Use Azure Multi-Factor Authentication Server to activate PAM or SSPR
The following document describes how to set up the Azure Multi-Factor Authentication Server as a second layer of security when your users activate roles in Privileged Access Management or Self-Service Password Reset.
Important
In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests. Customers of Azure Multi-Factor Authentication Server should instead plan to move to either a custom MFA provider, or Windows Hello or smartcard-based authentication in AD. To use a different MFA provider, see the article on how to use the Custom multifactor authentication API.
This article outlines the configuration update and the steps for moving an existing MIM deployment from the previous SDK to the Azure Multi-Factor Authentication Server.
Prerequisites
In order to migrate to use Azure Multi-Factor Authentication Server with MIM, you need:
- Internet access from each MIM Service or Azure Multi-Factor Authentication Server providing PAM and SSPR, to contact the Microsoft Entra multifactor authentication service
- An Azure subscription
- An existing installation that is already using the SDK from July 2019 or earlier
- Microsoft Entra ID P1 or P2 licenses for candidate users
- Phone numbers for all candidate users
- MIM hotfix 4.5 or greater; see the version history for announcements
Azure Multi-Factor Authentication Server Configuration
Note
In the configuration you will need a valid SSL certificate installed for the SDK.
Step 1: Download Azure Multi-Factor Authentication Server from the Azure portal
Important
As of July 1, 2019, Microsoft no longer offers Azure Multi-Factor Authentication Server for new deployments.
Sign in to the Azure portal and follow the instructions in Getting started with Azure Multi-Factor Authentication Server to download Azure Multi-Factor Authentication Server.
Step 2: Generate activation credentials
Use the "Generate activation credentials to initiate use" link to generate activation credentials. Once generated, save them for later use.
Step 3: Install the Azure Multi-Factor Authentication Server
Once you've downloaded the server, install it. Your activation credentials will be required.
Step 4: Create your IIS Web Application that will host the SDK
Open IIS Manager
Create a new website called "MIM MFASDK" and link it to an empty directory.
Open the Multi-Factor Authentication Server Console and click on Web Service SDK.
Once the wizard opens, click through the configuration and select the "MIM MFASDK" website and its application pool.
Note
The wizard requires an admin group to be created. More information can be found in the Azure Multi-Factor Authentication Server documentation.
Next, import the MIM Service account. In the console, select "Users".
a. Click on "Import from Active Directory".
b. Navigate to the service account, such as "contoso\mimservice".
c. Click "Import" and "Close".
Edit the MIM Service account to enable it.
Update the IIS authentication on the "MIM MFASDK" website. First, disable the "Anonymous Authentication", then enable "Windows Authentication".
Final step: Add the MIM service account to the "PhoneFactor Admins" group.
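The authentication change and the group membership from Step 4 can be scripted and, more importantly, verified before the MIM Service is pointed at the site. The following PowerShell is an added example, not code from the original article or from Microsoft; it assumes it runs elevated on the Azure Multi-Factor Authentication Server host after the Web Service SDK wizard has created the "MIM MFASDK" site, and it uses the article's placeholder service account "contoso\mimservice".

```powershell
# Added example (not part of the original article): apply and verify the Step 4
# IIS authentication settings and "PhoneFactor Admins" membership for the SDK site.
# Assumptions: elevated session on the MFA Server host, WebAdministration module
# available, site already created by the Web Service SDK wizard, placeholder account.
Import-Module WebAdministration

$siteName       = 'MIM MFASDK'
$serviceAccount = 'contoso\mimservice'   # placeholder from the article
$authPath       = 'system.webServer/security/authentication'

function Set-SiteAuth {
    param([string]$Site, [string]$Scheme, [bool]$Enabled)
    # $Scheme is the IIS section name: anonymousAuthentication or windowsAuthentication.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$authPath/$Scheme" -Name 'enabled' -Value $Enabled
}

function Get-SiteAuth {
    param([string]$Site, [string]$Scheme)
    (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
        -Filter "$authPath/$Scheme" -Name 'enabled').Value
}

if (-not (Get-Website -Name $siteName)) {
    throw "Website '$siteName' not found; create it and run the Web Service SDK wizard first."
}

# The SDK endpoint must not accept anonymous callers; only Windows-authenticated
# callers (in practice the MIM Service account) should reach it.
Set-SiteAuth -Site $siteName -Scheme 'anonymousAuthentication' -Enabled $false
Set-SiteAuth -Site $siteName -Scheme 'windowsAuthentication'   -Enabled $true

# Membership in the local "PhoneFactor Admins" group is what authorizes the
# service account at the SDK; add it only if it is not already a member.
$members = Get-LocalGroupMember -Group 'PhoneFactor Admins' -ErrorAction Stop
if (-not ($members | Where-Object { $_.Name -ieq $serviceAccount })) {
    Add-LocalGroupMember -Group 'PhoneFactor Admins' -Member $serviceAccount
}

# Verification: all of these must hold before the MIM Service uses this site.
# An HTTPS binding is needed because the MIM Service calls the SDK over TLS.
$state = [pscustomobject]@{
    Site                  = $siteName
    AnonymousAuthEnabled  = Get-SiteAuth -Site $siteName -Scheme 'anonymousAuthentication'
    WindowsAuthEnabled    = Get-SiteAuth -Site $siteName -Scheme 'windowsAuthentication'
    HttpsBinding          = (Get-WebBinding -Name $siteName -Protocol 'https').bindingInformation
    ServiceAccountInGroup = [bool](Get-LocalGroupMember -Group 'PhoneFactor Admins' |
                                Where-Object { $_.Name -ieq $serviceAccount })
}
$state | Format-List

if ($state.AnonymousAuthEnabled -or -not $state.WindowsAuthEnabled -or
    -not $state.HttpsBinding -or -not $state.ServiceAccountInGroup) {
    Write-Warning "The '$siteName' site is not yet configured as Step 4 requires."
}
```

The final object is the check worth keeping in a runbook: anonymous authentication off, Windows authentication on, an HTTPS binding present (the SSL certificate noted at the top of this section), and the service account in the admin group. Any one of these missing means the SDK is either unreachable for MIM or reachable by more than MIM.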
Configuring the MIM Service for Azure Multi-Factor Authentication Server
Step 1: Patch the server to 4.5.202.0
Step 2: Back up and open MfaSettings.xml, located in "C:\Program Files\Microsoft Forefront Identity Manager\2010\Service"
Step 3: Update the following lines
Remove or clear the following configuration entries:
<LICENSE_KEY></LICENSE_KEY>
<GROUP_KEY></GROUP_KEY>
<CERT_PASSWORD></CERT_PASSWORD>
<CertFilePath></CertFilePath>
Update or add the following lines in MfaSettings.xml:
<Username>mimservice@contoso.com</Username>
<LOCMFA>true</LOCMFA>
<LOCMFASRV>https://CORPSERVICE.contoso.com:9999/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx</LOCMFASRV>
Restart the MIM Service and test functionality with Azure Multi-Factor Authentication Server.
Note
To revert the setting, replace MfaSettings.xml with the backup file from step 2.
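Steps 2 and 3 above (back up the file, clear the previous entries, set the local MFA Server entries, restart the service) can be carried out as one script so that the backup is always taken before the edit. The following PowerShell is an added example, not code from the original article or from Microsoft. It assumes MfaSettings.xml has no XML namespace, that the MIM Service runs as the Windows service "FIMService", and it uses the article's placeholder account UPN and SDK URL.

```powershell
# Added example (not part of the original article): apply the MfaSettings.xml edit
# from Steps 2 and 3 with a backup taken first, then restart the MIM Service and
# probe the SDK URL. Assumptions: no XML namespace in the file, MIM Service runs
# as the "FIMService" Windows service, placeholder UPN and URL from the article.
$serviceDir   = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Service'
$settingsPath = Join-Path $serviceDir 'MfaSettings.xml'
$backupPath   = "$settingsPath.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

$username = 'mimservice@contoso.com'   # placeholder from the article
$sdkUrl   = 'https://CORPSERVICE.contoso.com:9999/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx'

# Refuse a plain-HTTP SDK URL: the SDK call carries the service account's
# credentials and the user's verification outcome, so it must stay on TLS.
if (-not $sdkUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "LOCMFASRV must be an https:// URL; got '$sdkUrl'."
}

# Step 2: keep a backup; reverting is copying this file back over MfaSettings.xml.
Copy-Item -LiteralPath $settingsPath -Destination $backupPath -ErrorAction Stop
Write-Host "Backup written to $backupPath"

[xml]$cfg = Get-Content -LiteralPath $settingsPath -Raw
$root = $cfg.DocumentElement

function Set-SettingElement {
    param([System.Xml.XmlDocument]$Doc, [System.Xml.XmlElement]$Parent,
          [string]$Name, [string]$Value)
    # Set the element's text, creating the element if the file does not have it yet.
    $node = $Parent.SelectSingleNode($Name)
    if ($null -eq $node) { $node = $Parent.AppendChild($Doc.CreateElement($Name)) }
    $node.InnerText = $Value
}

# Step 3a: clear the entries that belonged to the previous SDK configuration.
foreach ($name in 'LICENSE_KEY', 'GROUP_KEY', 'CERT_PASSWORD', 'CertFilePath') {
    Set-SettingElement -Doc $cfg -Parent $root -Name $name -Value ''
}

# Step 3b: point the MIM Service at the local Azure MFA Server SDK.
Set-SettingElement -Doc $cfg -Parent $root -Name 'Username'  -Value $username
Set-SettingElement -Doc $cfg -Parent $root -Name 'LOCMFA'    -Value 'true'
Set-SettingElement -Doc $cfg -Parent $root -Name 'LOCMFASRV' -Value $sdkUrl

$cfg.Save($settingsPath)

# Restart the MIM Service so the new settings are read.
Restart-Service -Name 'FIMService' -Force

# Functional check: the SDK endpoint should answer a Windows-authenticated request.
# Run this part as the MIM Service account for a meaningful result, since only
# members of "PhoneFactor Admins" are expected to be accepted by the SDK.
try {
    $resp = Invoke-WebRequest -Uri $sdkUrl -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
    Write-Host "SDK endpoint answered with HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "SDK endpoint check failed: $($_.Exception.Message)"
}
```

The script clears rather than deletes the four old elements, which matches the empty-element form shown in Step 3; if the original file is later needed, the timestamped backup is the file to copy back, as the note above describes.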