If you have an organization federated with Azure AD you can use Azure Multi-Factor Authentication to secure on-premises and cloud resources. By activating Azure MFA you can eliminate the need for passwords and provide a more secure way to authenticate. With Windows Server 2016, you can have Azure MFA for primary authentication.
In Windows Server 2016, the Azure MFA adapter integrates with Azure AD for the entire MFA configuration. In Windows Server 2016, the MFA Server (Which is required with Windows Server 2012 R2) is not required because all of the configuration information is stored in Azure AD.
- An Azure subscription with Azure AD.
- Azure Multi-Factor Authentication.
- A Windows Server 2016 ADFS on-premises environment.
- On-premises environment is federated with Azure AD.
- Windows Azure AD Module for Windows PowerShell.
- Global administrator permissions on your instance of Azure AD to configure it using Azure AD PowerShell.
- Enterprise administrator credentials to configure the ADFS farm for Azure MFA.
Azure AD and Azure MFA are included in Azure AD Premium and Enterprise Mobility Suite (EMS). If you have either of these you don’t need individual subscriptions.
Configure the ADFS Servers:
In order to complete configuration for Azure MFA for ADFS, you need to configure each ADFS server in the farm.
- Generate a certificate for Azure MFA on each ADFS server using the New-AdfsAzureMfaTenantCertificate
The first thing you need to do is generate a certificate for Azure MFA to use. The certificate generated can be found in the local machines certificate store and is marked with a subject name containing the TenantID for your Azure AD.
The TenantID is the name of your directory in Azure AD. The following cmdlet generate a new certificate.
$certbase64 = New-AdfsAzureMfaTenantCertificate -TenantID <tenantID>
- Add the new credentials to Azure Multi-Factor Auth Client SPN
In order to enable the ADFS servers to communicate with the Azure MFA Auth Client, you need to add the credentials to the SPN for the Azure MFA Auth Client.
In order to complete the following steps you need to connect to your instance of Azure AD with PowerShell using Connect-MsolSerive.
Set the certificate as the new credential against the Azure MFA Client.
New-MsolServicePrincipalCredential -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -Type asymmetric -Usage verify -Value $certBase64
Here 981f26a1-7f43-403b-a875-f8b09b8cd720 is the guid for Azure Multi-Factor Auth Client.
- Configure the ADFS Farm.
The Set-AdfsAzureMfaTenant cmdlet needs to be executed only once for an ADFS farm.
(You will need to restart the ADFS service on each server in the farm before these changes take effect)
Set-AdfsAzureMfaTenant -TenantId <tenant ID> -ClientId 981f26a1-7f43-403b-a875-f8b09b8cd720
After this, you will see that Azure MFA is available as a primary authentication method for intranet and extranet use.