One of the improvements in ADFS 4 (on Windows Server 2016) is the integration of Azure MFA both as a multi-factor authentication method and as a primary authentication method; you can still use certificate-based authentication or the Azure MFA Server (see http://blog.hametbenoit.info/2014/08/18/azure-use-windows-azure-multi-factor-authentication-to-secure-your-on-premises-application-and-with-your-adfs/) for the multi-factor methods.
If you want to enable Azure MFA with ADFS 4, you need to follow these steps:
- generate a certificate for your Azure MFA tenant
- use the certificate to add a credential
- then enable Azure MFA as MFA authentication provider
Generate a certificate for your Azure MFA tenant
If you check the certificate store on your ADFS server you should see at least the certificate you are using to publish your ADFS, plus possibly certificates for the server itself.
To generate the Azure MFA tenant certificate, open a PowerShell prompt and execute the following command:
$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <your Office 365/Azure tenant – like mytenant.onmicrosoft.com>
If you refresh the certificate store, you will see a new certificate issued by your tenant.
Use the certificate to authenticate against Azure MFA
To use the certificate generated in step 1, you need to add it as a credential on the Azure MFA Auth Client service principal (SPN).
To do so you need to be connected to Microsoft Online Services.
Import the MSOL PowerShell module (you first need to have installed the Windows Azure Active Directory Module) and connect to your tenant with Connect-MSOLService:
Import-Module MSOnline
$cred = get-credential
Connect-MSOLService -credential:$cred
$certX509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certX509.Import([System.Convert]::FromBase64String($certBase64))
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
NOTE 1: the value 981f26a1-7f43-403b-a875-f8b09b8cd720 is the GUID of the Azure Multi-Factor Auth Client service principal.
NOTE 2: you may find other documentation giving the same command with two additional parameters, -StartDate $certX509.GetEffectiveDateString() -EndDate $certX509.GetExpirationDateString(); these parameters usually generate errors.
Complete the ADFS configuration
Still in the PowerShell prompt, execute the last two commands to enable Azure MFA:
Set-AdfsAzureMfaTenant -TenantId <your Office 365/Azure tenant – like mytenant.onmicrosoft.com> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
Restart-Service adfssrv
The configuration is now complete: the information message in the Authentication Methods properties window telling you that additional steps are required to configure Azure MFA authentication is gone.
Et voila, Azure MFA is available as one of the authentication methods.
Of course, this assumes your users have already been registered to use Azure MFA.
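As an added check that is not part of the original post, the following PowerShell script verifies the result of the steps above and flags the most common follow-up problem, the tenant certificate approaching expiry (it must then be renewed and the new credential re-added to the service principal). It assumes the ADFS and MSOnline modules are loaded and, for the last check, that you are already connected with Connect-MsolService; the subject filter used to find the tenant certificate is an assumption, adjust it if your certificate's subject differs.

```powershell
# Added verification script, not from the original post. Assumes the ADFS and
# MSOnline modules are loaded; the service principal check only runs when a
# Connect-MsolService session already exists.
$AzureMfaClientId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure Multi-Factor Auth Client (from the post)

function Test-AdfsAzureMfaSetup {
    param([int]$WarnDays = 60)   # warn when the tenant certificate expires within this many days
    $ok = $true

    # 1. Tenant certificate in the local computer store. Assumption: its subject
    #    carries the OU "Microsoft AD FS Azure MFA"; change the filter if needed.
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*OU=Microsoft AD FS Azure MFA*' }
    if (-not $certs) { Write-Warning 'No Azure MFA tenant certificate found in LocalMachine\My'; $ok = $false }
    foreach ($c in $certs) {
        $days = [int]($c.NotAfter - (Get-Date)).TotalDays
        Write-Host ("Tenant cert {0} expires {1:d} ({2} days left)" -f $c.Thumbprint, $c.NotAfter, $days)
        if ($days -le $WarnDays) {
            Write-Warning "Renew it with New-AdfsAzureMfaTenantCertificate -TenantId <tenant> -Renew `$true and re-add the credential"
            $ok = $false
        }
    }

    # 2. AD FS itself reports Azure MFA as configured
    if (-not (Get-AdfsAzureMfaConfigured)) { Write-Warning 'Get-AdfsAzureMfaConfigured returned False'; $ok = $false }

    # 3. Azure MFA is actually selected as the additional (MFA) authentication provider
    $policy = Get-AdfsGlobalAuthenticationPolicy
    if ($policy.AdditionalAuthenticationProvider -notcontains 'AzureMfaAuthentication') {
        Write-Warning 'AzureMfaAuthentication is not enabled as an additional authentication provider'
        $ok = $false
    }

    # 4. The Azure MFA client service principal still holds a credential whose value
    #    is exactly the base64 of the local tenant certificate (same string the post adds).
    try {
        $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $AzureMfaClientId -ReturnKeyValues $true -ErrorAction Stop
        foreach ($c in $certs) {
            $b64 = [Convert]::ToBase64String($c.RawData)
            if (-not ($creds | Where-Object { $_.Value -eq $b64 })) {
                Write-Warning "No service principal credential matches cert $($c.Thumbprint); re-run New-MsolServicePrincipalCredential"
                $ok = $false
            }
        }
    } catch { Write-Host 'Skipping service principal check (not connected with Connect-MsolService)' }

    return $ok
}

Test-AdfsAzureMfaSetup
```

Run it on the ADFS server after the restart; a result of True with no warnings means the certificate, the tenant-side credential and the authentication policy all agree.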