
Leverage Azure MFA Server with AD FS in Windows Server 2012 R2
Overview Technical Article

Microsoft France
Published: January 2014 (Updated: February 2017)
Version: 1.2

Author: Philippe Beraud (Microsoft France)
Contributors/Reviewers: Daniel Pasquier, Jean-Yves Grasset (Microsoft France), Philippe Maurent (Microsoft Corporation)

For the latest information, please see www.windowsazure.com/en-us/services/multi-factor-authentication

Copyright © 2017 Microsoft Corporation. All rights reserved.

Abstract: With escalating IT security threats and a growing number of users, Software-as-a-Service (SaaS) applications, and devices, multi-factor authentication is becoming the new standard for securing access and how businesses ensure trust in a multi-device, mobile, cloud world. Passwords that are not strong enough are easily compromised, and the consumerization of IT along with the Bring-Your-Own-Device (BYOD) trend has only increased the scope of vulnerability. Regulatory agencies agree and have mandated its use across a broad range of industries.

Azure Multi-Factor Authentication (Azure MFA) helps reduce organizational risk and enable regulatory compliance by providing an extra layer of authentication in addition to a user’s account credentials. For that purpose, it leverages for the additional authentication a convenient form factor that users already have (and care about): their phone. During sign in, users must also authenticate using the mobile app or by responding to an automated phone call or text message before access is granted. An attacker would need to know the user’s password and be in possession of the user’s phone to sign in. As a solution for both cloud-based and on-premises applications, Azure MFA can notably be used as part of Azure Active Directory authentication.

Table of Contents

INTRODUCTION ... 3
  OBJECTIVES OF THIS PAPER ... 5
  NON-OBJECTIVES OF THIS PAPER ... 7
  ORGANIZATION OF THIS PAPER ... 7
  ABOUT THE AUDIENCE ... 7
BUILDING A TEST LAB ENVIRONMENT ... 8
  CREATING AN AZURE AD/OFFICE 365 TEST TENANT ... 9
  BUILDING THE “ON-PREMISES” TEST LAB ENVIRONMENT ... 9
TESTING AND EVALUATING THE AZURE MFA SERVER ... 15
  CREATING AN AZURE MFA PROVIDER ... 15
  DOWNLOADING THE AZURE MFA SERVER ON THE AD FS FARM ... 17
  INSTALLING THE AZURE MFA SERVER ON THE AD FS FARM ... 18
  CONFIGURING MULTI-FACTOR AUTHENTICATION ON THE AD FS FARM ... 20
  INSTALLING THE MULTI-FACTOR AUTHENTICATION SDK ON THE AD FS FARM (OPTIONAL) ... 37
  DEPLOYING THE AZURE MFA SERVER USER PORTAL ON THE WAP FARM (OPTIONAL) ... 43
  DEPLOYING THE AZURE MFA SERVER MOBILE APP WEB SERVICE ON THE WAP FARM (OPTIONAL) ... 49


Introduction

Today many organizations use on-premises multi-factor authentication systems to protect mission critical data in their file servers and their critical Line of Business (LOB) applications. As these workloads (or parts of them) move to the cloud, they need an effective and easy-to-use solution in the Cloud for protecting:

That data in the Microsoft services, such as Office 365 and Dynamics 365, or other Software-as-a-Service (SaaS) applications they’ve subscribed to,

The custom cloud-based Line of Business (LOB) applications - on Azure or in other clouds -,

And the modern business applications1 they’ve created.

Passwords in use are often not strong enough, and the consumerization of IT has only increased the scope of vulnerability. Multi-factor authentication is becoming the new standard for securing access and how businesses ensure trust in a multi-device, mobile, cloud world.

Note Not only do the above organizations need multi-factor authentication for their employees, but many of them are also increasingly opening their environment to their partners as part of their business-to-business (B2B) relationships, and building cloud-based applications for consumers and citizens (B2C) that require multi-factor authentication to ensure a high level of security. These B2B and B2C scenarios are growing rapidly and require easy end-user technology.

Furthermore, multi-factor authentication is no longer optional for many of the above organizations; many are required by various governing or regulatory agencies to strongly authenticate access to sensitive data and applications across a broad range of industries. In such a landscape, phone-based authentication constitutes a very compelling technical approach for multi-factor authentication, as it provides enhanced security for businesses and consumers in a convenient form factor that the user already has: their phone.

Azure Multi-Factor Authentication (Azure MFA)2 addresses user demand for a simple sign-in process while also helping address the organization's security and compliance standards. The service offers enhanced protection from malware threats, and real-time alerts notify your IT department of potentially compromised account credentials. Azure MFA helps to deliver strong security via a range of easy authentication options. Thus, in addition to entering a username and password during sign in, enabled users are also required to authenticate with a mobile app on their mobile device or via an automated phone call or a text message, allowing these users to choose the method that works best for them. Consequently, in order for an attacker to gain access to a user’s account, they would need to know the user’s login credentials AND be in possession of the user’s phone. Furthermore, support for the above multiple methods makes it possible to cover more scenarios, such as offline (no carrier) scenarios.

Azure MFA exists in different flavors:

Azure MFA stand-alone.

Included in Azure AD Premium P1 and Premium P2 editions.

1 Modern business applications: https://www.microsoft.com/en-us/cloud-platform/mobile-application-development
2 Azure Multi-Factor Authentication: http://azure.microsoft.com/en-us/services/multi-factor-authentication/


A subset of Azure MFA functionality included in Office 365 for both administrators and users.

Free for Azure administrators.

Whilst Azure MFA is powered by a cloud service, the stand-alone version as well as the one included in Azure AD Premium support on-premises, cloud, and hybrid scenarios. The following solutions are indeed available for use with Azure MFA:

Adding Multi-Factor Authentication to Azure AD. Azure MFA works with any applications that use the Azure AD directory tenants. As such, Azure MFA can be rapidly enabled for Azure AD identities to help secure access to:

The Azure portal, Microsoft Online Services like Office 365, Intune, and Dynamics 365, etc.,

Any custom LOB, third-party multi-tenant cloud-based, or modern business applications that integrate with Azure AD for authentication,

As well as thousands3 (2797 at the time of this writing) of cloud SaaS pre-integrated applications like ADP, Concur, Google Apps, Salesforce.com and others.

Users will be prompted to set up additional verification the next time they sign in.

Note For more information, see article GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION IN THE CLOUD 4.

The white paper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD 5 describes how to enable, configure, and use Azure MFA with such cloud users in Azure AD for securing resource access in the Cloud.

Enabling Multi-Factor Authentication for on-premises applications and Windows Server. The Azure Multi-Factor Authentication Server (Azure MFA Server) works out-of-the-box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. This includes:

Microsoft products and technologies like Microsoft VPN/RRAS, Remote Desktop Services and Remote Desktop Gateway, Universal Access Gateway, SharePoint, Outlook Web Access, etc.

As well as third party VPNs and virtual desktop systems.

The Azure MFA Server allows the administrator to integrate with IIS authentication to secure Microsoft IIS web applications, as well as with RADIUS authentication, LDAP authentication, and Windows authentication. The Azure MFA Server can be run on-premises on your existing hardware (as a virtual machine (VM) or not), or in the cloud, for instance as an Azure Virtual Machine. Multiple, redundant servers can be configured for high availability and fail-over.

3 Azure Active Directory Applications: https://azure.microsoft.com/en-us/marketplace/active-directory/
4 GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION IN THE CLOUD: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-cloud
5 AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391


Note For more information, see article GETTING STARTED WITH THE AZURE MULTI-FACTOR AUTHENTICATION SERVER 6.

Building Multi-Factor Authentication into custom applications. A Software Development Kit (SDK) is available for direct integration with custom cloud-based and on-premises applications. It makes it possible to build Multi-Factor Authentication phone call and text message verification into the application’s sign-in or transaction processes while leveraging the application’s existing user database.

Note For more information, see article BUILDING MULTI-FACTOR AUTHENTICATION INTO CUSTOM APPS (SDK) 7.

Objectives of this paper

As an addition to the aforementioned white paper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD, and for an organization that is federated with Azure AD, this paper aims at describing how to use Azure MFA Server with Active Directory Federation Services (AD FS) in Windows Server 2012 R2, and how to configure it to secure cloud resources such as Office 365 and Dynamics 365 so that federated users will be prompted to set up additional verification the next time they sign in on-premises.

Important note Integration between Azure MFA and AD FS in Windows Server 2016 doesn’t require the on-premises Azure MFA Server components. In Windows Server 2016, the Azure MFA adapter rather integrates directly with Azure AD for all the MFA configuration. For more information, see article CONFIGURE AD FS 2016 AND AZURE MFA 8.

Such a scenario typically complements the directory synchronization with single sign-on (SSO), a.k.a. identity federation, scenario that can be achieved with the Azure AD Connect tool, and which aims at providing users with one of the supported seamless sign-in experiences as they access Microsoft cloud services and/or other cloud-based applications while logged on to the corporate network.

Note For more information, see whitepaper AZURE AD/OFFICE SEAMLESS SIGN-IN 9.

This integration requires configuring the Azure MFA Server components to work with AD FS in Windows Server 2012 R2 so that multi-factor authentication is triggered on-premises, or in an Infrastructure-as-a-Service (IaaS) cloud environment such as Azure as per WHITE PAPER: OFFICE 365 ADAPTER - DEPLOYING OFFICE 365 SINGLE SIGN-ON USING AZURE VIRTUAL MACHINES 10.

6 CONFIGURE AD FS 2016 AND AZURE MFA: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa
7 BUILDING MULTI-FACTOR AUTHENTICATION INTO CUSTOM APPS (SDK): https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-sdk
8 GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION AND ACTIVE DIRECTORY FEDERATION SERVICES: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs
9 AZURE ACTIVE DIRECTORY/OFFICE 365 SEAMLESS SIGN-IN: https://www.microsoft.com/en-us/download/details.aspx?id=36391
10 WHITE PAPER: OFFICE 365 ADAPTER - DEPLOYING OFFICE 365 SINGLE SIGN-ON USING AZURE VIRTUAL MACHINES: https://technet.microsoft.com/en-us/library/dn509539.aspx


Note Such an integration is natively supported by AD FS in Windows Server 2012 R2. For more information, see articles GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION AND ACTIVE DIRECTORY FEDERATION SERVICES 11 and SECURE YOUR CLOUD AND ON-PREMISES RESOURCES USING AZURE MULTI-FACTOR AUTHENTICATION SERVER WITH AD FS IN WINDOWS SERVER 2012 R2 12.

Beyond this integration, this scenario additionally implies directory synchronization between the on-premises identity infrastructure (based on Windows Server Active Directory (AD) or on other (LDAP-based) directories) and the Azure MFA Server, to streamline user management and automate provisioning. This also requires deploying:

The on-premises Azure MFA Server user portal, which allows users to enroll in multi-factor authentication and maintain their accounts.

And optionally the Azure MFA Server mobile app web service, which is used in the Microsoft Authenticator mobile app activation process. The Microsoft Authenticator app offers an additional out-of-band authentication option.

Note For more information, see article MICROSOFT AUTHENTICATOR 13.

With all of the above, the enrolled federated users can use their on-premises corporate credentials (user name and password) and their existing phone for additional authentication to access Azure AD and any cloud-based application that is integrated into Azure AD as well as their existing on-premises resources.

Important note With the Azure MFA Server integration, only web browser based clients and Office clients that support modern authentication14 are supported. For clients that are not supported, such as legacy Office clients and Exchange ActiveSync (i.e. native email clients on mobile devices), customers are encouraged to move to the modern authentication equivalent.
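To make the on-premises trigger concrete, here is an added example that is not part of the original paper (its own step-by-step configuration comes later, in CONFIGURING MULTI-FACTOR AUTHENTICATION ON THE AD FS FARM). On an AD FS 2012 R2 farm node where the Azure MFA Server AD FS adapter is already installed, the following Windows PowerShell registers the adapter as an additional authentication provider and requires it for the Office 365 relying party trust whenever a request arrives from outside the corporate network, which is what happens when it comes through the WAP farm. The provider name WindowsAzureMultiFactorAuthentication and the relying party display name Microsoft Office 365 Identity Platform are assumptions; both are checked against the farm before anything is changed.

```powershell
# Added example (not from the original paper): wire the Azure MFA Server AD FS adapter into the
# AD FS 2012 R2 farm's authentication policy. Run in an elevated Windows PowerShell session on a
# farm node (e.g. ADFS1) after the adapter has been installed on every node of the farm.
Import-Module ADFS

# Assumption: this is the name the Azure MFA Server adapter registers with AD FS.
# Verify it against the list of registered providers before relying on it.
$providerName = 'WindowsAzureMultiFactorAuthentication'
$registered = Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name
if ($registered -notcontains $providerName) {
    throw "Provider '$providerName' is not registered. Registered providers: $($registered -join ', ')"
}

# Offer the adapter as an additional (second-factor) provider farm-wide. Note that this
# parameter sets the whole list, so include any other provider you already rely on.
# Nothing is enforced yet: enforcement comes from additional authentication rules.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providerName

# Assumption: default display name of the Office 365 relying party trust created by Azure AD Connect.
$rpName = 'Microsoft Office 365 Identity Platform'
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found; check Get-AdfsRelyingPartyTrust." }

# Require MFA only when the request did not originate inside the corporate network, i.e. when the
# Web Application Proxy forwarded it. AD FS issues the insidecorporatenetwork claim itself.
$extranetMfaRule = @'
@RuleName = "Require MFA for Office 365 from the extranet"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# -AdditionalAuthenticationRules replaces whatever rules the trust already carries,
# so surface them before overwriting and merge by hand if needed.
if ($rp.AdditionalAuthenticationRules) {
    Write-Warning "Existing additional authentication rules on '$rpName' will be replaced:`n$($rp.AdditionalAuthenticationRules)"
}
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $extranetMfaRule

# Read the configuration back.
Get-AdfsGlobalAuthenticationPolicy | Select-Object -ExpandProperty AdditionalAuthenticationProvider
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

The rule only decides when AD FS asks the adapter for a second factor; the user still has to exist in the Azure MFA Server (through the directory synchronization described above) and to have enrolled a phone or the mobile app, otherwise the second-factor step fails. Dropping the insidecorporatenetwork condition turns the rule into "always require MFA for Office 365", which is the stricter choice when the WAP farm is not the only path to the federation service.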

Built on existing Microsoft documentation and knowledge base articles, this document provides a complete walkthrough to build a suitable test lab environment in Azure, and to test and evaluate the above scenario. It provides additional guidance where needed.

Note For more information, see article USING MULTI-FACTOR AUTHENTICATION WITH AZURE AD 15.

Non-objectives of this paper

This document doesn’t introduce Azure MFA. Such a presentation is provided in the aforementioned whitepaper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD 16. Nor does this document discuss how to configure Azure MFA for cloud identities in Azure AD to secure cloud-based resources; this scenario is also covered in detail in the above whitepaper. Nor does it describe how to configure the advanced settings and reports of the service. All of these are also covered in the above whitepaper. For more information, please refer to it.

As already mentioned, the Azure MFA Server also works out-of-the-box with a wide range of on-premises applications, such as remote access VPNs, web applications, virtual desktops, single sign-on systems and much more. Those scenarios are not discussed in this document.

11 GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION AND ACTIVE DIRECTORY FEDERATION SERVICES: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs
12 WALKTHROUGH GUIDE: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280946.aspx
13 MICROSOFT AUTHENTICATOR: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to
14 Modern authentication: https://aka.ms/modernauthga
15 USING MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://technet.microsoft.com/en-us/library/jj713614.aspx
16 LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391

Note For more information, see links in section § NEXT STEPS of the article GETTING STARTED WITH THE AZURE MULTI-FACTOR AUTHENTICATION SERVER 17.

Organization of this paper

To cover the aforementioned objectives, this document is organized in the following two sections:

BUILDING A TEST LAB ENVIRONMENT.

TESTING AND EVALUATING THE AZURE MFA SERVER.

These sections provide the details necessary to build a working environment for the Azure MFA Server. They must be followed in order.

About the audience

This document is intended for system architects and IT professionals who are interested in understanding how to enable and configure the Azure MFA Server for Azure AD federated users to help secure access to cloud resources such as Office 365.

17 GETTING STARTED WITH THE AZURE MULTI-FACTOR AUTHENTICATION SERVER: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server


Building a test lab environment

As its title suggests, this section guides you through a set of instructions required to build a representative test lab environment that will be used in the next section to configure, test, and evaluate multi-factor authentication in AD FS in Windows Server 2012 R2.

Considering the services, products, and technologies that make up such a cross-premises configuration, the test configuration should feature:

In the cloud, an Azure AD/Office 365 tenant, and cloud-based applications that leverage Azure AD for identity management and access control,

On-premises, Windows Server Active Directory, Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), and Internet Information Services (IIS), to name a few, and the related required configuration.

The following diagram provides an overview of the overall test lab environment with the software and service components that need to be deployed / configured.

[Figure: overview of the test lab environment. Corporate network, Internal-sn subnet (10.0.0.0/24): AD DS forest with DC1 (10.0.0.101, AD DS and Azure AD Connect) and DC2 (10.0.0.102, AD DS and AD CS); AD FS farm with ADFS1 (10.0.0.201) and ADFS2 (10.0.0.202) behind an internal load balancer (10.0.0.200). Perimeter network, DMZ-sn subnet (10.0.1.0/24): WAP farm with WAP1 (10.0.1.101) and WAP2 (10.0.1.102) behind an Internet load balancer with a public IP address. Firewalls separate the corporate network, the perimeter network and the Internet; Office 365 and Azure Active Directory sit on the Internet side of the corporate boundary.]

We have tried to streamline and ease as much as possible the way to build a suitable test lab environment, and consequently to reduce the number of instructions that tell you what servers to create, how to configure the operating systems and core platform services, and how to install and configure the required core services, products and technologies, and, in the end, to reduce the overall effort needed for such an environment. We hope that the provided experience will enable you to see all of the components and the configuration steps, both on-premises and in the cloud, that go into such a multi-product, multi-service solution.

Creating an Azure AD/Office 365 test tenant

The easiest way to provision both an Azure AD/Microsoft Office 365 Enterprise18 tenant and the related Office application workloads for the purpose of the test lab is to sign up for a free 30-day trial. To sign up for such a tenant, follow the instructions at https://go.microsoft.com/fwlink/p/?LinkID=403802&culture=en-US&country=US.

18 Office 365 Enterprise: https://products.office.com/en-us/business/office-365-enterprise-e3-business-software


For the course of this walkthrough, we’ve provisioned an Office 365 Enterprise (E3) tenant: litware369.onmicrosoft.com. You will have to choose in lieu of it a tenant domain name of your choice that is currently not in use. Whenever a reference to litware369.onmicrosoft.com is made in a procedure, it has to be replaced by the tenant domain name of your choice to reflect the change in naming accordingly.

Building the “on-premises” test lab environment

A challenge in creating a useful on-premises test lab environment is to enable its reusability and extensibility. Because creating a test lab can represent a significant investment of time and resources, your ability to reuse and extend the work required to create the test lab is important. An ideal test lab environment would enable you to create a basic lab configuration, save that configuration, and then build out multiple test lab scenarios in the future by starting with the base configuration. Moreover, another challenge people usually face relates to the hardware configuration needed to run such a base configuration, which involves several (virtual) machines.

For these reasons and considering the above objectives, this document leverages the Microsoft Azure environment along with the Azure PowerShell cmdlets to build the on-premises test lab environment to test and evaluate the Azure Multi-Factor Authentication Server.

Signing up for an Azure trial

If you do not already have an Azure account, you can sign up for a free one-month trial19.

Note If you have an MSDN Subscription, see article AZURE BENEFIT FOR MSDN SUBSCRIBERS 20.

Note Once you have completed your trial tenant signup, you will be redirected to the Azure account portal21 and can proceed to the Azure portal by clicking Portal at the top right corner of your screen.

Adding the Azure trial to the Office 365 account

Once you have signed up and established your organization with an account in Office 365 Enterprise E3, you can then add an Azure trial subscription to your Office 365 account. This can be achieved by accessing the Azure Sign Up page at https://account.windowsazure.com/SignUp with your Office 365 global administrator account. You need to select Sign in with your organizational account for that purpose.

Note You can log into the Office 365 administrator portal and go to the Azure Signup page or go directly to the signup page, select sign in with an organizational account and log in with your Office 365 global administrator credentials. Once you have completed your trial tenant signup you will be redirected to the Azure account portal and can proceed to the Azure portal by clicking Portal at the top right corner of your screen.

At this stage, you should have an Office 365 Enterprise E3 trial subscription with an Azure trial subscription.

19 CREATE YOUR FREE AZURE ACCOUNT TODAY: https://azure.microsoft.com/en-us/free/
20 MONTHLY AZURE CREDIT FOR VISUAL STUDIO SUBSCRIBERS: https://azure.microsoft.com/en-us/pricing/member-offers/msdn-benefits-details/
21 Azure account portal: https://account.windowsazure.com/Subscriptions


Setting up the Azure-based lab environment

Part 4 or Part 4bis of the whitepaper AZURE AD/OFFICE 365 SEAMLESS SIGN-IN 22 fully depicts the setup of such an environment. In order not to “reinvent the wheel”, this document leverages the instrumented end-to-end walkthrough provided in the above whitepaper to roll out a working single sign-on configuration for Azure AD/Office 365 with AD FS featuring the Azure AD Connect23 tool.

Note Azure AD Connect provides a single and unified wizard that streamlines the overall onboarding process for directory synchronization (single or multiple directories), password sync and/or single sign-on, and that automatically performs the following steps: download and setup of all the prerequisites; download, setup and guided configuration of the synchronization; activation of the sync in the Azure AD tenant; setup and/or configuration of AD FS (AD FS being the preferred STS); etc. Azure AD Connect is the one stop shop for connecting your on-premises directories to Azure AD, whether you are evaluating, piloting, or in production. For more information, see blog post AZURE AD CONNECT & CONNECT HEALTH IS NOW GA! 24, and article CONNECT ACTIVE DIRECTORY WITH AZURE ACTIVE DIRECTORY 25.

By following the instructions outlined in this whitepaper along with the provided Azure/Windows PowerShell scripts, you should be able to successfully prepare your Azure-based lab environment based on virtual machines (VMs) running in Azure to later deploy and configure the Azure MFA Server environment, install and configure it with AD FS in Windows Server 2012 R2, etc. and start evaluating/using it.

Important note Individual virtual machines (VMs) are needed to separate the services provided on the network and to clearly show the desired functionality. This being said, the suggested configuration to later evaluate the Azure MFA Server is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab networking environment. Any modifications that you make to the configuration details provided in the rest of this document may affect or limit your chances of successfully setting up the on-premises environment that will serve as the basis for the integration with the Azure MFA service in the Cloud. Microsoft has successfully built the suggested environment with Azure IaaS and Windows Server 2012 R2 virtual machines.

Once you have completed the aforementioned whitepaper’s walkthrough, you’ll have in place an environment with a federated domain in the Azure AD tenant (e.g. litware369.onmicrosoft.com); the whitepaper has opted to configure the domain litware369.com (LITWARE369). You will have to choose in lieu of it a domain name of your choice whose DNS domain name is currently not in use on the Internet. For checking purposes, you can for instance use the domain search capability provided by several popular domain name registrars. Whenever a reference to litware369.com is made in a procedure later in this document, it has to be replaced by the DNS domain name of your choice to reflect the change in naming accordingly. Likewise, any reference to LITWARE369 should be substituted by the NetBIOS domain name of your choice.

22 AZURE AD/OFFICE 365 SEAMLESS SIGN-IN: http://www.microsoft.com/en-us/download/details.aspx?id=36391
23 Azure Active Directory Connect: http://www.microsoft.com/en-us/download/details.aspx?id=47594
24 AZURE AD CONNECT & CONNECT HEALTH IS NOW GA!: https://blogs.technet.microsoft.com/enterprisemobility/2015/06/24/azure-ad-connect-connect-health-is-now-ga/
25 CONNECT ACTIVE DIRECTORY WITH AZURE ACTIVE DIRECTORY: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

The Azure-based test lab infrastructure consists of the following components:

[Figure: Azure-based test lab infrastructure. Virtual network adfs-infra-vnet (10.0.0.0/16) with two subnets. Internal-sn (10.0.0.0/24), protected by the Internal-sn-nsg network security group: availability set addc-as with virtual machines dc1 (10.0.0.101) and dc2 (10.0.0.102); availability set adfs-as with virtual machines adfs1 (10.0.0.201) and adfs2 (10.0.0.202) behind the internal load balancer adfs-lb (10.0.0.200). DMZ-sn (10.0.1.0/24), protected by the DMZ-sn-nsg network security group: an availability set (labelled adfs-as in the figure) with virtual machines wap1 (10.0.1.101) and wap2 (10.0.1.102) behind the Internet load balancer wap-lb (public IP address wapLbPip).]

Two computers running Windows Server 2012 R2 (or Windows Server 2016), named DC1 and DC2 by default, that will be configured as domain controllers with test user and group accounts, and as Domain Name System (DNS) servers. DC1 will host Azure AD Connect for the sync between the Azure-based test lab infrastructure and the Azure AD/Office 365 subscription. DC2 will additionally be configured as an enterprise root certification authority (PKI server),

Two intranet member servers running Windows Server 2012 R2 (or Windows Server 2016), named ADFS1 and ADFS2 by default, that will be configured as an AD FS farm.

Two Internet-facing member servers running Windows Server 2012 R2 (or Windows Server 2016), named WAP1 and WAP2 by default, that will be configured as the Web Application Proxy (WAP) farm.

Note Windows Server 2012 R2 offers businesses and hosting providers a scalable, dynamic, and multitenant-aware infrastructure that is optimized for the cloud. For more information, see the Microsoft TechNet Windows Server 2012 R2 homepage26.

For the sake of simplicity, the same password “Pass@word1!?” is used throughout the configuration. This is neither mandatory nor recommended in a real world scenario. To perform all the tasks in this guide, we will use the LITWARE369 domain Administrator account AzureAdmin on each Windows Server 2012 R2 VM, unless instructed otherwise.

The base configuration should now be complete at this stage if you’ve followed the whitepaper’s walkthrough.

26 WINDOWS SERVER 2012 R2: http://technet.microsoft.com/en-US/windowsserver/hh534429


To avoid spending your credit when you don’t work on the test lab, you can shut down the 6 VMs (DC1, DC2, ADFS1, ADFS2, WAP1 and WAP2) when you don’t work on the test lab.To shut down the VMs of the test lab environment, proceed with the following steps:

1. Open a browsing session and navigate to the Azure portal at https://portal.azure.com.

2. Sign in with your administrative credentials to the Azure subscription in which you have deployed the test lab environment.

3. On the left pane of the Azure portal, click virtual machines.

4. On the virtual machine page, select wap1. A new blade opens up.

5. Click Stop. A dialog pops up.

6. Click Yes to confirm the shutdown.

7. Repeat steps 4 to 6 with wap2, adfs2, adfs1, dc2, and then dc1.

To resume working on the test lab environment, you will then need to start the six VMs that constitute it. To start the VMs of the test lab environment, proceed with the following steps:

1. From the Azure portal, click virtual machines.

2. On the virtual machine page, select dc1. A new blade opens up.

3. Click Start.

4. Repeat steps 2 to 3 with dc2, adfs1, adfs2, wap1, and then wap2.
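The same stop and start sequence can be scripted with the AzureRM module that the article referenced below uses. The following is an added example, not part of the original walkthrough: it deallocates the VMs in the order given above (proxies first, domain controllers last) and starts them in the reverse order, waiting for each VM to report running before starting the next so that AD FS and WAP never come up without AD and DNS available. The resource group name adfs-infra-rg is an assumption; use the one the test lab was deployed into.

```powershell
# Added example (not part of the original walkthrough): stop and start the six
# test-lab VMs in dependency order with the AzureRM cmdlets.
Import-Module AzureRM.Compute

$ResourceGroup = 'adfs-infra-rg'   # assumed name of the test-lab resource group

# Dependants stop first; the domain controllers stop last and start first.
$StopOrder  = 'wap1', 'wap2', 'adfs2', 'adfs1', 'dc2', 'dc1'
$StartOrder = 'dc1', 'dc2', 'adfs1', 'adfs2', 'wap1', 'wap2'

function Get-VmPowerState {
    param([string]$Name)
    # The instance view carries a PowerState/* status code per VM.
    (Get-AzureRmVM -ResourceGroupName $ResourceGroup -Name $Name -Status).Statuses |
        Where-Object { $_.Code -like 'PowerState/*' } |
        Select-Object -ExpandProperty Code
}

function Stop-TestLab {
    foreach ($vm in $StopOrder) {
        # Stop-AzureRmVM deallocates by default, which is what stops the billing;
        # -Force skips the confirmation prompt.
        Stop-AzureRmVM -ResourceGroupName $ResourceGroup -Name $vm -Force | Out-Null
        Write-Host "$vm is now $(Get-VmPowerState $vm)"
    }
}

function Start-TestLab {
    foreach ($vm in $StartOrder) {
        Start-AzureRmVM -ResourceGroupName $ResourceGroup -Name $vm | Out-Null
        # Do not start the next VM until this one reports running.
        do {
            Start-Sleep -Seconds 10
            $state = Get-VmPowerState $vm
        } until ($state -eq 'PowerState/running')
        Write-Host "$vm is running"
    }
}

Login-AzureRmAccount          # interactive sign-in to the subscription
Stop-TestLab                  # when leaving the test lab
# Start-TestLab               # when resuming work on it
```

Run the script from a machine that has the AzureRM module installed (not from a test-lab VM, since the script stops them); Login-AzureRmAccount prompts for the same administrative credentials used in the portal.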

Note For more information, see article MANAGE VIRTUAL MACHINES USING AZURE RESOURCE MANAGER AND POWERSHELL 27.

27 MANAGE VIRTUAL MACHINES USING AZURE RESOURCE MANAGER AND POWERSHELL: https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-ps-manage


You are now in a position to install and configure the Azure MFA Server environment on your on-premises test lab environment.


Testing and evaluating the Azure MFA Server

This walkthrough provides instructions for configuring multi-factor authentication in AD FS in Windows Server 2012 R2. It is based on the “on-premises” test lab environment deployed in Azure as per the previous section.

Note For the purpose of this document, we leverage the existing walkthrough in the article MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS 28, adapt it to the Office 365 context in lieu of the sample application ClaimApp, and extend it to illustrate the deployment of additional Azure MFA components, namely the user portal, the SDK, and the mobile app web service. For more information, see that article.

It consists of the following seven steps that must be followed in order:

1. Creating an Azure MFA provider.
2. Downloading the Azure MFA Server on the AD FS farm.
3. Installing the Azure MFA Server on the AD FS farm.
4. Configuring multi-factor authentication on the AD FS farm.
5. Installing the Multi-Factor Authentication SDK on the AD FS farm (optional).
6. Deploying the Azure MFA Server user portal on the WAP farm (optional).
7. Deploying the Azure MFA Server mobile app web service on the WAP farm (optional).

The following subsections describe in the context of our test lab environment each of these steps.

Creating an Azure MFA provider

To create an Azure MFA provider via the classic Azure portal, proceed with the following steps:

1. Open a browsing session from your local machine and navigate to the classic Azure portal at https://manage.windowsazure.com.

2. Sign in with your administrative credentials.

3. On the left pane of the Azure portal, click ACTIVE DIRECTORY.

4. On the active directory page, at the top, click MULTI-FACTOR AUTH PROVIDERS.

5. Click CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER or click NEW in the tray at the bottom, and then select APP SERVICES, ACTIVE DIRECTORY, MULTI-FACTOR AUTH PROVIDER, and then QUICK CREATE.

28 OVERVIEW: MANAGE RISK WITH ADDITIONAL MULTI-FACTOR AUTHENTICATION FOR SENSITIVE APPLICATIONS: http://technet.microsoft.com/en-us/library/dn280949.aspx


6. Fill in the following fields and click CREATE.

a. Name. The name of the Azure MFA provider, for example “Litware369 Auth”.

b. Usage Model. The usage model of the Azure MFA provider. Choose it carefully: the usage model cannot be changed once the provider has been created.

   Per Authentication. This purchasing model charges per authentication, and is typically used for scenarios that use Azure MFA in a consumer-facing application.

   Per Enabled User. This purchasing model charges per enabled user, and is typically used for employee-facing scenarios.

Note For more information on usage models, see MULTI-FACTOR AUTHENTICATION PRICING DETAILS 29.

c. Directory. The Azure AD tenant that the Azure MFA provider is associated with. This is optional as the provider does not have to be linked to Azure AD when securing on-premises resources. Ensure Do not link a directory is selected.

7. Once you click CREATE, the Azure MFA provider is created and you should see a message stating: “Successfully created Multi-Factor Authentication Provider”. Click OK.

Note For more information, see article GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION IN THE CLOUD 30.

Next, you must download the Azure MFA Server. You can do this by launching the Azure MFA portal through the Azure portal.

29 MULTI-FACTOR AUTHENTICATION PRICING DETAILS: https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/

30 GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION IN THE CLOUD: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-cloud


Downloading the Azure MFA Server on the AD FS farm

The instructions below should be done on the ADFS1 and ADFS2 computers. To download the Azure MFA Server on the AD FS farm, proceed with the following steps:

1. Open a remote desktop connection as LITWARE369\AzureAdmin on the ADFS1 computer.

2. Open a browsing session and navigate to the Azure portal at https://manage.windowsazure.com.

3. Sign in with your administrative credentials.

4. On the left pane of the Azure portal, click ACTIVE DIRECTORY.

5. On the active directory page, at the top, click MULTI-FACTOR AUTH PROVIDERS.

6. Click the Azure MFA provider you have just created in the section above, and then click MANAGE in the tray at the bottom. This launches the Azure Multi-Factor Authentication portal at https://pfweb.phonefactor.net/framefactory.

7. Click Server under DOWNLOADS. You navigate to a Downloads Server page.

8. Click Download to download the setup file (MultiFactorAuthenticationServerSetup.exe) for Azure MFA Server.

9. Click Save to save the setup file.

10. Open a remote desktop connection as LITWARE369\AzureAdmin on the ADFS2 computer.

11. Repeat steps 2 to 9.

Note For more information, see article GETTING STARTED WITH THE AZURE MULTI-FACTOR AUTHENTICATION SERVER 31.

You are now ready to install the above setup file for Azure MFA Server on the ADFS1 and ADFS2 computers.

Installing the Azure MFA Server on the AD FS farm

The instructions below should be done on the ADFS1 and ADFS2 computers as instructed. To install the Azure MFA Server on the AD FS farm, proceed with the following steps:

1. Whilst still being remotely logged on the ADFS1 computer as LITWARE369\AzureAdmin, double-click the downloaded setup file (MultiFactorAuthenticationServerSetup.exe) to begin the installation.

31 GETTING STARTED WITH THE AZURE MULTI-FACTOR AUTHENTICATION SERVER: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server


2. The installation requires the Windows Server 2012 R2 Update (KB2919355)32, i.e. a cumulative set of security updates, critical updates and other updates.

Note For more information, see article WINDOWS RT 8.1, WINDOWS 8.1, AND WINDOWS SERVER 2012 R2 UPDATE: APRIL 2014 33.

Click OK to proceed. A new dialog invites you to install Visual C++ runtime libraries updates.

3. Click Install and proceed with the installation.

4. A Multi-Factor Authentication Server setup wizard then appears.

5. Ensure that the destination folder is correct and click Next.

32 WINDOWS SERVER 2012 R2 UPDATE (KB2919355): http://www.microsoft.com/downloads/details.aspx?familyid=373b1bb0-6d55-462e-98b7-6cb7d9ef1448

33 WINDOWS RT 8.1, WINDOWS 8.1, AND WINDOWS SERVER 2012 R2 UPDATE: APRIL 2014: https://support.microsoft.com/en-us/help/2919355/windows-rt-8.1,-windows-8.1,-and-windows-server-2012-r2-update-april-2014


6. Once the installation is complete, click Finish. As indicated, this launches the Multi-Factor Authentication Server Authentication Configuration wizard to configure the server. This is the topic of the next section.

7. Open a remote desktop connection as LITWARE369\AzureAdmin on the ADFS2 computer.

8. Repeat steps 1 to 6 on the ADFS2 computer.

You are now ready to configure the Azure MFA Server agent as an additional authentication method in AD FS in Windows Server 2012 R2 for the course of this walkthrough.

Configuring multi-factor authentication on the AD FS farm

The configuration of multi-factor authentication in AD FS in Windows Server 2012 R2 consists of:

1. Configuring Azure MFA Server on the primary federation server.
2. Configuring Azure MFA Server on the secondary federation server.
3. Setting up the multi-factor authentication policy.
4. Setting the MFA default behavior (optional).
5. Verifying the multi-factor authentication mechanism.

Configuring Azure MFA Server on the primary federation server

Unless noted otherwise, all the instructions below should be done on the ADFS1 computer. To configure Azure MFA Server on the ADFS1 computer, proceed with the following steps:

1. The completion of the installation of the Azure MFA Server launches the Multi-Factor Authentication Server Authentication Configuration wizard.

2. On the Welcome page, check Skip using the Authentication Configuration Wizard, and click Next. This closes the wizard as expected and the Multi-Factor Authentication Server user interface (MultiFactorAuthUI) appears.


3. To activate the Azure MFA Server, go back to the Downloads Server page in the Azure MFA portal where you’ve downloaded the setup file for the Azure MFA Server and click Generate Activation Credentials. Credentials valid for 10 minutes are then displayed underneath.

4. Back in the Azure MFA Server user interface, enter the credentials that were generated and click Activate. A Join Group dialog appears.

5. Click OK. Next, the Multi-Factor Authentication Server user interface prompts you to run the Multi-Server Configuration Wizard.

6. Select Yes. Since the test lab environment contains a farm of two federation servers, you must install the Azure MFA Server and complete the Multi-Server Configuration Wizard on each federation server in order to enable replication between the Azure MFA servers running on your AD FS servers.

7. Click Next.

8. Leave Active Directory and Certificates selected, and then click Next.

9. Leave all the options selected, and then click Next.


Note The Multi-Server Configuration wizard creates a security group called PhoneFactor Admins in the litware369.com AD and then adds the ADFS1 computer account and the AzureAdmin domain administrator account to this group. It is recommended that you verify on your domain controller that the PhoneFactor Admins group is indeed created and that the above accounts are members of this group. If necessary, add these accounts to the PhoneFactor Admins group on your domain controller manually. Membership of this group grants administrative access to the Azure MFA Server and to its Web Service SDK, so keep it restricted to the accounts that need it. For more details on installing the AD FS Adapter, click the Help link in the top right corner of the Azure MFA Server.
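The verification the note asks for can be done from PowerShell rather than by browsing Active Directory Users and Computers. The following is an added example, not part of the original walkthrough, to be run on DC1 (or any machine with the ActiveDirectory module): it checks that the PhoneFactor Admins group exists, adds the expected members if they are missing, and warns about any member beyond the expected set, since this group administers MFA. ADFS2$ is listed as expected because the wizard is run on ADFS2 as well later in the walkthrough; adjust the list to your environment.

```powershell
# Added example (not part of the original walkthrough): verify and repair the
# membership of the PhoneFactor Admins group created by the Multi-Server
# Configuration Wizard.
Import-Module ActiveDirectory

function Confirm-PhoneFactorAdmins {
    param(
        [string]$GroupName = 'PhoneFactor Admins',
        # Expected members: the federation server computer accounts and AzureAdmin.
        [string[]]$ExpectedMembers = @('ADFS1$', 'ADFS2$', 'AzureAdmin')
    )
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        throw "Group '$GroupName' does not exist: rerun the Multi-Server Configuration Wizard"
    }

    $current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
    $missing = $ExpectedMembers | Where-Object { $current -notcontains $_ }
    foreach ($sam in $missing) {
        # Computer accounts have a SamAccountName ending with '$' and are
        # resolved with Get-ADComputer; everything else is looked up as a user.
        $principal = if ($sam.EndsWith('$')) {
            Get-ADComputer -Identity $sam.TrimEnd('$')
        } else {
            Get-ADUser -Identity $sam
        }
        Add-ADGroupMember -Identity $group -Members $principal
        Write-Host "Added $sam to $GroupName"
    }

    # Anyone beyond the expected set can administer MFA: flag them for review.
    $extra = $current | Where-Object { $ExpectedMembers -notcontains $_ }
    if ($extra) { Write-Warning "Unexpected members of ${GroupName}: $($extra -join ', ')" }

    return (Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
}

Confirm-PhoneFactorAdmins
```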

10. Click Next.

11. Click Finish. The ADFS1 computer restarts.

12. Once the reboot completes, launch Multi-Factor Authentication Server (MultiFactorAuthUI.exe). The file is located under C:\Program Files\Multi-Factor Authentication Server. The Multi-Factor Authentication Server user interface opens.


13. In the Multi-Factor Authentication Server user interface, select Company Settings and review the options; most of them can be left at their default value.

You can see in User defaults the support for a variety of options like phone call, one-way text message with One Time Passwords (OTPs), two-way text messaging, mobile app, third-party OATH token, etc.

14. Now select Users on the left pane.


15. Click Import from Active Directory. An Import from Active Directory window appears.

16. Expand litware369.com, and then select Users underneath.

17. Select the Robert Hatley test account to provision it in Azure MFA, and then click Import. An Import from Active Directory dialog appears.


18. Click OK, and then click Close.

19. Back in the Users list, select the Robert Hatley test account, and click Edit. An Edit User window appears.

20. Select the appropriate country code in Country Code and provide the cell phone number for this account in Phone, make sure Enabled is checked, click Apply, and then Close.

21. Back in the Users list, select the Robert Hatley test account, and click Test. A Test User dialog appears.

22. Provide the credentials (e.g. “Pass@word1!?”) for the Robert Hatley test account and click Test. When the cell phone rings, press “#” to complete the account verification. An information dialog confirms the successful authentication.

23. Click OK and click Close.


24. Back in the Multi-Factor Authentication Server user interface, select the AD FS icon.

25. Make sure that Allow user enrollment, Allow users to select method (including Phone call, Text message, and Mobile app), Use security questions for fallback and Enable logging are checked, and then click Install AD FS Adapter. An Install ADFS Adapter installation wizard appears. Note that security-question fallback lets a user complete the second factor with knowledge-based answers; it is convenient for a test lab but weakens the MFA guarantee in production.

26. In the Active Directory page, click Next.


27. In the Launch installer page, click Next. A Multi-Factor Authentication ADFS Adapter installation wizard appears.

28. Click Next.

29. In the Installation Complete page, click Close.

30. To register the adapter in the federation service on the ADFS1 computer, open a Windows PowerShell command prompt, and run the following commands:

PS C:\> cd "C:\Program Files\Multi-Factor Authentication Server"
PS C:\> .\Register-MultiFactorAuthenticationAdfsAdapter.ps1
WARNING: PS0114: The authentication provider was successfully registered with the policy store. To enable this provider, you must restart the AD FS Windows Service on each server in the farm.
PS C:\>


The adapter is now registered as WindowsAzureMultiFactorAuthentication. As the warning indicates, you must restart the AD FS service (adfssrv) on each server in the farm for the registration to take effect.

31. Run the following command to restart the AD FS service:

PS C:\> Restart-Service adfssrv
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to stop...
WARNING: Waiting for service 'Active Directory Federation Services (adfssrv)' to start...
PS C:\>

32. Close the Windows PowerShell command prompt and launch the AD FS Management console from the Tools menu of the Server Manager to finally configure Azure MFA as the additional authentication method.


33. Navigate to the Authentication Policies node, scroll down in the middle pane to the Multi-factor Authentication section.


34. Click Edit next to the Global Settings sub-section. An Edit Global Authentication Policy window appears.

35. Select Azure Multi-factor Authentication Server as an additional authentication method, and then click OK.


Note You can customize the name and description of the Azure MFA method, as well as any configured third-party authentication method, as it appears in your AD FS UI, by running the Set-AdfsAuthenticationProviderWebContent cmdlet. For more information, see article SET- ADFSAUTHENTICATIONPROVIDERWEBCONTENT 34.
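Steps 31 to 35 can also be done entirely from PowerShell, which is more convenient on a farm where adfssrv has to be restarted on every node. The following is an added example, not part of the original walkthrough: it confirms that the adapter is registered under the name WindowsAzureMultiFactorAuthentication, adds it to the additional authentication providers of the global policy without dropping any provider already enabled, and restarts the AD FS service on both federation servers. It assumes PowerShell remoting (WinRM) is enabled from ADFS1 to ADFS2 and that it runs on the primary federation server, where Set-AdfsGlobalAuthenticationPolicy is allowed.

```powershell
# Added example (not part of the original walkthrough): enable the Azure MFA
# adapter as an additional authentication provider and restart adfssrv farm-wide.
Import-Module ADFS

$ProviderName = 'WindowsAzureMultiFactorAuthentication'
$FarmServers  = 'ADFS1', 'ADFS2'   # the two federation servers of the test lab

function Enable-AzureMfaProvider {
    # 1. The adapter must have been registered with the policy store first.
    $registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $ProviderName }
    if (-not $registered) {
        throw "Provider $ProviderName is not registered: run Register-MultiFactorAuthenticationAdfsAdapter.ps1 first"
    }

    # 2. Add it to the global policy, keeping any provider already enabled.
    $policy = Get-AdfsGlobalAuthenticationPolicy
    if ($policy.AdditionalAuthenticationProvider -notcontains $ProviderName) {
        $providers = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ }) + $ProviderName
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
    }

    # 3. Registration lives in the configuration database, but each node only
    #    loads providers at service start, so restart adfssrv on every node.
    foreach ($server in $FarmServers) {
        Invoke-Command -ComputerName $server -ScriptBlock { Restart-Service adfssrv }
    }

    return (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
}

Enable-AzureMfaProvider
```

The returned list should contain WindowsAzureMultiFactorAuthentication; if it does not, the Set call ran on a secondary server, which cannot write to the configuration database.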

Configuring Azure MFA Server on the secondary federation server

To configure Azure MFA Server on the ADFS2 computer, proceed with the following steps:

1. Repeat steps 1 to 6 of the previous section on the ADFS2 computer. The Multi-Server Configuration Wizard opens.

2. Complete it on the ADFS2 computer in order to enable replication between the Azure MFA servers running on your AD FS servers.

3. Restart the ADFS2 computer when invited to do so.

4. Once the reboot completes, launch Multi-Factor Authentication Server (MultiFactorAuthUI.exe). The file is located under C:\Program Files\Multi-Factor Authentication Server. A dialog inviting you to restart again may appear.

5. Click Yes.

6. Once the reboot completes, relaunch Multi-Factor Authentication Server.

34 SET-ADFSAUTHENTICATIONPROVIDERWEBCONTENT: https://technet.microsoft.com/en-us/library/dn479401.aspx


The ADFS1 and ADFS2 computers should both be listed.

Setting up the multi-factor authentication policy

To set up the multi-factor authentication policy, proceed with the following steps on the ADFS1 computer:

1. Open an elevated Windows PowerShell command prompt and run the following command to retrieve the Office 365 relying party:

PS C:\> $rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"

2. Run the following command to specify the claim rule:

PS C:\> $groupMfaClaimTriggerRule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-2309203066-2729394637-456832893-3109$"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'

3. Run the following command to set the claim rule on the Office 365 relying party:

PS C:\> Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $groupMfaClaimTriggerRule


Note Make sure to replace S-1-5-21-2309203066-2729394637-456832893-3109 in the rule above with the SID of your own Finance AD group, and do not leave a space between (?i) and the SID: the pattern is a .NET regular expression and a stray space would never match. The rule only triggers MFA for members of that group; a user outside the group signs in with a single factor, so review the group membership as carefully as the rule itself.
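Rather than pasting the SID by hand, the rule can be built from the group name and read back after it has been set. The following is an added example, not part of the original walkthrough: it resolves the Finance group SID with the ActiveDirectory module, checks that the generated pattern really matches that SID, applies the rule to the Office 365 relying party and returns what AD FS stored. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is present on ADFS1 and that the relying party is named as in the text.

```powershell
# Added example (not part of the original walkthrough): build and apply the
# group-triggered MFA rule for the Office 365 relying party from a group name.
Import-Module ActiveDirectory
Import-Module ADFS

function New-GroupMfaTriggerRule {
    param([Parameter(Mandatory)][string]$GroupName)

    $sid = (Get-ADGroup -Identity $GroupName).SID.Value

    # Claim-rule regexes are .NET regexes: (?i) must be immediately followed by
    # the pattern, and Escape() guarantees the SID is matched literally.
    $pattern = '^(?i)' + [regex]::Escape($sid) + '$'
    if ($sid -notmatch $pattern) { throw "Generated pattern does not match $sid" }

@"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "$pattern"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
}

function Set-Office365GroupMfa {
    param(
        [string]$GroupName = 'Finance',
        [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform'
    )
    $rule = New-GroupMfaTriggerRule -GroupName $GroupName

    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party '$RelyingPartyName' not found" }

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rule

    # Read back what AD FS actually stored; the secondary server picks it up at
    # its next configuration sync.
    return (Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).AdditionalAuthenticationRules
}

Set-Office365GroupMfa -GroupName 'Finance'
```

The output should be the rule with the Finance group SID in it; if it is empty, the Set call was run against a secondary federation server, which cannot write the configuration.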

Setting the MFA default behavior (optional)

The default multi-factor authentication behavior for federated Azure AD/Office 365 tenants is set to occur in the cloud, where in the past it was set to occur on-premises. You can change this behavior by downloading the latest version of the Azure AD PowerShell V1 module35 (e.g. version 1.1.166.0 as of this writing), a.k.a. the Microsoft Online (MSOL) library, and running the commands below.

Note The Azure AD PowerShell V1 module is regularly updated with new features and functionality. The above link should always point to the most current version of the module. For more information, see the Microsoft Wiki article MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY 36.

Important note The Azure AD PowerShell V1 module is going to be progressively replaced by the Azure Active Directory V2 PowerShell module, currently in public preview. For more information, see blog post IN CASE YOU MISSED IT: #AZUREAD POWERSHELL V2.0 IS NOW IN PUBLIC PREVIEW! 37 and the article AZURE ACTIVE DIRECTORY V2 POWERSHELL MODULE 38.

To perform multi-factor authentication on-premises for litware369.com, run the following command on the ADFS1 computer:

PS C:\> Set-MsolDomainFederationSettings -DomainName litware369.com -SupportsMFA $true

Setting SupportsMFA to true means that Azure AD redirects the user to AD FS for multi-factor authentication whenever multi-factor authentication is required and the token does not carry a claim of type “http://schemas.microsoft.com/claims/authnmethodsreferences” with the value “http://schemas.microsoft.com/claims/multipleauthn”, the so-called MFA claim.

35 AZURE AD POWERSHELL V1: http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185

36 MICROSOFT AZURE ACTIVE DIRECTORY POWERSHELL MODULE VERSION RELEASE HISTORY: https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx

37 IN CASE YOU MISSED IT: #AZUREAD POWERSHELL V2.0 IS NOW IN PUBLIC PREVIEW!: https://blogs.technet.microsoft.com/enterprisemobility/2016/10/13/in-case-you-missed-it-azuread-powershell-v2-0-is-now-in-public-preview/

38 AZURE ACTIVE DIRECTORY V2 POWERSHELL MODULE: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory


To perform multi-factor authentication in the cloud for litware369.com, run the following command:

PS C:\> Set-MsolDomainFederationSettings -DomainName litware369.com -SupportsMFA $false

Setting SupportsMFA to false means that Azure AD performs multi-factor authentication natively (again assuming multi-factor authentication is required and the MFA claim is missing). If the flag is not set, it is assumed to be false. Users are never prompted for MFA twice: if multi-factor authentication was already done at AD FS as part of the sign-in, the MFA claim is present in the token and Azure AD does not ask for multi-factor authentication again. Azure AD trusts that claim from the federated identity provider, so the integrity of the AD FS configuration, and of the claim rules that issue it, is what the cloud-side decision ultimately rests on.

Note For more information, see article GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION AND ACTIVE DIRECTORY FEDERATION SERVICES 39.
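Since an unset flag silently means "cloud", it is worth reading the current value back before and after changing it. The following is an added example, not part of the original walkthrough: it wraps the two Set-MsolDomainFederationSettings commands above in a function that reports where MFA will happen for the domain and fails loudly if the change did not apply. It uses the MSOnline (Azure AD PowerShell V1) module referred to in the text; Connect-MsolService prompts for a Global Administrator of the tenant.

```powershell
# Added example (not part of the original walkthrough): inspect and switch the
# SupportsMFA federation setting for a federated domain, verifying the result.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a tenant Global Administrator

function Get-MfaLocation {
    param([string]$DomainName = 'litware369.com')
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    # Azure AD treats an unset SupportsMFA exactly like $false: MFA in the cloud.
    if ($settings.SupportsMFA -eq $true) { 'on-premises (AD FS)' } else { 'cloud (Azure AD)' }
}

function Set-MfaLocation {
    param(
        [string]$DomainName = 'litware369.com',
        [Parameter(Mandatory)][ValidateSet('OnPremises', 'Cloud')][string]$Location
    )
    $onPrem = ($Location -eq 'OnPremises')
    Set-MsolDomainFederationSettings -DomainName $DomainName -SupportsMFA $onPrem

    # Read the setting back instead of trusting a silent cmdlet.
    $after    = Get-MfaLocation -DomainName $DomainName
    $expected = if ($onPrem) { 'on-premises (AD FS)' } else { 'cloud (Azure AD)' }
    if ($after -ne $expected) { throw "SupportsMFA change did not apply; MFA still happens $after" }
    return $after
}

"Before: $(Get-MfaLocation)"
"After:  $(Set-MfaLocation -Location OnPremises)"
```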

Verifying the multi-factor authentication mechanism

To verify the multi-factor authentication policy, proceed with the following steps:

1. Close the current remote desktop connection if any on the Internet-facing WAP1 computer and open a new one as LITWARE369\RobertH with “Pass@word1!?” as password.

2. Open a browsing session and add https://adfs.litware369.com to the Local Intranet zone.

3. Navigate to the Office 365 portal at https://portal.office.com.

4. Log on with the Robert Hatley test account credentials: Username: [email protected]

39 GETTING STARTED WITH AZURE MULTI-FACTOR AUTHENTICATION AND ACTIVE DIRECTORY FEDERATION SERVICES: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs


You should be automatically redirected to the ADFS farm. At this point, after a successful seamless authentication with your local user credentials (thanks to the Windows Integrated Authentication), you are prompted to undergo additional authentication because of the previously configured multi-factor authentication policy.

5. When the cell phone rings, press “#” to complete the account verification.

6. You are then redirected back to the portal after a successful authentication with both your local user credentials (thanks to Windows Integrated Authentication (WIA)) and the multi-factor authentication. At the end of the process, you should have seamless access to the signed-in user's settings in Office 365. If you are not prompted for the second factor at all, first check that the Robert Hatley account is a member of the AD group whose SID the claim rule matches.

At this stage, you have successfully deployed the Azure MFA Server in your environment. You can optionally deploy the Azure MFA Server user portal and the Azure MFA Server mobile app web service.

The Azure MFA Server user portal is an Internet Information Services (IIS) web site which allows on-premises users to enroll in Azure MFA and maintain their on-premises accounts. A user may change their phone number, change their PIN, or bypass Azure MFA during their next sign-on. Because the portal is reachable from the Internet and lets a user grant themselves a one-time bypass, treat it as a sensitive endpoint and log its use.

Users log in to the Azure MFA Server user portal using their normal on-premises username and password and either complete an Azure MFA call or answer security questions to complete the authentication. If user enrollment is allowed, a user configures their phone number and PIN the first time they log in to the Azure MFA Server user portal. Corporate administrators may be set up and granted permission to add new users and update existing users.

The Azure MFA Server mobile app web service enables users to install the Microsoft Authenticator app on their smartphone from the Azure MFA Server user portal. In our configuration, this requires first installing the Multi-Factor Authentication SDK.

Installing the Multi-Factor Authentication SDK on the AD FS farm (optional)

The installation of the Multi-Factor Authentication SDK consists of:

1. Installing the Multi-Factor Authentication SDK on the primary federation server.
2. Installing the Multi-Factor Authentication SDK on the secondary federation server.
3. Testing the Multi-Factor Authentication SDK configuration.

Installing the Multi-Factor Authentication SDK on the primary federation server

All the instructions should be done on the ADFS1 computer.

Installing the prerequisites

To install the Web Server (IIS) service role, proceed with the following steps:


1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.

2. Launch Server Manager.

3. Click Manage, and then select Add Roles and Features. The Add Roles and Features Wizard opens.

4. Click Next.

5. Leave Role-based or feature-based installation selected, and click Next.


6. Click Next.

7. Under Web Server (IIS), select ASP.NET 4.5 under Application Development, IIS 6 Metabase Compatibility under Management Tools, and Basic Authentication under Security. Accept the installation of all the dependencies.

8. Click Next, and then proceed with the installation.

Once complete, you can then install the Multi-Factor Authentication SDK.
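The same role services can be installed and verified from PowerShell, which is handier since the identical prerequisites are needed on ADFS2 and, for the user portal, on WAP1 and WAP2. The following is an added example, not part of the original walkthrough: it maps the three wizard selections above to their Windows Server 2012 R2 feature names, installs only what is missing, and re-checks the installed state rather than trusting the cmdlet's return code alone.

```powershell
# Added example (not part of the original walkthrough): install the IIS role
# services required by the Web Service SDK and the user portal, then verify.
Import-Module ServerManager

$Required = @(
    'Web-Server',      # Web Server (IIS)
    'Web-Asp-Net45',   # Application Development > ASP.NET 4.5
    'Web-Metabase',    # Management Tools > IIS 6 Metabase Compatibility
    'Web-Basic-Auth'   # Security > Basic Authentication (used by the SDK; only safe over HTTPS)
)

function Install-MfaWebPrerequisites {
    $missing = Get-WindowsFeature -Name $Required | Where-Object { -not $_.Installed }
    if (-not $missing) {
        Write-Host 'All prerequisites already installed'
        return $true
    }

    # -IncludeManagementTools pulls in the IIS Management Console, the
    # equivalent of accepting the dependencies in the Add Roles wizard.
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if (-not $result.Success) { throw "Feature installation failed: exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required to finish the installation' }

    # Re-check the actual state instead of trusting the return code alone.
    $still = Get-WindowsFeature -Name $Required | Where-Object { -not $_.Installed }
    if ($still) { Write-Warning "Still missing: $($still.Name -join ', ')" }
    return (-not $still)
}

Install-MfaWebPrerequisites
```

Run it on each server that hosts the SDK or the user portal; it returns $true once all four features report as installed.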

Installing the Multi-Factor Authentication SDK

To install the Multi-Factor Authentication SDK, proceed with the following steps:

1. Open the Multi-Factor Authentication Server.

2. Click the Web Service SDK icon.


3. Click Install Web Service SDK. A Multi-Factor Authentication Web Service SDK installation wizard appears. If the above prerequisites are satisfied, the Select Installation Address page is displayed.

4. Click Next.


5. Click Close.

The Web Service SDK (PfWsSdk) is configured to be secured with an SSL certificate. We thus need to configure HTTPS on the default web site. We already issued an adfs.litware369.com SSL certificate for the AD FS configuration.

Configuring HTTPS on the default web site

To configure HTTPS on the default web site, proceed with the following steps:

1. Open an elevated Windows PowerShell command prompt if none is open, and run the following command to add an SSL binding to the default web site:

PS C:\> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

2. Run the following command to associate the already issued adfs.litware369.com SSL certificate with the newly created SSL binding (if several certificates match, for example after a renewal, sort them by NotAfter so that the latest one is picked rather than the first one found):

PS C:\> Get-ChildItem cert:\LocalMachine\MY | where { $_.Subject -match "CN\=adfs.litware369.com" } | select -First 1 | New-Item IIS:\SslBindings\0.0.0.0!443

IP Address       Port Host Name  Store  Sites
----------       ---- ---------  -----  -----
0.0.0.0          443             MY     Default Web Site

PS C:\>


Installing the Multi-Factor Authentication SDK on the secondary federation server

Repeat all the steps outlined in section § INSTALLING THE MULTI-FACTOR AUTHENTICATION SDK ON THE PRIMARY FEDERATION SERVER on the ADFS2 computer.

Testing the Multi-Factor Authentication SDK configuration

To test the Multi-Factor Authentication SDK configuration, proceed with the following steps:

1. Close the current remote desktop connection if any on the Internet-facing WAP1 computer and open a new one as LITWARE369\AzureAdmin with “Pass@word1!?” as password.

2. Open a browsing session and navigate to the Web Service SDK (PfWsSdk) at https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx. A Windows Security dialog appears.

3. Provide the credentials for the LITWARE369\AzureAdmin administrator account:

Username: AzureAdmin
Password: Pass@word1!?

4. Click OK. The collection of operations supported by the Web Service SDK (PfWsSdk) should now be listed in the .asmx page.
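The browser check above can be turned into a repeatable test that also catches the two misconfigurations that matter for this endpoint: the SDK answering without credentials, and the SDK being reachable over plain HTTP, where Basic authentication would send the PhoneFactor Admins password in the clear. The following is an added example, not part of the original walkthrough, meant to be run from WAP1 (or any machine that resolves adfs.litware369.com); the URL and the account are the ones used in the text. Invoke-WebRequest refuses a certificate whose name does not match the URL, which is the same check the note on the SSL binding requires.

```powershell
# Added example (not part of the original walkthrough): verify that the Web
# Service SDK is reachable only over HTTPS and only with Basic authentication.
function Test-MfaWebServiceSdk {
    param(
        [string]$Url = 'https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx',
        [pscredential]$Credential = (Get-Credential -UserName 'LITWARE369\AzureAdmin' -Message 'PhoneFactor Admins member')
    )
    # 1. Never accept a plain-HTTP URL for this endpoint.
    if (([uri]$Url).Scheme -ne 'https') { throw 'The SDK URL must use https' }

    # 2. An unauthenticated request must be refused with 401.
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop | Out-Null
        throw 'SDK answered without credentials: check that only Basic authentication is enabled on it'
    } catch [System.Net.WebException] {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -ne 401) { throw "Unexpected status $status for an unauthenticated request" }
    }

    # 3. The authenticated request must succeed and the .asmx help page must
    #    list the service operations (links of the form PfWsSdk.asmx?op=...).
    $resp = Invoke-WebRequest -Uri $Url -Credential $Credential -UseBasicParsing -ErrorAction Stop
    if ($resp.StatusCode -ne 200) { throw "Authenticated request failed with $($resp.StatusCode)" }
    $ops = @($resp.Links | Where-Object { $_.href -like '*op=*' }).Count
    if ($ops -eq 0) { throw 'No operations listed: is this really the PfWsSdk.asmx page?' }

    return "OK: $ops operations listed over HTTPS with Basic authentication"
}

Test-MfaWebServiceSdk
```

A certificate name mismatch or an untrusted issuer surfaces as a WebException at step 2 with no HTTP status; fix the binding or the trust rather than disabling certificate validation in the script.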


Deploying the Azure MFA Server user portal on the WAP farm (optional)

The deployment of the Azure MFA Server user portal on the WAP farm consists of installing and configuring it on the two servers of the farm.

Installing the Azure MFA Server user portal on the first server in the WAP farm

Unless noted otherwise, all the instructions should be done on the Internet-facing WAP1 computer.

Before installing the Azure MFA Server user portal, ensure in Server Manager that, under Web Server (IIS), ASP.NET 4.5 under Application Development, IIS 6 Metabase Compatibility under Management Tools, and Basic Authentication under Security are installed. If this isn't the case, install them via the Server Manager tool, see section § INSTALLING THE PREREQUISITES.

To install and configure the Azure MFA Server user portal, proceed with the following steps:

1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.

2. Open a remote desktop connection on WAP1 if needed and log on as LITWARE369\AzureAdmin.


3. Open Windows Explorer on the ADFS1 computer and navigate to the folder where Azure MFA Server is installed (C:\Program Files\Multi-Factor Authentication Server by default). Choose the MultiFactorAuthenticationUserPortalSetup64.msi installation file, i.e. the 64-bit version, as appropriate for the WAP1 computer on which the Azure MFA Server user portal will be installed. Copy the installation file to the WAP1 computer.

4. On the WAP1 computer, the setup file must be run with administrator rights. Open an elevated Windows PowerShell command prompt and navigate to the location where the installation file was copied, for example the Desktop in our illustration:

PS C:\> cd .\Desktop

5. Run the MultiFactorAuthenticationUserPortalSetup64.msi installation file.

PS C:\> .\MultiFactorAuthenticationUserPortalSetup64.msi

A dialog pops up inviting you to install a Visual C++ redistributable x86 update.

6. Click Yes.


7. Click Save. Rename the file vc_redist.x86.exe, and then execute it.

8. Another dialog pops up inviting you to install a Visual C++ redistributable x64 update. Repeat step 7 above for the x64 redistributable.

9. Rerun the MultiFactorAuthenticationUserPortalSetup64.msi installation file. A Multi-Factor Authentication User Portal installation wizard eventually appears.

10. Click Next.

11. Click Close.


12. After finishing the install of the MultiFactorAuthenticationUserPortalSetup64.msi file, browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the web.config file with the editor of your choice.

13. Locate the appSettings section in the web.config file.

<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="pfup.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
    </sectionGroup>
  </configSections>
  <appSettings>
    <add key="USE_WEB_SERVICE_SDK" value="false"/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PATH" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PASSWORD" value=""/>
    <add key="OVERRIDE_PHONE_APP_WEB_SERVICE_URL" value=""/>
  </appSettings>
  …
</configuration>

14. Set the value of the following keys as follows:

a. USE_WEB_SERVICE_SDK: true

b. WEB_SERVICE_SDK_AUTHENTICATION_USERNAME: LITWARE369\AzureAdmin

c. WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD: Pass@word1!?

d. OVERRIDE_PHONE_APP_WEB_SERVICE_URL: https://www.litware369.com/MultiFactorAuthMobileAppWebService (see later in this document)

Note The username must be a member of the PhoneFactor Admins security group. Be sure to enter the username and password between the quotation marks of the value attribute at the end of the line (value=""/>). It is recommended to use a qualified username (e.g. domain\username).

15. Locate the pfup_pfwssdk_PfWsSdk setting.

<?xml version="1.0"?>
<configuration>
  …
  <applicationSettings>
    <pfup.Properties.Settings>
      <setting name="pfup_pfwssdk_PfWsSdk" serializeAs="String">
        <value>http://localhost:4898/PfWsSdk.asmx</value>
      </setting>
    </pfup.Properties.Settings>
  </applicationSettings>
</configuration>

Change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the ADFS farm, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration.


Note Since SSL is used for this connection, you must reference the Web Service SDK by server name and not by IP address: the SSL certificate will have been issued for the server name, and the URL used must match the name on the certificate. In our configuration, the adfs.litware369.com server name does resolve to an IP address from the Internet-facing WAP farm. Otherwise, add an entry to the hosts file on those servers that maps the name of the Azure MFA Server computers to their IP address.

Note The root certification authority litware369-DC2-CA certificate is imported into the Trusted Root Certification Authorities store of the WAP1 computer that will be our Azure MFA mobile app web service web server. Thus, it will trust the adfs.litware369.com certificate when initiating the SSL connection.

16. Save the web.config file after changes have been made.

Important note It is helpful to open a browsing session on WAP1 and navigate to the URL of the Web Service SDK that was entered into the web.config file, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration. If the browser can reach the web service successfully, it should prompt you for credentials as previously illustrated. Enter the username and password that were entered into the web.config file exactly as they appear in the file. Ensure that no certificate warnings or errors are displayed.

To test the Azure MFA Server user portal, proceed with the following steps:

1. Close the current remote desktop connection if any on the Internet-facing WAP1 computer and open a new one as LITWARE369\AzureAdmin with “Pass@word1!?” as password.

2. Open a browser session and navigate to https://www.litware369.com/MultiFactorAuth/.

3. Provide the credentials (e.g. “roberth” and “Pass@word1!?”) for the Robert Hatley test account and click Log In. When the cell phone rings, press “#” to complete the account verification. After a successful authentication, and once the security questions are answered, you can manage the account settings.

Note For more information, see article DEPLOY THE USER PORTAL FOR THE AZURE MULTI-FACTOR AUTHENTICATION SERVER 40.

Installing the Azure MFA Server user portal on the second server in the WAP farm

Repeat all the steps outlined in section § INSTALLING THE AZURE MFA SERVER USER PORTAL ON THE FIRST SERVER IN THE WAP FARM on the WAP2 computer.

40 DEPLOY THE USER PORTAL FOR THE AZURE MULTI-FACTOR AUTHENTICATION SERVER: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal

Deploying the Azure MFA Server mobile app web service on the WAP farm (optional)

The deployment of the Azure MFA Server mobile app web service on the WAP farm consists of installing and configuring it on the two servers of the farm.

Installing the Azure MFA Server mobile app web service on the first server of the WAP farm

To deploy the Azure MFA mobile app web service on the Internet-facing WAP1 computer, proceed with the following steps:

1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.

2. Open a remote desktop connection on WAP1 if needed and log on as LITWARE369\AzureAdmin.

3. Open Windows Explorer on the ADFS1 computer and navigate to the folder where the Azure MFA Server is installed (e.g. C:\Program Files\Windows Azure Multi-Factor Authentication). Choose the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi installation file as appropriate (64-bit version) for the WAP1 computer that Azure MFA Server mobile app web service will be installed on. Copy the installation file to the WAP1 computer.

4. On WAP1, the above installation file must be run with administrator rights. The easiest way to do this is to open a command prompt as an administrator and navigate to the location where the installation file was copied, for example the Desktop in our illustration.

PS C:\Users\AzureAdmin.LITWARE369> cd .\Desktop
PS C:\Users\AzureAdmin.LITWARE369\Desktop>

5. Run the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi installation file.

PS C:\Users\AzureAdmin.LITWARE369\Desktop> .\MultiFactorAuthenticationMobileAppWebServiceSetup64.msi
PS C:\Users\AzureAdmin.LITWARE369\Desktop>

A Multi-Factor Authentication User Portal installation wizard comes up.

6. Change the Site if desired and change the Virtual directory to a short name such as “PA”. A short virtual directory name is recommended since users must enter the Azure MFA Server mobile app web service URL into the mobile device during activation. Click Next.

7. Click Close.

8. After finishing the installation of the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi file, browse to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService (or the appropriate directory based on the virtual directory name) and edit the web.config file.

9. Locate the appSettings section in the web.config file.

<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
      <section name="pfup.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
    </sectionGroup>
  </configSections>
  <appSettings>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PATH" value=""/>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PASSWORD" value=""/>
  </appSettings>
  …
</configuration>

10. Set the value of the following keys as follows:

a. WEB_SERVICE_SDK_AUTHENTICATION_USERNAME: LITWARE369\AzureAdmin

b. WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD: Pass@word1!?

Note The username must be a member of the PhoneFactor Admins security group. Be sure to enter the username and password between the quotation marks of the value attribute at the end of the line (value=""/>). It is recommended to use a qualified username (e.g. domain\username).

11. Locate the pfpaws_pfwssdk_PfWsSdk setting.

<?xml version="1.0"?>
<configuration>
  …
  <applicationSettings>
    <pfpaws.Properties.Settings>
      <setting name="pfpaws_pfwssdk_PfWsSdk" serializeAs="String">
        <value>http://localhost:4898/PfWsSdk.asmx</value>
      </setting>
    </pfpaws.Properties.Settings>
  </applicationSettings>
</configuration>

Change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the ADFS farm, e.g. https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx in our configuration.

12. Save the web.config file after changes have been made.

Note Since the Azure MFA Server user portal is already installed on the farm, i.e. on the WAP1 and WAP2 computers, the username, password and URL of the Web Service SDK can be copied from the user portal’s web.config file.
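The following PowerShell is an added example, not code from the whitepaper or from the Azure MFA Server product. It does what the note above suggests: it reads the Web Service SDK username, password and URL from the user portal's web.config (settings prefix pfup) and writes them into the mobile app web service's web.config (settings prefix pfpaws), checking first that the SDK URL uses https and a DNS name rather than an IP address, as the earlier note requires. The two file paths and the sample values come from the steps above; the function names and everything else are assumptions to adapt to your own deployment.

```powershell
# Added example (not from the whitepaper): copy the Web Service SDK settings from one
# web.config to another. Paths and prefixes are assumptions taken from the steps above.

function Get-MfaSdkSettings {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        # 'pfup' for the user portal, 'pfpaws' for the mobile app web service
        [Parameter(Mandatory = $true)][ValidateSet('pfup', 'pfpaws')][string]$SettingsPrefix
    )
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $get = { param($key) $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$key']").GetAttribute('value') }
    $sdk = $cfg.SelectSingleNode(
        "/configuration/applicationSettings/$SettingsPrefix.Properties.Settings/setting[@name='${SettingsPrefix}_pfwssdk_PfWsSdk']/value")
    [pscustomobject]@{
        Username = & $get 'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME'
        Password = & $get 'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD'
        SdkUrl   = $sdk.InnerText
    }
}

function Set-MfaSdkSettings {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        [Parameter(Mandatory = $true)][ValidateSet('pfup', 'pfpaws')][string]$SettingsPrefix,
        [Parameter(Mandatory = $true)][string]$Username,
        [Parameter(Mandatory = $true)][string]$Password,
        [Parameter(Mandatory = $true)][string]$SdkUrl
    )
    # The SDK is reached over SSL: the URL must use https and a DNS name, because the
    # certificate was issued for the server name and an IP literal will never match it.
    $uri = [uri]$SdkUrl
    if ($uri.Scheme -ne 'https') { throw "SDK URL must use https: $SdkUrl" }
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
        throw "SDK URL must name the server, not an IP address: $SdkUrl"
    }
    if ($Username -notmatch '\\') { Write-Warning "Use a qualified username (domain\username): $Username" }

    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $values = @{
        WEB_SERVICE_SDK_AUTHENTICATION_USERNAME = $Username
        WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD = $Password
    }
    # Only the user portal has the USE_WEB_SERVICE_SDK switch (see its appSettings above).
    if ($SettingsPrefix -eq 'pfup') { $values['USE_WEB_SERVICE_SDK'] = 'true' }
    foreach ($key in $values.Keys) {
        $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        if ($null -eq $node) { throw "Key $key not found in $WebConfigPath" }
        $node.SetAttribute('value', $values[$key])
    }
    $sdk = $cfg.SelectSingleNode(
        "/configuration/applicationSettings/$SettingsPrefix.Properties.Settings/setting[@name='${SettingsPrefix}_pfwssdk_PfWsSdk']/value")
    if ($null -eq $sdk) { throw "Setting ${SettingsPrefix}_pfwssdk_PfWsSdk not found in $WebConfigPath" }
    $sdk.InnerText = $SdkUrl

    # Keep a copy of the previous file, then save. The file now holds a plaintext password:
    # leave it under the IIS folder's restrictive ACLs and do not copy it elsewhere.
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $cfg.Save($WebConfigPath)
}

# Usage on WAP1 (paths from the steps above; the user portal was configured first):
$portal = Get-MfaSdkSettings -WebConfigPath 'C:\inetpub\wwwroot\MultiFactorAuth\web.config' -SettingsPrefix 'pfup'
Set-MfaSdkSettings -WebConfigPath 'C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService\web.config' `
    -SettingsPrefix 'pfpaws' -Username $portal.Username -Password $portal.Password -SdkUrl $portal.SdkUrl
```

Both web.config files also carry the WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PATH and WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_FILE_PASSWORD keys shown above; where a client certificate is available, those avoid keeping the PhoneFactor Admins account password in clear text on the Internet-facing WAP servers.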

Installing the Azure MFA Server mobile app web service on the second server of the WAP farm

Repeat all the steps outlined in section § INSTALLING THE AZURE MFA SERVER MOBILE APP WEB SERVICE ON THE FIRST SERVER OF THE WAP FARM on the WAP2 computer.

Validating the configuration of the Azure MFA Server mobile app web service

To validate the configuration of the Azure MFA Server mobile app web service, open a browsing session from any computer connected to the Internet and navigate to the URL where the Azure MFA Server mobile app web service was installed (e.g. https://www.litware369.com/MultiFactorAuthMobileAppWebService/). Ensure that no certificate warnings or errors are displayed, as illustrated hereafter.
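The two checks the whitepaper asks for in a browser, the important note after step 16 of the user portal installation (reach the Web Service SDK URL by name, authenticate, no certificate warnings) and the validation of the mobile app web service URL just above, can be done from a PowerShell prompt with the added example below. It is not code from the whitepaper or from the product: the function name is an assumption, the URLs and the credential prompt reuse the values of the configuration above, and it relies only on .NET's SslStream and the Invoke-WebRequest cmdlet shipped with Windows Server 2012 R2. Unlike a browser, it records every TLS policy error instead of offering a "continue anyway" click, so a name mismatch or an untrusted issuer (the litware369-DC2-CA root not being imported, for instance) shows up as data.

```powershell
# Added example (not from the whitepaper): validate an Azure MFA Server HTTPS endpoint
# the way the browser checks above do, but with an explicit verdict.

function Test-MfaHttpsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        # Supply the Web Service SDK account to also exercise the authenticated call
        [System.Management.Automation.PSCredential]$Credential
    )
    $uri = [uri]$Url
    $result = [ordered]@{
        Url           = $Url
        # The certificate was issued for a server name, so an IP literal can never match it
        HostIsDnsName = ($uri.HostNameType -eq [System.UriHostNameType]::Dns)
    }

    # 1. Raw TLS handshake: record the presented certificate and every policy error.
    $script:tlsErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:tlsErrors = $errors
        return $true  # accept here only so the handshake completes; the verdict is computed below
    }
    $client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject   = $cert.Subject
        $result.Issuer    = $cert.Issuer
        $result.NotAfter  = $cert.NotAfter
        $result.TlsErrors = $script:tlsErrors   # 'None' means chain and name both check out
        $ssl.Dispose()
    } finally { $client.Close() }

    # 2. The HTTP request a browser would make. The SDK answers 401 until credentials are
    #    supplied, which Invoke-WebRequest surfaces as an exception; that is recorded as-is.
    try {
        $params = @{ Uri = $Url; UseBasicParsing = $true; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        $response = Invoke-WebRequest @params
        $result.HttpStatus = $response.StatusCode
    } catch {
        $result.HttpStatus = $_.Exception.Message
    }
    $result.Ok = $result.HostIsDnsName -and ($result.TlsErrors -eq 'None') -and ($result.HttpStatus -eq 200)
    [pscustomobject]$result
}

# Usage (values from the configuration above). Run the first from any Internet-connected
# Windows host, the second from WAP1, where the root CA certificate has been imported.
Test-MfaHttpsEndpoint -Url 'https://www.litware369.com/MultiFactorAuthMobileAppWebService/'
Test-MfaHttpsEndpoint -Url 'https://adfs.litware369.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx' `
    -Credential (Get-Credential -Message 'Web Service SDK account, e.g. LITWARE369\AzureAdmin')
```

A result with Ok set to False and TlsErrors reporting RemoteCertificateNameMismatch points at the URL naming the server differently from its certificate (the hosts-file case of the earlier note); RemoteCertificateChainErrors points at the issuing CA not being trusted on the machine running the check.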

Configuring the mobile app settings in the Azure MFA Server

All the instructions should be carried out on the ADFS1 computer. To configure the mobile app settings in the Azure MFA Server, proceed with the following steps:

1. Open a remote desktop connection on ADFS1 if needed and log on as LITWARE369\AzureAdmin.

2. Launch the Multi-Factor Authentication Server.

3. Click on the User Portal icon.

4. On the Settings tab, type the Azure MFA Server user portal URL, for example “https://www.litware369.com/MultiFactorAuth” in our configuration.

5. Check Allow user enrollment.

6. Check Allow users to select method. Under Allow users to select method, check Mobile app. Without this feature enabled, end users will be required to contact the Help Desk to complete activation for the Mobile App. Also check Phone call and Text message.

7. Check Allow users to activate mobile app.

8. Click on the Mobile App icon.

9. In Mobile App Web Service URL, type the URL of the virtual directory that was created when installing the MultiFactorAuthenticationMobileAppWebServiceSetup64.msi file, for example “https://www.litware369.com/MultiFactorAuthMobileAppWebService” in our configuration.

10. In Account name, an account name may be entered in the space provided. This company name will be displayed in the mobile application. If left blank, the name of your MFA provider created in the Azure portal will be displayed, for example “Litware369 Auth” in our configuration. Type “Litware369 Inc.” for example.

Activating the Microsoft Authenticator app for end users

To activate the Mobile App, proceed with the following steps:

1. Download the Microsoft Authenticator application from your app store. This application is available for Windows Phone 41, Android 42, and iOS 43. Once the Microsoft Authenticator app has been downloaded and installed, you can activate it for multiple accounts.

Note For more information, see article MICROSOFT AUTHENTICATOR 44.

2. Open a browsing session from any computer connected to the Internet and navigate to the Azure MFA Server user portal at https://www.litware369.com/MultiFactorAuth.

41 Microsoft Authenticator on Windows Phone Store: http://go.microsoft.com/fwlink/?Linkid=825071

42 Microsoft Authenticator app on Google Play: http://go.microsoft.com/fwlink/?Linkid=825072

43 Microsoft Authenticator app on iTunes: http://go.microsoft.com/fwlink/?Linkid=825073

44 MICROSOFT AUTHENTICATOR: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to

3. Provide the credentials (e.g. “roberth” and “Pass@word1!?”) for the Robert Hatley test account and click Log In. When the cell phone rings, press “#” to complete the account verification.

4. Under My Account on the left, click Activate Mobile App.

5. Click Generate Activation Code. (You can instead contact an administrator, who will generate an activation code for you.)

6. Switch to your mobile device.

7. Open the Multi-Factor Authentication application.

8. In the mobile app, click New (+).

Note The interface will differ slightly between mobile OS apps.

9. Activate the Microsoft Authenticator app by entering the above activation code and URL or by scanning the barcode picture.

10. Switch the authentication method to Mobile App, or contact an administrator who will change it for you.

Note For more information, see article GETTING STARTED THE MFA SERVER MOBILE APP WEB SERVICE 45.

This concludes the guided tour of Azure MFA Server in the context of Azure AD federated users as well as this paper. For the configuration of the advanced settings and reports of the service, please refer to the aforementioned whitepaper LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD 46.

45 GETTING STARTED THE MFA SERVER MOBILE APP WEB SERVICE: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice

46 LEVERAGE AZURE MULTI-FACTOR AUTHENTICATION WITH AZURE AD: http://www.microsoft.com/en-us/download/details.aspx?id=36391

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2017 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.