One of the improvements with ADFS 4 (on Windows Server 2016) is the integration of Azure MFA as multi factor authentication method as well as primary authentication method; you can still use the certificate based or the Azure MFA Server (see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=618) for the multi factor methods.

If you want to enable Azure MFA with ADFS 4, you need to follow these steps:

  • generate a certificate for your Azure MFA tenant
  • use the certificate to add a credential
  • then enable Azure MFA as MFA authentication provider

 

Generate a certificate for your Azure MFA tenant

If you check the certificate store on your ADFS server you should see at least the certificate you are using to publish your ADFS, plus maybe certificates for the server itself

image 

To generate the Azure MFA certificate tenant, open a PowerShell prompt and execute the following command

$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your Office 365/Azure tenant – like mytenant.onmicrosoft.com>

image 

If you refresh the certificate store, you will see a new certificate issued by your tenant

image 

 

Use the certificate to authenticate against Azure MFA

To use the certificate generated on step 1, you need to the certificate as a credential to Azure MFA Auth Client SPN.

To do so you need to be connected to Microsoft Online Services

Import the MSOL PowerShell modules (you need to have first installed the Windows Azure Active Directory Module) and connect to your tenant with the Connect-MSOLService

Import-Module MSOnline

$cred = get-credential

Connect-MSOLService -credential:$cred

$certX509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate

$certX509.Import([System.Convert]::FromBase64String($certBase64))

New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64

NOTE1 the value 981f26a1-7f43-403b-a875-f8b09b8cd720 is the guid for Azure Multi-Factor Auth Client

NOTE2 you may find other documentation providing the same command with 2 additional parameters – -StartDate $certX509.GetEffectiveDateString() -EndDate $certX509.GetExpirationDateString(); these parameters usually generates errors

image 

Complete the ADFS configuration

Still with the PowerShell prompt, execute the last 2 steps to enable Azure MFA

Set-AdfsAzureMfaTenant -TenantId <your Office 365/Azure tenant – like mytenant.onmicrosoft.com>-ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720 
Restart-Service adfssrv

image 

The configuration is now complete, you don’t have any more the information message telling you you have additional steps to configure Azure MFA authentication in the Authentication Methods properties window

imageimage 

Et voila, Azure MFA is available is one of the authentication methods

image 

Off course, this means your users have been registered to use Azure MFA