Multi-Factor Authentication Overview
Azure Multi-Factor Authentication (MFA) is Microsoft’s two-step verification solution. Using administrator approved authentication methods, Azure MFA helps safeguard your access to data and applications, while meeting the demand for a simple sign-in process.
How it works: Azure Multi-Factor Authentication
The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the additional authentication method.
It works by requiring two or more of the following authentication methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
License requirements
Multi-Factor Authentication comes as part of the following offerings:
- Azure Active Directory Premium or Microsoft 365 Business – Full featured use of Azure Multi-Factor Authentication using Conditional Access policies to require multi-factor authentication.
- Azure AD Free, Azure AD Basic, or standalone Office 365 licenses – Use pre-created Conditional Access baseline protection policies to require multi-factor authentication for your users and administrators.
- Azure Active Directory Global Administrators – A subset of Azure Multi-Factor Authentication capabilities are available as a means to protect global administrator accounts.
Prepare your environment
To achieve high availability with your Azure MFA Server deployment, you need to deploy multiple MFA servers. The lab used here consists of a domain controller and two Azure MFA Servers (MFA1 and MFA2). The Azure MFA Server and User Portal servers have several prerequisites and must have connectivity to the Internet.
- DC: Domain Controller with Server 2019
- MFA1: Azure MFA Server with Server 2019
- MFA2: Azure MFA Server with Server 2019
An MFA Server is a Windows Server that has the Azure Multi-Factor Authentication software installed. The MFA Server instance must be activated by the MFA Service in Azure to function. More than one MFA Server can be installed on-premises.
By default, the first MFA Server that is installed becomes the master MFA Server upon activation by the Azure MFA Service. The master MFA Server holds the writeable copy of the PhoneFactor.pfdata database. Subsequent installations of MFA Server are known as subordinates, and each subordinate holds a replicated, read-only copy of the PhoneFactor.pfdata database. MFA servers replicate information using Remote Procedure Call (RPC). All MFA Servers in a group must be either all domain joined or all standalone in order to replicate information.
Make sure the server that you’re using for Azure Multi-Factor Authentication meets the following requirements:
| Azure Multi-Factor Authentication Server Requirements | Description |
| --- | --- |
| Hardware | 200 MB of hard disk space; x32 or x64 capable processor; 1 GB or greater RAM |
| Software | Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2; Windows Server 2008, SP1, SP2; Windows Server 2003 R2; Windows Server 2003, SP1, SP2; Windows 10; Windows 8.1, all editions; Windows 8, all editions; Windows 7, all editions; Windows Vista, all editions, SP1, SP2; Microsoft .NET 4.0 Framework; IIS 7.0 or greater if installing the User Portal or Web Service SDK |
| Permissions | Domain Administrator or Enterprise Administrator account to register with Active Directory |
Azure MFA Server Components
There are three web components that make up Azure MFA Server:
- Web Service SDK – Enables communication with the other components and is installed on the Azure MFA application server
- User Portal – An IIS web site that allows users to enroll in Azure Multi-Factor Authentication (MFA) and maintain their accounts.
- Mobile App Web Service – Enables using a mobile app like the Microsoft Authenticator app for two-step verification.
All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Azure MFA application server and the User Portal and Mobile App Web Service are installed on an internet-facing server.
Azure Multi-Factor Authentication Server firewall requirements
Each MFA server must be able to communicate on port 443 outbound to the following addresses:
If outbound firewalls are restricted on port 443, open the following IP address ranges:
| IP Subnet | Netmask | IP Range |
| --- | --- | --- |
| 134.170.116.0/25 | 255.255.255.128 | 134.170.116.1 – 134.170.116.126 |
| 134.170.165.0/25 | 255.255.255.128 | 134.170.165.1 – 134.170.165.126 |
| 70.37.154.128/25 | 255.255.255.128 | 70.37.154.129 – 70.37.154.254 |
If you aren’t using the Event Confirmation feature, and your users aren’t using mobile apps to verify from devices on the corporate network, you only need the following ranges:
| IP Subnet | Netmask | IP Range |
| --- | --- | --- |
| 134.170.116.72/29 | 255.255.255.248 | 134.170.116.72 – 134.170.116.79 |
| 134.170.165.72/29 | 255.255.255.248 | 134.170.165.72 – 134.170.165.79 |
| 70.37.154.200/29 | 255.255.255.248 | 70.37.154.201 – 70.37.154.206 |
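As an added example (this script is not part of the original article and is not Microsoft's code), the following Python embeds the six ranges from the two tables above, reports for each CIDR the netmask, the full block and the usable host range (which is why a /29 row can be written as .72 – .79 or as .201 – .206), confirms that the short list is a subset of the full list, and then scans a few constructed outbound-connection log lines to flag TCP/443 destinations that fall outside the expected ranges. The log line format is an assumption made up for the example; real firewall exports differ.

```python
import ipaddress
import re

# Outbound TCP/443 destination ranges copied from the two tables above.
# FULL_RANGES apply when Event Confirmation or on-network mobile-app
# verification is used; MINIMAL_RANGES are the /29 subset that suffices otherwise.
FULL_RANGES = ["134.170.116.0/25", "134.170.165.0/25", "70.37.154.128/25"]
MINIMAL_RANGES = ["134.170.116.72/29", "134.170.165.72/29", "70.37.154.200/29"]


def describe(cidr):
    """Netmask, full block boundaries and usable host range for one CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: reject misaligned prefixes
    hosts = list(net.hosts())
    return {
        "cidr": cidr,
        "netmask": str(net.netmask),
        "block": (str(net.network_address), str(net.broadcast_address)),
        "hosts": (str(hosts[0]), str(hosts[-1])),
    }


def in_ranges(ip, ranges):
    """True if the address falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def minimal_is_subset_of_full():
    """Consistency check: every /29 in the short list lies inside a /25 of the full list."""
    return all(
        any(ipaddress.ip_network(s).subnet_of(ipaddress.ip_network(f)) for f in FULL_RANGES)
        for s in MINIMAL_RANGES
    )


# Constructed sample of outbound-connection log lines (hypothetical format).
# Only the "src -> dst:port" part is parsed.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z MFA1 ALLOW TCP 10.0.0.5:51234 -> 134.170.116.75:443
2024-05-01T10:00:01Z MFA1 ALLOW TCP 10.0.0.5:51235 -> 70.37.154.203:443
2024-05-01T10:00:02Z MFA1 ALLOW TCP 10.0.0.5:51236 -> 203.0.113.9:443
2024-05-01T10:00:03Z MFA1 ALLOW TCP 10.0.0.5:51237 -> 134.170.116.10:443
2024-05-01T10:00:04Z MFA1 ALLOW TCP 10.0.0.5:51238 -> 10.0.0.1:445
"""

_DST = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def classify_log(log_text, ranges):
    """For each TCP/443 destination in the log, report whether it is in an expected range."""
    results = []
    for line in log_text.splitlines():
        m = _DST.search(line)
        if not m or m.group(2) != "443":
            continue  # not an outbound 443 connection
        dst = m.group(1)
        results.append((dst, in_ranges(dst, ranges)))
    return results


if __name__ == "__main__":
    for cidr in FULL_RANGES + MINIMAL_RANGES:
        print(describe(cidr))
    print("minimal subset of full:", minimal_is_subset_of_full())
    for dst, ok in classify_log(SAMPLE_LOG, MINIMAL_RANGES):
        print(f"{dst:18} {'expected' if ok else 'NOT in the minimal ranges'}")
```

Run against the minimal ranges, the fourth sample line (134.170.116.10) is flagged even though it sits inside 134.170.116.0/25: that is the practical difference between the two tables, and the reason to choose the list that matches the features you actually use before tightening the outbound rule.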
Install and configure the MFA Server
Download the MFA Server
Follow these steps to download the Azure Multi-Factor Authentication Server from the Azure portal:
Sign in to the Azure portal as an administrator.
Select Azure Active Directory > Manage MFA Server, then select Server settings.
Select Download and follow the instructions on the download page to save the installer.
Now that you have downloaded the server you can install and configure it.
Double-click the executable.
On the Select Installation Folder screen, make sure that the folder is correct and click Next.
Once the installation is complete, click Finish. The configuration wizard launches.
Back on the page that you downloaded the server from, click the Generate Activation Credentials button.
Copy this information into the Azure MFA Server in the boxes provided.
Enter your activation credentials and click Activate. If activation fails, generate new credentials, as they appear to be valid only for a short period of time.
Enter your MFA Group Name, then click OK.
Click Yes to enable and configure replication.
Click Next to enable replication between servers.
Click Next.
Click Next.
Click Finish to reboot.
Adding additional server to the MFA replication group
Additional MFA servers provide redundancy for the MFA configuration. The MFA Server model uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group, and the primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers; for example, you can create a group for each domain, forest, or organizational unit.
Follow the same procedures for installing the primary MFA server software for each additional server.
Remember that each server must be activated.
Select the existing MFA group “GITS-MFA-Group”, then click OK.
Now you can see our two MFA Servers.
Hi, I configured MFA Server on prem on a Windows Server 2019 and all tests work 100%, but when I RDP to the server that has MFA Server installed, I do not get a phone call or SMS/OTP. Did I miss something?