ADFS 2016 and on-premises Azure MFA

  • Question

  • It is unfortunate that Microsoft naming nomenclature makes it hard to distinguish between Azure MFA (running on-premises) and Azure MFA (running as the cloud service).  Much has been posted around how you configure ADFS 2016 to work with the cloud version of MFA.

    I think that is great unless you already have an existing on-premises MFA deployment for securing other on-premises resources like VPN, etc. that use the on-premises MFA as a Radius server.  For me, I would like to continue to use the MFA server infrastructure that is on-premises.  I don't want the user to have to try and configure two different accounts in the Azure Authenticator mobile app.

    While I can find plenty of information about the steps to integrate ADFS 2016 with the cloud version of Azure MFA, I can't seem to find any information about how to integrate ADFS 2016 with the on-premises version of Azure MFA.

    Anyone facing a similar scenario?

    Monday, March 6, 2017 1:32 PM

All replies

  • What do you mean by Azure MFA (running on-premises)?

    Are you referring to Azure Stack?

    Monday, March 6, 2017 5:41 PM
  • This is the Azure Multi-Factor authentication server that is hosted on-premises.  It does not have anything to do with Azure Stack.  Truly an unfortunate product name that leads to much confusion.

    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server

    Monday, March 6, 2017 5:50 PM
    On the same boat and surely done on purpose to drive membership sales thanks to marketing team and mobile first, cloud first strategy.

    Tuesday, May 23, 2017 1:10 AM
    I am confused. Maybe I am doing the wrong thing. I want to avoid building an MFA server on prem. So I want to use the cloud version. Perhaps you or some other helpful person can clarify:

    I have ADFS 2016, published with WAP 2016.

    I have added Azure MFA in the Authentication methods on my ADFS server. (When I go to https://mydomain.com/adfs/ls/idpinitiatedsignon.aspx I can choose Azure Multifactor authentication as an option.)

    I have followed this article to prepare my tenant

    https://blog.kloud.com.au/2017/01/24/adfs-v-3-0-2012-r2-migration-to-adfs-4-0-2016-mfa-part-3/

    I get the choice of authentication methods when visiting https://mydomain.com/adfs/ls/idpinitiatedsignon.aspx

    I have configured Azure authenticator for my account on my phone, but the code from authenticator is never recognised by the ADFS logon.

    How do I diagnose?

    I have this information:
    ActivityId: 00000000-0000-0000-0200-0080000000c3
    ContextId: d97b6f23-d9ac-41fb-a121-32f791daa8b0
    Timestamp: 2017-05-26T16:11:23.686Z


    CarolChi

    Friday, May 26, 2017 4:16 PM
    I am also looking to use the on-premises MFA with ADFS server 2016 and cannot find any documentation on how this should be set up; any information would be appreciated.

    regards,

    Paul.

    Saturday, March 31, 2018 9:51 AM
  • Most of the documentation and troubleshooting steps are available online, from the Azure AD portal (although it is on-prem Azure MFA server, there is still "Azure" in it and it is subject to licenses).


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, April 1, 2018 12:02 AM
    Were you able to check what the ADFS servers log in the EventLog at that point in time, when the error occurs? From your error description, I understand that MFA is invoked and you can see the UI that ADFS displays on the logon page change and wait for the six-digit PIN?

    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.

    Monday, April 2, 2018 9:21 AM
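One way to carry out the event-log check suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes it is run as an administrator on the ADFS server itself, uses the ActivityId and timestamp posted earlier in the thread purely as sample values, and reads the `AD FS/Admin` log plus the Security log, where ADFS writes its audit events once auditing has been enabled (the `auditpol.exe` and `Set-AdfsProperties -AuditLevel` commands in the comments are the standard way to switch that on in ADFS 2016).

```powershell
# Added example: pull what ADFS logged around a failed MFA attempt.
# Sample values copied from the thread; replace them with your own.
$activityId  = [guid]'00000000-0000-0000-0200-0080000000c3'
$failureTime = [datetime]::Parse('2017-05-26T16:11:23.686Z').ToUniversalTime()

# Look a few minutes either side of the reported timestamp, in the server's local time.
$start = $failureTime.ToLocalTime().AddMinutes(-5)
$end   = $failureTime.ToLocalTime().AddMinutes(5)

# 1. Admin log: errors from the authentication pipeline and the MFA adapter
#    (event 364 "Encountered error during federation passive request" is the usual one).
$adminEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# Events raised for the same request carry the ActivityId shown on the ADFS error page,
# so filtering on it separates this logon from everything else in the window.
$adminEvents |
    Where-Object { $_.ActivityId -eq $activityId } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 2. Security log: ADFS audit events (e.g. 1202 credential validated,
#    1203 credential validation failed) land here once auditing is on.
#    Enable it once with:
#      auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
#      Set-AdfsProperties -AuditLevel Verbose
$auditEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue

# Audit events quote the activity ID inside the message text (assumption: format
# as in ADFS 2016), so match on the string rather than the record's ActivityId.
$auditEvents |
    Where-Object { $_.Message -match [regex]::Escape($activityId.ToString()) } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If nothing comes back from the Security log, auditing was not enabled at the time of the failure; enable it with the two commands in the comments, reproduce the logon, and run the script again with the new ActivityId and timestamp from the error page.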
    Can I ask - what are your drivers behind using the on-premises MFA server and integrating it with ADFS, rather than using Azure MFA?

    Thanks,

    Florian

    Monday, April 2, 2018 9:22 AM
    Just POC at the moment so not completely decided/investigated but I am looking at RDS Gateway, VPN, laptops (not looked into yet) & salesforce SSO through ADFS. Do you think all these can be accomplished with Azure MFA?

    Monday, April 2, 2018 11:13 AM
  • Good question.

    Just to make sure we are all on the same page... A quick reminder here.

    Azure MFA Server, you manage the server on-prem. It used to be called PhoneFactor. It has more modules than just ADFS integration. It can do MFA with LDAP, Radius, custom website. You pick and store the phone number in your DB, the secret questions if you want to use them, integrate with other OTP etc...

    Azure MFA, is a MFA as a Service. It is fully integrated with Azure AD (so can be used for conditional access to any Office 365 applications or any SaaS integrated with Azure AD). It can integrate on-prem too (with ADFS and an NPS connector). You do not manage the server side of it. 

    Both require licenses to be used.

    Monday, April 2, 2018 12:37 PM