As you may already know, Office 365 introduced multi-factor authentication (MFA) some time ago.
This feature is based on the Microsoft Azure Active Directory Multi-Factor service and allows you to set up additional authentication methods to secure access to your Office 365 tenant.
This also works perfectly well if you have federated your Office 365 tenant with your internal Active Directory; in this case, the user is first redirected to your ADFS authentication form and then MFA from Office 365 is invoked.
BUT this secures ONLY your Office 365 services; how can you use this service to secure your other federated services?
This post details all the steps to install and configure Azure MFA On Premises with AD integration, the self-service portal and mobile app usage.
The first step is to deploy and configure ADFS 3.0 – included as a server role in Windows Server 2012 R2 – and update your federation trust with Office 365 (this ensures service continuity after deploying your ADFS 3.0 farm).
Then you must download, install and configure the multi-factor authentication server software on your ADFS server.
As a reminder, MFA is part of the Azure Active Directory Premium offer.
Enable Multi Factor Authentication on Azure Active Directory
Ensure you have MFA enabled on your Microsoft Azure Active Directory – this should already have been done if you have enabled MFA for Office 365. If not, follow the steps below. NOTE: this also applies if you don’t have Office 365 and want to take advantage of this service; in that case you also have to configure Directory Synchronization with Azure AD.
- Log on to your Azure management portal using your Office 365 admin account – https://manage.windowsazure.com
NOTE: you may face the error “we were unable to find any subscription associated with your account”; no worries, just click on Sign Up for Windows Azure and you will get a trial access – which will not expire for the AAD service.
- Click on the New\App Services\Active Directory\Multi Factor Auth provider menu
- Name the new service and define the usage/licensing mode. For the directory, you should have only one: your Office 365 directory. As we are going to secure other applications, this does not need to be filled in, because the MFA service will then be deployed On Premises
Download and Install the Software Piece
- Once the MFA service has been created successfully, you must download the software to be deployed on premises. To download it, reach the Active Directory section, click on the Multi Factor Auth Provider tab, select your MFA provider and click Manage
- From the newly opened page, scroll down a little to find the Downloads section
- When you click on the Downloads link, you get a new page with an Activation Credentials button. The download link itself is just above the button.
- Install the MFA software on your ADFS server. There is no specific option to configure.
- Once installed, a configuration wizard starts. Choose to Skip the wizard
Configure MFA
- Return to the MFA administration page and now click the Activation Credentials button; for security reasons, these credentials are valid for ONLY 10 minutes; if you need to regenerate them, just hit the button again
- On the MFA console, enter the generated credentials and click on Activate
- Once activated, you can import your users from AD by hitting the Users button and then Import – or by using the File\Import Users menu to import from a CSV file
Configure Directory Synchronization
- Reach the Directory Integration option and click on the Synchronization tab
- Click on the Add button and select the domain/OU to be synchronized; define all other options according to your needs
- Finally, enable the synchronization and set the interval between each synchronization, as well as the actions to take for removed/disabled users
Integrate with ADFS 3.0
- Then click on the ADFS button to enable the integration with your ADFS. Enable user enrollment; optionally, you can also let the user choose the MFA method by enabling the desired option below Allow users to select method. Then click on Install AD FS Adapter
- To complete the integration, you must then run a PowerShell script to register it as an additional authentication method. Open a Windows PowerShell command line using Run as administrator and execute the script Register-MultiFactorAuthenticationAdfsAdapter.ps1 located in the directory C:\Program Files\Multi-Factor Authentication Server\
- Then open your ADFS console and reach the Authentication Policies section to enable MFA from Azure
- Click on Edit for Multi-factor authentication and then enable WindowsAzureMultiFactorAuthentication; of course, you have to configure for which users/groups and devices or locations MFA is used
- Once this has been done, you just have to test it
- From a web browser, enter your ADFS URL (https://<ADFS URL>/adfs/ls/IdpInitiatedSignon.aspx) and try to log on using an MFA-enabled account
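The adapter registration and the Authentication Policies step above can also be done and verified from PowerShell. The script below is an added example, not part of the original post or of the MFA Server product; it uses the script path and the provider name WindowsAzureMultiFactorAuthentication given above, and assumes an elevated PowerShell session on the ADFS 3.0 server with the ADFS module available (the user/group and device/location scoping is still done in the console).

```powershell
# Added example (not from the original post): register the Azure MFA adapter in
# AD FS 3.0 and verify that it is actually registered and enabled globally.
# Assumption: elevated PowerShell on the AD FS server where MFA Server is installed.
$mfaDir = 'C:\Program Files\Multi-Factor Authentication Server'
$script = Join-Path $mfaDir 'Register-MultiFactorAuthenticationAdfsAdapter.ps1'

if (-not (Test-Path $script)) {
    throw "Registration script not found at $script - is MFA Server installed on this host?"
}

# Run the vendor script that registers the adapter as an additional authentication provider.
& $script

Import-Module ADFS

# Provider name as it appears in the AD FS console (see the step above).
$providerName = 'WindowsAzureMultiFactorAuthentication'
$provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $provider) {
    throw "Provider $providerName is not registered; check the output of the registration script."
}
"Registered provider: $($provider.Name)"

# Enable the provider in the global policy (same effect as ticking it under
# Authentication Policies > Multi-factor authentication > Edit).
$policy  = Get-AdfsGlobalAuthenticationPolicy
$current = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ })
if ($current -notcontains $providerName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $providerName)
}

# Show the resulting list and restart the AD FS service so the adapter is loaded.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Restart-Service adfssrv
```

After the restart, the IdP-initiated sign-on page named above should present the MFA step for the users/groups you scoped in the console; if the provider is missing from the policy output, the adapter was installed but not enabled.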
Install MFA Portal
The MFA portal allows users to register themselves.
- Before installing the user portal, you must enable the IIS server role, including IIS 6 Metabase and ASP.NET. For the purpose of this post, I have also pre-created a new IIS web site to use for the self-service portal. It is recommended not to use the default IIS website
- Reach the User Portal section and click the Install User Portal button
- As the server is part of an Active Directory domain, the integration will be configured automatically; if you prefer to configure it manually, just check Skip automatic Active Directory configuration
- Select the IIS web site to use for hosting the portal
- Then define all other options, like the URL (include http:// or https://), user enrollment, etc.; for the URL, do not forget to provide the FULL URL – like https://mfaportal/MultiFactorAuth/
Install the mobile app and the SDK
This step allows the mobile app – available from all mobile app stores – to be used to authenticate with the MFA solution. The SDK is required even if you don’t plan to develop applications that use the MFA service.
It is recommended to deploy this on an internet-facing server; for the purpose of this post, I’m installing it on the same server as the previous components.
This requires the IIS role installed, with ASP.NET and IIS 6 Metabase. For the purpose of this post, I have pre-created a new IIS website – it is recommended not to use the default website; it can also be the same IIS site as the one used for the self-service portal
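The IIS prerequisites are the same for the user portal section above and for the Web Service SDK here: the IIS role with ASP.NET and IIS 6 Metabase compatibility, plus a dedicated site rather than the Default Web Site. The following PowerShell is an added example (not from the original post) that installs those features and creates an HTTPS-only site; the site name, physical path, host name and certificate thumbprint are placeholders you would replace, and the physical path simply matches the directory used later in the post for the mobile app web service.

```powershell
# Added example (not from the original post): IIS prerequisites for the MFA user
# portal and the Web Service SDK on Windows Server 2012 R2 (elevated PowerShell).
Import-Module ServerManager
Install-WindowsFeature -Name Web-Server, Web-Asp-Net45, Web-Net-Ext45, Web-Metabase, Web-Mgmt-Console -IncludeManagementTools

Import-Module WebAdministration

$siteName  = 'MFA Portal'                    # placeholder site name
$sitePath  = 'C:\inetpub\mfa_portal'         # matches the web.config directory used later in the post
$hostName  = 'mfaportal.example.com'         # placeholder FQDN
$certThumb = 'REPLACE_WITH_CERT_THUMBPRINT'  # placeholder; certificate must already be in Cert:\LocalMachine\My

New-Item -ItemType Directory -Path $sitePath -Force | Out-Null

# Dedicated site, HTTPS only: the portal carries passwords and activation codes,
# so no plain HTTP binding is created.
if (-not (Get-Website -Name $siteName)) {
    New-Website -Name $siteName -PhysicalPath $sitePath -Port 443 -Ssl -HostHeader $hostName | Out-Null
}

# Attach the server certificate to the HTTPS binding.
$binding = Get-WebBinding -Name $siteName -Protocol https
if ($binding -and $certThumb -ne 'REPLACE_WITH_CERT_THUMBPRINT') {
    $binding.AddSslCertificate($certThumb, 'My')
}

# Sanity checks: features present, and the new site is separate from the Default Web Site.
Get-WindowsFeature Web-Server, Web-Asp-Net45, Web-Metabase | Select-Object Name, Installed
Get-Website | Select-Object Name, State, PhysicalPath
```

When the MFA console later asks which IIS web site to use (for the user portal, the Web Service SDK and the mobile app web service), pick the site created here instead of the default one.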
- From the MFA console, reach the Web Service SDK section and hit the Install Web Service SDK button
- Select the IIS web site to use as installation target
- Open a command prompt with Run as administrator
- Browse to C:\Program Files\Multi-Factor Authentication Server and run the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi package
- Select the IIS website to host the web service mobile application
- Then edit the web.config file located within the C:\inetpub\mfa_portal\MultiFactorAuthMobileAppWebService directory
- Update WEB_SERVICE_SDK_AUTHENTICATION_USERNAME and WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD with the values for the service account to be used. A service account has already been set up by the wizard, but as you don’t know its password (it is used for the application pool), it is recommended to create a new one and add it as a member of the PhoneFactor Admins group, also created by the wizard
- Update the value of pfpaws_pfwssdk_PfWsSdk with the URL of your portal – include https; it then looks like https://mfaportalurl/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx
- If you open a web browser window and enter this URL, you should be prompted for authentication and then get the ASMX details
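The three web.config changes and the browser check above can be scripted so the file is backed up first and the endpoint is verified afterwards. This is an added example, not from the original post: it uses the web.config path and the URL shape given above, assumes (the post does not say so) that the three settings are `<add key="..." value="..."/>` entries under `<appSettings>`, and uses a placeholder service account name and host.

```powershell
# Added example (not from the original post): set the SDK account and URL in the
# mobile app web service's web.config, then confirm the SDK endpoint answers.
# Assumption: the settings live under <appSettings> as <add key=... value=.../>.
$webConfig = 'C:\inetpub\mfa_portal\MultiFactorAuthMobileAppWebService\web.config'   # path from the post
$sdkUrl    = 'https://mfaportalurl/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx'       # placeholder host
$svcUser   = 'CONTOSO\svc-mfa-sdk'                                                  # placeholder account, member of PhoneFactor Admins

# Prompt for the password instead of hard-coding it in the script.
$cred  = Get-Credential -UserName $svcUser -Message 'Password of the Web Service SDK service account'
$plain = $cred.GetNetworkCredential().Password

# Keep a timestamped backup before touching the file.
Copy-Item $webConfig "$webConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$cfg = Get-Content $webConfig

function Set-AppSetting([xml]$doc, [string]$key, [string]$value) {
    # Fail loudly if the expected key is absent rather than silently adding a new one.
    $node = $doc.configuration.appSettings.add | Where-Object { $_.key -eq $key }
    if (-not $node) { throw "appSettings key '$key' not found in $webConfig" }
    $node.value = $value
}

Set-AppSetting $cfg 'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME' $cred.UserName
Set-AppSetting $cfg 'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD' $plain
Set-AppSetting $cfg 'pfpaws_pfwssdk_PfWsSdk' $sdkUrl
$cfg.Save($webConfig)

# Same check as opening the URL in a browser: authenticate, then expect the ASMX page.
try {
    $resp = Invoke-WebRequest -Uri $sdkUrl -Credential $cred -UseBasicParsing
    if ($resp.StatusCode -eq 200 -and $resp.Content -match 'PfWsSdk') {
        'SDK endpoint reachable and authenticated.'
    } else {
        Write-Warning "Unexpected response ($($resp.StatusCode)) from $sdkUrl"
    }
} catch {
    Write-Warning "SDK endpoint check failed: $($_.Exception.Message)"
}
```

Because the account password ends up in clear text in web.config, restrict the file's ACL to administrators and the application pool identity; encrypting the appSettings section with `aspnet_regiis -pef appSettings <site path>` is a further option to evaluate, since .NET decrypts protected sections transparently for the application.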
Configure SMTP service
The SMTP service will be used to send notification emails to end users enabled for MFA, with the details needed to complete the registration.
- From the MFA console, reach the Email section, enable Send emails to users and define your own settings for using your SMTP server
- Optionally, you can also customize the notification emails via the Email Content tab. For this post, I’m keeping the defaults as they provide all the required information
Enable users for MFA
- From the MFA console, reach the Users section
- Select a user (or multiple users) to enable
- Define the authentication method to be used and enable it
- An email is sent to the user (thanks to the configuration done earlier) with all the details needed to complete the configuration
- The user then logs on to the MFA portal to complete the configuration
- As I allowed users to choose which authentication method to use, it is possible to select anything from phone call to mobile app
- For the purpose of this post, I chose Mobile App; just click on the Generate Activation Code button to get the tag and code generated; if the tag cannot be scanned, the user can enter the URL and the activation code manually
- I start my Multi-Factor Auth mobile app and present the tag
- Then I ask to be authenticated now, which generates a confirmation request on my mobile app
- Then complete the security questions. And that’s it