In Part 1 and Part 2 of this series we have covered the migration from ADFS v3 to ADFS 2016. In this series we will continue our venture in configuring Azure MFA in ADFS 2016.
Azure MFA – What is it about?
It is a bit confusing when we mention that we need to enable Azure MFA on ADFS. Technically, this method is actually integrating Azure MFA with ADFS. MFA itself is authenticating on Azure AD, however, ADFS is prompting you enter an MFA code which will be verified with the Azure AD to sign you in.
In theory, this by itself is not a multi-factor authentication. When users choose to login with a multi-factor authentication on ADFS, they’re not prompted to enter a password, they simply will login with the six digit code they receive on their mobile devices.
Is this secure enough? Arguably. Of course users had to previously set up their MFA to be able to login by choosing this method, but if someone has control or possession of your device they could simply login with the six digit code. Assuming the device is not locked, or MFA is setup to receive calls or messages (on some phones message notifications will appear on the main display), almost anyone could login.
Technically, this is how Azure MFA will look once integrated with the ADFS server. I will outline the process below, and show you how we got this far.
Once you select Azure Multi-Factor Authentication you will be redirected to another page
And when you click on “Sign In” you will simply sign in to the Office or Azure Portal, without any other prompt.
The whole idea here is not much about security as much as it is about simplicity.
Integrating Azure MFA on ADFS 2016
Important note before you begin: Before integrating Azure MFA on ADFS 2016, please be aware that users should already have setup MFA using the Microsoft Authenticator mobile app. Or they can do it while first signing in, after being redirected to the ADFS page. The aim of this post is to use the six digit code generated by the mobile app.
If users have MFA setup to receive calls or texts, the configuration in this blog (making Azure MFA as primary) will not support that. To continue using SMS or a call, whilst using Azure MFA, the “Azure MFA” need to be configured as a secondary authentication method, under “Multi-Factor”, and “Azure MFA” under “Primary” should be disabled.
Integrating Azure MFA on ADFS 2016, couldn’t be any easier. All that is required, is running few PowerShell cmdlets and enabling the authentication method.
Before we do so however, let’s have a look at our current authentication methods.
As you have noticed, that we couldn’t enable Azure MFA without first configuring Azure AD Tenant.
The steps below are intended to be performed on all AD FS servers in the farm.
Step 1: Open PowerShell and connect to your tenant by running the following:
Step 2: Once connected, you need to run the follow cmdlets to configure the AAD tenant:
[code language=”PowerShell”]$cert = New-AdfsAzureMfaTenantCertificate -TenantID swayit.onmicrosoft.com[/code]
When successful, head to the Certificate snap in, and check that a certificate with the name of your tenant has been added in the Personal folder.
Step 3: In order to enable the AD FS servers to communicate with the Azure Multi-Factor Auth Client, you need to add the credentials to the SPN for the Azure Multi-Factor Auth Client. The certificate that we generated in a previsou step, will serve as these credentials.
To do so run the following cmdlet:
[code language=”PowerShell”]New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $cert[/code]
Note that the GUID 981f26a1-7f43-403b-a875-f8b09b8cd720 is not made up, and it is the GUID for the Azure Multi Factor Authentication client. So you basically can copy/paste the cmdlet as is.
Step 4: When you have completed the previous steps, you can now configure the ADFS Farm by running the following cmdlet:
[code language=”PowerShell”]Set-AdfsAzureMfaTenant -TenantId swayit.onmicrosoft.com -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720[/code]
Note how we used the same GUID from the previous step.
When that is complete, restart the ADFS service on all your ADFS farm servers.
net stop adfssrv
net start adfssrv
Head back to your ADFS Management Console and open the Authentication method and you will notice that Azure MFA has been enabled, and the message prompt disappeared.
If the Azure MFA Authentication methods were not enabled, then enable them manually and restart the services again (on all your ADFS servers in the farm).
Now that you have completed all the steps, when you try and access Office 365 or the Azure Portal you will be redirected to the pages posted above.
Choose Azure Multi-Factor Authentication
Enter the six digit code you have received.
And then you’re signed in.
By now you have completed migrating from ADFS v3 to ADFS 2016, and in addition have integrated Azure MFA authentication with your ADFS farm.
The last part in this series will be about WAP 2012 R2 upgrade to WAP 2016. So please make sure to come back tomorrow and check in details the upgrade process.
I hope you’ve enjoyed the posts so far. For any feedback or questions, please leave a comment below.