MFA for onprem SMB shares

Chris Glasier 1 Reputation point
2020-08-07T20:27:55.243+00:00

I see MS used to have (or rather still does, but not for new activations) Azure MFA Server. The note I saw during download stated that as of last year they will no longer allow new activations but will continue to support the existing activated clients of Azure MFA. Does anyone know what is required? Or even how it's set up? My research says I need an Azure P1 or P2 license to do this? And if this is correct, how is it done? (Can you even secure on-prem resources with Azure MFA?)

Thanks,
Chris


2 answers

  1. T. Kujala 8,711 Reputation points
    2020-08-08T05:58:52.65+00:00

    Hi ChrisGlasier-9286,

    You are right. Microsoft does not support MFA servers for new deployments.

    For new deployments you can use the NPS extension and Azure MFA for on-premises applications.

    https://video2.skills-academy.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg

    Read the answer by MarileeTurscak.

    https://video2.skills-academy.com/en-us/answers/questions/10804/mfa-on-premise.html

    Azure AD Premium P1 or P2 is required for Azure Multi-Factor Authentication.


  2. Sander Berkouwer 166 Reputation points
    2020-09-01T05:39:04.067+00:00

    Does anyone know what is required?

    To continue to use Azure MFA Server, you will need to have a pre-existing MFA Server infrastructure. This means you need to have Azure MFA Server already deployed and functioning within your organization and configured with the Azure AD tenant. Without this, you can download and install but cannot activate Azure MFA Server.

    Or even how it's set up?

    I have described how to set up Azure MFA Server here.
    I use Azure MFA Server version 8.0.1.1 for the write-up, but Microsoft released version 8.0.5.1 last week.

    My research says I need an Azure P1 or P2 license to do this? And if this is correct, how is it done?

    Yes.
    MFA Server connects to Azure AD for licensing, Authenticator App integration and the Phone Call and text message authentication methods. Without Premium licenses for each of the user objects using the functionality, you will be incompliant.

    Contact Microsoft directly or a license reseller to acquire the required licenses. Licenses can be installed in the Azure AD tenant for you, or you may have to activate the licenses in the Licenses pane in the Azure Active Directory Portal.

    can you even secure on prem resources with Azure mfa?

    You can secure access to many on-premises resources with Azure MFA Server.
    When the authentication mechanism to these resources uses RADIUS, a web interface or AD FS, then MFA is built-in to Azure MFA Server. Third party solutions may be integrated using the MFA Server SDK.

    For SMB access, you can achieve Multi-factor Authentication when you deploy Work Folders with AD FS.
    However, when using AD FS with Windows Server 2016, or newer versions of Windows Server, you could more easily achieve MFA through the Azure MFA Adapter built-in to AD FS. In that scenario you won't need to deploy Azure MFA Server; the AD FS servers connect to the Azure AD tenant themselves. You do still need the Premium licenses. Alternatively, you could connect Work Folders as a single sign-in application to Azure AD. Then, through Conditional Access you can require multi-factor authentication. Premium licenses are required in this scenario also.

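The Conditional Access route mentioned at the end of the second answer, written with the Microsoft Graph PowerShell SDK. This is an added example, not code from either answerer or from Microsoft's documentation for this thread; the three object IDs are placeholders, and it assumes the Work Folders application is already registered in the tenant and that a pilot group and an emergency-access account exist.

```powershell
# Added example: report-only Conditional Access policy requiring MFA for one application.
# Needs the Microsoft.Graph.Identity.SignIns module. All three IDs below are placeholders.
$WorkFoldersAppId = '<APP-ID-OF-WORK-FOLDERS-APPLICATION>'    # assumed: already registered in the tenant
$PilotGroupId     = '<OBJECT-ID-OF-PILOT-GROUP>'              # assumed: users to cover first
$BreakGlassUserId = '<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>' # kept out of scope to avoid lockout
$PolicyName       = 'Require MFA - Work Folders (example)'

# Refuse to run while any placeholder is still in place.
foreach ($id in $WorkFoldersAppId, $PilotGroupId, $BreakGlassUserId) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed)) {
        throw "Replace placeholder '$id' with a real GUID before running."
    }
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Do not create a duplicate if the script is run twice.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $PolicyName }
if ($existing) {
    throw "Policy '$PolicyName' already exists (Id $($existing.Id))."
}

$policy = @{
    displayName = $PolicyName
    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($WorkFoldersAppId) }
        users          = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassUserId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the sign-in logs show the report-only results you expect, change `state` to `enabled` to enforce the policy. As the answers note, the covered users need Premium licenses.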
