Configure MFA Server settings
This article helps you to manage Azure MFA Server settings in the Azure portal.
In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent Azure MFA Server update. For more information, see Azure MFA Server Migration.
The following MFA Server settings are available:
|Feature|Description|
|---|---|
|Server settings|Download MFA Server and generate activation credentials to initialize your environment.|
|One-time bypass|Allow a user to authenticate without performing multi-factor authentication for a limited time.|
|Caching rules|Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically after the user completes the first verification that is in progress.|
|Server status|See the status of your on-premises MFA servers, including version, status, IP, and last communication time and date.|
The one-time bypass feature allows a user to authenticate a single time without performing multi-factor authentication. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.
To create a one-time bypass, complete the following steps:
- Sign in to the Azure portal as an administrator.
- Search for and select Azure Active Directory, then browse to Security > MFA > One-time bypass.
- Select Add.
- If necessary, select the replication group for the bypass.
- Enter the username as firstname.lastname@example.org. Enter the number of seconds that the bypass should last and the reason for the bypass.
- Select Add. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.
You can also view the one-time bypass report from this same window.
By using the caching feature, you can set a time period during which authentication attempts are allowed after a user is authenticated. Subsequent authentication attempts for the user within the specified time period succeed automatically.
Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically after the user completes the first verification that is in progress.
The caching feature is not intended to be used for sign-ins to Azure Active Directory (Azure AD).
To set up caching, complete the following steps:
- Browse to Azure Active Directory > Security > MFA > Caching rules.
- Select Add.
- Select the cache type from the drop-down list. Enter the maximum number of cache seconds.
- If necessary, select an authentication type and specify an application.
- Select Add.
Additional MFA Server configuration options are available from the web console of the MFA Server itself. You can also configure Azure MFA Server for high availability.