Use Azure AD Multi-Factor Authentication Server to activate PAM or SSPR
The following document describes how to set up the Azure AD Multi-Factor Authentication Server as a second layer of security when your users activate roles in Privileged Access Management or Self-Service Password Reset.
In September 2022, Microsoft announced deprecation of Azure AD Multi-Factor Authentication Server. Beginning September 30, 2024, Azure AD Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests. Customers of Azure AD Multi-Factor Authentication Server should plan to move to instead use either custom MFA providers or Windows Hello or smartcard-based authentication in AD. To use a different MFA provider, see the article on how to use Custom Multi-Factor Authentication API.
The article below outlines the configuration update and the steps for moving an existing MIM deployment from the previous SDK to the Azure AD Multi-Factor Authentication Server.
In order to migrate to use Azure AD Multi-Factor Authentication Server with MIM, you need:
- Internet access from each MIM Service or MFA Server providing PAM and SSPR, to contact the Azure AD Multi-Factor Authentication Service
- An Azure subscription
- An existing installation that already uses the SDK from July 2019 or earlier
- Azure Active Directory Premium licenses for candidate users
- Phone numbers for all candidate users
- MIM hotfix 4.5. or greater (see the version history for announcements)
Azure AD Multi-Factor Authentication Server Configuration
This configuration requires a valid SSL certificate to be installed for the SDK.
Step 1: Download Azure AD Multi-Factor Authentication Server from the Azure portal
As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments.
Sign in to the Azure portal and follow the instructions in Getting started with MFA Server to download the Azure AD Multi-Factor Authentication Server.
Step 2: Generate activation credentials
Use the "Generate activation credentials to initiate use" link to generate activation credentials. Once generated, save them for later use.
Step 3: Install the Azure AD Multi-Factor Authentication Server
Once you've downloaded the server, install it. Your activation credentials will be required.
Step 4: Create your IIS Web Application that will host the SDK
- Open IIS Manager
- Create new Website called "MIM MFASDK", and link it to an empty directory.
- Open Multi-Factor Authentication Console and click on Web Service SDK.
- Once the wizard opens, click through the configuration and select the "MIM MFASDK" website and its application pool.
The wizard will require an admin group to be created. More information can be found in the Azure AD Multi-Factor Authentication Server documentation.
Next, import the MIM Service account. In the console, select "Users".
a. Click on "Import from Active Directory".
b. Navigate to the service account, such as "contoso\mimservice".
c. Click "Import" and "Close".
Edit the MIM Service account to enable it.
Update the IIS authentication on the "MIM MFASDK" website. First, disable the "Anonymous Authentication", then enable "Windows Authentication".
Final Step: Add the MIM service account to the "PhoneFactor Admins" group
Configuring the MIM Service for Azure AD Multi-Factor Authentication Server
Step 1: Patch Server to 18.104.22.168
Step 2: Back up and open MfaSettings.xml, located in "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service"
Step 3: Update the following lines
Remove or clear the following configuration entry lines:
Update or add the following lines in MfaSettings.xml:
Restart the MIM Service and test functionality with Azure AD Multi-Factor Authentication Server.
To revert the setting, replace MfaSettings.xml with the backup file you made in step 2.
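The Windows-administration parts of the procedure above (hardening the "MIM MFASDK" site so the SDK is not reachable anonymously, adding the service account to "PhoneFactor Admins", and taking a backup of MfaSettings.xml before editing it) can be scripted. This is an added example, not from the original article or the MIM product; it assumes the site name "MIM MFASDK", the account contoso\mimservice, and that the MIM Service runs as the Windows service "FIMService".

```powershell
#Requires -RunAsAdministrator
# Run Set-MfaSdkSiteSecurity on the MFA Server host (IIS site and local group)
# and Backup-MfaSettings on the MIM Service host. Names are assumptions.
Import-Module WebAdministration

function Set-MfaSdkSiteSecurity {
    param(
        [string]$SiteName = 'MIM MFASDK',            # assumed IIS site name
        [string]$ServiceAccount = 'contoso\mimservice'  # assumed MIM service account
    )
    # MIM calls the SDK under the service account's Windows identity, so the
    # site must refuse anonymous callers and require Windows Authentication.
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

    # Read the effective values back instead of assuming the change applied.
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$auth/anonymousAuthentication" -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$auth/windowsAuthentication" -Name enabled
    if ($anon.Value -or -not $win.Value) {
        throw "IIS authentication on '$SiteName' was not applied as expected"
    }

    # MFA Server authorises SDK callers through its local "PhoneFactor Admins"
    # group; add the service account only if it is not already a member.
    $members = (Get-LocalGroupMember -Group 'PhoneFactor Admins').Name
    if ($members -notcontains $ServiceAccount) {
        Add-LocalGroupMember -Group 'PhoneFactor Admins' -Member $ServiceAccount
    }
}

function Backup-MfaSettings {
    param(
        [string]$Path = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service\MfaSettings.xml'
    )
    # Parsing as [xml] fails loudly if the file is already damaged, so you do
    # not back up (and later revert to) a broken configuration.
    $null = [xml](Get-Content -Path $Path -Raw)
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $backup
    return $backup   # keep this path: it is the file the revert step restores
}
```

After editing MfaSettings.xml as described in Step 3, run `Restart-Service FIMService` on the MIM Service host before testing.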