Leverage Multi-Factor Authentication Server for Azure AD single sign-on with AD FS
Overview Technical Article
Microsoft France
Published: January 2014 (Updated: June 2015)
Version: 1.1a
Author: Philippe Beraud (Microsoft France)
Contributors/Reviewers: Arnaud Jumelet, Jean-Yves Grasset (Microsoft France), Yann Kristofic, Christophe Leroux,
Philippe Maurent (Microsoft Corporation)
For the latest information, please see
www.windowsazure.com/en-us/services/multi-factor-authentication
Copyright © 2015 Microsoft Corporation. All rights reserved.
Abstract: With escalating IT security threats and a growing number of users, Software-as-a-Service (SaaS)
applications, and devices, multi-factor authentication is becoming the new standard for securing access and
how businesses ensure trust in a multi-device, mobile, cloud world. Passwords that are not strong enough can be
easily compromised, and the consumerization of IT along with the Bring-Your-Own-Device (BYOD) trend
have only increased the scope of vulnerability. Regulatory agencies agree and have mandated its use across
a broad range of industries.
Azure Multi-Factor Authentication (Azure MFA) helps reduce organizational risk and enable regulatory
compliance by providing an extra layer of authentication in addition to a user’s account credentials. For that
purpose, it leverages for additional authentication a convenient form factor that the users already have (and
care about): their phone. During sign in, users must also authenticate using the mobile app or by responding
to an automated phone call or text message before access is granted. An attacker would need to know the
user’s password and have the user’s phone in their possession to sign in. As a solution for both cloud-based
and on-premises applications, Azure MFA can notably be used as part of the Azure Active Directory
authentication.
Table of Contents
INTRODUCTION (page 3)
  OBJECTIVES OF THIS PAPER (page 5)
  NON-OBJECTIVES OF THIS PAPER (page 7)
  ORGANIZATION OF THIS PAPER (page 7)
  ABOUT THE AUDIENCE (page 7)
BUILDING A TEST LAB ENVIRONMENT (page 8)
  CREATING AN AZURE AD TEST TENANT (page 8)
  BUILDING THE ON-PREMISES TEST LAB ENVIRONMENT (page 9)
TESTING AND EVALUATING THE MULTI-FACTOR AUTHENTICATION SERVER (page 15)
  CREATING A MULTI-FACTOR AUTHENTICATION PROVIDER VIA THE AZURE PORTAL (page 15)
  DOWNLOADING THE MULTI-FACTOR AUTHENTICATION SERVER (page 17)
  INSTALLING THE MULTI-FACTOR AUTHENTICATION SERVER ON THE FEDERATION SERVER (page 18)
  CONFIGURING MULTI-FACTOR AUTHENTICATION ON THE FEDERATION SERVER (page 20)
  INSTALLING THE MULTI-FACTOR AUTHENTICATION SDK (OPTIONAL) (page 34)
  DEPLOYING THE MULTI-FACTOR AUTHENTICATION USER PORTAL (OPTIONAL) (page 38)
  DEPLOYING THE MULTI-FACTOR AUTHENTICATION SERVER MOBILE APP WEB SERVICE (OPTIONAL) (page 42)
Introduction
Today many organizations use on-premises multi-factor authentication systems to protect mission critical
data in their file servers and their critical Line of Business (LOB) applications. As these workloads (or parts of
them) move to the cloud (at least in a hybrid manner, see whitepaper ENABLING HYBRID CLOUD TODAY WITH
MICROSOFT TECHNOLOGIES [1]), they need an effective and easy-to-use solution in the Cloud for protecting:
- That data in the Microsoft services, such as Office 365 and Dynamics CRM Online, or other Software-as-a-Service (SaaS) offerings they’ve subscribed to,
- The custom cloud-based Line of Business (LOB) applications (on Azure or in other clouds),
- And the modern business applications [2] they’ve created.
Passwords in use are often not strong enough, and the consumerization of IT has only increased
the scope of vulnerability.
Multi-factor authentication is becoming the new standard for securing access and how businesses ensure
trust in a multi-device, mobile, cloud world.
Note
Not only do the above organizations need multi-factor authentication for their employees, but many
of them are also increasingly building cloud-based applications for consumers and citizens that require multi-factor
authentication to ensure a high level of security. These B2C scenarios are growing rapidly and require easy end-user technology.
Furthermore, multi-factor authentication is no longer optional for many of the above organizations; many
are required by various governing or regulatory agencies to strongly authenticate access to sensitive data
and applications across a broad range of industries.
In such a landscape, phone-based authentication constitutes a very compelling technical approach for multi-factor
authentication as it provides enhanced security for businesses and consumers in a convenient form
factor that the user already has: their phone.
Azure Multi-Factor Authentication (Azure MFA) [3] addresses user demand for a simple sign-in process while
also helping address the organization's security and compliance standards. The service offers enhanced
protection from malware threats, and real-time alerts notify your IT department of potentially compromised
account credentials.
Azure MFA helps to deliver strong security via a range of easy authentication options. Thus, in addition to
entering a username and password during sign in, enabled users are also required to authenticate with a
mobile app on their mobile device or via an automated phone call or a text message, allowing these users
to choose the method that works best for them. Consequently, in order for an attacker to gain access to a
user’s account, they would need to know the user’s login credentials AND be in possession of the user’s
phone. Furthermore, support for these multiple methods covers more scenarios, such as
offline (no carrier) scenarios.
[1] Enabling Hybrid Cloud today with Microsoft Technologies: http://www.microsoft.com/en-us/download/details.aspx?id=39052
[2] Modern business applications: http://www.microsoft.com/en-us/server-cloud/cloud-os/modern-business-apps.aspx
[3] Azure Multi-Factor Authentication: http://azure.microsoft.com/en-us/services/multi-factor-authentication/
Azure MFA exists in different flavors:
- Azure MFA stand-alone.
- Included in Azure Active Directory (Azure AD) Premium.
- A subset of Azure MFA functionality included in Office 365 for both administrators and users.
- Free for Azure administrators.
Whilst Azure MFA is powered by a cloud service, the stand-alone version as well as the one included in
Azure AD Premium support on-premises, cloud, and hybrid scenarios. The following solutions are indeed
available for use with Azure MFA:
- Adding Multi-Factor Authentication to Azure AD. Azure MFA works with any applications that
use the Azure AD directory tenants. As such, Azure MFA can be rapidly enabled for Azure AD
identities to help secure access to:
  - The Azure management portal,
  - Microsoft Online Services like Office 365, Intune, and Dynamics CRM Online, etc.
  - Any custom LOB, third-party multitenant cloud-based, or modern business applications that
integrate with Azure AD for authentication,
  - As well as thousands of cloud SaaS applications like Box, GoToMeeting, Salesforce.com and
others, thanks to the application gallery of the Application Access Enhancements for Azure
AD [4] feature.
Users will be prompted to set up additional verification the next time they sign in.
Note
For more information, see the Microsoft TechNet article ADDING MULTI-FACTOR AUTHENTICATION TO AZURE
ACTIVE DIRECTORY [5].
The white-paper LEVERAGE MULTI-FACTOR AUTHENTICATION WITH AZURE AD [6] describes how to enable,
configure, and use Azure MFA with such cloud users in Azure AD for securing resource access in the
Cloud.
- Enabling Multi-Factor Authentication for on-premises applications and Windows Server. The
Multi-Factor Authentication Server works out-of-the-box with a wide range of on-premises
applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems
and much more. This includes:
  - Microsoft products and technologies like Microsoft VPN/RRAS, Remote Desktop Services
and Remote Desktop Gateway, Universal Access Gateway, SharePoint, Outlook Web Access,
etc.
  - As well as third-party VPNs and virtual desktop systems.
[4] Application access enhancements for Azure AD: http://technet.microsoft.com/en-us/library/dn308588.aspx
[5] ADDING MULTI-FACTOR AUTHENTICATION TO WINDOWS AZURE ACTIVE DIRECTORY: http://technet.microsoft.com/en-us/library/dn249466.aspx
[6] AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
The Multi-Factor Authentication Server allows the administrator to integrate with IIS authentication to
secure Microsoft IIS web applications, RADIUS authentication, LDAP authentication, and Windows
authentication.
The Multi-Factor Authentication Server can be run on-premises on your existing hardware (as a
virtual machine (VM) or not), or in the cloud, for instance as an Azure Virtual Machine. Multiple,
redundant servers can be configured for high availability and fail-over.
Note
For more information, see Microsoft TechNet article ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES
APPLICATIONS AND WINDOWS SERVER [7].
- Building Multi-Factor Authentication into custom applications. A Software Development Kit
(SDK) is available for use for direct integration with custom cloud-based and on-premises
applications. It enables building Multi-Factor Authentication phone call and text message verification
into the application’s sign-in or transaction processes and leveraging the application’s existing user
database.
Note
For more information, see Microsoft TechNet article BUILDING MULTI-FACTOR AUTHENTICATION INTO CUSTOM
APPS (SDK) [8].
Objectives of this paper
As an addition to the aforementioned white-paper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE
AD, and for an organization that is federated with Azure AD, this paper aims at describing how to use Multi-Factor
Authentication Server and how to configure it to secure cloud resources such as Office 365, so that
federated users will be prompted to set up additional verification the next time they sign in on-premises.
Such a scenario complements the directory synchronization with single sign-on (SSO) scenario, which
aims at providing users with the most seamless authentication experience as they access Microsoft cloud
services and/or other cloud-based applications while logged on to the corporate network.
Note
For more information, see Microsoft TechNet article DIRECTORY SYNC WITH SINGLE SIGN-ON SCENARIO [9].
This integration scenario implies configuring the Multi-Factor Authentication Server to work with Active
Directory Federation Services (AD FS) or other supported on-premises third-party security token services
(STS) so that Multi-Factor Authentication is triggered on-premises, or in an Infrastructure-as-a-Service (IaaS)
cloud environment such as Azure as per the OFFICE 365 ADAPTER: DEPLOYING OFFICE 365 SINGLE SIGN-ON USING
AZURE [10] whitepaper.
[7] ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES APPLICATIONS AND WINDOWS SERVER: http://technet.microsoft.com/en-us/library/dn249467.aspx
[8] BUILDING MULTI-FACTOR AUTHENTICATION INTO CUSTOM APPS (SDK): http://technet.microsoft.com/en-us/library/dn249464.aspx
[9] DIRECTORY SYNC WITH SINGLE SIGN-ON SCENARIO: http://technet.microsoft.com/en-us/library/dn441213.aspx
[10] OFFICE 365 ADAPTER: DEPLOYING OFFICE 365 SINGLE SIGN-ON USING AZURE: http://www.microsoft.com/en-us/download/details.aspx?id=38845
Note
Such an integration is natively supported by AD FS but differs in terms of integration path depending
on the version of AD FS. More specifically, for more information on using the Multi-Factor Authentication Server
with AD FS 2.x, see Microsoft TechNet article USING MULTI-FACTOR AUTHENTICATION WITH ACTIVE DIRECTORY FEDERATION
SERVICES [11]. For information on using Multi-Factor Authentication Server with AD FS in Windows Server 2012 R2, see
Microsoft TechNet article WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE
APPLICATIONS [12].
For the other supported on-premises third-party security token services (STS), the aforementioned SDK is available
for use with custom applications and directories.
Beyond this integration, this scenario additionally implies directory synchronization between the on-premises
identity infrastructure (based on Windows Server Active Directory (AD) or on other (LDAP-based)
directories) and the Multi-Factor Authentication Server to streamline user management and automated
provisioning.
This also requires deploying:
- The on-premises Multi-Factor Authentication Users portal, which allows users to enroll in Multi-Factor Authentication and maintain their accounts.
- And optionally the Multi-Factor Authentication Server mobile app web service, which is used in the
Multi-Factor Authentication mobile app activation process. The Multi-Factor Authentication App
offers an additional out-of-band authentication option.
With all of the above, the enrolled federated users can use their on-premises corporate credentials
(user name and password) and their existing phone for additional authentication to access Azure AD
and any cloud-based application that is integrated into Azure AD as well as their existing on-premises
resources.
Important note
With the Multi-Factor Authentication Server, only browser-based applications can be
secured. Rich clients won’t work with the Multi-Factor Authentication Server. The App Password feature that is
devoted to rich clients is indeed currently only provided through the Azure MFA service and is not available for
federated users. For more information on the App Password feature, see the aforementioned whitepaper LEVERAGE
AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD [13].
Built on existing Microsoft documentation and knowledge base articles, this document provides a complete
walkthrough to build a suitable test lab environment in Azure, and to test and evaluate the above scenario. It
provides additional guidance where relevant.
[11] USING MULTI-FACTOR AUTHENTICATION WITH ACTIVE DIRECTORY FEDERATION SERVICES: http://technet.microsoft.com/en-us/library/dn394281.aspx
[12] WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280946.aspx
[13] LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH WINDOWS AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
Note
For more information, see Microsoft TechNet article USING MULTI-FACTOR AUTHENTICATION WITH AZURE AD [14].
Non-objectives of this paper
This document doesn’t introduce Azure MFA. Such a presentation is provided in the aforementioned
whitepaper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD [15].
Nor does this document discuss how to configure Azure MFA for cloud identities in Azure AD to secure
cloud-based resources. This scenario is also covered in detail in the above whitepaper. This document
doesn’t describe either how to configure the advanced settings and reports of the service. All of these are
also covered in the above whitepaper. For more information, please refer to it.
As already mentioned, the Multi-Factor Authentication Server also works out-of-the-box with a wide range
of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on
systems and much more. Those scenarios are not discussed in this document.
Note
For more information, see Microsoft TechNet article ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES
APPLICATIONS AND WINDOWS SERVER [16].
Organization of this paper
To cover the aforementioned objectives, this document is organized in the following two sections:
- BUILDING A TEST LAB ENVIRONMENT.
- TESTING AND EVALUATING THE MULTI-FACTOR AUTHENTICATION SERVER.
These sections provide the details necessary to (hopefully) successfully build a working
environment for the Multi-Factor Authentication Server. They must be followed in order.
About the audience
This document is intended for system architects and IT professionals who are interested in understanding
how to enable and configure the Multi-Factor Authentication Server for Azure AD federated users to help
secure access to cloud resources such as Office 365.
[14] USING MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://technet.microsoft.com/en-us/library/jj713614.aspx
[15] LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
[16] ENABLING MULTI-FACTOR AUTHENTICATION FOR ON-PREMISES APPLICATIONS AND WINDOWS SERVER: http://technet.microsoft.com/en-us/library/dn249467.aspx
Building a test lab environment
As its title suggests, this section guides you through a set of instructions required to build a representative
test lab environment that will be used in the next section to configure, test, and evaluate multi-factor
authentication in AD FS in Windows Server 2012 R2.
Considering the involved services, products, and technologies that encompass such a cross-premises
configuration, the test configuration should feature:
- In the cloud, an Azure AD tenant, and cloud-based applications that leverage Azure AD for identity
management and access control,
- On-premises, Windows Server Active Directory, Active Directory Certificate Services (AD CS),
Active Directory Federation Services (AD FS), and Internet Information Services (IIS), to name a few,
and the related required configuration.
The following diagram provides an overview of the overall test lab environment with the software and service
components that need to be deployed / configured.
[Diagram: overview of the test lab environment. Components shown: the DC1, ADFS1 and EDGE1 virtual machines; Active Directory Domain Services (AD DS); Domain Name Services (DNS); Active Directory Certificates Services (AD CS); Active Directory Federation Services (AD FS); Azure Active Directory Connect Tool (Azure AD Connect); Multi-Factor Authentication Server; Multi-Factor Authentication SDK; Web Application Proxy (WAP); Multi-Factor Authentication Users portal; Multi-Factor Authentication Server mobile app web service; Internal Virtual Network Switch (Corpnet); External Virtual Network Switch (Internet); Windows Azure AD/Office 365 tenant.]
We have tried to streamline and ease as much as possible the way to build a suitable test lab environment,
and consequently to reduce the number of instructions that tell you what servers to create, how to configure the
operating systems and core platform services, and how to install and configure the required core services,
products and technologies, and, in the end, to reduce the overall effort needed for such an
environment.
We hope that the provided experience will enable you to see all of the components and the configuration
steps, both on-premises and in the cloud, that go into such a multi-product, multi-service solution.
Creating an Azure AD test tenant
The easiest way to provision both an Azure AD tenant and application workloads for the purpose of the test
lab is certainly to sign up for a Microsoft Office 365 Enterprise [17] tenant. Azure AD is indeed the
directory used to store user identities and other tenant properties by Office 365 (and other Microsoft services
such as Dynamics CRM Online, and Windows Intune).
[17] Office 365 Enterprise: http://office.microsoft.com/en-us/business/office-365-enterprise-e3-business-software-FX103030346.aspx
To sign up for a free 30-day Microsoft Office 365 Enterprise E3 trial, follow the instructions at
http://office.microsoft.com/en-us/business/redir/XT104175934.aspx.
Note
For more information, see the article SIGN IN TO OFFICE 365 [18].
For the course of this walkthrough, we’ve provisioned an Office 365 Enterprise (E3) tenant:
litware369.onmicrosoft.com. You will have to choose instead a tenant domain name of your choice
that is not currently in use. Whenever a reference to litware369.onmicrosoft.com is made
in a procedure, it has to be replaced by the tenant domain name of your choice to reflect accordingly
the change in naming.
Building the on-premises test lab environment
A challenge in creating a useful on-premises test lab environment is to enable its reusability and
extensibility. Because creating a test lab can represent a significant investment of time and resources, your
ability to reuse and extend the work required to create the test lab is important. An ideal test lab environment
would enable you to create a basic lab configuration, save that configuration, and then build out multiple
test lab scenarios in the future by starting with the base configuration.
Moreover, another challenge people usually face relates to the hardware configuration needed to
run such a base configuration that involves several (virtual) machines.
For these reasons and considering the above objectives, this document will leverage the Microsoft Azure
environment along with the Azure PowerShell cmdlets to build the on-premises test lab environment to test
and evaluate Multi-Factor Authentication Server.
Adding an Azure trial to the Office 365 account
Once you have signed up [19] and established your organization with an account in Office 365 Enterprise E3,
you can then add an Azure trial subscription to your Office 365 account. This can be achieved by accessing
the Azure Sign Up page at https://account.windowsazure.com/SignUp with your Office 365 global
administrator account. You need to select Sign in with your organizational account for that purpose.
Note
You can log into the Office 365 administrator portal and go to the Azure Signup page, or go directly
to the signup page, select sign in with an organizational account and log in with your Office 365 global administrator
credentials. Once you have completed your trial tenant signup you will be redirected to the Azure account portal [20]
and can proceed to the Azure management portal by clicking Portal at the top right corner of your screen.
[18] SIGN IN TO OFFICE 365: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637600.aspx
[19] Office 365 Enterprise E3 Trial: http://office.microsoft.com/en-us/business/redir/XT104175934.aspx
[20] Azure account portal: https://account.windowsazure.com/Subscriptions
Note
This enables you to empower [21] your Office 365 subscription with the access management and security
features that Azure AD offers. While there are and will be ongoing investments in the Office 365 management
portal [22], rich identity and access management capabilities are and will be exposed first through the Active Directory
section in the Azure management portal [23]. For example, the Application Access Enhancements for Azure AD [24],
which provide streamlined access to thousands [25] of pre-integrated cloud SaaS applications like Box,
GoToMeeting, Salesforce.com and others (and even more in the coming months), can today only be managed
by accessing the directory through the Azure management portal.
At this stage, you should have an Office 365 Enterprise E3 trial subscription with an Azure trial
subscription.
Setting up the Azure-based lab environment
The whitepaper AZURE AD/OFFICE 365 SINGLE SIGN-ON WITH AD FS IN WINDOWS SERVER 2012 R2 - PART
2BIS [26] fully depicts the setup of such an environment.
In order not to “reinvent the wheel”, this document leverages the instrumented end-to-end
walkthrough provided in the above whitepaper to roll out a working single sign-on configuration for
Azure AD/Office 365 with AD FS by featuring the now available Azure Active Directory Connect
(Azure AD Connect) [27] tool.
Note
Azure AD Connect provides a single and unified wizard that streamlines the overall onboarding
process for directory synchronization (single or multiple directories), password sync and/or single sign-on, and that
automatically performs the following steps: download and setup of all the prerequisites, download, setup and
guided configuration of the synchronization, activation of the sync in the Azure AD tenant, setup, and/or
configuration of AD FS (AD FS being the preferred STS), etc. Azure AD Connect is the one stop shop for
connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production.
For additional information, see the blog post AZURE AD CONNECT & CONNECT HEALTH IS NOW GA! [28], and the Microsoft
articles INTEGRATING YOUR ON-PREMISES IDENTITIES WITH AZURE ACTIVE DIRECTORY [29] and AZURE ACTIVE DIRECTORY CONNECT [30].
[21] USING YOUR OFFICE 365 AZURE AD TENANT WITH APPLICATION ACCESS ENHANCEMENTS FOR WINDOWS AZURE AD: http://blogs.technet.com/b/ad/archive/2013/09/10/empower-your-office-365-subscription-identity-management-with-application-access-enhancements-for-windows-azure-ad.aspx
[22] Office 365 management portal: https://portal.microsoftonline.com
[23] Azure management portal: https://manage.windowsazure.com
[24] APPLICATION ACCESS ENHANCEMENTS FOR AZURE AD: http://technet.microsoft.com/en-us/library/dn308588.aspx
[25] WINDOWS AZURE ACTIVE DIRECTORY APPLICATIONS: http://azure.microsoft.com/en-us/marketplace/active-directory/
[26] AZURE AD/OFFICE 365 SINGLE SIGN-ON WITH AD FS IN WINDOWS SERVER 2012 R2 – PART 2: http://www.microsoft.com/en-us/download/details.aspx?id=36391
[27] Azure Active Directory Connect: http://www.microsoft.com/en-us/download/details.aspx?id=47594
[28] AZURE AD CONNECT & CONNECT HEALTH IS NOW GA!: http://blogs.technet.com/b/ad/archive/2015/06/24/azure-ad-connect-amp-connect-health-is-now-ga.aspx
[29] INTEGRATING YOUR ON-PREMISES IDENTITIES WITH AZURE ACTIVE DIRECTORY: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
[30] AZURE ACTIVE DIRECTORY CONNECT: https://msdn.microsoft.com/en-us/library/azure/dn832695.aspx
Note
With the central use of the Azure AD Connect tool, this walkthrough should be considered more up-to-date
than the one initially released via the first version of the second part entitled AZURE
AD/OFFICE 365 SINGLE SIGN-ON WITH AD FS IN WINDOWS SERVER 2012 R2 – PART 2 [31], and should thus be preferred over
it unless you have specific reasons to deal with the former DirSync tool and the manual configuration of the AD FS
farm.
By following the instructions outlined in this whitepaper along with the provided Azure/Windows PowerShell
scripts, you should be able to successfully prepare your Azure-based lab environment based on virtual
machines (VMs) running in Azure, to later deploy and configure the Multi-Factor Authentication Server
environment, install and configure it with Active Directory Federation Services (AD FS) in Windows Server
2012 R2, etc., and start evaluating/using it.
Important note
Individual virtual machines (VMs) are needed to separate the services provided on the
network and to clearly show the desired functionality. This being said, the suggested configuration to later evaluate
the Multi-Factor Authentication Server is neither designed to reflect best practices nor does it reflect a desired or
recommended configuration for a production network. The configuration, including IP addresses and all other
configuration parameters, is designed only to work on a separate test lab networking environment.
Any modifications that you make to the configuration details provided in the rest of this document may affect or
limit your chances of successfully setting up the on-premises collaboration environment that will serve as the basis
for the integration with the Azure MFA service in the Cloud.
Microsoft has successfully built the suggested environment with Azure IaaS, and Windows Server 2012 R2 virtual
machines.
Once you have completed the aforementioned whitepaper’s walkthrough, you’ll have in place an environment
with a federated domain in the Azure AD tenant (e.g. litware369.onmicrosoft.com); the whitepaper
has opted to configure the domain litware369.com (LITWARE369). You will have to choose instead
a domain name of your choice whose DNS domain name is not currently in use on the Internet. For
checking purposes, you can for instance use the domain search capability provided by several popular
domain name registrars.
Whenever a reference to litware369.com is made in a procedure later in this document, it has to be
replaced by the DNS domain name of your choice to reflect accordingly the change in naming.
Likewise, any reference to LITWARE369 should be substituted by the NETBIOS domain name of your
choice.
The Azure-based test lab infrastructure consists of the following components:
- One computer running Windows Server 2012 R2 (named DC1 by default) that is configured as a
domain controller with test user and group accounts, and as a Domain Name System (DNS) server.
- One intranet member server running Windows Server 2012 R2 (named ADFS1 by default) that is
configured as an enterprise root certification authority (PKI server), and as an AD FS federation server.
- One Internet-facing member server running Windows Server 2012 R2 (named EDGE1 by default)
that is configured as a Web Application Proxy (WAP) server for the intranet ADFS1 federation server.
[31] AZURE AD/OFFICE 365 SINGLE SIGN-ON WITH AD FS IN WINDOWS SERVER 2012 R2 – PART 1: http://www.microsoft.com/en-us/download/details.aspx?id=36391
Note
Windows Server 2012 R2 offers businesses and hosting providers a scalable, dynamic, and
multitenant-aware infrastructure that is optimized for the cloud. For more information, see the Microsoft TechNet
Windows Server 2012 R2 homepage [32].
The above VMs expose one public endpoint for remote desktop (RDP) and another one for remote Windows
PowerShell (WinRMHTTPS) as illustrated hereafter.
The EDGE1 VM exposes in addition a public endpoint for HTTPS (HttpsIn).
These VMs will enable you to create snapshots so that you can easily return to a desired configuration for
further learning and experimentation.
The integrated test lab consists of:
- A first subnet (10.0.1.0/24) that will expose the test lab resources that require Internet
connectivity/endpoint(s). It is separated from a second subnet that hosts the corporate intranet
resources. The computer on this subnet is EDGE1.
- A second subnet (10.0.2.0/24) that simulates a private intranet. Computers on the Subnet2 subnet
are DC1 and ADFS1.
For the sake of simplicity, the same password “pass@word1” is used throughout the configuration. This is
neither mandatory nor recommended in a real world scenario.
To perform all the tasks in this guide, we will use the LITWARE369 domain Administrator account
AzureAdmin for each Windows Server 2012 R2 VM, unless instructed otherwise.
The base configuration should now be completed at this stage if you’ve followed the whitepaper’s
walkthrough.
32
WINDOWS SERVER 2012 R2: http://technet.microsoft.com/en-US/windowsserver/hh534429
To avoid spending your credit while you are not working on the test lab, you can shut down the 3 VMs (DC1, ADFS1, and EDGE1).
To shut down the VMs of the test lab environment, proceed with the following steps:
1. From within the Azure management portal, select VIRTUAL MACHINES on the left pane.
2. Under VIRTUAL MACHINE INSTANCES, select edge1 and then click SHUTDOWN in the tray at the bottom.
3. Repeat step 2 with adfs1, and then dc1.
4. Once all the allocated resources are deallocated, the status of the VMs changes to Stopped (Deallocated).
To resume working on the test lab, you then need to start DC1 first, then ADFS1, and finally EDGE1.
To start the VMs of the test lab environment, proceed with the following steps:
1. From within the Azure management portal, select VIRTUAL MACHINES on the left pane.
2. Under VIRTUAL MACHINE INSTANCES, select dc1 and then click START in the tray at the bottom.
3. Click dc1, and then select DASHBOARD.
4. Verify under quick glance that the INTERNAL IP ADDRESS is set to 10.0.2.4 in our configuration.
5. Select adfs1 on the left and then click START in the tray at the bottom.
6. Repeat step 5 with edge1.
You are now in a position to install and configure the Multi-Factor Authentication Server environment on your on-premises test lab environment.
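The same shutdown and start sequence can be scripted so that the dependency order (DC1 up before ADFS1, ADFS1 before EDGE1, and the reverse on shutdown) is never skipped. The following is an added example, not part of the whitepaper; it uses the classic Azure PowerShell module cmdlets (Get-AzureVM, Stop-AzureVM, Start-AzureVM) and assumes the three VMs live in one cloud service whose name is a placeholder you must replace, and that Add-AzureAccount has already been run in the session.

```powershell
# Added example, not part of the whitepaper: stop or start the three test lab VMs in the
# dependency order given above (DC1 first on start, EDGE1 first on shutdown) and wait for
# each one to settle before moving on. Uses the classic Azure PowerShell module.
Import-Module Azure
# Add-AzureAccount must have been run once in this session.

$serviceName = "<your-cloud-service>"                  # placeholder: cloud service hosting the VMs
$startOrder  = @("dc1", "adfs1", "edge1")               # domain controller, then AD FS, then the WAP edge
$stopOrder   = $startOrder[-1..-($startOrder.Count)]    # reverse of the start order

function Wait-LabVmStatus {
    param([string]$Name, [string[]]$Expected, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $vm = Get-AzureVM -ServiceName $serviceName -Name $Name
        if ($Expected -contains $vm.InstanceStatus) { return $vm.InstanceStatus }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for $Name (last status: $($vm.InstanceStatus))"
}

function Set-LabPower {
    param([Parameter(Mandatory)][ValidateSet("Stop", "Start")][string]$Action)
    if ($Action -eq "Stop") {
        foreach ($name in $stopOrder) {
            # -Force skips the confirmation shown when the last VM of a cloud service is deallocated
            Stop-AzureVM -ServiceName $serviceName -Name $name -Force | Out-Null
            Write-Host "$name -> $(Wait-LabVmStatus -Name $name -Expected 'StoppedDeallocated')"
        }
    } else {
        foreach ($name in $startOrder) {
            Start-AzureVM -ServiceName $serviceName -Name $name | Out-Null
            # ReadyRole means the guest agent reports the VM as up; AD DS or AD FS services
            # inside the guest may still be starting, so allow a moment before depending on them.
            Write-Host "$name -> $(Wait-LabVmStatus -Name $name -Expected 'ReadyRole')"
        }
    }
}

Set-LabPower -Action Stop     # release the compute hours when you stop working on the lab
# Set-LabPower -Action Start  # bring the lab back in dependency order
```

Waiting on InstanceStatus rather than just issuing the three commands is what enforces the order the text asks for: ADFS1 is not started until DC1 reports ReadyRole, and EDGE1 not until ADFS1 does.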
Testing and evaluating the Multi-Factor
Authentication Server
This walkthrough provides instructions for configuring multi-factor authentication in AD FS in Windows Server 2012 R2. It is based on the “on-premises” test lab environment deployed in Azure as per the previous section.
Note
For the purpose of this document, we leverage the existing walkthrough WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS33, adapt it to the Office 365 context in lieu of the sample application ClaimApp, and extend it to illustrate the deployment of additional Azure MFA components, namely the Users portal, the SDK, and the Mobile Application web service. For more information, see the Microsoft TechNet article OVERVIEW: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS34.
It consists of the following seven steps that must be followed in order:
1. Creating a Multi-Factor Authentication Provider via the Azure Portal.
2. Downloading the Multi-Factor Authentication Server.
3. Installing the Multi-Factor Authentication Server on the federation server.
4. Configuring multi-factor authentication on the federation server.
5. Installing the Multi-Factor Authentication SDK (optional).
6. Deploying the Multi-Factor Authentication User portal (optional).
7. Deploying the Multi-Factor Authentication Server Mobile App Web service (optional).
The following subsections describe each of these steps in the context of our test lab environment.
Creating a Multi-Factor Authentication Provider via the Azure Portal
To create a Multi-Factor Authentication Provider via the Azure management portal, proceed with the following steps:
1. Open a browsing session from your local machine and navigate to the Azure management portal at https://manage.windowsazure.com.
2. Sign in with your administrative credentials.
33
WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280946.aspx
34
OVERVIEW: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280949.aspx
3. On the left pane of the Azure management portal, click ACTIVE DIRECTORY.
4. On the active directory page, at the top, click MULTI-FACTOR AUTH PROVIDERS.
5. Click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER or click NEW in the tray at the bottom, and then select APP SERVICES, ACTIVE DIRECTORY, MULTI-FACTOR AUTH PROVIDER, and then QUICK CREATE.
6. Fill in the following fields and click CREATE.
a. Name. The name of the Multi-Factor Auth Provider, for example “Litware369 Auth”.
b. Usage Model. The usage model of the Multi-Factor Authentication Provider.
Note
- Per Authentication. This purchasing model charges per authentication, and is typically used for scenarios that use Azure MFA in a consumer-facing application.
- Per Enabled User. This purchasing model charges per enabled user, and is typically used for employee-facing scenarios.
For more information on usage models, see MULTI-FACTOR AUTHENTICATION PRICING DETAILS35.
c. Directory. The Azure AD tenant that the Multi-Factor Authentication Provider is associated with. This is optional, as the provider does not have to be linked to Azure AD when securing on-premises resources. Ensure Do not link a directory is selected.
35
MULTI-FACTOR AUTHENTICATION PRICING DETAILS: http://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/
7. Once you click CREATE, the Multi-Factor Authentication Provider is created and you should see a message stating: “Successfully created Multi-Factor Authentication Provider”. Click OK.
Note
For more information, see the Microsoft TechNet article ADMINISTERING AZURE MULTI-FACTOR AUTHENTICATION PROVIDERS36.
Next, you must download the Multi-Factor Authentication Server. You can do this by launching the Multi-Factor Authentication portal through the Azure management portal.
Downloading the Multi-Factor Authentication Server
All the instructions below should be done on the ADFS1 computer.
To download the Multi-Factor Authentication Server, proceed with the following steps:
1. Open a remote desktop connection as LITWARE369\AzureAdmin on the ADFS1 computer.
2. Open a browsing session and navigate to the Azure management portal at https://manage.windowsazure.com.
3. Sign in with your administrative credentials.
4. On the left pane of the Azure management portal, click ACTIVE DIRECTORY.
5. On the active directory page, at the top, click MULTI-FACTOR AUTH PROVIDERS.
6. Click on the Multi-Factor Authentication Provider you’ve just created in the section above. Then click MANAGE in the tray at the bottom. This launches the Azure Multi-Factor Authentication portal.
7. Click DOWNLOADS. You navigate to a Downloads Server page.
8. Click Download to download the setup file (MultiFactorAuthenticationServerSetup.exe) for Multi-Factor Authentication Server.
9. Click Save to save the setup file.
36
ADMINISTERING AZURE MULTI-FACTOR AUTHENTICATION PROVIDERS: http://technet.microsoft.com/en-us/library/dn376346.aspx
Note
For more information, see the Microsoft TechNet article NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER37.
You are now ready to install on the ADFS1 computer the above setup file for the Multi-Factor Authentication Server.
Installing the Multi-Factor Authentication Server on the
federation server
All the instructions below should be done on the ADFS1 computer.
To install the Multi-Factor Authentication Server on the ADFS1 computer, which is the federation server in our test lab, proceed with the following steps:
1. Whilst still being remotely logged on the ADFS1 computer as LITWARE369\AzureAdmin, double-click the downloaded setup file (MultiFactorAuthenticationServerSetup.exe) to begin the installation. The Multi-Factor Authentication Server setup wizard comes up.
2. Ensure that the destination folder is correct and click Next.
3. Once the installation is complete, click Finish. As indicated, this launches the Multi-Factor Authentication Server Authentication Configuration wizard to configure it. This is the topic of the next section.
Note
For more information, see the Microsoft TechNet article NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER38.
You are now ready to configure the Multi-Factor Authentication Server Agent as an additional authentication method in AD FS in Windows Server 2012 R2 for the course of this walkthrough.
37
NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER: http://technet.microsoft.com/en-us/library/dn394280.aspx
38
NEW INSTALLATION OF AZURE MULTI-FACTOR AUTHENTICATION SERVER: http://technet.microsoft.com/en-us/library/dn394280.aspx
Configuring multi-factor authentication on the federation server
The configuration of multi-factor authentication in AD FS in Windows Server 2012 R2 consists of two parts as follows:
1. Configuring Azure MFA as an additional authentication method.
2. Setting up the multi-factor authentication policy.
Unless noted otherwise, all the instructions below should be done on the ADFS1 computer.
Configuring Azure Multi-Factor Authentication as an additional authentication method
To configure Azure MFA as an additional authentication method on the ADFS1 computer, proceed with the following steps:
1. The completion of the installation of the Multi-Factor Authentication Server launches the Multi-Factor Authentication Server Authentication Configuration wizard.
2. On the Welcome page, check Skip using the Authentication Configuration Wizard, and click Next. This closes the wizard as expected and the Multi-Factor Authentication Server user interface (MultiFactorAuthUI) comes up.
3. To activate the Multi-Factor Authentication Server, go back to the Downloads Server page in the Multi-Factor Authentication management portal where you’ve downloaded the setup file for the Multi-Factor Authentication Server and click Generate Activation Credentials. Credentials valid for 10 minutes are then displayed underneath.
4. Back in the Multi-Factor Authentication Server user interface, enter the credentials that were generated and click Activate. A Join Group dialog appears.
5. Click OK. Next, the Multi-Factor Authentication Server user interface prompts you to run the Multi-Server Configuration Wizard.
6. Select No.
Important note
You can skip completing the Multi-Server Configuration Wizard given the lab environment with only one federation server (e.g. adfs1.litware369.com) that is used to complete this walkthrough. However, if your environment contains (a farm of) several federation servers, you must install the Multi-Factor Authentication Server and complete the Multi-Server Configuration Wizard on each federation server in order to enable replication between the Multi-Factor Authentication servers running on your federation servers.
7. In the Multi-Factor Authentication Server user interface, select Company Settings and set your options; most of these you will leave at the default.
You can see in User defaults the support for a variety of options like phone call, one-way text message with One Time Passwords (OTPs), two-way text messaging, mobile app, third-party OATH token, etc.
8. Now select Users on the left pane.
9. Click Import from Active Directory. An Import from Active Directory window comes up.
10. Expand litware369.com, and then select Users underneath.
11. Select the Robert Hatley test account to provision it in Azure MFA, and then click Import. An Import from Active Directory dialog comes up.
12. Click OK, and then click Close.
13. Back in the Users list, select the Robert Hatley test account, and click Edit. An Edit User window comes up.
14. Select the appropriate country code in Country Code and provide a cell phone number for this account in Phone, make sure Enabled is checked, click Apply, and then Close.
15. Back in the Users list, select the Robert Hatley test account, and click Test. A Test User dialog comes up.
16. Provide the credentials (e.g. “pass@word1”) for the Robert Hatley test account and click Test. When the cell phone rings, press “#” to complete the account verification. An information dialog confirms the successful authentication.
17. Click OK and click Close.
18. Back in the Multi-Factor Authentication Server user interface, select the AD FS icon.
19. Make sure that Allow user enrollment, Allow users to select method (including Phone call, Text message, and Mobile app), Use security questions for fallback and Enable logging are checked, and click Install AD FS Adapter. An Install ADFS Adapter installation wizard comes up.
20. In the Active Directory page, click Next.
21. In the Launch installer page, click Next. A Multi-Factor Authentication ADFS Adapter installation wizard comes up.
22. Click Next.
23. In the Installation Complete page, click Close.
Note
The Multi-Factor Authentication AD FS Adapter installation wizard creates a security group called
PhoneFactor Admins in litware369.com AD and then adds the AD FS service account of your federation service to
this group.
It is recommended that you verify on your domain controller that the PhoneFactor Admins group is indeed
created and that the AD FS service account is a member of this group. If necessary, add the AD FS service account
to the PhoneFactor Admins group on your domain controller manually. For additional details on installing the AD
FS Adapter, click the Help link in the top right corner of the Multi-Factor Authentication Server.
24. To register the adapter in the federation service on the ADFS1 computer, open a Windows PowerShell command prompt, and run the following commands:
PS C:\Users\AzureAdmin.LITWARE369> cd "C:\Program Files\Multi-Factor Authentication Server"
PS C:\Program Files\Multi-Factor Authentication Server> .\Register-MultiFactorAuthenticationAdfsAdapter.ps1
WARNING: PS0114: The authentication provider was successfully registered with the policy store. To enable this provider, you must restart the AD FS Windows Service on each server in the farm.
PS C:\Program Files\Multi-Factor Authentication Server>
The adapter is now registered as WindowsAzureMultiFactorAuthentication (see below). As indicated, you must restart the Active Directory Federation Services service (adfssrv) for the registration to take effect.
25. Run the following command to restart the service:
PS C:\Program Files\Multi-Factor Authentication Server> Restart-Service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
PS C:\Program Files\Multi-Factor Authentication Server>
26. Close the Windows PowerShell command prompt and launch the AD FS Management console from the Tools menu of the Server Manager to finally configure Azure MFA as the additional authentication method.
27. Navigate to the Authentication Policies node, and scroll down in the middle pane to the Multi-factor Authentication section.
28. Click Edit next to the Global Settings sub-section. An Edit Global Authentication Policy window comes up.
29. Select WindowsAzureMultiFactorAuthentication as an additional authentication method, and then click OK.
Note
You can customize the name and description of the Azure MFA method, as well as any configured third-party authentication method, as it appears in your AD FS UI, by running the Set-AdfsAuthenticationProviderWebContent cmdlet. For more information, see the Microsoft TechNet article SET-ADFSAUTHENTICATIONPROVIDERWEBCONTENT39.
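Steps 24 to 29 and the note above can be checked and completed from PowerShell on the federation server, which is also the only practical way to do it consistently on every node of a farm. The following is an added example, not code from the whitepaper or from the Azure MFA product; it assumes an elevated session on ADFS1 with the ADFS module available, and the display name and description strings are illustrative.

```powershell
# Added example, not part of the whitepaper: verify that the Azure MFA adapter is registered,
# enable it as the global additional authentication method (the PowerShell equivalent of
# step 29), and give it a friendly name on the sign-in page.
Import-Module ADFS

$providerName = "WindowsAzureMultiFactorAuthentication"   # name under which the adapter registers

# 1. The adapter must be in the policy store, and adfssrv restarted, before it can be selected.
$provider = Get-AdfsAuthenticationProvider -Name $providerName -ErrorAction SilentlyContinue
if (-not $provider) {
    throw "Adapter '$providerName' is not registered; run Register-MultiFactorAuthenticationAdfsAdapter.ps1 and restart adfssrv first."
}

# 2. Add it to the global additional authentication providers without dropping any other
#    method that is already configured (the cmdlet replaces the whole list).
$current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($current -notcontains $providerName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $providerName)
}

# 3. Customise how the method is labelled in the AD FS UI (strings are illustrative).
Set-AdfsAuthenticationProviderWebContent -Name $providerName `
    -DisplayName "Azure Multi-Factor Authentication" `
    -Description "A phone call, text message or mobile app notification will verify your identity."

# 4. Read back so the result can be checked in the same session; the provider name should be listed.
function Get-EnabledAdditionalProviders {
    return @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
}
Get-EnabledAdditionalProviders
```

Preserving the existing AdditionalAuthenticationProvider list in step 2 matters: Set-AdfsGlobalAuthenticationPolicy overwrites the list, so passing only the new name would silently disable any other additional method already in use.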
Setting up the multi-factor authentication policy
To set up the multi-factor authentication policy, proceed with the following steps:
1. Open an elevated Windows PowerShell command prompt and run the following command to retrieve the Office 365 relying party:
PS C:\Users\AzureAdmin.LITWARE369> $rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
PS C:\Users\AzureAdmin.LITWARE369>
2. Run the following command to specify the claim rule:
PS C:\Users\AzureAdmin.LITWARE369> $groupMfaClaimTriggerRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-2309203066-2729394637-456832893-3109$"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
PS C:\Users\AzureAdmin.LITWARE369>
39
SET-ADFSAUTHENTICATIONPROVIDERWEBCONTENT: http://technet.microsoft.com/en-us/library/dn479401.aspx
3. Run the following command to set the claim rule on the Office 365 relying party:
PS C:\Users\AzureAdmin.LITWARE369> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $groupMfaClaimTriggerRule
PS C:\Users\AzureAdmin.LITWARE369>
Note
Make sure to replace S-1-5-21-2309203066-2729394637-456832893-3109 with the value of the SID of your AD group Finance.
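A hand-copied SID is the fragile part of the three steps above: one wrong digit and the rule matches nobody, so the group silently never gets prompted for MFA. The following added example (not from the whitepaper) resolves the SID from the group name, builds the same rule, applies it to the Office 365 relying party and reads it back. It assumes the ActiveDirectory and ADFS modules on ADFS1; the group name Finance and the relying party display name are the ones the walkthrough uses.

```powershell
# Added example, not part of the whitepaper: build the group-triggered MFA rule from the
# group name instead of a pasted SID, apply it and verify it was stored.
Import-Module ActiveDirectory
Import-Module ADFS

$groupName = "Finance"
$rpName    = "Microsoft Office 365 Identity Platform"

# Resolve and sanity-check the SID; a domain group SID always has the S-1-5-21-... shape.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
if ($groupSid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') {
    throw "Unexpected SID format for group '$groupName': $groupSid"
}

# Same rule shape as the whitepaper: a groupsid claim equal to the SID issues the
# multipleauthn authenticationmethod claim, which makes AD FS require additional
# authentication for that user. The backtick keeps the regex anchor '$' literal.
$groupMfaClaimTriggerRule = @"
@RuleName = "Require MFA for members of $groupName"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party '$rpName' not found on this federation server" }

# Note: this replaces any additional authentication rules already set on the trust.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $groupMfaClaimTriggerRule

# Read back from the configuration store and confirm the resolved SID is in the stored rule.
function Get-AppliedMfaRule {
    return (Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
}
$applied = Get-AppliedMfaRule
if ($applied -notmatch [regex]::Escape($groupSid)) { throw "MFA trigger rule was not applied" }
$applied
```

The rule language is identical to the walkthrough's; only the SID is computed rather than typed. As noted in the comment, Set-AdfsRelyingPartyTrust replaces the whole AdditionalAuthenticationRules set for the trust, so an existing rule set should be read and merged first if one is already in place.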
Setting the MFA Default (Optional)
The default multi-factor authentication behavior for federated Azure AD/Office 365 tenants has recently been set to occur in the cloud, where in the past it was set to occur on-premises. Operations has backfilled to ensure that customers who were using multi-factor authentication on-premises will continue to use their on-premises MFA Server.
You can affect this behavior by downloading the latest version of the Azure Active Directory Module for Windows PowerShell (64-bit version)40 and running the commands below.
Note
The Azure AD Module is regularly updated with new features and functionality. The above link should always point to the most current version of the module. For more information, see the Microsoft Wiki article MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY41.
To perform multi-factor authentication on-premises for litware369.com, run the following command:
PS C:\Users\AzureAdmin.LITWARE369> Set-MsolDomainFederationSettings -DomainName litware369.com -SupportsMFA $true
Where SupportsMFA set to true means that Azure AD will redirect the user to AD FS for multi-factor authentication if multi-factor authentication is required and a claim of type “http://schemas.microsoft.com/claims/authnmethodsreferences” with the value “http://schemas.microsoft.com/claims/multipleauthn”, the so-called MFA claim, is missing.
40
Azure Active Directory Module for Windows PowerShell (64-bit version): http://go.microsoft.com/fwlink/p/?linkid=236297
41
MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY: http://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx
To perform multi-factor authentication in the cloud for litware369.com, run the following command:
PS C:\Users\AzureAdmin.LITWARE369> Set-MsolDomainFederationSettings -DomainName litware369.com -SupportsMFA $false
Where SupportsMFA set to false means that Azure AD does multi-factor authentication natively (again assuming multi-factor authentication is required and the MFA claim is missing). If the flag is not set, it is assumed to be false.
Users won't be double MFA'd. If multi-factor authentication was already done at AD FS as part of login, the MFA claim will be present and Azure AD won't ask for multi-factor authentication again.
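Because an unset flag behaves as false, it is worth reading the current value before and after changing it rather than assuming the tenant default. The following added example (not from the whitepaper) wraps the two Set-MsolDomainFederationSettings calls above in a check-then-set function; it assumes the Azure Active Directory Module for Windows PowerShell (MSOnline) is installed and that Connect-MsolService is run with a tenant administrator account.

```powershell
# Added example, not part of the whitepaper: inspect SupportsMFA for the federated domain,
# change it only when needed, and confirm the stored value afterwards.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator credentials

function Set-DomainMfaLocation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][ValidateSet("OnPremises", "Cloud")][string]$Location
    )
    # $true: Azure AD redirects to AD FS for MFA when the MFA claim is missing;
    # $false: Azure AD performs MFA itself.
    $wanted  = ($Location -eq "OnPremises")
    $current = (Get-MsolDomainFederationSettings -DomainName $DomainName).SupportsMFA
    # An unset flag comes back empty and behaves as $false, as the text above explains.
    if ($null -eq $current) { $current = $false }

    if ($current -eq $wanted) {
        return "SupportsMFA for $DomainName is already $wanted; nothing to do."
    }
    Set-MsolDomainFederationSettings -DomainName $DomainName -SupportsMFA $wanted
    $after = (Get-MsolDomainFederationSettings -DomainName $DomainName).SupportsMFA
    if ($after -ne $wanted) { throw "SupportsMFA for $DomainName reads $after, expected $wanted" }
    return "SupportsMFA for $DomainName changed from $current to $after."
}

# On-premises MFA through the MFA Server on ADFS1, as in the walkthrough:
Set-DomainMfaLocation -DomainName "litware369.com" -Location OnPremises
```

Switching to -Location Cloud is the second command of the section; in either case the function reports the before and after values so a change of tenant default, such as the one described above, is visible rather than silent.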
Verifying the multi-factor authentication mechanism
To verify the multi-factor authentication policy, proceed with the following steps:
1. Close the current remote desktop connection, if any, on the Internet-facing EDGE1 computer and open a new one as LITWARE369\RobertH with “pass@word1” as password.
2. Open a browsing session and add https://adfs.litware369.com to the Local Intranet zone as previously done with Janet Schorr when testing the single sign-on with Office 365.
3. Navigate to the Microsoft Online Portal at https://portal.microsoftonline.com.
4. Log on with the Robert Hatley test account credentials:
Username: roberth@litware369.com
You should be automatically redirected to the ADFS1 computer. At this point, after a successful seamless authentication with your local user credentials (thanks to Windows Integrated Authentication), you are prompted to undergo additional authentication because of the previously configured multi-factor authentication policy.
The default message text is For security reasons, we require additional information to verify your account. However, this text is fully customizable.
Note
For more information about how to customize the sign-in experience, see the Microsoft TechNet article CUSTOMIZING THE AD FS SIGN-IN PAGES42.
Note
The text also states that A call will be placed to your phone to complete your authentication. For more information about signing in with Azure MFA and using various options for the preferred method of verification, see AZURE MULTI-FACTOR AUTHENTICATION OVERVIEW43.
5. Click Continue. When the cell phone rings, press “#” to complete the account verification.
6. Since we’ve previously set Use security questions for fallback when installing the AD FS adapter, and because this is the first time you log on after we set the multi-factor authentication policy, you’re now invited to set four questions and provide an answer for each of them.
42
CUSTOMIZING THE AD FS SIGN-IN PAGES: http://technet.microsoft.com/en-us/library/dn280950.aspx
43
AZURE MULTI-FACTOR AUTHENTICATION OVERVIEW: http://technet.microsoft.com/en-us/library/dn249479.aspx
7. Set your questions, type an answer, and then click Continue when ready.
8. You are then redirected back to the portal after a successful authentication with both your local user credentials (thanks to Windows Integrated Authentication) and the multi-factor authentication.
At the end of the process, you should have seamless access to the signed-in user settings in Office 365. This is expected for the test user, as in fact you have not assigned a license to the test user.
At this stage, you have successfully deployed the Multi-Factor Authentication Server in your environment.
You can optionally deploy the Multi-Factor Authentication User portal and the Multi-Factor Authentication Server Mobile App Web service.
The Multi-Factor Authentication User portal is an Internet Information Services (IIS) web site which allows on-premises users to enroll in Azure MFA and maintain their on-premises accounts. A user may change their phone number, change their PIN, or bypass Azure MFA during their next sign on.
Users log in to the Multi-Factor Authentication User portal using their normal on-premises username and password and either complete an Azure MFA call or answer security questions to complete the authentication. If user enrollment is allowed, a user configures their phone number and PIN the first time they log in to the Multi-Factor Authentication User portal.
Corporate administrators may be set up and granted permission to add new users and update existing users.
The Multi-Factor Authentication Server Mobile App Web service enables users to install the Multi-Factor Authentication Server Mobile App on their smartphone from the Multi-Factor Authentication User portal.
In our configuration, this requires first installing the Multi-Factor Authentication SDK.
Installing the Multi-Factor Authentication SDK (optional)
All the instructions should be done on the ADFS1 computer.
To install the Multi-Factor Authentication SDK, proceed with the following steps:
1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.
2. Open the Multi-Factor Authentication Server.
3. Click the Web Service SDK icon.
4. Click Install Web Service SDK. An Install Web Service SDK installation wizard comes up. Follow the instructions presented.
Note
Instead of steps 2 to 4, you can navigate to the folder where the Multi-Factor Authentication Server is installed (e.g. C:\Program Files\Windows Azure Multi-Factor Authentication) and double-click the MultiFactorAuthenticationWebServiceSdkSetup64.msi installation file (64-bit version).
5. Click Next.
6. ASP.NET 3.5 is already installed on the ADFS1 computer. Click Next.
7. Click Next. If the prerequisites are satisfied, the Select Installation Address page is displayed.
8. Click Next.
9. Click Close.
The Web Service SDK (PfWsSdk) is configured to be secured with an SSL certificate. We thus need to configure HTTPS on the default web site. We already issued an adfs.litware369.com SSL certificate for the AD FS configuration.
Configuring HTTPS on the default web site
To configure HTTPS on the default web site on the ADFS1 computer, proceed with the following steps:
1. Open an elevated Windows PowerShell command prompt if none is open, and run the following command to add an SSL binding to the default web site:
PS C:\users\AzureAdmin.LITWARE369> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https
PS C:\users\AzureAdmin.LITWARE369>
2. Run the following commands to associate the already issued adfs.litware369.com SSL certificate with the newly created SSL binding:
PS C:\users\AzureAdmin.LITWARE369> Get-ChildItem cert:\LocalMachine\MY | where { $_.Subject -match "CN\=adfs.litware369.com" } | select -First 1 | New-Item IIS:\SslBindings\0.0.0.0!443
IP Address Port Host Name Store Sites
---------- ---- --------- ----- -----
0.0.0.0    443            MY    Default Web Site
PS C:\Users\AzureAdmin.LITWARE369>
3. Open a browsing session and navigate to the Web Service SDK (PfWsSdk) at https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx. A Windows Security dialog comes up.
4. Provide the credentials for the LITWARE369\AzureAdmin administrator account such as:
Username: AzureAdmin
Password: pass@word1
5. Click OK. The collection of operations supported by the Web Service SDK (PfWsSdk) should now be listed in the .asmx page.
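The two commands in steps 1 and 2 work, but "select -First 1" takes whichever matching certificate the store returns first, and re-running New-WebBinding on a site that already has the binding fails. The following added example (not from the whitepaper) reaches the same end state while checking that the chosen certificate is usable and making the script safe to run twice. It assumes the WebAdministration module on ADFS1 and that the AD FS certificate sits in the LocalMachine\My store, as in the walkthrough.

```powershell
# Added example, not part of the whitepaper: bind the adfs.litware369.com certificate to
# HTTPS on the Default Web Site so the Web Service SDK (PfWsSdk) is reachable over TLS.
Import-Module WebAdministration

$siteName = "Default Web Site"
$hostName = "adfs.litware369.com"

function Get-UsableServerCert([string]$Name) {
    # Newest certificate issued to the name that still has its private key and is not expired.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "CN=$([regex]::Escape($Name))" -and
                       $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-UsableServerCert -Name $hostName
if (-not $cert) { throw "No usable certificate for $hostName in LocalMachine\My" }

# Add the site binding only if it does not already exist.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -IPAddress "*" -Port 443 -Protocol https
}

# Attach the certificate to the 0.0.0.0:443 SSL endpoint (the '!' separator is the
# IIS:\SslBindings path syntax used in the whitepaper). Replace it only if it differs.
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) {
    if ((Get-Item $sslPath).Thumbprint -ne $cert.Thumbprint) {
        Remove-Item $sslPath
        $cert | New-Item $sslPath | Out-Null
    }
} else {
    $cert | New-Item $sslPath | Out-Null
}

# Report the bound thumbprint next to the chosen certificate so a mismatch is obvious.
[pscustomobject]@{
    Bound    = (Get-Item $sslPath).Thumbprint
    Expected = $cert.Thumbprint
    Expires  = $cert.NotAfter
}
```

The HasPrivateKey and NotAfter checks are the part the one-liner in step 2 lacks: a public-only or expired copy of the certificate in the store would bind without error and then fail the browser test in step 3.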
Deploying the Multi-Factor Authentication User portal (optional)
Unless noted otherwise, all the instructions should be done on the Internet-facing EDGE1 computer.
To install and configure the Multi-Factor Authentication User portal, proceed with the following steps:
1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.
2. Open a remote desktop connection on EDGE1 if needed and log on as LITWARE369\AzureAdmin.
3. Open Windows Explorer on the ADFS1 computer and navigate to the folder where the Multi-Factor Authentication Server is installed (e.g. C:\Program Files\Windows Azure Multi-Factor Authentication). Choose the MultiFactorAuthenticationUserPortalSetup64.msi installation file as appropriate (64-bit version) for the EDGE1 computer that the Multi-Factor Authentication User portal will be installed on. Copy the installation file to the EDGE1 computer.
4. On the EDGE1 computer, the setup file must be run with administrator rights. Open an elevated Windows PowerShell command prompt as an administrator and navigate to the location where the installation file was copied, for example the Desktop in our illustration.
PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
5. Run the MultiFactorAuthenticationUserPortalSetup64.msi installation file.
PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\MultiFactorAuthenticationUserPortalSetup64.msi
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
A Multi-Factor Authentication User Portal installation wizard comes up.
6. Click Next.
7. Click Close.
8. After finishing the install of the MultiFactorAuthenticationUserPortalSetup64.msi file, browse to C:\inetpub\wwwroot\MultiFactorAuth (or the appropriate directory based on the virtual directory name) and edit the web.config file.
9. Locate the appSettings section in the web.config file.
<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="pfup.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
    </sectionGroup>
  </configSections>
  <appSettings>
    <add key="USE_WEB_SERVICE_SDK" value="false"/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PATH" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PASSWORD" value=""/>
    <add key="OVERRIDE_PHONE_APP_WEB_SERVICE_URL" value=""/>
  </appSettings>
  …
</configuration>
10. Set the value of the following keys as follows:
a. USE_WEB_SERVICE_SDK: true
b. WEB_SERVICE_SDK_AUTHENTICATION_USERNAME: LITWARE369\AzureAdmin
c. WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD: pass@word1
d. OVERRIDE_PHONE_APP_WEB_SERVICE_URL: https://www.litware369.com/PA (see later in this document)
Note
The username must be a member of the PhoneFactor Admins security group. Be sure to enter the Username and Password in between the quotation marks at the end of the line (value=""/>). It is recommended to use a qualified username (e.g. domain\username).
11. Locate the pfup_pfwssdk_PfWsSdk setting.
<?xml version="1.0"?>
<configuration>
…
<applicationSettings>
<pfup.Properties.Settings>
<setting name="pfup_pfwssdk_PfWsSdk" serializeAs="String">
<value>http://localhost:4898/PfWsSdk.asmx</value>
</setting>
</pfup.Properties.Settings>
</applicationSettings>
</configuration>
Change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on ADFS1, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration.
Note
Since SSL is used for this connection, you must reference the Web Service SDK by server name and not by IP address: the SSL certificate was issued for the server name, and the URL used must match the name on the certificate. In our configuration, the adfs.litware369.com server name resolves to an IP address from the Internet-facing server EDGE1. Otherwise, add an entry to the hosts file on that server mapping the name of the Multi-Factor Authentication Server to its IP address.
Note
The root certification authority certificate of litware369-ADFS1-CA is imported into the Trusted Root Certification Authorities store of the EDGE1 computer, which will be our Mobile App Web Service web server. EDGE1 will thus trust the adfs.litware369.com certificate when initiating the SSL connection.
12. Save the web.config file after changes have been made.
Important note
It is helpful to open a browsing session on EDGE1 and navigate to the URL of the Web Service SDK that was entered into the web.config file, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration. If the browser can get to the web service successfully, it should prompt you for credentials as previously illustrated. Enter the username and password that were entered into the web.config file exactly as they appear in the file. Ensure that no certificate warnings or errors are displayed.
To test the User portal, proceed with the following steps:
1. Open a browser session and navigate to https://www.litware369.com/MultiFactorAuth/.
2. Provide the credentials (e.g. “roberth” and “pass@word1”) for the Robert Hatley test account and click Log In. When the cell phone rings, press “#” to complete the account verification. After a successful authentication, you can now manage the account settings.
Note
For more information, see the Microsoft TechNet articles INSTALLING THE AZURE MULTI-FACTOR AUTHENTICATION USERS PORTAL44 and USER ENROLLMENT AND SELF-MANAGEMENT45.
Deploying the Multi-Factor Authentication Server Mobile App Web Service (optional)
Installing the Mobile App Web Service
To deploy the Multi-Factor Authentication Mobile App Web Service on the Internet-facing EDGE1 computer,
proceed with the following steps:
1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.
2. Open a remote desktop connection on EDGE1 if needed and log on as LITWARE369\AzureAdmin.
3. Open Windows Explorer on the ADFS1 computer and navigate to the folder where the Multi-Factor Authentication Server is installed (e.g. C:\Program Files\Windows Azure Multi-Factor Authentication). Choose the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi installation file as appropriate (64-bit version) for the EDGE1 computer that the Mobile App Web Service will be installed on. Copy the installation file to the EDGE1 computer.
44 INSTALLING THE AZURE MULTI-FACTOR AUTHENTICATION USERS PORTAL: http://technet.microsoft.com/en-us/library/dn394290.aspx
45 USER ENROLLMENT AND SELF-MANAGEMENT: http://technet.microsoft.com/en-us/library/dn394292.aspx
4. On EDGE1, the above installation file must be run with administrator rights. The easiest way to do this is to open a command prompt as an administrator and navigate to the location where the installation file was copied, for example the Desktop in our illustration.
PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
5. Run the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi installation file.
PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\MultiFactorAuthenticationMobileAppWebServiceSetup64.msi
PS C:\Users\AzureAdmin.LITWARE369\Desktop>
A Multi-Factor Authentication Mobile App Web Service installation wizard appears.
6. Change the Site if desired and change the Virtual directory to a short name such as “PA”. A short virtual directory name is recommended since users must enter the Mobile App Web Service URL into the mobile device during activation. Click Next.
7. Click Close.
8. After finishing the installation of the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi file, browse to C:\inetpub\wwwroot\PA (or the appropriate directory based on the virtual directory name) and edit the web.config file.
9. Locate the appSettings section in the web.config file.
<?xml version="1.0"?>
<configuration>
<configSections>
<sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089">
<section name="pfup.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
</sectionGroup>
</configSections>
<appSettings>
<add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value=""/>
<add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value=""/>
<add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PATH" value=""/>
<add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PASSWORD" value=""/>
</appSettings>
…
</configuration>
10. Set the value of the following keys as follows:
a. WEB_SERVICE_SDK_AUTHENTICATION_USERNAME: LITWARE369\AzureAdmin
b. WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD: pass@word1
Note
The username must be a member of the PhoneFactor Admins security group. Be sure to enter the username and password between the quotation marks at the end of the line (value=""/>). It is recommended to use a qualified username (e.g. domain\username). As for the User Portal, the password sits in clear text in this web.config, so restrict the file's NTFS permissions accordingly.
11. Locate the pfpaws_pfwssdk_PfWsSdk setting.
<?xml version="1.0"?>
<configuration>
…
<applicationSettings>
<pfpaws.Properties.Settings>
<setting name="pfpaws_pfwssdk_PfWsSdk" serializeAs="String">
<value>http://localhost:4898/PfWsSdk.asmx</value>
</setting>
</pfpaws.Properties.Settings>
</applicationSettings>
</configuration>
Change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on ADFS1, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration.
12. Save the web.config file after changes have been made.
Note
Since the Multi-Factor Authentication User Portal is already installed on the EDGE1 computer, the
username, password and URL to the Web Service SDK can be copied from the User Portal’s web.config file.
13. Open a browsing session and navigate to the URL where Mobile App Web Service was installed (e.g.
https://www.litware369.com/PA/). Ensure that no certificate warnings or errors are displayed as
illustrated hereafter.
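Steps 8 to 13 above for the Mobile App Web Service, and steps 8 to 12 of the User Portal installation earlier in this section, edit the same appSettings keys and the PfWsSdk URL by hand and then verify the Web Service SDK from a browser. The PowerShell below is an added example, not part of the original paper and not code shipped with Multi-Factor Authentication Server: run from an elevated prompt on EDGE1, it makes the same edits in either web.config and then checks the SDK endpoint the way the Important note asks (TLS chain and host-name validation against the machine trust store, a 401 challenge for an anonymous request, a 200 with the account written to web.config). The function names are this example's own; the paths, host names, the LITWARE369\AzureAdmin account and the pfup_pfwssdk_PfWsSdk / pfpaws_pfwssdk_PfWsSdk setting names are the lab values quoted above, and Windows PowerShell 5.1 (where Invoke-WebRequest throws System.Net.WebException on a 401) is assumed.

```powershell
# Added example (not from the paper or the MFA Server product). Assumes Windows PowerShell 5.1 on EDGE1
# and the LITWARE369 lab values quoted in the paper; function names are this example's own.

function Set-MfaWebServiceSdkConfig {
    param(
        [Parameter(Mandatory)] [string] $WebConfigPath,   # e.g. C:\inetpub\wwwroot\MultiFactorAuth\web.config
        [Parameter(Mandatory)] [string] $SettingName,     # pfup_pfwssdk_PfWsSdk (User Portal) or pfpaws_pfwssdk_PfWsSdk (PA)
        [Parameter(Mandatory)] [string] $SdkUrl,          # Web Service SDK on ADFS1, https and by server name
        [Parameter(Mandatory)] [string] $Username,        # member of PhoneFactor Admins, domain\username form
        [Parameter(Mandatory)] [string] $Password,
        [string] $PhoneAppWebServiceUrl                   # User Portal only (OVERRIDE_PHONE_APP_WEB_SERVICE_URL)
    )
    $uri = [uri] $SdkUrl
    # The SDK call must go over TLS, and the URL must carry the name on the certificate, not an IP address.
    if ($uri.Scheme -ne 'https') { throw "Web Service SDK URL must use https: $SdkUrl" }
    if ($uri.HostNameType -in 'IPv4', 'IPv6') { throw "Reference the Web Service SDK by server name, not IP address: $SdkUrl" }
    if ($Username -notmatch '\\') { Write-Warning "Use a qualified username (domain\username): $Username" }

    $WebConfigPath = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath
    Copy-Item -LiteralPath $WebConfigPath -Destination "$WebConfigPath.bak" -Force   # keep the original
    [xml] $cfg = Get-Content -LiteralPath $WebConfigPath -Raw

    # appSettings: a key is written only if the file has it (the PA web.config lacks the USE_/OVERRIDE_ keys).
    $wanted = @{
        USE_WEB_SERVICE_SDK                     = 'true'
        WEB_SERVICE_SDK_AUTHENTICATION_USERNAME = $Username
        WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD = $Password
        OVERRIDE_PHONE_APP_WEB_SERVICE_URL      = $PhoneAppWebServiceUrl
    }
    $adds = @($cfg.configuration.appSettings.add)
    foreach ($node in $adds) {
        $key = $node.GetAttribute('key')
        if ($wanted.ContainsKey($key) -and $wanted[$key]) { $node.SetAttribute('value', $wanted[$key]) }
    }
    foreach ($required in 'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME', 'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD') {
        if (-not ($adds | Where-Object { $_.GetAttribute('key') -eq $required })) { throw "appSettings key $required not found in $WebConfigPath" }
    }

    # applicationSettings: replace the default http://localhost:4898/PfWsSdk.asmx with the SDK on ADFS1.
    $valueNode = $cfg.SelectSingleNode("//applicationSettings/*/setting[@name='$SettingName']/value")
    if (-not $valueNode) { throw "Setting $SettingName not found in $WebConfigPath" }
    $valueNode.InnerText = $SdkUrl

    $cfg.Save($WebConfigPath)
    # The password is now in clear text in web.config: keep the file readable only by administrators and the app pool identity.
    return $valueNode.InnerText
}

function Test-MfaWebServiceSdkEndpoint {
    param(
        [Parameter(Mandatory)] [string] $SdkUrl,
        [pscredential] $Credential                        # the account written to web.config
    )
    $uri = [uri] $SdkUrl
    # 1. TLS handshake with the machine trust store and host-name check, as a browser would do.
    #    Any chain or name mismatch (a "certificate warning") throws AuthenticationException.
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Verbose ("TLS OK: {0}, issued by {1}" -f $cert.Subject, $cert.Issuer)
    } finally { $ssl.Dispose(); $tcp.Close() }

    # 2. An anonymous request must be challenged (HTTP 401); the SDK must not be reachable without credentials.
    try {
        Invoke-WebRequest -Uri $SdkUrl -UseBasicParsing -ErrorAction Stop | Out-Null
        throw "SDK answered an anonymous request; check IIS authentication on MultiFactorAuthWebServiceSdk"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if (-not $resp -or [int] $resp.StatusCode -ne 401) { throw "Unexpected answer from $SdkUrl : $($_.Exception.Message)" }
    }

    # 3. With the web.config account, the .asmx description page is served (HTTP 200).
    if ($Credential) {
        $ok = Invoke-WebRequest -Uri $SdkUrl -Credential $Credential -UseBasicParsing -ErrorAction Stop
        return ([int] $ok.StatusCode -eq 200)
    }
    return $true
}

# Usage with the lab values from the paper (run as administrator on EDGE1).
$sdk = 'https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx'
Set-MfaWebServiceSdkConfig -WebConfigPath 'C:\inetpub\wwwroot\MultiFactorAuth\web.config' -SettingName 'pfup_pfwssdk_PfWsSdk' `
    -SdkUrl $sdk -Username 'LITWARE369\AzureAdmin' -Password 'pass@word1' -PhoneAppWebServiceUrl 'https://www.litware369.com/PA'
Set-MfaWebServiceSdkConfig -WebConfigPath 'C:\inetpub\wwwroot\PA\web.config' -SettingName 'pfpaws_pfwssdk_PfWsSdk' `
    -SdkUrl $sdk -Username 'LITWARE369\AzureAdmin' -Password 'pass@word1'
Test-MfaWebServiceSdkEndpoint -SdkUrl $sdk -Credential (Get-Credential 'LITWARE369\AzureAdmin')
```

The two functions deliberately refuse a plain http URL or an IP address, because either breaks the certificate name match the notes above depend on, and the TLS check uses SslStream rather than a browser so that a chain or name error surfaces as an exception instead of a warning someone can click through. A .bak copy of each web.config is kept next to the original; the credentials written to the file remain in clear text, so the script is no substitute for restricting the file's ACL.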
Configuring the Mobile App Settings in the Multi-Factor Authentication Server
All the instructions should be done on the ADFS1 computer.
To configure the Mobile App Settings in the Multi-Factor Authentication Server, proceed with the following
steps:
1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.
2. Launch the Multi-Factor Authentication Server.
3. Click on the User Portal icon.
4. On the Settings tab, type the Multi-Factor Authentication User Portal URL, for example “https://www.litware369.com/MultiFactorAuth” in our configuration.
5. Check Allow user enrollment.
6. Check Allow users to select method. Under Allow users to select method, check Mobile app. Without this feature enabled, end users will be required to contact the Help Desk to complete activation for the Mobile App. Also check Phone call and Text message.
7. Check Allow users to activate mobile app.
8. Click on the Mobile App icon.
9. In Mobile App Web Service URL, type the URL of the virtual directory that was created when installing the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi file, for example “https://www.litware369.com/PA” in our configuration.
10. In Account name, optionally enter a company name; it is displayed in the mobile application. If left blank, the name of the Multi-Factor Auth Provider created in the Azure management portal is displayed instead, for example “Litware369 Auth” in our configuration. Type “Litware369 Inc.” for example.
Activating the Azure Multi-Factor Authentication App for End Users
To activate the Mobile App, proceed with the following steps:
1. Download the Multi-Factor Authentication application from your app store. This application is available for Windows Phone46, iOS47, and Android48. Once the Multi-Factor Authentication app has been downloaded and is installed, you can activate it for multiple accounts.
2. Open a browsing session from any computer connected to the Internet and navigate to the Multi-Factor Authentication Users Portal at https://www.litware369.com/MultiFactorAuth.
3. Provide the credentials (e.g. “roberth” and “pass@word1”) for the Robert Hatley test account and click Log In. When the cell phone rings, press “#” to complete the account verification.
46 Multi-Factor Authentication app on Windows Phone Store: http://www.windowsphone.com/en-us/store/app/phonefactor/0a9691de-c0a1-44ee-ab96-6807f8322bd1
47 Multi-Factor Authentication app on iTunes: https://itunes.apple.com/us/app/phonefactor/id475844606?mt=8
48 Multi-Factor Authentication app on Google Play: https://play.google.com/store/apps/details?id=com.phonefactor.phonefactor
4. Under My Account on the left, click Activate Mobile App.
5. Click Generate Activation Code. (You can instead contact an administrator, who will generate an activation code for you.)
6. Switch to your mobile device.
7. Open the Multi-Factor Authentication application.
8. In the mobile app, click New (+).
Note
The interface will differ slightly between mobile OS apps.
9. Activate the Multi-Factor Authentication App by entering the above activation code and URL, or by scanning the barcode picture.
10. Switch the authentication method to Mobile App, or contact an administrator who will change it for you.
Note
For more information, see Microsoft TechNet article DEPLOYING THE AZURE MULTI-FACTOR AUTHENTICATION
SERVER MOBILE APP WEB SERVICE49.
This concludes the guided tour of Multi-Factor Authentication Server in the context of Azure AD federated
users as well as this paper.
For the configuration of the advanced settings and reports of the service, please refer to the aforementioned
whitepaper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD50.
49 DEPLOYING THE AZURE MULTI-FACTOR AUTHENTICATION SERVER MOBILE APP WEB SERVICE: http://technet.microsoft.com/en-us/library/dn394277.aspx
50 LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this
document.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or
for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
© 2015 Microsoft Corporation. All rights reserved.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be inferred.
Microsoft and the other Microsoft trademarks used in this white paper are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective
owners.