Use Azure Multi-Factor Authentication Server to activate PAM or SSPR

Article
10/11/2023

The following document describes how to set up the Azure Multi-Factor Authentication Server as a second layer of security when your users activate roles in Privileged Access Management or Self-Service Password Reset.

Important

In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests. Customers of Azure Multi-Factor Authentication Server should plan to move to instead use either custom MFA providers or Windows Hello or smartcard-based authentication in AD. To use a different MFA provider, see the article on how to use Custom multifactor authentication API.

The article below outlines the configuration update and steps to enable existing deployments of MIM moving from MIM using the previous SDK to MIM using the Azure Multi-Factor Authentication Server.

Prerequisites

In order to migrate to use Azure Multi-Factor Authentication Server with MIM, you need:

Internet access from each MIM Service or Azure Multi-Factor Authentication Server providing PAM and SSPR, to contact the Microsoft Entra multifactor authentication service
An Azure subscription
Install is already using SDK from July 2019 or earlier
Microsoft Entra ID P1 or P2 licenses for candidate users
Phone numbers for all candidate users
MIM hotfix 4.5. or greater see version history for announcements

Azure Multi-Factor Authentication Server Configuration

Note

In the configuration you will need a valid SSL certificate installed for the SDK.

Step 1: Download Azure Multi-Factor Authentication Server from the Azure portal

Important

As of July 1, 2019, Microsoft no longer offers Azure Multi-Factor Authentication Server for new deployments.

Sign-in to the Azure portal and follow the instructions in Getting started with Azure Multi-Factor Authentication Server to download Azure Multi-Factor Authentication Server.

Azure portal Server settings

Step 2: Generate activation credentials

Use the Generate activation credentials to initiate use link to generate activation credentials. Once generated, save for later use.

Step 3: Install the Azure Multi-Factor Authentication Server

Once you've downloaded the server, install it. Your activation credentials will be required.

Step 4: Create your IIS Web Application that will host the SDK

Open IIS Manager
Create new Website called "MIM MFASDK", and link it to an empty directory.
Open the Multi-Factor Authentication Server Console and click on Web Service SDK.
Once wizard opens, click through config, and select "MIM MFASDK" and app pool.

Note

The wizard will require a admin group to be created. More information can be found on the Azure Multi-Factor Authentication Server documentation.
Next, import the MIM Service account. In the console, select "Users".

a. Click on "Import from Active Directory". b. Navigate to the service account, such as "contoso\mimservice". c. Click "Import" and "Close".
Edit the MIM Service account to enable it.
Update the IIS authentication on the "MIM MFASDK" website. First, disable the "Anonymous Authentication", then enable "Windows Authentication".
Final Step: Add the MIM service account to the "PhoneFactor Admins"

Configuring the MIM Service for Azure Multi-Factor Authentication Server

Step 1: Patch Server to 4.5.202.0

Step 2: Backup and Open the MfaSettings.xml located in the "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service"

Step 3: Update the following lines

Remove/Clear the following configuration entries lines
<LICENSE_KEY></LICENSE_KEY>
<GROUP_KEY></GROUP_KEY>
<CERT_PASSWORD></CERT_PASSWORD>
<CertFilePath></CertFilePath>
Update or add the following lines to the following to MfaSettings.xml
<Username>mimservice@contoso.com</Username>
<LOCMFA>true</LOCMFA>
<LOCMFASRV>https://CORPSERVICE.contoso.com:9999/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx</LOCMFASRV>
Restart MIM Service and test Functionality with Azure Multi-Factor Authentication Server.