Install Azure MFA Server On-Premises

Kani 61 Reputation points
2020-08-31T00:19:13.07+00:00

I am trying to configure MFA Server on-premises as a proof of concept. We are using SharePoint 2016 and we have both forms-based and Windows-based users. All these users reside in on-premises AD and a database.

I need to check how MFA works with our current implementations before acquiring any licenses. For this, I have installed MFA Server, but I don't find the Activation details in the Azure portal.

Is this doable with a free license? Any idea whether this scenario is doable without migrating to online?

Thanks

Microsoft 365 and Office SharePoint Server Development
Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2020-11-23T09:05:51.873+00:00

    Hi @Kani · If you want to use Azure App Proxy to leverage Azure MFA for your SharePoint on-premises instance, the users' requests should go to the External URL so that the request reaches Azure App Proxy. App Proxy should be configured to perform pre-authentication, as part of which users will do MFA. After successful pre-auth, App Proxy translates the external URL to the internal URL, so that users can connect to the on-prem application. You need to keep the points below in mind:

    1. Configure SSO as mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-config-sso-how-to
    2. If you want to enforce MFA for users who are accessing the SharePoint site from your on-premises environment, they need to use the External URL. If they use the internal URL, the request will not be sent to App Proxy and they won't be required to do pre-auth with MFA.
      ---------
      Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
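The accepted answer's point is that MFA is only enforced when the request actually passes through App Proxy pre-authentication, which is why the internal URL bypasses it. As an added example (not code from the original thread or from Microsoft), the Python below classifies the first unauthenticated HTTP response for a published URL: a redirect to an Entra ID sign-in host means pre-authentication is in the path, while an NTLM/Negotiate challenge or a plain page coming straight back means SharePoint answered directly. The tenant id, client id and msappproxy.net hostname in the sample responses are constructed placeholders.

```python
# Added example: classify the first HTTP response an unauthenticated client gets
# for a published SharePoint URL, to confirm Entra pre-authentication is in the path.
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Entra ID sign-in hosts that App Proxy pre-authentication redirects to.
ENTRA_LOGIN_HOSTS = {
    "login.microsoftonline.com",         # global cloud
    "login.microsoftonline.us",          # US Government cloud
    "login.partner.microsoftonline.cn",  # 21Vianet (China) cloud
}

def classify_first_response(status, headers):
    """Return what the first response says about the authentication path.
    'preauth'                  - redirected to Entra sign-in: App Proxy pre-auth (and MFA) apply
    'passthrough-windows-auth' - SharePoint's NTLM/Negotiate challenge came back directly
    'passthrough'              - a page (e.g. the FBA login form) came back without Entra sign-in
    """
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in h:
        target = urlsplit(h["location"]).hostname
        return "preauth" if target in ENTRA_LOGIN_HOSTS else "redirect-elsewhere"
    if status == 401 and h.get("www-authenticate", "").lower().startswith(("ntlm", "negotiate")):
        return "passthrough-windows-auth"
    if status == 200:
        return "passthrough"
    return "unknown"

def probe(url, timeout=10):
    """Live check: fetch url without following redirects and classify the reply."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # stop at the first hop so we can inspect it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_first_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify_first_response(err.code, dict(err.headers))

# Constructed sample responses (placeholder tenant, client id and App Proxy host, not real endpoints).
EXTERNAL_URL_REPLY = (302, {"Location": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/authorize?client_id=PLACEHOLDER&redirect_uri=https%3A%2F%2Fsharepoint-contoso.msappproxy.net%2F"})
INTERNAL_URL_REPLY = (401, {"WWW-Authenticate": "NTLM"})
FBA_DIRECT_REPLY = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for name, reply in [("external", EXTERNAL_URL_REPLY), ("internal", INTERNAL_URL_REPLY), ("fba", FBA_DIRECT_REPLY)]:
        print(name, "->", classify_first_response(*reply))
```

Run `probe("https://<your-app>.msappproxy.net/")` against the external URL and expect `preauth`; anything else means users reaching that URL are not being sent through pre-authentication.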

3 additional answers

  1. AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2020-08-31T07:28:21.187+00:00

    Hello @Kani

    On-Premises MFA Server is deprecated in favor of the Azure MFA Service. Microsoft does not support MFA Server for new deployments. Existing implementations of MFA Server still work, but the Activation details are no longer available in the Azure portal for new deployments.

    Since you want to protect an on-premises SharePoint 2016 server with MFA, you can configure Azure Application Proxy with AAD pre-authentication and implement MFA via the Azure MFA service. You can also leverage Conditional Access and Azure AD Identity Protection for this purpose. Please refer to the diagram below:

    [Architecture diagram attached in the original post: 21501-image.png]

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Jerry Xu-MSFT 7,961 Reputation points
    2020-08-31T06:57:23.25+00:00

    As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers who would like to require multi-factor authentication (MFA) from their users should use cloud-based Azure Multi-Factor Authentication.

    To get started with cloud-based MFA, see Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication.

    Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual. The following steps only work if you were an existing MFA Server customer.

    And please check the Prerequisites for deploying Azure MFA. If you have no plan for a hybrid environment, I assume you will need to deploy remote access to SharePoint with Azure AD Application Proxy.

    [Diagram attached in the original post: 21448-image.png]

    For MFA billing, check here: https://azure.microsoft.com/en-us/pricing/details/active-directory/. The available features vary for different licenses.

    FAQ for Azure MFA: https://learn.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-faq#:~:text=If%20your%20directory%20has%20a,MFA%20through%20the%20MFA%20provider.


  3. Kani 61 Reputation points
    2020-12-07T14:05:52.55+00:00

    Hi @AmanpreetSingh-MSFT ,

    Many thanks for the answer and the guidance you have given. Finally, I was able to figure it out. :)

    [Screenshot attached in the original post: 45728-20201207-232142.jpg]

    I have three questions on this.

    1) We have forms-based authentication and it seems users have to log in twice, i.e. first to the Microsoft account, second to the internal portal (FBA). Is there a way to have single sign-on for this?
    2) Is it possible to define a job to sync users created in the on-premises DB with Azure public users using a daily sync job?
    3) How would Microsoft licensing work for migrating around 20000 public users and enabling MFA for the site?

    Thank you again.
