operating systems and core platform services, and how to install and configure the required core services, products and technologies, and ultimately to reduce the overall effort needed for such an environment.
We hope that the provided experience will enable you to see all of the components and the configuration steps, both on-premises and in the cloud, that go into such a multi-product, multi-service solution.
[17] Office 365 Enterprise: http://office.microsoft.com/en-us/business/office-365-enterprise-e3-business-software-FX103030346.aspx
Note For more information, see the article SIGN IN TO OFFICE 365 [18].
For the course of this walkthrough, we've provisioned an Office 365 Enterprise (E3) tenant: litware369.onmicrosoft.com. You will have to choose instead a tenant domain name of your choice that is not currently in use. Whenever a reference to litware369.onmicrosoft.com is made in a procedure, it has to be replaced by the tenant domain name of your choice to reflect the change in naming.
Note You can log into the Office 365 administrator portal and go to the Azure Signup page, or go directly to the signup page, select sign in with an organizational account, and log in with your Office 365 global administrator credentials. Once you have completed your trial tenant signup you will be redirected to the Azure account portal [20] and can proceed to the Azure management portal by clicking Portal at the top right corner of your screen.
[18] SIGN IN TO OFFICE 365: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637600.aspx
[19] Office 365 Enterprise E3 Trial: http://office.microsoft.com/en-us/business/redir/XT104175934.aspx
[20] Azure account portal: https://account.windowsazure.com/Subscriptions
At this stage, you should have an Office 365 Enterprise E3 trial subscription with an Azure trial subscription.
[21] USING YOUR OFFICE 365 AZURE AD TENANT WITH APPLICATION ACCESS ENHANCEMENTS FOR WINDOWS AZURE AD: http://blogs.technet.com/b/ad/archive/2013/09/10/empower-your-office-365-subscription-identity-management-with-application-access-enhancements-for-windows-azure-ad.aspx
[22] Office 365 management portal: https://portal.microsoftonline.com
[23] Azure management portal: https://manage.windowsazure.com
[24] APPLICATION ACCESS ENHANCEMENTS FOR AZURE AD: http://technet.microsoft.com/en-us/library/dn308588.aspx
[25] WINDOWS AZURE ACTIVE DIRECTORY APPLICATIONS: http://azure.microsoft.com/en-us/marketplace/active-directory/
[26] AZURE AD/OFFICE 365 SINGLE SIGN-ON WITH AD FS IN WINDOWS SERVER 2012 R2 PART 2: http://www.microsoft.com/en-us/download/details.aspx?id=36391
[27] Azure Active Directory Connect: http://www.microsoft.com/en-us/download/details.aspx?id=47594
[28] AZURE AD CONNECT & CONNECT HEALTH IS NOW GA!: http://blogs.technet.com/b/ad/archive/2015/06/24/azure-ad-connect-amp-connect-health-is-now-ga.aspx
[29] INTEGRATING YOUR ON-PREMISES IDENTITIES WITH AZURE ACTIVE DIRECTORY: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
[30] AZURE ACTIVE DIRECTORY CONNECT: https://msdn.microsoft.com/en-us/library/azure/dn832695.aspx
By following the instructions outlined in this whitepaper along with the provided Azure/Windows PowerShell scripts, you should be able to successfully prepare your Azure-based lab environment, based on virtual machines (VMs) running in Azure, to later deploy and configure the Multi-Factor Authentication Server environment, install and configure it with Active Directory Federation Services (AD FS) in Windows Server 2012 R2, etc., and start evaluating/using it.
Important note Individual virtual machines (VMs) are needed to separate the services provided on the
network and to clearly show the desired functionality. This being said, the suggested configuration to later evaluate
the Multi-Factor Authentication Server is neither designed to reflect best practices nor does it reflect a desired or
recommended configuration for a production network. The configuration, including IP addresses and all other
configuration parameters, is designed only to work on a separate test lab networking environment.
Any modifications that you make to the configuration details provided in the rest of this document may affect or
limit your chances of successfully setting up the on-premises collaboration environment that will serve as the basis
for the integration with the Azure MFA service in the Cloud.
Microsoft has successfully built the suggested environment with Azure IaaS, and Windows Server 2012 R2 virtual
machines.
Once you have completed the aforementioned whitepaper's walkthrough, you'll have in place an environment with a federated domain in the Azure AD tenant (e.g. litware369.onmicrosoft.com); the whitepaper has opted to configure the domain litware369.com (LITWARE369). You will have to choose instead a domain name of your choice whose DNS domain name is not currently in use on the Internet. To check this, you can for instance use the domain search capability provided by several popular domain name registrars.
Whenever a reference to litware369.com is made in a procedure later in this document, it has to be replaced by the DNS domain name of your choice to reflect the change in naming. Likewise, any reference to LITWARE369 should be substituted by the NetBIOS domain name of your choice.
The Azure-based test lab infrastructure consists of the following components:
- One computer running Windows Server 2012 R2 (named DC1 by default) that is configured as a domain controller, with test user and group accounts, and as a Domain Name System (DNS) server.
- One intranet member server running Windows Server 2012 R2 (named ADFS1 by default) that is configured as an enterprise root certification authority (PKI server) and as an AD FS federation server.
- One Internet-facing member server running Windows Server 2012 R2 (named EDGE1 by default) that is configured as a Web Application Proxy (WAP) server for the intranet ADFS1 federation server.
[31] AZURE AD/OFFICE 365 SINGLE SIGN-ON WITH AD FS IN WINDOWS SERVER 2012 R2 PART 1: http://www.microsoft.com/en-us/download/details.aspx?id=36391
The above VMs expose one public endpoint for remote desktop (RDP) and another one for remote Windows
PowerShell (WinRMHTTPS) as illustrated hereafter.
These VMs will enable you to create snapshots so that you can easily return to a desired configuration for
further learning and experimentation.
The integrated test lab consists of:
- A first subnet (10.0.1.0/24) that exposes the test lab resources that require Internet connectivity/endpoint(s). It is separated from a second subnet that hosts the corporate intranet resources. The computer on this subnet is EDGE1.
- A second subnet (10.0.2.0/24) that simulates a private intranet. Computers on the Subnet2 subnet are DC1 and ADFS1.
For the sake of simplicity, the same password pass@word1 is used throughout the configuration. This is
neither mandatory nor recommended in a real world scenario.
To perform all the tasks in this guide, we will use the LITWARE369 domain Administrator account
AzureAdmin for each Windows Server 2012 R2 VM, unless instructed otherwise.
The base configuration should now be completed at this stage if you've followed the whitepaper's walkthrough.
[32] WINDOWS SERVER 2012 R2: http://technet.microsoft.com/en-US/windowsserver/hh534429
To resume working on the test lab, you will need to start, in order, the DC1 computer, then ADFS1, and finally EDGE1.
To start the VMs of the test lab environment, proceed with the following steps:
1. From within the Azure management portal, select VIRTUAL MACHINES on the left pane.
2. Under VIRTUAL MACHINE INSTANCES, select dc1 and then click START in the tray at the bottom.
3. Click dc1, and then select DASHBOARD.
4. Verify under quick glance that the INTERNAL IP ADDRESS is set to 10.0.2.4 in our configuration.
Note This document leverages the existing WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS [33], adapts it to the Office 365 context in lieu of the sample application ClaimApp, and extends it to illustrate the deployment of additional Azure MFA components, namely the Users portal, the SDK, and the Mobile Application web service. For more information, see the Microsoft TechNet article OVERVIEW: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS [34].
[33] WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280946.aspx
[34] OVERVIEW: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280949.aspx
1. Click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER or click NEW in the tray at
the bottom, and then select APP SERVICES, ACTIVE DIRECTORY, MULTI-FACTOR AUTH
PROVIDER, and then QUICK CREATE.
Note For more information on the usage model, see MULTI-FACTOR AUTHENTICATION PRICING DETAILS [35].
c. Directory. The Azure AD tenant that the Multi-Factor Authentication Provider is associated
with. This is optional as the provider does not have to be linked to Azure AD when securing
on-premises resources. Ensure Do not link a directory is selected.
[35] MULTI-FACTOR AUTHENTICATION PRICING DETAILS: http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/
Note For more information, see Microsoft TechNet article ADMINISTERING AZURE MULTI-FACTOR AUTHENTICATION PROVIDERS [36].
Next, you must download the Multi-Factor Authentication Server. You can do this by launching the Multi-
Factor Authentication Portal through the Azure management portal.
[36] ADMINISTERING AZURE MULTI-FACTOR AUTHENTICATION PROVIDERS: http://technet.microsoft.com/en-us/library/dn376346.aspx
Note For more information, see Microsoft TechNet article NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER [37].
You are now ready to install the above setup file for the Multi-Factor Authentication Server on the ADFS1 computer.
[37] NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER: http://technet.microsoft.com/en-us/library/dn394280.aspx
3. Once the installation is complete, click Finish. As indicated, this launches the Multi-Factor Authentication Server Authentication Configuration wizard to configure it. This is the topic of the next section.
Note For more information, see Microsoft TechNet article NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER [38].
You are now ready to configure the Multi-Factor Authentication Server Agent as an additional authentication
method in AD FS in Windows Server 2012 R2 for the course of this walkthrough.
[38] NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER: http://technet.microsoft.com/en-us/library/dn394280.aspx
2. On the Welcome page, check Skip using the Authentication Configuration Wizard, and click Next. This closes the wizard as expected, and the Multi-Factor Authentication Server user interface (MultiFactorAuthUI) appears.
4. Back in the Multi-Factor Authentication Server user interface, enter the credentials that were
generated and click Activate. A Join Group dialog appears.
5. Click OK. Next, the Multi-Factor Authentication Server user interface prompts you to run the
Multi-Server Configuration Wizard.
6. Select No.
7. In the Multi-Factor Authentication Server user interface, select Company Settings and set your options, most of which you will leave at the default:
9. Click Import from Active Directory. An Import from Active Directory window appears.
14. Select the appropriate country code in Country Code and provide the cell phone number for this account in Phone, make sure Enabled is checked, click Apply, and then Close.
15. Back in the Users list, select the Robert Hatley test account, and click Test. A Test User dialog appears.
16. Provide the credentials (e.g. pass@word1) for the Robert Hatley test account and click Test. When
the cell phone rings, press # to complete the account verification. An information dialog confirms
the successful authentication.
19. Make sure that Allow user enrollment, Allow users to select method (including Phone call, Text message, and Mobile app), Use security questions for fallback and Enable logging are checked, then click Install AD FS Adapter. An Install ADFS Adapter installation wizard appears.
It is recommended that you verify on your domain controller that the PhoneFactor Admins group is indeed
created and that the AD FS service account is a member of this group. If necessary, add the AD FS service account
to the PhoneFactor Admins group on your domain controller manually. For additional details on installing the AD
FS Adapter, click the Help link in the top right corner of the Multi-Factor Authentication Server.
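The membership check recommended above can be scripted. The following is an added example and not part of the whitepaper; it assumes it runs on ADFS1 with the RSAT Active Directory PowerShell module installed, reads the AD FS service account from the adfssrv Windows service, and takes the group name from the text.

```powershell
# Added example, not from the whitepaper. Confirms the PhoneFactor Admins group exists
# and that the AD FS service account is a member, adding it when it is missing.
# Assumption: run on ADFS1 with the RSAT-AD-PowerShell feature installed.
Import-Module ActiveDirectory

$groupName = 'PhoneFactor Admins'   # created by the Install AD FS Adapter step

# The AD FS 2012 R2 Windows service is adfssrv; its logon account is the AD FS service account
# (a domain account or a group managed service account, never a local built-in account).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw 'adfssrv service not found; is this the federation server?' }
$serviceAccount = $svc.StartName                 # e.g. LITWARE369\svc_adfs (lab-specific value)
$sam = ($serviceAccount -split '\\')[-1]          # strip the domain prefix for the AD lookup

$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) { throw "Group '$groupName' does not exist; rerun Install AD FS Adapter" }

# -Recursive also catches membership granted through a nested group.
$members = Get-ADGroupMember -Identity $group -Recursive |
           Select-Object -ExpandProperty SamAccountName
if ($members -contains $sam) {
    Write-Output "OK: $serviceAccount is a member of '$groupName'"
} else {
    Write-Output "Adding $serviceAccount to '$groupName'"
    Add-ADGroupMember -Identity $group -Members $sam
    # The service token only picks up the new group at next logon; restart it (test lab).
    Restart-Service -Name adfssrv
}
```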
24. To register the adapter in the federation service on the ADFS1 computer, open a Windows
PowerShell command prompt, and run the following commands:
26. Close the Windows PowerShell command prompt and launch the AD FS Management console
from the Tools menu of the Server Manager to finally configure Azure MFA as the additional
authentication method.
27. Navigate to the Authentication Policies node, scroll down in the middle pane to the Multi-factor
Authentication section.
28. Click Edit next to the Global Settings sub-section. An Edit Global Authentication Policy window appears.
Note You can customize the name and description of the Azure MFA method, as well as of any configured third-party authentication method, as it appears in your AD FS UI, by running the Set-AdfsAuthenticationProviderWebContent cmdlet. For more information, see the Microsoft TechNet article SET-ADFSAUTHENTICATIONPROVIDERWEBCONTENT [39].
[39] SET-ADFSAUTHENTICATIONPROVIDERWEBCONTENT: http://technet.microsoft.com/en-us/library/dn479401.aspx
Note Make sure to replace S-1-5-21-2309203066-2729394637-456832893-3109 with the value of the SID
of your AD group Finance.
Note The Azure AD Module is regularly updated with new features and functionality. The above link should always point to the most current version of the module. For more information, see the Microsoft Wiki article MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY [41].
To perform multi-factor authentication on-premises for litware369.com, run the following command:
Setting SupportsMFA to true means that Azure AD will redirect the user to AD FS for multi-factor authentication if multi-factor authentication is required and a claim of type http://schemas.microsoft.com/claims/authnmethodsreferences with the value http://schemas.microsoft.com/claims/multipleauthn, the so-called MFA claim, is missing.
[40] Azure Active Directory Module for Windows PowerShell (64-bit version): http://go.microsoft.com/fwlink/p/?linkid=236297
[41] MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY: http://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx
Setting SupportsMFA to false means that Azure AD performs multi-factor authentication natively (again assuming multi-factor authentication is required and the MFA claim is missing). If the flag is not set, it is assumed to be false. Users won't be double MFA'd: if multi-factor authentication was already done at AD FS as part of login, the MFA claim will be present and Azure AD won't ask for multi-factor authentication again.
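The two halves of this configuration, the AD FS additional authentication rule keyed on the Finance group SID (see the SID note above) and the SupportsMFA flag on the federated domain, fit together as in the following added example, which is not part of the whitepaper. It assumes it runs on ADFS1 as LITWARE369\AzureAdmin with the RSAT Active Directory module and the Azure Active Directory Module for Windows PowerShell (MSOnline) installed, that the Office 365 relying party trust keeps its default display name, and that the adapter registers under the name WindowsAzureMultiFactorAuthentication.

```powershell
# Added example, not from the whitepaper: AD FS side (issue the MFA claim for Finance members)
# and Azure AD side (SupportsMFA) of the federated MFA configuration described in the text.
Import-Module ADFS
Import-Module ActiveDirectory   # RSAT-AD-PowerShell, for Get-ADGroup
Import-Module MSOnline          # Azure Active Directory Module for Windows PowerShell

# 1. Confirm the Azure MFA adapter is registered before referencing it in policy.
#    Assumption: the adapter registers under this name; compare with Global Settings in the console.
$providers = Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name
if ($providers -notcontains 'WindowsAzureMultiFactorAuthentication') {
    throw "Azure MFA adapter is not registered in AD FS. Registered providers: $($providers -join ', ')"
}

# 2. Resolve the Finance group SID from the directory instead of pasting it. The value shown in
#    the text, S-1-5-21-2309203066-2729394637-456832893-3109, belongs to the whitepaper's lab.
$financeSid = (Get-ADGroup -Identity 'Finance').SID.Value

# 3. Additional authentication rule on the Office 365 relying party: when the incoming claims
#    carry the Finance group SID, require the MFA adapter by issuing the multipleauthn
#    authentication-method claim. The (?i) prefix and the anchors keep the SID match exact.
$rpName  = 'Microsoft Office 365 Identity Platform'   # default display name of the O365 trust
$mfaRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value =~ "^(?i)$financeSid`$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRule

# 4. Azure AD side: SupportsMFA = $true makes Azure AD redirect to AD FS for MFA when the
#    authnmethodsreferences claim lacks http://schemas.microsoft.com/claims/multipleauthn,
#    instead of running its own MFA. Users already MFA'd at AD FS carry the claim and are not
#    challenged twice.
Connect-MsolService                        # prompts for the Azure AD global administrator
Set-MsolDomainFederationSettings -DomainName 'litware369.com' -SupportsMFA $true

# 5. Read both settings back.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
Get-MsolDomainFederationSettings -DomainName 'litware369.com' | Select-Object SupportsMFA
```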
Note For more information about how to customize the sign-in experience, see the Microsoft TechNet article CUSTOMIZING THE AD FS SIGN-IN PAGES [42].
Note The text also states that a call will be placed to your phone to complete your authentication. For more information about signing in with Azure MFA and using the various options for the preferred method of verification, see AZURE MULTI-FACTOR AUTHENTICATION OVERVIEW [43].
5. Click Continue. When the cell phone rings, press # to complete the account verification.
6. Since we've previously set Use security questions for fallback when installing the AD FS adapter, and because this is the first time you log on after we set the multi-factor authentication policy, you're now invited to set four questions and provide an answer for each of them.
[42] CUSTOMIZING THE AD FS SIGN-IN PAGES: http://technet.microsoft.com/en-us/library/dn280950.aspx
[43] AZURE MULTI-FACTOR AUTHENTICATION OVERVIEW: http://technet.microsoft.com/en-us/library/dn249479.aspx
This is expected, as you have not assigned a license to the test user.
At this stage, you have successfully deployed the Multi-Factor Authentication Server in your
environment.
Note Instead of step 2 to 4, you can navigate to the folder where the Multi-Factor Authentication Server is
installed (e.g. C:\Program Files\Windows Azure Multi-Factor Authentication) and double-click the
MultiFactorAuthenticationWebServiceSdkSetup64.msi installation file (64-bit version).
5. Click Next.
7. Click Next. If the prerequisites are satisfied, the Select Installation Address page is displayed.
9. Click Close.
The Web Service SDK (PfWsSdk) is configured to be secured with an SSL certificate. We thus need to
configure HTTPS on the default web site. We already issued an adfs.litware369.com SSL certificate for the
AD FS configuration.
PS C:\users\AzureAdmin.LITWARE369> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
PS C:\users\AzureAdmin.LITWARE369>
PS C:\Users\AzureAdmin.LITWARE369>
3. Open a browsing session and navigate to the Web Service SDK (PfWsSdk) at https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx. A Windows Security dialog appears.
4. Provide the credentials for the LITWARE369\AzureAdmin administrator account such as:
Username: AzureAdmin
Password: pass@word1
5. Click OK. The collection of operations supported by the Web Service SDK (PfWsSdk) should now be
listed in the .asmx page.
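The HTTPS binding created above still needs the adfs.litware369.com certificate attached, and the browser check in steps 3 to 5 can be scripted. The following is an added example, not part of the whitepaper; it assumes it runs on ADFS1 as LITWARE369\AzureAdmin and that the certificate sits in the computer's Personal store with its private key.

```powershell
# Added example, not from the whitepaper. Attaches the existing adfs.litware369.com certificate
# to the IIS https binding on ADFS1, then checks the Web Service SDK endpoint over TLS the same
# way the text does in the browser. Assumption: run as LITWARE369\AzureAdmin on ADFS1.
Import-Module WebAdministration

$hostName = 'adfs.litware369.com'
$sdkUrl   = "https://$hostName/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx"

# Pick the server certificate issued for the AD FS configuration (newest one with a private key).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostName in LocalMachine\My" }

# Create the https site binding if the New-WebBinding step has not been run yet.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -IP '*' -Port 443 -Protocol https
}

# IIS:\SslBindings mirrors the HTTP.SYS SSL bindings (netsh http show sslcert). On ADFS1 the
# AD FS service already owns 0.0.0.0:443 with the same certificate, so only add a binding when
# none exists and never replace an existing one from this script.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) {
    $bound = (Get-Item $sslPath).Thumbprint
    if ($bound -ne $cert.Thumbprint) {
        Write-Warning "0.0.0.0:443 is bound to $bound, not $($cert.Thumbprint); check netsh http show sslcert"
    }
} else {
    New-Item -Path $sslPath -Value $cert | Out-Null
}

# Check the endpoint over TLS. Invoke-WebRequest validates the certificate chain and host name,
# so any certificate warning the browser would show surfaces here as an exception.
# -UseDefaultCredentials answers the Windows Security prompt with the current logon
# (LITWARE369\AzureAdmin) instead of typing the password into a dialog.
try {
    $resp = Invoke-WebRequest -Uri $sdkUrl -UseDefaultCredentials -UseBasicParsing
    if ($resp.StatusCode -eq 200 -and $resp.Content -match 'PfWsSdk') {
        Write-Output "OK: $sdkUrl returned the Web Service SDK operation list"
    } else {
        Write-Output "Unexpected response $($resp.StatusCode) from $sdkUrl"
    }
} catch {
    Write-Output "FAILED: $sdkUrl : $($_.Exception.Message)"
}
```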
PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\MultiFactorAuthenticationUserPortalSetup64.msi
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
6. Click Next.
7. Click Close.
</appSettings>
</configuration>
Note The username must be a member of the PhoneFactor Admins security group. Be sure to enter the
Username and Password in between the quotation marks at the end of the line, (value=""/>). It is recommended to
use a qualified username (e.g. domain\username).
</setting>
</pfup.Properties.Settings>
</applicationSettings>
</configuration>
Change the value from http://localhost:4898/PfWsSdk.asmx to the URL of the Web Service SDK
that is running on ADFS1, e.g.
https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration.
Note The root certification authority litware369-ADFS1-CA certificate is imported into the Trusted Root
Certification Authorities store of the EDGE1 computer that will be our Mobile App Web Service web server. Thus, it
will trust the adfs.litware369.com certificate when initiating the SSL connection.
12. Save the web.config file after changes have been made.
Important note It is helpful to open a browsing session on EDGE1 and navigate to the URL of the Web Service SDK that was entered into the web.config file, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration. If the browser can reach the web service successfully, it should prompt you for credentials as previously illustrated. Enter the username and password that were entered into the web.config file exactly as they appear in the file. Ensure that no certificate warnings or errors are displayed.
2. Provide the credentials (e.g. roberth and pass@word1) for the Robert Hatley test account and
click Log In. When the cell phone rings, press # to complete the account verification. After a
successful authentication, you can now manage the account settings.
[44] INSTALLING THE AZURE MULTI-FACTOR AUTHENTICATION USERS PORTAL: http://technet.microsoft.com/en-us/library/dn394290.aspx
[45] USER ENROLLMENT AND SELF-MANAGEMENT: http://technet.microsoft.com/en-us/library/dn394292.aspx
PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\MultiFactorAuthenticationMobileAppWebServiceSetup64.msi
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
6. Change the Site if desired and change the Virtual directory to a short name such as PA. A short
virtual directory name is recommended since users must enter the Mobile App Web Service URL
into the mobile device during activation. Click Next.
7. Click Close.
8. After finishing the installation of the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi
file, browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory
name) and edit the web.config file.
9. Locate the appSettings section in the web.config file.
<?xml version="1.0"?>
</appSettings>
</configuration>
Note The username must be a member of the PhoneFactor Admins security group. Be sure to enter the Username and Password between the quotation marks at the end of the line (value=""/>). It is recommended to use a qualified username (e.g. domain\username).
<?xml version="1.0"?>
<configuration>
<applicationSettings>
<pfpaws.Properties.Settings>
</setting>
</pfpaws.Properties.Settings>
</applicationSettings>
</configuration>
Change the value from http://localhost:4898/PfWsSdk.asmx to the URL of the Web Service SDK
that is running on ADFS1, e.g.
https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration.
12. Save the web.config file after changes have been made.
Note Since the Multi-Factor Authentication User Portal is already installed on the EDGE1 computer, the username, password and URL to the Web Service SDK can be copied from the User Portal's web.config file.
13. Open a browsing session and navigate to the URL where Mobile App Web Service was installed (e.g.
https://www.litware369.com/PA/). Ensure that no certificate warnings or errors are displayed as
illustrated hereafter.
[46] Multi-Factor Authentication app on Windows Phone Store: http://www.windowsphone.com/en-us/store/app/phonefactor/0a9691de-c0a1-44ee-ab96-6807f8322bd1
[47] Multi-Factor Authentication app on iTunes: https://itunes.apple.com/us/app/phonefactor/id475844606?mt=8
[48] Multi-Factor Authentication app on Google Play: https://play.google.com/store/apps/details?id=com.phonefactor.phonefactor
5. Click Generate Activation Code. (Users can instead contact an administrator, who will generate an activation code for them.)
9. Activate the Multi-Factor Authentication App by entering the above activation code and URL or by scanning the barcode picture.
10. Switch the authentication method to Mobile App, or contact an administrator who will change it for you.
Note For more information, see Microsoft TechNet article DEPLOYING THE AZURE MULTI-FACTOR AUTHENTICATION SERVER MOBILE APP WEB SERVICE [49].
This concludes the guided tour of the Multi-Factor Authentication Server in the context of Azure AD federated users, as well as this paper.
For the configuration of the advanced settings and reports of the service, please refer to the aforementioned whitepaper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD [50].
[49] DEPLOYING THE AZURE MULTI-FACTOR AUTHENTICATION SERVER MOBILE APP WEB SERVICE: http://technet.microsoft.com/en-us/library/dn394277.aspx
[50] LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391