On Premise ADFS 2013 R2 + Azure Multi-Factor Authentication

So in one of my last posts we looked at Multi-Factor Authentication using Azure services; I will post the second blog about that shortly. This post, however, is about using ADFS 2013 R2 (ADFS 3.0) internally while using the Multi-Factor services from Windows Azure as part of it. To achieve this, first set up ADFS 3.0. I won’t document those steps, as Microsoft have done a great job of this:

http://technet.microsoft.com/en-US/library/dn280939.aspx

Now that we have our new ADFS and domain set up, we need to access our Windows Azure subscription and click the “Active Directory” link.

Then select the “Multi-Factor Auth Providers” link at the top.

Select to “Add” a new one and follow the structure below:

Make sure you choose a valid name. I then selected the “Per Enabled User” licensing; choose whichever model you need. Then make sure you “DO NOT LINK A DIRECTORY”.

Once it is created we need to manage this Auth Provider. Select it from the page and choose the “Manage” link at the bottom.

You are then navigated to the configuration page where you can download the components needed. Click the “Downloads” link. There are two things that need to be done here: first click the “Download” link (the small link in gray), then click “Generate Activation Credentials”, which will be needed later.

Now run the Multi-Factor Authentication Server installer. You may get this error; if so, download the correct .NET components, install them and continue.

Complete the required .NET installation and follow the installation wizard.

Once installed the application will launch automatically:

Check the option to “Skip using the Authentication Configuration Wizard”.

The core console will then be loaded as shown below.

Access the Windows Azure portal, manage the MFA provider and get the activation credentials. Use those in the Activation screen, then click “Activate”.

It will then communicate with Azure MFA services for validation.

Select the desired group or create a new Group. I am choosing a new group.

When prompted do not run the wizard.

The console should then show the current status.

We now need to import Active Directory users from the current domain so that we can assign Multi-Factor Authentication to them. To do this click the “Users” link on the left and then select the “Import from Active Directory” option at the bottom.

We are now presented with a new console for selecting the accounts we wish to import. From there you can expand the Active Directory tree and select the accounts you want to import.

There are multiple options for setting the language for Phone Call, Text or Mobile Application access. I have set mine to use “Text Message”.

Select the accounts and choose to import with the desired settings.

Once completed, the user accounts should be displayed with the various details you chose to import.

The first thing to do is to enable the accounts by editing each one and choosing “Enabled”.

Now we can test them by using the “Test” button in the console.

This will send a text to the configured number, which you need to reply to with the one-time code.

Now we need to install the ADFS components and connect it all together. Select the “ADFS” link in the left navigation.

Select “Allow User Enrollment” plus any other settings you wish to use, then select the “Install ADFS Adapter” button.

Follow the install wizard.

Once that is completed we need to run a PowerShell script to register this adapter in the federation platform. From a PowerShell window run the following (if C: is where you installed it):

C:\Program Files\Multi-Factor Authentication Server\”

Once completed restart the ADFS Server.

Now we can enable this within ADFS and set the policy we need. Open the ADFS management console, select “Authentication Policies” and then the “Edit Global Multi-Factor Authentication” option on the right.

Now we need to set the core policy, replacing the current blank one.

You can now test it by accessing the following URL.

https://{adfs-url}/adfs/ls/idpinitiatedsignon.aspx

When you click “Continue” a text will be sent to you again; reply to it and you should then be authenticated.
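The same wiring can be checked and enforced from PowerShell on the ADFS server. The script below is an added example and is not from the original post. It assumes the ADFS module on Server 2012 R2, that the MFA Server adapter registered itself under the provider name “WindowsAzureMultiFactorAuthentication” (an assumption; confirm the actual name with Get-AdfsAuthenticationProvider), a placeholder ADFS host name, and it uses “require MFA for requests from outside the corporate network” as one example policy, since the post does not state which policy was chosen.

```powershell
# Added example, not part of the original post: verify the ADFS side of the setup from
# the ADFS server and enforce one example policy (MFA for extranet requests only).
# Assumptions: Server 2012 R2 ADFS module; the MFA Server adapter registered under the
# name below (confirm with Get-AdfsAuthenticationProvider); placeholder host name.
Import-Module ADFS

$providerName = "WindowsAzureMultiFactorAuthentication"   # assumed adapter name
$adfsHost     = "adfs.example.com"                        # placeholder, use your ADFS FQDN

# 1. Is the adapter registered with the federation service at all?
#    If not, the registration script has not been run, or ADFS was not restarted after it.
$registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if (-not $registered) {
    throw "Adapter '$providerName' is not registered; run the registration script from the MFA Server folder and restart ADFS."
}

# 2. Is it selected as the additional (second-factor) provider in the global policy?
#    An installed adapter that is not selected here is never invoked.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -notcontains $providerName) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providerName
}

# 3. Is there a rule that actually triggers MFA? A blank rule means the provider is
#    selected but no request ever requires the second factor. This example requires MFA
#    whenever the request does not come from inside the corporate network; it is one
#    choice among the options in the "Edit Global Multi-Factor Authentication" dialog.
$current = Get-AdfsAdditionalAuthenticationRule
if ([string]::IsNullOrWhiteSpace($current)) {
    $extranetRule = 'c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"] ' +
                    '=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", ' +
                    'Value = "http://schemas.microsoft.com/claims/multipleauthn");'
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $extranetRule
}

# 4. Report the resulting state and check that the sign-on page used for the manual test answers.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider, AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule

$url = "https://$adfsHost/adfs/ls/idpinitiatedsignon.aspx"
try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Output "$url answered with HTTP $($response.StatusCode)"
} catch {
    Write-Warning "Sign-on page not reachable: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell session on the ADFS server. The point of steps 2 and 3 is that registering the adapter is not enough: the provider must be selected in the global policy and a rule must exist that makes some request require it, otherwise the text-message prompt in the manual test never appears. The extranet rule only distinguishes requests once they arrive through the Web Application Proxy, which is what sets the insidecorporatenetwork claim to false.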

As you can see it is fairly easy to set up Multi-Factor Authentication with the new ADFS 3.0 on Server 2012 R2 and the Windows Azure services. When my ADFS is connected to SharePoint we now get true multi-factor authentication. If we modify the policy to allow security questions as a failover, then when the text is not responded to, or the reply is incorrect, the user is presented with the questions instead.

This is a great platform that is very extensible and can be used for anything that can be authenticated by ADFS.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.
