Configure MFA Server settings

This article helps you to manage Azure MFA Server settings.

Important

In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent Azure MFA Server update. For more information, see Azure MFA Server Migration.

The following MFA Server settings are available:

Feature | Description
--- | ---
Server settings | Download MFA Server and generate activation credentials to initialize your environment.
One-time bypass | Allow a user to authenticate without performing multi-factor authentication for a limited time.
Caching rules | Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically after the user successfully completes the first verification in progress.
Server status | See the status of your on-premises MFA servers, including version, status, IP, and last communication time and date.

One-time bypass

Tip

Steps in this article might vary slightly based on the portal you start from.

The one-time bypass feature allows a user to authenticate a single time without performing multi-factor authentication. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.

To create a one-time bypass, complete the following steps:

  1. Sign in to the Microsoft Entra admin center as at least an Authentication Administrator.
  2. Browse to Protection > Multifactor authentication > One-time bypass.
  3. Select Add.
  4. If necessary, select the replication group for the bypass.
  5. Enter the username as username@domain.com. Enter the number of seconds that the bypass should last and the reason for the bypass.
  6. Select Add. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.

You can also view the one-time bypass report from this same window.

Caching rules

By using the caching feature, you can set a time period during which authentication attempts are allowed after a user is authenticated. Subsequent authentication attempts for the user within the specified time period succeed automatically.

Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically after the user successfully completes the first verification in progress.

Note

The caching feature is not intended to be used for sign-ins to Microsoft Entra ID.

To set up caching, complete the following steps:

  1. Browse to Protection > Multifactor authentication > Caching rules.
  2. Select Add.
  3. Select the cache type from the drop-down list. Enter the maximum number of cache seconds.
  4. If necessary, select an authentication type and specify an application.
  5. Select Add.
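
The following Python sketch is an added example, not Microsoft's code or part of the original article. It models a caching rule to show how the maximum cache seconds and the cache key decide which requests skip verification. The scope names, the authentication type and application values, and the instant-verification behavior are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Simplified model for illustration (assumption: not MFA Server's own logic).
# scope "user" keys the cache on the username only; scope "user_app" keys it
# on username + authentication type + application. Both names are hypothetical.
@dataclass
class CachingRule:
    max_cache_seconds: int
    scope: str = "user"
    verified_at: dict = field(default_factory=dict)

    def _key(self, user, auth_type, application):
        if self.scope == "user":
            return (user.lower(),)
        return (user.lower(), auth_type, application)

    def record_success(self, user, auth_type, application, now):
        """Remember when a real MFA verification succeeded for this key."""
        self.verified_at[self._key(user, auth_type, application)] = now

    def needs_mfa(self, user, auth_type, application, now):
        """True when the request must be challenged, False when it is cached."""
        verified = self.verified_at.get(self._key(user, auth_type, application))
        if verified is None:
            return True
        return not (0 <= now - verified <= self.max_cache_seconds)


def replay(rule, requests):
    """Classify (seconds, user, auth_type, application) requests under a rule.

    Assumes every challenged request is verified successfully and instantly.
    Cached requests do not extend the window.
    """
    outcome = []
    for now, user, auth_type, app in requests:
        if rule.needs_mfa(user, auth_type, app, now):
            rule.record_success(user, auth_type, app, now)
            outcome.append("challenged")
        else:
            outcome.append("cached")
    return outcome


# Constructed sample traffic: a VPN retry burst, then a second application.
SAMPLE = [
    (0, "username@domain.com", "RADIUS", "vpn"),
    (2, "username@domain.com", "RADIUS", "vpn"),        # VPN retry
    (20, "username@domain.com", "LDAP", "fileshare"),   # different application
    (90, "username@domain.com", "RADIUS", "vpn"),       # window has expired
]
```

With a 30-second window, `replay(CachingRule(30, "user"), SAMPLE)` lets the file-share request at 20 seconds succeed on the strength of the VPN verification, while `CachingRule(30, "user_app")` challenges it. In this model, a narrow cache key and a short window limit how far one successful verification is reused.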

Next steps

Additional MFA Server configuration options are available from the web console of the MFA Server itself. You can also configure Azure MFA Server for high availability.