diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 3316c480cf7..45356bbbf6e 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,90 @@
{
"redirections": [
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-deploy.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-deploy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfa-nps-extension-errors.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfa-nps-extension-errors",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-nps-vpn.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-nps-vpn",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-nps-rdg.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-nps-rdg",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-adfs-2.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-adfs-2",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-adfs-windows-server.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-adfs-windows-server",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-dir-ad.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-dir-ad",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-dir-radius.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-dir-radius",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-dir-ldap.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-dir-ldap",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-iis.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-iis",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-windows.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-deploy-upgrade-pf.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-deploy-upgrade-pf",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-deploy-upgrade.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-deploy-upgrade",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfa-server-settings.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfa-server-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-deploy-mobileapp.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-deploy-mobileapp",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-deploy-userportal.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-deploy-userportal",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "docs/identity/authentication/howto-mfaserver-deploy-ha.md",
+ "redirect_url": "/previous-versions/entra/identity/authentication/howto-mfaserver-deploy-ha",
+ "redirect_document_id": false
+ },
{
"source_path_from_root": "/docs/identity/domain-services/delete-aadds.md",
"redirect_url": "/entra/identity/domain-services/delete",
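Review bot: The seventeen entries added at the top of `redirections` use the key `source_path` with a repo-relative path, while the existing entry right below them and the entries this commit adds in the later hunk use `source_path_from_root` with a leading slash. Mixing the two forms in one file makes duplicate or conflicting sources harder to find by search, so I would write these as `"source_path_from_root": "/docs/identity/authentication/howto-mfaserver-deploy.md"` and likewise for the rest. Separately, `howto-mfa-nps-extension-errors.md` is archived alongside the `howto-mfaserver-*` pages, but the deleted page shown further down describes the NPS extension and links to `howto-mfa-nps-extension.md`, which this commit does not appear to retire. Please confirm that its troubleshooting guidance (TLS 1.2, firewall and certificate checks) is meant to move to previous-versions rather than stay with the NPS extension docs.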
@@ -1361,6 +1446,31 @@
"source_path_from_root": "/docs/identity/enterprise-apps/one-click-sso-tutorial.md",
"redirect_url": "/docs/identity/enterprise-apps/what-is-application-management",
"redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/docs/identity/saas-apps/omnissa-identity-service-provisioning-tutorial.md",
+ "redirect_url": "/entra/identity/saas-apps/tutorial-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/docs/identity/saas-apps/bersin-tutorial.md",
+ "redirect_url": "/entra/identity/saas-apps/tutorial-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/docs/identity/saas-apps/lines-elibrary-advance-tutorial.md",
+ "redirect_url": "/entra/identity/saas-apps/tutorial-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/docs/identity/saas-apps/soonr-tutorial.md",
+ "redirect_url": "/entra/identity/saas-apps/tutorial-list",
+ "redirect_document_id": false
+ },
+ {
+ "source_path_from_root": "/docs/identity/saas-apps/work-com-tutorial.md",
+ "redirect_url": "/entra/identity/saas-apps/tutorial-list",
+ "redirect_document_id": false
}
]
-}
\ No newline at end of file
+}
diff --git a/docs/id-governance/licensing-fundamentals.md b/docs/id-governance/licensing-fundamentals.md
index a708a98fe42..e2a49d37c12 100644
--- a/docs/id-governance/licensing-fundamentals.md
+++ b/docs/id-governance/licensing-fundamentals.md
@@ -93,7 +93,7 @@ Users don't need to be assigned a Microsoft Entra ID Governance license, but the
All users who are in scope of Microsoft Entra ID Governance features, including business guests such as contractors, partners, and external collaborators, need a license. We're creating a new Microsoft Entra ID Governance license for business guests. This license operates on a monthly active usage (MAU) model. Customers are able to acquire licenses matching their anticipated business guest MAU.
-We anticipate making these licenses available in late 2024. In the interim, organizations that govern the identities of their employees with Microsoft Entra ID Governance can govern the identities of their business guests for no additional cost. At this time, existing customers of Microsoft Entra ID P1 or P2 with Microsoft Entra External ID can continue using the subset of features that are included in P1 or P2 with their business guests through their Microsoft Entra External ID license.
+We anticipate making these licenses available in the second quarter (Q2) of 2025. In the interim, organizations that govern the identities of their employees with Microsoft Entra ID Governance can govern the identities of their business guests for no additional cost. At this time, existing customers of Microsoft Entra ID P1 or P2 with Microsoft Entra External ID can continue using the subset of features that are included in P1 or P2 with their business guests through their Microsoft Entra External ID license.
For more information, see: [Microsoft Entra ID Governance licensing for business guests](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-id-governance-licensing-for-business-guests/ba-p/3575579).
diff --git a/docs/identity/authentication/TOC.yml b/docs/identity/authentication/TOC.yml
index b1c14550e1e..0bd76c63169 100644
--- a/docs/identity/authentication/TOC.yml
+++ b/docs/identity/authentication/TOC.yml
@@ -5,7 +5,6 @@
- name: What is authentication?
href: overview-authentication.md
- name: Tutorials
- expanded: true
items:
- name: Enable self-service password reset
href: tutorial-enable-sspr.md
@@ -21,17 +20,17 @@
href: tutorial-risk-based-sspr-mfa.md
- name: Enable security notifications
href: tutorial-enable-security-notifications-for-audit-logs.md
-- name: Concepts
expanded: true
+- name: Concepts
items:
- name: Authentication methods
items:
- name: Accessibility
- href: ./accessibility/authentication-methods-accessibility.md
displayName: Accessibility, Special People, MFA Accessibility
+ href: ./accessibility/authentication-methods-accessibility.md
- name: Overview
href: concept-authentication-methods.md
- - name: Manage
+ - name: Manage
href: concept-authentication-methods-manage.md
- name: Temporary Access Pass
href: howto-authentication-temporary-access-pass.md
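Review bot: The `expanded: true` key now sits after each node's `items:` list instead of next to its `name`, so in this hunk it lands directly above `- name: Concepts` and reads as if it belonged to the last tutorial entry. The same pattern recurs in the later hunk, where `expanded: true` is added just before `- name: How-to guides`. The mapping is presumably unchanged, but indentation is not visible on this page, so that is worth verifying in the rendered TOC. I would keep the key beside the name, as `- name: Concepts` followed by `expanded: true` and then `items:`, so that a later edit to the long list cannot silently re-parent it.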
@@ -81,11 +80,11 @@
items:
- name: How MFA works
href: concept-mfa-howitworks.md
- - name: Default protection
+ - name: Default protection
href: concept-authentication-default-enablement.md
- - name: System-preferred MFA
+ - name: System-preferred MFA
href: concept-system-preferred-multifactor-authentication.md
- - name: Mandatory MFA
+ - name: Mandatory MFA
href: concept-mandatory-multifactor-authentication.md
- name: External MFA provider
href: concept-authentication-external-method-provider.md
@@ -105,7 +104,7 @@
href: multi-factor-authentication-faq.yml
- name: Password protection
items:
- - name: Combined password policy check
+ - name: Combined password policy check
href: concept-password-ban-bad-combined-policy.md
- name: Eliminate weak passwords in the cloud
href: concept-password-ban-bad.md
@@ -117,102 +116,103 @@
href: concept-resilient-controls.md
- name: Web browser cookies
href: concept-authentication-web-browser-cookies.md
+ expanded: true
- name: How-to guides
items:
- name: Manage authentication methods
- href: how-to-authentication-methods-manage.md
+ href: how-to-authentication-methods-manage.md
- name: Temporary Access Pass
href: howto-authentication-temporary-access-pass.md
- name: Passwordless
- items:
- - name: Plan phishing-resistant passwordless authentication
- items:
- - name: Get started
- href: how-to-plan-prerequisites-phishing-resistant-passwordless-authentication.md
- - name: Plan and deploy
- href: how-to-deploy-phishing-resistant-passwordless-authentication.md
- - name: Persona guidance
- href: how-to-plan-persona-phishing-resistant-passwordless-authentication.md
- - name: Passkey (FIDO2) authentication
- items:
- - name: Enable passkeys for an organization
- href: how-to-enable-passkey-fido2.md
- - name: Register passkey
- href: how-to-register-passkey.md
- - name: Register passkey with a mobile device
- href: how-to-register-passkey-mobile.md
- - name: Sign in with passkey
- href: how-to-sign-in-passkey.md
- - name: Passkey (FIDO2) compatibility matrix
- href: concept-fido2-compatibility.md
- - name: Become a FIDO2 security key vendor
- href: concept-fido2-hardware-vendor.md
- - name: Microsoft Authenticator
- items:
- - name: Enable passkeys in Authenticator
- href: how-to-enable-authenticator-passkey.md
- - name: Support passkeys in Authenticator
- href: how-to-support-authenticator-passkey.md
- - name: Register passkeys in Authenticator
- href: how-to-register-passkey-authenticator.md
- - name: Sign in with passkeys in Authenticator
- href: how-to-sign-in-passkey-authenticator.md
- - name: Passkeys in Authenticator FAQs
- href: passkey-authenticator-faq.yml
- - name: Enable Authenticator authentication method
- href: howto-authentication-passwordless-phone.md
- - name: How number matching works
- href: how-to-mfa-number-match.md
- - name: Use additional context
- href: how-to-mfa-additional-context.md
- - name: Use Authenticator Lite
- href: how-to-mfa-authenticator-lite.md
- - name: Hybrid
+ items:
+ - name: Plan phishing-resistant passwordless authentication
+ items:
+ - name: Get started
+ href: how-to-plan-prerequisites-phishing-resistant-passwordless-authentication.md
+ - name: Plan and deploy
+ href: how-to-deploy-phishing-resistant-passwordless-authentication.md
+ - name: Persona guidance
+ href: how-to-plan-persona-phishing-resistant-passwordless-authentication.md
+ - name: Passkey (FIDO2) authentication
+ items:
+ - name: Enable passkeys for an organization
+ href: how-to-enable-passkey-fido2.md
+ - name: Register passkey
+ href: how-to-register-passkey.md
+ - name: Register passkey with a mobile device
+ href: how-to-register-passkey-mobile.md
+ - name: Sign in with passkey
+ href: how-to-sign-in-passkey.md
+ - name: Passkey (FIDO2) compatibility matrix
+ href: concept-fido2-compatibility.md
+ - name: Become a FIDO2 security key vendor
+ href: concept-fido2-hardware-vendor.md
+ - name: Microsoft Authenticator
+ items:
+ - name: Enable passkeys in Authenticator
+ href: how-to-enable-authenticator-passkey.md
+ - name: Support passkeys in Authenticator
+ href: how-to-support-authenticator-passkey.md
+ - name: Register passkeys in Authenticator
+ href: how-to-register-passkey-authenticator.md
+ - name: Sign in with passkeys in Authenticator
+ href: how-to-sign-in-passkey-authenticator.md
+ - name: Passkeys in Authenticator FAQs
+ href: passkey-authenticator-faq.yml
+ - name: Enable Authenticator authentication method
+ href: howto-authentication-passwordless-phone.md
+ - name: How number matching works
+ href: how-to-mfa-number-match.md
+ - name: Use additional context
+ href: how-to-mfa-additional-context.md
+ - name: Use Authenticator Lite
+ href: how-to-mfa-authenticator-lite.md
+ - name: Hybrid
+ items:
+ - name: Register passkey with a security key
+ href: how-to-register-passkey-with-security-key.md
+ - name: Enable security key sign-in to Windows
+ href: howto-authentication-passwordless-security-key-windows.md
+ - name: SSO to on-premises resources
+ href: howto-authentication-passwordless-security-key-on-premises.md
+ - name: Hybrid FAQs
+ href: howto-authentication-passwordless-faqs.md
+ - name: Troubleshoot hybrid
+ href: howto-authentication-passwordless-troubleshoot.md
+ - name: Certificate-based authentication
+ items:
+ - name: Microsoft Entra CBA
items:
- - name: Register passkey with a security key
- href: how-to-register-passkey-with-security-key.md
- - name: Enable security key sign-in to Windows
- href: howto-authentication-passwordless-security-key-windows.md
- - name: SSO to on-premises resources
- href: howto-authentication-passwordless-security-key-on-premises.md
- - name: Hybrid FAQs
- href: howto-authentication-passwordless-faqs.md
- - name: Troubleshoot hybrid
- href: howto-authentication-passwordless-troubleshoot.md
- - name: Certificate-based authentication
+ - name: Overview
+ href: concept-certificate-based-authentication.md
+ - name: How Microsoft Entra CBA works
+ href: concept-certificate-based-authentication-technical-deep-dive.md
+ - name: Configure Microsoft Entra CBA
+ href: how-to-certificate-based-authentication.md
+ - name: Configure certificate authorities
+ href: how-to-configure-certificate-authorities.md
+ - name: Windows smart card sign-in
+ href: concept-certificate-based-authentication-smartcard.md
+ - name: Apple devices
+ href: concept-certificate-based-authentication-mobile-ios.md
+ - name: Android devices
+ href: concept-certificate-based-authentication-mobile-android.md
+ - name: Certificate user IDs
+ href: concept-certificate-based-authentication-certificateuserids.md
+ - name: Migrate federated users
+ href: concept-certificate-based-authentication-migration.md
+ - name: FAQ
+ href: certificate-based-authentication-faq.yml
+ - name: Federated CBA with Microsoft Entra ID
items:
- - name: Microsoft Entra CBA
- items:
- - name: Overview
- href: concept-certificate-based-authentication.md
- - name: How Microsoft Entra CBA works
- href: concept-certificate-based-authentication-technical-deep-dive.md
- - name: Configure Microsoft Entra CBA
- href: how-to-certificate-based-authentication.md
- - name: Configure certificate authorities
- href: how-to-configure-certificate-authorities.md
- - name: Windows smart card sign-in
- href: concept-certificate-based-authentication-smartcard.md
- - name: Apple devices
- href: concept-certificate-based-authentication-mobile-ios.md
- - name: Android devices
- href: concept-certificate-based-authentication-mobile-android.md
- - name: Certificate user IDs
- href: concept-certificate-based-authentication-certificateuserids.md
- - name: Migrate federated users
- href: concept-certificate-based-authentication-migration.md
- - name: FAQ
- href: certificate-based-authentication-faq.yml
- - name: Federated CBA with Microsoft Entra ID
- items:
- - name: Configure CBA with federation
- href: certificate-based-authentication-federation-get-started.md
- - name: Use on Android Devices
- href: certificate-based-authentication-federation-android.md
- - name: Use on iOS Devices
- href: certificate-based-authentication-federation-ios.md
+ - name: Configure CBA with federation
+ href: certificate-based-authentication-federation-get-started.md
+ - name: Use on Android Devices
+ href: certificate-based-authentication-federation-android.md
+ - name: Use on iOS Devices
+ href: certificate-based-authentication-federation-ios.md
- name: Use SMS-based authentication
- items:
+ items:
- name: Manage
href: howto-authentication-sms-signin.md
- name: Supported apps for SMS-based authentication
@@ -221,7 +221,7 @@
href: how-to-authentication-two-way-sms-unsupported.md
- name: Use email address sign-in
href: howto-authentication-use-email-signin.md
- - name: Use Microsoft managed settings
+ - name: Use Microsoft managed settings
href: concept-authentication-default-enablement.md
- name: Security info registration
items:
@@ -247,7 +247,7 @@
href: howto-mfa-mfasettings.md
- name: Configure users
href: howto-mfa-userdevicesettings.yml
- - name: Verify mandatory MFA
+ - name: Verify mandatory MFA
href: how-to-mandatory-multifactor-authentication.md
- name: Federate MFA setup
href: how-to-mfa-expected-inbound-assertions.md
@@ -322,47 +322,10 @@
- name: Migrate to Azure MFA with Federation
href: how-to-migrate-mfa-server-to-mfa-with-federation.md
- name: Migration Utility
- href: how-to-mfa-server-migration-utility.md
- - name: Deploy MFA on-premises
- href: howto-mfaserver-deploy.md
- - name: Install the user portal
- href: howto-mfaserver-deploy-userportal.md
- - name: Mobile App Web Service
- href: howto-mfaserver-deploy-mobileapp.md
- - name: Configure settings
- href: howto-mfa-server-settings.md
- - name: Configure high availability
- href: howto-mfaserver-deploy-ha.md
- - name: Upgrade MFA Server
- href: howto-mfaserver-deploy-upgrade.md
- - name: Upgrade from PhoneFactor
- href: howto-mfaserver-deploy-upgrade-pf.md
- - name: Windows Authentication
- href: howto-mfaserver-windows.md
- - name: IIS web apps
- href: howto-mfaserver-iis.md
+ href: how-to-mfa-server-migration-utility.md
- name: Directory Integration
- items:
- - name: LDAP Authentication
- href: howto-mfaserver-dir-ldap.md
- - name: RADIUS Authentication
- href: howto-mfaserver-dir-radius.md
- - name: Active Directory
- href: howto-mfaserver-dir-ad.md
- name: Directory Federation
- items:
- - name: Use AD FS 2.0
- href: howto-mfaserver-adfs-2.md
- - name: Use Windows Server AD FS
- href: howto-mfaserver-adfs-windows-server.md
- name: RADIUS Integration
- items:
- - name: Remote Desktop Gateway
- href: howto-mfaserver-nps-rdg.md
- - name: Advanced VPN Configurations
- href: howto-mfaserver-nps-vpn.md
- - name: NPS extension errors
- href: howto-mfa-nps-extension-errors.md
- name: Troubleshoot
items:
- name: Self-service password reset (SSPR)
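Review bot: After their children are removed, `- name: Directory Integration`, `- name: Directory Federation` and `- name: RADIUS Integration` remain as context lines with neither `href` nor `items`, so the TOC would keep three empty nodes in the MFA Server section. Unless something outside this hunk gives them content, delete those three lines together with the removed entries. The enclosing `items:` list starts outside the hunk and indentation is not visible here, so check the result against the built TOC.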
@@ -373,8 +336,6 @@
href: passwords-faq.yml
- name: MFA FAQ
href: multi-factor-authentication-faq.yml
- - name: NPS extension
- href: howto-mfa-nps-extension-errors.md
- name: Reference
items:
- name: MFA user guide
@@ -385,7 +346,7 @@
href: /powershell/azure/
- name: Authentication methods APIs - Microsoft Graph
href: /graph/api/resources/authenticationmethods-overview
- - name: Authentication strengths APIs - Microsoft Graph
+ - name: Authentication strengths APIs - Microsoft Graph
href: /graph/api/resources/authenticationstrengths-overview
- name: Authentication methods policy APIs - Microsoft Graph
href: /graph/api/resources/authenticationmethodspolicies-overview
diff --git a/docs/identity/authentication/howto-mfa-nps-extension-errors.md b/docs/identity/authentication/howto-mfa-nps-extension-errors.md
deleted file mode 100644
index e64e48d19a5..00000000000
--- a/docs/identity/authentication/howto-mfa-nps-extension-errors.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: Troubleshooting Microsoft Entra multifactor authentication NPS extension
-description: Get help resolving issues with the NPS extension for Microsoft Entra multifactor authentication
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: troubleshooting
-ms.date: 01/08/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jupetter
-ms.custom:
----
-# Resolve error messages from the NPS extension for Microsoft Entra multifactor authentication
-
-If you encounter errors with the NPS extension for Microsoft Entra multifactor authentication, use this article to reach a resolution faster. NPS extension logs are found in Event Viewer under **Applications and Services Logs** > **Microsoft** > **AzureMfa** > **AuthN** > **AuthZ** on the server where the NPS Extension is installed.
-
-## Troubleshooting steps for common errors
-
-| Error code | Troubleshooting steps |
-| ---------- | --------------------- |
-| **CONTACT_SUPPORT** | [Contact support](#contact-microsoft-support), and mention the list of steps for collecting logs. Provide as much information as you can about what happened before the error, including tenant ID, and user principal name (UPN). |
-| **CLIENT_CERT_INSTALL_ERROR** | There could be an issue with how the client certificate was installed or associated with your tenant. Follow the instructions in [Troubleshooting the MFA NPS extension](howto-mfa-nps-extension.md#troubleshooting) to investigate client cert problems. |
-| **ESTS_TOKEN_ERROR** | Follow the instructions in [Troubleshooting the MFA NPS extension](howto-mfa-nps-extension.md#troubleshooting) to investigate client cert and security token problems. |
-| **HTTPS_COMMUNICATION_ERROR** | The NPS server is unable to receive responses from Microsoft Entra multifactor authentication. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and that TLS 1.2 is enabled (default). If TLS 1.2 is disabled, user authentication fails and event ID 36871 with source SChannel is entered in the System log in Event Viewer. To verify TLS 1.2 is enabled, see [TLS registry settings](/windows-server/security/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings). |
-| **HTTP_CONNECT_ERROR** | On the server that runs the NPS extension, verify that you can reach `https://adnotifications.windowsazure.com` and `https://login.microsoftonline.com/`. If those sites don't load, troubleshoot connectivity on that server. |
-| **NPS Extension for Microsoft Entra multifactor authentication (AccessReject):**
NPS Extension for Microsoft Entra multifactor authentication only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request. | This error usually reflects an authentication failure in AD or that the NPS server is unable to receive responses from Microsoft Entra ID. Verify that your firewalls are open bidirectionally for traffic to and from `https://adnotifications.windowsazure.com` and `https://login.microsoftonline.com` using ports 80 and 443. It's also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy". This error can also trigger if the user isn't assigned a license. |
-| **NPS Extension for Microsoft Entra multifactor authentication (AccessChallenge):**
NPS Extension for Microsoft Entra multifactor authentication only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessChallenge, ignoring request. | This response is used when additional information is required from the user to complete the authentication or authorization process. The NPS server sends a challenge to the user, requesting further credentials or information. It usually precedes an Access-Accept or Access-Reject response. |
-| **REGISTRY_CONFIG_ERROR** | A key is missing in the registry for the application, which might be the case if the [PowerShell script](howto-mfa-nps-extension.md#install-the-nps-extension) wasn't run after installation. The error message should include the missing key. Make sure you have the key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa. |
-| **REQUEST_FORMAT_ERROR**
Radius Request missing mandatory Radius userName\Identifier attribute. Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed in NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive radius requests. NPS Extension doesn't work when installed over such installations and errors out since it can't read the details from the authentication request. |
-| **REQUEST_MISSING_CODE** | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. **PAP** supports all the authentication methods of Microsoft Entra multifactor authentication in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. **CHAPV2** and **EAP** support phone call and mobile app notification. |
-| **USERNAME_CANONICALIZATION_ERROR** | Verify that the user is present in your on-premises Active Directory instance, and that the NPS Service has permissions to access the directory. If you use forest trusts, [contact support](#contact-microsoft-support) for further help. |
-| **Challenge requested in Authentication Ext for User** | Organizations using a RADIUS protocol other than PAP see user VPN authorization failing with these events appearing in the AuthZOptCh event log of the NPS Extension server. You can configure the NPS Server to support PAP. If PAP isn't an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE to fall back to Approve/Deny push notifications. For further help, please check [Number matching using NPS Extension](how-to-mfa-number-match.md#nps-extension). |
-
-### Alternate login ID errors
-
-| Error code | Error message | Troubleshooting steps |
-| ---------- | ------------- | --------------------- |
-| **ALTERNATE_LOGIN_ID_ERROR** | Error: userObjectSid lookup failed | Verify that the user exists in your on-premises Active Directory instance. If you use forest trusts, [contact support](#contact-microsoft-support) for further help. |
-| **ALTERNATE_LOGIN_ID_ERROR** | Error: Alternate LoginId lookup failed | Verify that LDAP_ALTERNATE_LOGINID_ATTRIBUTE is set to a [valid active directory attribute](/windows/win32/adschema/attributes-all).
If LDAP_FORCE_GLOBAL_CATALOG is set to True, or LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that you configured a Global Catalog and that the AlternateLoginId attribute is added to it.
If LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that the value is correct. If there's more than one forest name, the names must be separated with semi-colons, not spaces.
If these steps don't fix the problem, [contact support](#contact-microsoft-support) for more help. |
-| **ALTERNATE_LOGIN_ID_ERROR** | Error: Alternate LoginId value is empty | Verify that the AlternateLoginId attribute is configured for the user. |
-
-## Errors your users may encounter
-
-| Error code | Error message | Troubleshooting steps |
-| ---------- | ------------- | --------------------- |
-| **AccessDenied** | Caller tenant doesn't have access permissions to do authentication for the user | Check whether the tenant domain and the domain of the user principal name (UPN) are the same. For example, make sure that user@contoso.com is trying to authenticate to the Contoso tenant. The UPN represents a valid user for the tenant in Azure. |
-| **AuthenticationMethodNotConfigured** | The specified authentication method wasn't configured for the user | Have the user add or verify their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). |
-| **AuthenticationMethodNotSupported** | Specified authentication method isn't supported. | Collect all your logs that include this error, and [contact support](#contact-microsoft-support). When you contact support, provide the username and the secondary verification method that triggered the error. |
-| **BecAccessDenied** | MSODS Bec call returned access denied, probably the username isn't defined in the tenant | The user is present in Active Directory on-premises but isn't synced into Microsoft Entra ID by AD Connect. Or, the user is missing for the tenant. Add the user to Microsoft Entra ID and have them add their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). |
-| **InvalidFormat** or **StrongAuthenticationServiceInvalidParameter** | The phone number is in an unrecognizable format | Have the user correct their verification phone numbers. |
-| **InvalidSession** | The specified session is invalid or might be expired | The session has taken more than three minutes to complete. Verify that the user is entering the verification code, or responding to the app notification, within three minutes of initiating the authentication request. If that doesn't fix the problem, check that there are no network latencies between client, NAS Server, NPS Server, and the Microsoft Entra multifactor authentication endpoint. |
-| **NoDefaultAuthenticationMethodIsConfigured** | No default authentication method was configured for the user | Have the user add or verify their verification methods according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). Verify that the user has chosen a default authentication method, and configured that method for their account. |
-| **OathCodePinIncorrect** | Wrong code and pin entered. | This error isn't expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |
-| **ProofDataNotFound** | Proof data wasn't configured for the specified authentication method. | Have the user try a different verification method, or add a new verification method according to the instructions in [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7). If the user continues to see this error after you confirmed that their verification method is set up correctly, [contact support](#contact-microsoft-support). |
-| **SMSAuthFailedWrongCodePinEntered** | Wrong code and pin entered. (OneWaySMS) | This error isn't expected in the NPS extension. If your user encounters this, [contact support](#contact-microsoft-support) for troubleshooting help. |
-| **TenantIsBlocked** | Tenant is blocked | [Contact support](#contact-microsoft-support) with the *Tenant ID* from the Microsoft Entra properties page in the Microsoft Entra admin center. |
-| **UserNotFound** | The specified user wasn't found | The tenant is no longer visible as active in Microsoft Entra ID. Check that your subscription is active and you have the required first party apps. Also make sure the tenant in the certificate subject is as expected and the cert is still valid and registered under the service principal. |
-
-## Messages your users may encounter that aren't errors
-
-Sometimes, your users might receive messages from multifactor authentication because their authentication request failed. These aren't errors in the product of configuration, but are intentional warnings explaining why an authentication request was denied.
-
-| Error code | Error message | Recommended steps |
-| ---------- | ------------- | ----------------- |
-| **OathCodeIncorrect** | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
-| **SMSAuthFailedMaxAllowedCodeRetryReached** | Maximum allowed code retry reached | The user failed the verification challenge too many times. Depending on your settings, they might need to be unblocked by an admin now. |
-| **SMSAuthFailedWrongCodeEntered** | Wrong code entered/Text Message OTP Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
-| **AuthenticationThrottled** | Too many attempts by user in a short period of time. Throttling. | Microsoft can limit repeated authentication attempts that are performed by the same user in a short period of time. This limitation doesn't apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes. |
-| **AuthenticationMethodLimitReached** | Authentication Method Limit Reached. Throttling. | Microsoft can limit repeated authentication attempts that are performed by the same user using the same authentication method type in a short period of time, specifically Voice call or SMS. This limitation doesn't apply to the Microsoft Authenticator or verification code. If you reach these limits, you can use the Authenticator App, verification code or try to sign in again in a few minutes.|
-
-## Errors that require support
-
-If you encounter one of these errors, we recommend that you [contact support](#contact-microsoft-support) for diagnostic help. There's no standard set of steps that can address these errors. When you do contact support, be sure to include as much information as possible about the steps that led to an error, and your tenant information.
-
-| Error code | Error message |
-| ---------- | ------------- |
-| **InvalidParameter** | Request must not be null |
-| **InvalidParameter** | ObjectId must not be null or empty for ReplicationScope:{0} |
-| **InvalidParameter** | The length of CompanyName \{0}\ is longer than the maximum allowed length {1} |
-| **InvalidParameter** | UserPrincipalName must not be null or empty |
-| **InvalidParameter** | The provided TenantId isn't in correct format |
-| **InvalidParameter** | SessionId must not be null or empty |
-| **InvalidParameter** | Couldn't resolve any ProofData from request or Msods. The ProofData is unKnown |
-| **InternalError** | |
-| **OathCodePinIncorrect** | |
-| **VersionNotSupported** | |
-| **MFAPinNotSetup** | |
-
-## Next steps
-
-### Troubleshoot user accounts
-
-If your users are [Having trouble with two-step verification](https://support.microsoft.com/account-billing/common-problems-with-two-step-verification-for-a-work-or-school-account-63acbb9b-16a1-47b9-8619-6a865e8071a5), help them self-diagnose problems.
-
-### Health check script
-
-The [Microsoft Entra multifactor authentication NPS Extension health check script](https://github.com/Azure-Samples/azure-mfa-nps-extension-health-check) performs several basic health checks when troubleshooting the NPS extension. Here's a quick summary about each available option when the script is run:
-- Option **1** - to isolate the cause of the issue: if it's an NPS or MFA issue (Export MFA RegKeys, Restart NPS, Test, Import RegKeys, Restart NPS)
-- Option **2** - to check a full set of tests, when not all users can use the MFA NPS Extension (Testing Access to Azure/Create HTML Report)
-- Option **3** - to check a specific set of tests, when a specific user can't use the MFA NPS Extension (Test MFA for specific UPN)
-- Option **4** - to collect logs to contact Microsoft support (Enable Logging/Restart NPS/Gather Logs)
-
-### Contact Microsoft support
-
-If you need additional help, contact a support professional through [MFA support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.
-
-To collect debug logs for support diagnostics, run the [Microsoft Entra multifactor authentication NPS Extension health check script](https://github.com/Azure-Samples/azure-mfa-nps-extension-health-check) on the NPS server and choose option **4** to collect the logs to provide them to Microsoft support.
-
-At the end, upload the zip output file generated on the C:\NPS folder and attach it to the support case.
diff --git a/docs/identity/authentication/howto-mfa-server-settings.md b/docs/identity/authentication/howto-mfa-server-settings.md
deleted file mode 100644
index e93627fb9f2..00000000000
--- a/docs/identity/authentication/howto-mfa-server-settings.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Configure MFA Server
-description: Learn how to configure settings for Microsoft Entra multifactor authentication Server
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# Configure MFA Server settings
-
-This article helps you to manage Microsoft Entra multifactor authentication Server settings.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. As of September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
-
-The following MFA Server settings are available:
-
-| Feature | Description |
-| ------- | ----------- |
-| Server settings | Download MFA Server and generate activation credentials to initialize your environment |
-| [One-time bypass](#one-time-bypass) | Allow a user to authenticate without performing multifactor authentication for a limited time. |
-| [Caching rules](#caching-rules) | Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically, after the user succeeds the first verification in progress. |
-| Server status | See the status of your on-premises MFA servers including version, status, IP, and last communication time and date. |
-
-## One-time bypass
-
-[!INCLUDE [portal updates](~/includes/portal-update.md)]
-
-The one-time bypass feature allows a user to authenticate a single time without performing multifactor authentication. The bypass is temporary and expires after a specified number of seconds. In situations where the mobile app or phone is not receiving a notification or phone call, you can allow a one-time bypass so the user can access the desired resource.
-
-To create a one-time bypass, complete the following steps:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](~/identity/role-based-access-control/permissions-reference.md#authentication-administrator).
-1. Browse to **Protection** > **Multifactor authentication** > **One-time bypass**.
-1. Select **Add**.
-1. If necessary, select the replication group for the bypass.
-1. Enter the username as `username@domain.com`. Enter the number of seconds that the bypass should last and the reason for the bypass.
-1. Select **Add**. The time limit goes into effect immediately. The user needs to sign in before the one-time bypass expires.
-
-You can also view the one-time bypass report from this same window.
-
-## Caching rules
-
-You can set a time period to allow authentication attempts after a user is authenticated by using the *caching* feature. Subsequent authentication attempts for the user within the specified time period succeed automatically.
-
-Caching is primarily used when on-premises systems, such as VPN, send multiple verification requests while the first request is still in progress. This feature allows the subsequent requests to succeed automatically, after the user succeeds the first verification in progress.
-
->[!NOTE]
-> The caching feature is not intended to be used for sign-ins to Microsoft Entra ID.
-
-To set up caching, complete the following steps:
-
-1. Browse to **Protection** > **Multifactor authentication** > **Caching rules**.
-1. Select **Add**.
-1. Select the **cache type** from the drop-down list. Enter the maximum number of **cache seconds**.
-1. If necessary, select an authentication type and specify an application.
-1. Select **Add**.
-
-## Next steps
-
-Additional MFA Server configuration options are available from the web console of the MFA Server itself. You can also [configure Microsoft Entra multifactor authentication Server for high availability](howto-mfaserver-deploy-ha.md).
diff --git a/docs/identity/authentication/howto-mfaserver-adfs-2.md b/docs/identity/authentication/howto-mfaserver-adfs-2.md
deleted file mode 100644
index edf1fd1bc86..00000000000
--- a/docs/identity/authentication/howto-mfaserver-adfs-2.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: Use Microsoft Entra multifactor authenticationServer with AD FS 2.0
-description: Describes how to get started with Microsoft Entra multifactor authentication and AD FS 2.0.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/08/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# Configure Microsoft Entra multifactor authenticationServer to work with AD FS 2.0
-
-This article is for organizations that are federated with Microsoft Entra ID, and want to secure resources that are on-premises or in the cloud. Protect your resources by using the Microsoft Entra multifactor authentication Server and configuring it to work with AD FS so that two-step verification is triggered for high-value end points.
-
-This documentation covers using the Microsoft Entra multifactor authentication Server with AD FS 2.0. For information about AD FS, see [Securing cloud and on-premises resources using Microsoft Entra multifactor authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md).
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md).
->
-> If you use cloud-based MFA, see [Securing cloud resources with Azure multifactor authentication and AD FS](howto-mfa-adfs.md).
->
-> Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual.
-
-## Secure AD FS 2.0 with a proxy
-
-To secure AD FS 2.0 with a proxy, install the Microsoft Entra multifactor authenticationServer on the AD FS proxy server.
-
-### Configure IIS authentication
-
-1. In the Microsoft Entra multifactor authenticationServer, select the **IIS Authentication** icon in the left menu.
-2. Select the **Form-Based** tab.
-3. Select **Add**.
-
- ![MFA Server IIS Authentication window](./media/howto-mfaserver-adfs-2/setup1.png)
-
-4. To detect username, password, and domain variables automatically, enter the sign-in URL (like `https://sso.contoso.com/adfs/ls`) within the Auto-Configure Form-Based Website dialog box and select **OK**.
-5. Check the **Require Azure multifactor authentication user match** box if all users are or will be imported into the Server and subject to two-step verification. If a significant number of users haven't yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked.
-6. If the page variables can't be detected automatically, select the **Specify Manually…** button in the Auto-Configure Form-Based Website dialog box.
-7. In the Add Form-Based Website dialog box, enter the URL to the AD FS sign-in page in the Submit URL field (like `https://sso.contoso.com/adfs/ls`) and enter an Application name (optional). The Application name appears in Azure multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages.
-8. Set the Request format to **POST or GET**.
-9. Enter the Username variable (ctl00$ContentPlaceHolder1$UsernameTextBox) and Password variable (ctl00$ContentPlaceHolder1$PasswordTextBox). If your form-based sign-in page displays a domain textbox, enter the Domain variable as well. To find the names of the input boxes on the sign-in page, go to the sign-in page in a web browser, right-select on the page, and select **View Source**.
-10. Check the **Require Azure multifactor authentication user match** box if all users are or will be imported into the Server and subject to two-step verification. If a significant number of users haven't yet been imported into the Server and/or will be exempt from two-step verification, leave the box unchecked.
-
- ![Add form-based website to MFA Server](./media/howto-mfaserver-adfs-2/manual.png)
-
-11. Select **Advanced…** to review advanced settings. Settings that you can configure include:
-
- - Select a custom denial page file
- - Cache successful authentications to the website using cookies
- - Select how to authenticate the primary credentials
-
-12. Since the AD FS proxy server isn't likely to be joined to the domain, you can use LDAP to connect to your domain controller for user import and pre-authentication. In the Advanced Form-Based Website dialog box, select the **Primary Authentication** tab and select **LDAP Bind** for the Pre-authentication Authentication type.
-13. When complete, select **OK** to return to the Add Form-Based Website dialog box.
-14. Select **OK** to close the dialog box.
-15. Once the URL and page variables are detected or entered, the website data displays in the Form-Based panel.
-16. Select the **Native Module** tab and select the server, the website that the AD FS proxy is running under (like "Default Web Site"), or the AD FS proxy application (like "ls" under "adfs") to enable the IIS plug-in at the desired level.
-17. Select the **Enable IIS authentication** box at the top of the screen.
-
-The IIS authentication is now enabled.
-
-### Configure directory integration
-
-You enabled IIS authentication, but to perform the pre-authentication to your Active Directory (AD) via LDAP you must configure the LDAP connection to the domain controller.
-
-1. Select the **Directory Integration** icon.
-2. On the Settings tab, select the **Use specific LDAP configuration** radio button.
-
- ![Configure LDAP settings for specific LDAP settings](./media/howto-mfaserver-adfs-2/ldap1.png)
-
-3. Select **Edit**.
-4. In the Edit LDAP Configuration dialog box, populate the fields with the information required to connect to the AD domain controller.
-5. Test the LDAP connection by selecting the **Test** button.
-
- ![Test LDAP Configuration in MFA Server](./media/howto-mfaserver-adfs-2/ldap2.png)
-
-6. If the LDAP connection test was successful, select **OK**.
-
-### Configure company settings
-
-1. Next, select the **Company Settings** icon and select the **Username Resolution** tab.
-2. Select the **Use LDAP unique identifier attribute for matching usernames** radio button.
-3. If users enter their username in "domain\username" format, the Server needs to be able to strip the domain off the username when it creates the LDAP query, which can be done through a registry setting.
-4. Open the registry editor and go to HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/Positive Networks/PhoneFactor on a 64-bit server. If you use a 32-bit server, remove **/Wow6432Node** from the path. Create a DWORD registry key called "UsernameCxz_stripPrefixDomain" and set the value to 1. Azure multifactor authentication is now securing the AD FS proxy.
-
-Make sure users are imported from Active Directory into the Server. To allow users to skip two-step verification from internal IP addresses, see the [Trusted IPs](#trusted-ips).
-
-![Registry editor to configure company settings](./media/howto-mfaserver-adfs-2/reg.png)
-
-## AD FS 2.0 Direct without a proxy
-
-You can secure AD FS when the AD FS proxy isn't used. Install the Microsoft Entra multifactor authenticationServer on the AD FS server and configure the Server per the following steps:
-
-1. Within the Microsoft Entra multifactor authenticationServer, select the **IIS Authentication** icon in the left menu.
-2. Select the **HTTP** tab.
-3. Select **Add**.
-4. In the Add Base URL dialogue box, enter the URL for the AD FS website where HTTP authentication is performed (like `https://sso.domain.com/adfs/ls/auth/integrated`) into the Base URL field. Then, enter an Application name (optional). The Application name appears in Azure multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages.
-5. If desired, adjust the Idle timeout and Maximum session times.
-6. Check the **Require Azure multifactor authentication user match** box if all users are or will be imported into the Server and subject to two-step verification. If a significant number of users aren't yet imported into the Server and/or will be exempt from two-step verification, leave the box unchecked.
-7. Check the cookie cache box if desired.
-
- ![AD FS 2.0 Direct without a proxy](./media/howto-mfaserver-adfs-2/noproxy.png)
-
-8. Select **OK**.
-9. Select the **Native Module** tab and select the server, the website (like "Default Web Site"), or the AD FS application (like "ls" under "adfs") to enable the IIS plug-in at the desired level.
-10. Select the **Enable IIS authentication** box at the top of the screen.
-
-Azure multifactor authentication is now securing AD FS.
-
-Ensure that users are imported from Active Directory into the Server. See the next section if you would like to allow internal IP addresses so that two-step verification isn't required when signing in to the website from those locations.
-
-## Trusted IPs
-
-Trusted IPs allow users to bypass Azure multifactor authentication for website requests originating from specific IP addresses or subnets. For example, you may want to exempt users from two-step verification when they sign in from the office. For this, you would specify the office subnet as a Trusted IPs entry.
-
-### To configure trusted IPs
-
-1. In the IIS Authentication section, select the **Trusted IPs** tab.
-2. Select the **Add…** button.
-3. When the Add Trusted IPs dialog box appears, select one of the **Single IP**, **IP range**, or **Subnet** radio buttons.
-4. Enter the IP address, range of IP addresses, or subnet that should be allowed. If entering a subnet, select the appropriate Netmask and select the **OK** button.
-
-![Configure trusted IPs to MFA Server](./media/howto-mfaserver-adfs-2/trusted.png)
diff --git a/docs/identity/authentication/howto-mfaserver-adfs-windows-server.md b/docs/identity/authentication/howto-mfaserver-adfs-windows-server.md
deleted file mode 100644
index 05864b0b651..00000000000
--- a/docs/identity/authentication/howto-mfaserver-adfs-windows-server.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: Microsoft Entra Multifactor Authentication Server with AD FS in Windows Server
-description: This article describes how to get started with Microsoft Entra Multifactor Authentication and AD FS in Windows Server 2016.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/08/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Configure Microsoft Entra Multifactor Authentication Server to work with AD FS in Windows Server
-
-If you use Active Directory Federation Services (AD FS) and want to secure cloud or on-premises resources, you can configure Microsoft Entra Multifactor Authentication Server to work with AD FS. This configuration triggers two-step verification for high-value endpoints.
-
-In this article, we discuss using Microsoft Entra Multifactor Authentication Server with AD FS beginning with Windows Server 2016. For more information, read about how to [secure cloud and on-premises resources by using Microsoft Entra Multifactor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md).
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Microsoft Entra Multifactor Authentication Server. Beginning September 30, 2024, Microsoft Entra Multifactor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra Multifactor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra Multifactor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra Multifactor Authentication](tutorial-enable-azure-mfa.md).
->
-> If you use cloud-based MFA, see [Securing cloud resources with Microsoft Entra Multifactor Authentication and AD FS](howto-mfa-adfs.md).
->
-> Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual.
-
-
-
-
-
-## Secure Windows Server AD FS with Microsoft Entra Multifactor Authentication Server
-
-When you install Microsoft Entra Multifactor Authentication Server, you have the following options:
-
-* Install Microsoft Entra Multifactor Authentication Server locally on the same server as AD FS
-* Install the Microsoft Entra Multifactor Authentication adapter locally on the AD FS server, and then install Multifactor Authentication Server on a different computer
-
-Before you begin, be aware of the following information:
-
-* You don't have to install Microsoft Entra Multifactor Authentication Server on your AD FS server. However, you must install the multifactor authentication adapter for AD FS on a Windows Server 2012 R2 or Windows Server 2016 that is running AD FS. You can install the server on a different computer if you install the AD FS adapter separately on your AD FS federation server. See the following procedures to learn how to install the adapter separately.
-* If your organization is using text message or mobile app verification methods, the strings defined in Company Settings contain a placeholder, <$*application_name*$>. In MFA Server v7.1, you can provide an application name that replaces this placeholder. In v7.0 or older, this placeholder isn't automatically replaced when you use the AD FS adapter. For those older versions, remove the placeholder from the appropriate strings when you secure AD FS.
-* The account that you use to sign in must have user rights to create security groups in your Active Directory service.
-* The multifactor authentication AD FS adapter installation wizard creates a security group called PhoneFactor Admins in your instance of Active Directory. It then adds the AD FS service account of your federation service to this group. Verify that the PhoneFactor Admins group was created on your domain controller, and that the AD FS service account is a member of this group. If necessary, manually add the AD FS service account to the PhoneFactor Admins group on your domain controller.
-* For information about installing the Web Service SDK with the user portal, see [deploying the user portal for Microsoft Entra Multifactor Authentication Server.](howto-mfaserver-deploy-userportal.md)
-
-
-
-
-
-### Install Microsoft Entra Multifactor Authentication Server locally on the AD FS server
-
-1. Download and install Microsoft Entra Multifactor Authentication Server on your AD FS server. For installation information, read about [getting started with Microsoft Entra Multifactor Authentication Server](howto-mfaserver-deploy.md).
-2. In the Microsoft Entra Multifactor Authentication Server management console, click the **AD FS** icon. Select the options **Allow user enrollment** and **Allow users to select method**.
-3. Select any additional options you'd like to specify for your organization.
-4. Click **Install AD FS Adapter**.
-
- ![Install the ADFS Adapter from the MFA Server console](./media/howto-mfaserver-adfs-2012/server.png)
-
-5. If the Active Directory window is displayed, that means two things. Your computer is joined to a domain, and the Active Directory configuration for securing communication between the AD FS adapter and the multifactor authentication service is incomplete. Click **Next** to automatically complete this configuration, or select the **Skip automatic Active Directory configuration and configure settings manually** check box. Click **Next**.
-6. If the Local Group window is displayed, that means two things. Your computer isn't joined to a domain, and the local group configuration for securing communication between the AD FS adapter and the multifactor authentication service is incomplete. Click **Next** to automatically complete this configuration, or select the **Skip automatic Local Group configuration and configure settings manually** check box. Click **Next**.
-7. In the installation wizard, click **Next**. Microsoft Entra Multifactor Authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group.
-8. On the **Launch Installer** page, click **Next**.
-9. In the multifactor authentication AD FS adapter installer, click **Next**.
-10. Click **Close** when the installation is finished.
-11. When the adapter has been installed, you must register it with AD FS. Open Windows PowerShell and run the following command:
-
- `C:\Program Files\Multifactor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1`
-
-12. To use your newly registered adapter, edit the global authentication policy in AD FS. In the AD FS management console, go to the **Authentication Policies** node. In the **Multifactor authentication** section, click the **Edit** link next to the **Global Settings** section. In the **Edit Global Authentication Policy** window, select **Multifactor authentication** as an additional authentication method, and then click **OK**. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect.
-
-![Edit global authentication policy](./media/howto-mfaserver-adfs-2012/global.png)
-
-At this point, Multifactor Authentication Server is set up to be an additional authentication provider to use with AD FS.
-
-## Install a standalone instance of the AD FS adapter by using the Web Service SDK
-
-1. Install the Web Service SDK on the server that is running Multifactor Authentication Server.
-2. Copy the following files from the \Program Files\Multifactor Authentication Server directory to the server on which you plan to install the AD FS adapter:
- * MultiFactorAuthenticationAdfsAdapterSetup64.msi
- * Register-MultiFactorAuthenticationAdfsAdapter.ps1
- * Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
- * MultiFactorAuthenticationAdfsAdapter.config
-3. Run the MultiFactorAuthenticationAdfsAdapterSetup64.msi installation file.
-4. In the multifactor authentication AD FS adapter installer, click **Next** to start the installation.
-5. Click **Close** when the installation is finished.
-
-## Edit the MultiFactorAuthenticationAdfsAdapter.config file
-
-Follow these steps to edit the MultiFactorAuthenticationAdfsAdapter.config file:
-
-1. Set the **UseWebServiceSdk** node to **true**.
-2. Set the value for **WebServiceSdkUrl** to the URL of the multifactor authentication Web Service SDK. For example: *https:\/\/contoso.com/\/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx*, Where *\* is the name of your certificate.
-3. Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding `-ConfigurationFilePath <path>` to the end of the `Register-AdfsAuthenticationProvider` command, where *<path>* is the full path to the MultiFactorAuthenticationAdfsAdapter.config file.
-
-### Configure the Web Service SDK with a username and password
-
-There are two options for configuring the Web Service SDK. The first is with a username and password, the second is with a client certificate. Follow these steps for the first option, or skip ahead for the second.
-
-1. Set the value for **WebServiceSdkUsername** to an account that is a member of the PhoneFactor Admins security group. Use the <domain>\<user name> format.
-2. Set the value for **WebServiceSdkPassword** to the appropriate account password. The special character "&" can't be used in the **WebServiceSdkPassword**.
-
-### Configure the Web Service SDK with a client certificate
-
-If you don't want to use a username and password, follow these steps to configure the Web Service SDK with a client certificate.
-
-1. Obtain a client certificate from a certificate authority for the server that is running the Web Service SDK. Learn how to [obtain client certificates](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770328(v=ws.10)).
-2. Import the client certificate to the local computer personal certificate store on the server that is running the Web Service SDK. Make sure that the certificate authority's public certificate is in Trusted Root Certificates certificate store.
-3. Export the public and private keys of the client certificate to a .pfx file.
-4. Export the public key in Base64 format to a .cer file.
-5. In Server Manager, verify that the Web Server (IIS)\Web Server\Security\IIS Client Certificate Mapping Authentication feature is installed. If it isn't installed, select **Add Roles and Features** to add this feature.
-6. In IIS Manager, double-click **Configuration Editor** in the website that contains the Web Service SDK virtual directory. It's important to select the website, not the virtual directory.
-7. Go to the **system.webServer/security/authentication/iisClientCertificateMappingAuthentication** section.
-8. Set enabled to **true**.
-9. Set oneToOneCertificateMappingsEnabled to **true**.
-10. Click the **...** button next to oneToOneMappings, and then click the **Add** link.
-11. Open the Base64 .cer file you exported earlier. Remove *-----BEGIN CERTIFICATE-----*, *-----END CERTIFICATE-----*, and any line breaks. Copy the resulting string.
-12. Set certificate to the string copied in the preceding step.
-13. Set enabled to **true**.
-14. Set userName to an account that is a member of the PhoneFactor Admins security group. Use the <domain>\<user name> format.
-15. Set the password to the appropriate account password, and then close Configuration Editor.
-16. Click the **Apply** link.
-17. In the Web Service SDK virtual directory, double-click **Authentication**.
-18. Verify that ASP.NET Impersonation and Basic Authentication are set to **Enabled**, and that all other items are set to **Disabled**.
-19. In the Web Service SDK virtual directory, double-click **SSL Settings**.
-20. Set Client Certificates to **Accept**, and then click **Apply**.
-21. Copy the .pfx file you exported earlier to the server that is running the AD FS adapter.
-22. Import the .pfx file to the local computer personal certificate store.
-23. Right-click and select **Manage Private Keys**, and then grant read access to the account you used to sign in to the AD FS service.
-24. Open the client certificate and copy the thumbprint from the **Details** tab.
-25. In the MultiFactorAuthenticationAdfsAdapter.config file, set **WebServiceSdkCertificateThumbprint** to the string copied in the previous step.
-
-Finally, to register the adapter, run the \Program Files\Multifactor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect.
-
-
-
-## Secure Microsoft Entra resources using AD FS
-
-To secure your cloud resource, set up a claims rule so that Active Directory Federation Services emits the multipleauthn claim when a user performs two-step verification successfully. This claim is passed on to Microsoft Entra ID. Follow this procedure to walk through the steps:
-
-1. Open AD FS Management.
-2. On the left, select **Relying Party Trusts**.
-3. Right-click on **Microsoft Office 365 Identity Platform** and select **Edit Claim Rules…**
-
- ![Edit claim rules in the ADFS console](./media/howto-mfaserver-adfs-2012/trustedip1.png)
-
-4. On Issuance Transform Rules, click **Add Rule.**
-
- ![Edit transform rules in the ADFS console](./media/howto-mfaserver-adfs-2012/trustedip2.png)
-
-5. On the Add Transform Claim Rule Wizard, select **Pass Through or Filter an Incoming Claim** from the drop-down and click **Next**.
-
- ![Add transform claim rule wizard](./media/howto-mfaserver-adfs-2012/trustedip3.png)
-
-6. Give your rule a name.
-7. Select **Authentication Methods References** as the Incoming claim type.
-8. Select **Pass through all claim values**.
-
- ![Add Transform Claim Rule Wizard](./media/howto-mfaserver-adfs-2012/configurewizard.png)
-
-9. Click **Finish**. Close the AD FS Management console.
-
-## Troubleshooting logs
-
-To help with troubleshooting issues with the MFA Server AD FS Adapter use the steps that follow to enable more logging.
-
-1. In the MFA Server interface, open the AD FS section, and check the **Enable logging** checkbox.
-2. On each AD FS server, use **regedit.exe** to create string value registry key `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Positive Networks\PhoneFactor\InstallPath` with value `C:\Program Files\Multifactor Authentication Server\` (or other directory of your choice). **Note, the trailing backslash is important.**
-3. Create `C:\Program Files\Multifactor Authentication Server\Logs` directory (or other directory as referenced in **Step 2**).
-4. Grant Modify access on the Logs directory to the AD FS service account.
-5. Restart the AD FS service.
-6. Verify that `MultiFactorAuthAdfsAdapter.log` file was created in the Logs directory.
-
-## Related topics
-
-For troubleshooting help, see the [Microsoft Entra Multifactor Authentication FAQs](multi-factor-authentication-faq.yml)
diff --git a/docs/identity/authentication/howto-mfaserver-deploy-ha.md b/docs/identity/authentication/howto-mfaserver-deploy-ha.md
deleted file mode 100644
index 8884eb57acc..00000000000
--- a/docs/identity/authentication/howto-mfaserver-deploy-ha.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: High availability for Microsoft Entra Multifactor Authentication Server
-description: Deploy multiple instances of Microsoft Entra Multifactor Authentication Server in configurations that provide high availability.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/08/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Configure Microsoft Entra Multifactor Authentication Server for high availability
-
-To achieve high-availability with your Azure Server MFA deployment, you need to deploy multiple MFA servers. This section provides information on a load-balanced design to achieve your high availability targets in your Azure MFS Server deployment.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra Multifactor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra Multifactor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra Multifactor Authentication](tutorial-enable-azure-mfa.md).
->
-
-## MFA Server overview
-
-The Microsoft Entra Multifactor Authentication Server service architecture comprises several components as shown in the following diagram:
-
- ![MFA Server Architecture components](./media/howto-mfaserver-deploy-ha/mfa-ha-architecture.png)
-
-An MFA Server is a Windows Server that has the Microsoft Entra Multifactor Authentication authentication software installed. The MFA Server instance must be activated by the MFA Service in Azure to function. More than one MFA Server can be installed on-premises.
-
-The first MFA Server that is installed is the primary MFA Server upon activation by the Microsoft Entra Multifactor Authentication Service by default. The primary MFA server has a writeable copy of the PhoneFactor.pfdata database. Subsequent installations of instances of MFA Server are known as subordinates. The MFA subordinates have a replicated read-only copy of the PhoneFactor.pfdata database. MFA servers replicate information using Remote Procedure Call (RPC). All MFA Severs must collectively either be domain joined or standalone to replicate information.
-
-Both MFA primary and subordinate MFA Servers communicate with the MFA Service when two-factor authentication is required. For example, when a user attempts to gain access to an application that requires two-factor authentication, the user will first be authenticated by an identity provider, such as Active Directory (AD).
-
-After successful authentication with AD, the MFA Server will communicate with the MFA Service. The MFA Server waits for notification from the MFA Service to allow or deny the user access to the application.
-
-If the MFA primary server goes offline, authentications can still be processed, but operations that require changes to the MFA database can't be processed. (Examples include: the addition of users, self-service PIN changes, changing user information, or access to the user portal)
-
-## Deployment
-
-Consider the following important points for load balancing Microsoft Entra Multifactor Authentication Server and its related components.
-
-* **Using RADIUS standard to achieve high availability**. If you are using Microsoft Entra Multifactor Authentication Servers as RADIUS servers, you can potentially configure one MFA Server as a primary RADIUS authentication target and other Microsoft Entra Multifactor Authentication Servers as secondary authentication targets. However, this method to achieve high availability may not be practical because you must wait for a time-out period to occur when authentication fails on the primary authentication target before you can be authenticated against the secondary authentication target. It is more efficient to load balance the RADIUS traffic between the RADIUS client and the RADIUS Servers (in this case, the Microsoft Entra Multifactor Authentication Servers acting as RADIUS servers) so that you can configure the RADIUS clients with a single URL that they can point to.
-* **Need to manually promote MFA subordinates**. If the primary Microsoft Entra Multifactor Authentication server goes offline, the secondary Microsoft Entra Multifactor Authentication Servers continue to process MFA requests. However, until a primary MFA server is available, admins can't add users or modify MFA settings, and users can't make changes using the user portal. Promoting an MFA subordinate to the primary role is always a manual process.
-* **Separability of components**. The Microsoft Entra Multifactor Authentication Server comprises several components that can be installed on the same Windows Server instance or on different instances. These components include the User Portal, Mobile App Web Service, and the ADFS adapter (agent). This separability makes it possible to use the Web Application Proxy to publish the User Portal and Mobile App Web Server from the perimeter network. Such a configuration adds to the overall security of your design, as shown in the following diagram. The MFA User Portal and Mobile App Web Server may also be deployed in HA load-balanced configurations.
-
- ![MFA Server with a Perimeter Network](./media/howto-mfaserver-deploy-ha/mfasecurity.png)
-
-* **One-time password (OTP) over SMS (also known as one-way SMS) requires the use of sticky sessions if traffic is load-balanced**. One-way SMS is an authentication option that causes the MFA Server to send the users a text message containing an OTP. The user enters the OTP in a prompt window to complete the MFA challenge. If you load balance Microsoft Entra Multifactor Authentication Servers, the same server that served the initial authentication request must be the server that receives the OTP message from the user; if another MFA Server receives the OTP reply, the authentication challenge fails. For more information, see [One Time Password over SMS Added to Microsoft Entra Multifactor Authentication Server](https://blogs.technet.microsoft.com/enterprisemobility/2015/03/02/one-time-password-over-sms-added-to-azure-mfa-server).
-* **Load-Balanced deployments of the User Portal and Mobile App Web Service require sticky sessions**. If you are load-balancing the MFA User Portal and the Mobile App Web Service, each session needs to stay on the same server.
-
-## High-availability deployment
-
-The following diagram shows a complete HA load-balanced implementation of Microsoft Entra Multifactor Authentication and its components, along with ADFS for reference.
-
- ![Microsoft Entra Multifactor Authentication Server HA implementation](./media/howto-mfaserver-deploy-ha/mfa-ha-deployment.png)
-
-Note the following items for the correspondingly numbered area of the preceding diagram.
-
-1. The two Microsoft Entra Multifactor Authentication Servers (MFA1 and MFA2) are load balanced (mfaapp.contoso.com) and are configured to use a static port (4443) to replicate the PhoneFactor.pfdata database. The Web Service SDK is installed on each of the MFA Server to enable communication over TCP port 443 with the ADFS servers. The MFA servers are deployed in a stateless load-balanced configuration. However, if you wanted to use OTP over SMS, you must use stateful load balancing.
- ![Microsoft Entra Multifactor Authentication Server - App server HA](./media/howto-mfaserver-deploy-ha/mfaapp.png)
-
- > [!NOTE]
- > Because RPC uses dynamic ports, it isn't recommended to open firewalls up to the range of dynamic ports that RPC can potentially use. If you have a firewall **between** your MFA application servers, you should configure the MFA Server to communicate on a static port for the replication traffic between subordinate and primary servers and open that port on your firewall. You can force the static port by creating a DWORD registry value at ```HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Positive Networks\PhoneFactor``` called ```Pfsvc_ncan_ip_tcp_port``` and setting the value to an available static port. Connections are always initiated by the subordinate MFA Servers to the primary, the static port is only required on the primary, but since you can promote a subordinate to be the primary at any time, you should set the static port on all MFA Servers.
-
-2. The two User Portal/MFA Mobile App servers (MFA-UP-MAS1 and MFA-UP-MAS2) are load balanced in a **stateful** configuration (mfa.contoso.com). Recall that sticky sessions are a requirement for load balancing the MFA User Portal and Mobile App Service.
- ![Microsoft Entra Multifactor Authentication Server - User Portal and Mobile App Service HA](./media/howto-mfaserver-deploy-ha/mfaportal.png)
-3. The ADFS Server farm is load balanced and published to the Internet through load-balanced ADFS proxies in the perimeter network. Each ADFS Server uses the ADFS agent to communicate with the Microsoft Entra Multifactor Authentication Servers using a single load-balanced URL (mfaapp.contoso.com) over TCP port 443.
-
-## Next steps
-
-* [Install and configure Microsoft Entra Multifactor Authentication Server](howto-mfaserver-deploy.md)
diff --git a/docs/identity/authentication/howto-mfaserver-deploy-mobileapp.md b/docs/identity/authentication/howto-mfaserver-deploy-mobileapp.md
deleted file mode 100644
index 52964be2bf9..00000000000
--- a/docs/identity/authentication/howto-mfaserver-deploy-mobileapp.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Microsoft Entra Multifactor Authentication Server Mobile App Web Service
-description: Configure MFA server to send push notifications to users with the Microsoft Authenticator App.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# Enable mobile app authentication with Microsoft Entra Multifactor Authentication Server
-
-The Microsoft Authenticator app offers an extra out-of-band verification option. Instead of placing an automated phone call or SMS to the user during login, Microsoft Entra Multifactor Authentication pushes a notification to the Authenticator app on the user's smartphone or tablet. The user simply taps **Verify** (or enters a PIN and taps "Authenticate") in the app to complete their sign-in.
-
-Using a mobile app for two-step verification is preferred when phone reception is unreliable. If you use the app as an OATH token generator, it doesn't require any network or internet connection.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra Multifactor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra Multifactor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
-
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra Multifactor Authentication](tutorial-enable-azure-mfa.md).
-
-
-> [!IMPORTANT]
-> If you have installed Microsoft Entra Multifactor Authentication Server v8.x or higher, most of the steps below are not required. Mobile app authentication can be set up by following the steps under [Configure the mobile app](#configure-the-mobile-app-settings-in-mfa-server).
-
-## Requirements
-
-To use the Authenticator app, you must be running Microsoft Entra Multifactor Authentication Server v8.x or higher
-
-## Configure the mobile app settings in MFA Server
-
-1. In the MFA Server console, select the **User Portal** icon. If users are allowed to control their authentication methods, check **Mobile App** on the Settings tab, under **Allow users to select method**. Without this feature enabled, end users are required to contact your Help Desk to complete activation for the Mobile App.
-2. Check the **Allow users to activate Mobile App** box.
-3. Check the **Allow User Enrollment** box.
-4. Click the **Mobile App** icon.
-5. Populate the **Account name** field with the company or organization name to display in the mobile application for this account.
- ![MFA Server configuration Mobile App settings](./media/howto-mfaserver-deploy-mobileapp/mobile.png)
-
-## Next steps
-
-- [Advanced scenarios with Microsoft Entra Multifactor Authentication Server and third-party VPNs](howto-mfaserver-nps-vpn.md).
diff --git a/docs/identity/authentication/howto-mfaserver-deploy-upgrade-pf.md b/docs/identity/authentication/howto-mfaserver-deploy-upgrade-pf.md
deleted file mode 100644
index 41fc9642255..00000000000
--- a/docs/identity/authentication/howto-mfaserver-deploy-upgrade-pf.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Upgrade PhoneFactor to Microsoft Entra Multifactor Authentication Server
-description: Get started with Microsoft Entra Multifactor Authentication Server when you upgrade from the older phonefactor agent.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# Upgrade the PhoneFactor Agent to Microsoft Entra Multifactor Authentication Server
-
-To upgrade the PhoneFactor Agent v5.x or older to Microsoft Entra Multifactor Authentication Server, uninstall the PhoneFactor Agent and affiliated components first. Then the Multifactor Authentication Server and its affiliated components can be installed.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra Multifactor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra Multifactor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
-
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
-
-
-## Uninstall the PhoneFactor Agent
-
-1. First, back up the PhoneFactor data file. The default installation location is C:\Program Files\PhoneFactor\Data\Phonefactor.pfdata.
-
-2. If the User portal is installed:
- 1. Navigate to the install folder and back up the web.config file. The default installation location is C:\inetpub\wwwroot\PhoneFactor.
-
- 2. If you added custom themes to the portal, back up your custom folder below the C:\inetpub\wwwroot\PhoneFactor\App_Themes directory.
-
- 3. Uninstall the User portal either through the PhoneFactor Agent (only available if installed on the same server as the PhoneFactor Agent) or through Windows Programs and Features.
-
-3. If the Mobile App Web Service is installed:
-
- 1. Go to the install folder and back up the web.config file. The default installation location is C:\inetpub\wwwroot\PhoneFactorPhoneAppWebService.
-
- 2. Uninstall the Mobile App Web Service through Windows Programs and Features.
-
-4. If the Web Service SDK is installed, uninstall it either through the PhoneFactor Agent or through Windows Programs and Features.
-
-5. Uninstall the PhoneFactor Agent through Windows Programs and Features.
-
-
-
-
-
-## Install the Multifactor Authentication Server
-
-The installation path is picked up from the registry from the previous PhoneFactor Agent installation, so it should install in the same location (for example, C:\Program Files\PhoneFactor). New installations have a different default install path (for example, C:\Program Files\Multifactor Authentication Server). The data file left by the previous PhoneFactor Agent should be upgraded during installation, so your users and settings should still be there after installing the new Multifactor Authentication Server.
-
-1. If prompted, activate the Multifactor Authentication Server and ensure it's assigned to the correct replication group.
-
-2. If the Web Service SDK was previously installed, install the new Web Service SDK through the Multifactor Authentication Server User Interface.
-
- The default virtual directory name is now **MultiFactorAuthWebServiceSdk** instead of **PhoneFactorWebServiceSdk**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you have to change the URL in any applications that reference the Web Service SDK, such as the User portal and Mobile App Web Service, to point at the correct location.
-
-3. If the User portal was previously installed on the PhoneFactor Agent Server, install the new multifactor authentication User portal through the Multifactor Authentication Server User Interface.
-
- The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should select the User portal icon in the Multifactor Authentication Server and update the User portal URL on the Settings tab.
-
-4. If the User portal and/or Mobile App Web Service was previously installed on a different server from the PhoneFactor Agent:
-
- 1. Go to the install location (for example, C:\Program Files\PhoneFactor) and copy one or more installers to the other server. There are 32-bit and 64-bit installers for both the User portal and Mobile App Web Service. They're called MultiFactorAuthenticationUserPortalSetupXX.msi and MultiFactorAuthenticationMobileAppWebServiceSetupXX.msi.
-
- 2. To install the User portal on the web server, open a command prompt as an administrator and run MultiFactorAuthenticationUserPortalSetupXX.msi.
-
- The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should select the User portal icon in the Multifactor Authentication Server and update the User portal URL on the Settings tab. Existing users need to be informed of the new URL.
-
- 3. Go to the User portal install location (for example, C:\inetpub\wwwroot\MultiFactorAuth) and edit the web.config file. Copy the values in the appSettings and applicationSettings sections from your original web.config file that was backed up before the upgrade into the new web.config file. If the new default virtual directory name was kept when installing the Web Service SDK, change the URL in the applicationSettings section to point to the correct location. If any other defaults were changed in the previous web.config file, apply those same changes to the new web.config file.
-
-> [!NOTE]
-> When upgrading from a version of Microsoft Entra Multifactor Authentication Server older than 8.0 to 8.0+ that the mobile app web service can be uninstalled after the upgrade
-
-## Next steps
-
-- [Install the users portal](howto-mfaserver-deploy-userportal.md) for the Microsoft Entra Multifactor Authentication Server.
-
-- [Configure Windows Authentication](howto-mfaserver-windows.md) for your applications.
diff --git a/docs/identity/authentication/howto-mfaserver-deploy-upgrade.md b/docs/identity/authentication/howto-mfaserver-deploy-upgrade.md
deleted file mode 100644
index ae19c8234f1..00000000000
--- a/docs/identity/authentication/howto-mfaserver-deploy-upgrade.md
+++ /dev/null
@@ -1,117 +0,0 @@
----
-title: Upgrading Microsoft Entra Multifactor Authentication Server
-description: Steps and guidance to upgrade the Microsoft Entra Multifactor Authentication Server to a newer version.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# Upgrade to the latest Microsoft Entra Multifactor Authentication Server
-
-This article walks you through the process of upgrading Microsoft Entra Multifactor Authentication Server v6.0 or higher. If you need to upgrade an old version of the PhoneFactor Agent, refer to [Upgrade the PhoneFactor Agent to Microsoft Entra Multifactor Authentication Server](howto-mfaserver-deploy-upgrade-pf.md).
-
-If you're upgrading from v6.x or older to v7.x or newer, all components change from .NET 2.0 to .NET 4.5. All components also require Microsoft Visual C++ 2015 Redistributable Update 1 or higher. The MFA Server installer installs both the x86 and x64 versions of these components if they aren't already installed. If the User Portal and Mobile App Web Service run on separate servers, you need to install those packages before upgrading those components. You can search for the latest Microsoft Visual C++ 2015 Redistributable update on the [Microsoft Download Center](https://www.microsoft.com/download/).
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra Multifactor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra Multifactor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
-
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
-
-
-Upgrade steps at a glance:
-
-* Upgrade Microsoft Entra Multifactor Authentication Servers (Subordinates then Primary)
-* Upgrade the User Portal instances
-* Upgrade the AD FS Adapter instances
-
-## Upgrade Microsoft Entra Multifactor Authentication Server
-
-1. Use the instructions in [Download the Microsoft Entra Multifactor Authentication Server](howto-mfaserver-deploy.md#download-the-mfa-server) to get the latest version of the Microsoft Entra Multifactor Authentication Server installer.
-2. Make a backup of the MFA Server data file located at C:\Program Files\Multifactor Authentication Server\Data\PhoneFactor.pfdata (assuming the default install location) on your primary MFA Server.
-3. If you run multiple servers for high availability, change the client systems that authenticate to the MFA Server so that they stop sending traffic to the servers that are upgrading. If you use a load balancer, remove a subordinate MFA Server from the load balancer, do the upgrade, and then add the server back into the farm.
-4. Run the new installer on each MFA Server. Upgrade subordinate servers first because they can read the old data file being replicated by the primary.
-
- > [!NOTE]
- > When upgrading a server it should be removed from any load balancing or traffic sharing with other MFA Servers.
- >
- > You don't need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade. The installation path is picked up from the registry from the previous installation, so it installs in the same location (for example, C:\Program Files\Multifactor Authentication Server).
-
-5. If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed.
-6. If you use the Web Service SDK, you're prompted to install the new Web Service SDK. When you install the new Web Service SDK, make sure that the virtual directory name matches the previously installed virtual directory (for example, MultiFactorAuthWebServiceSdk).
-7. Repeat the steps on all subordinate servers. Promote one of the subordinates to be the new primary, then upgrade the old primary server.
-
-## Upgrade the User Portal
-
-Complete the upgrade of your MFA Servers before moving to this section.
-
-1. Make a backup of the web.config file that is in the virtual directory of the User Portal installation location (for example, C:\inetpub\wwwroot\MultiFactorAuth). If any changes were made to the default theme, make a backup of the App_Themes\Default folder as well. It's better to create a copy of the Default folder and create a new theme than to change the Default theme.
-2. If the User Portal runs on the same server as the other MFA Server components, the MFA Server installation prompts you to update the User Portal. Accept the prompt and install the User Portal update. Check that the virtual directory name matches the previously installed virtual directory (for example, MultiFactorAuth).
-3. If the User Portal is on its own server, copy the MultiFactorAuthenticationUserPortalSetup64.msi file from the install location of one of the MFA Servers and put it onto the User Portal web server. Run the installer.
-
- If an error occurs stating, "Microsoft Visual C++ 2015 Redistributable Update 1 or higher is required," download and install the latest update package from the [Microsoft Download Center](https://www.microsoft.com/download/). Install both the x86 and x64 versions.
-
-4. After the updated User Portal software is installed, compare the web.config backup you made in step 1 with the new web.config file. If no new attributes exist in the new web.config, copy your backup web.config into the virtual directory to overwrite the new one. Another option is to copy/paste the appSettings values and the Web Service SDK URL from the backup file into the new web.config.
-
-If you have the User Portal on multiple servers, repeat the installation on all of them.
-
-## Upgrade the Mobile App Web Service
-
-> [!NOTE]
-> When upgrading from a version of Microsoft Entra Multifactor Authentication Server older than 8.0 to 8.0+ then the mobile app web service can be uninstalled after the upgrade
-
-## Upgrade the AD FS Adapters
-
-Complete the upgrade of your MFA Servers and User Portal before moving to this section.
-
-### If MFA runs on different servers than AD FS
-
-These instructions only apply if you run Multifactor Authentication Server separately from your AD FS servers. If both services run on the same servers, skip this section and go to the installation steps.
-
-1. Save a copy of the MultiFactorAuthenticationAdfsAdapter.config file that was registered in AD FS, or export the configuration using the following PowerShell command: `Export-AdfsAuthenticationProviderConfigurationData -Name [adapter name] -FilePath [path to config file]`. The adapter name is either "WindowsAzureMultiFactorAuthentication" or "AzureMfaServerAuthentication" depending on the version previously installed.
-2. Copy the following files from the MFA Server installation location to the AD FS servers:
-
- * MultiFactorAuthenticationAdfsAdapterSetup64.msi
- * Register-MultiFactorAuthenticationAdfsAdapter.ps1
- * Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
- * MultiFactorAuthenticationAdfsAdapter.config
-
-3. Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding `-ConfigurationFilePath [path]` to the end of the `Register-AdfsAuthenticationProvider` command. Replace *[path]* with the full path to the MultiFactorAuthenticationAdfsAdapter.config file or the configuration file exported in the previous step.
-
- Check the attributes in the new MultiFactorAuthenticationAdfsAdapter.config to see if they match the old config file. If any attributes were added or removed in the new version, copy the attribute values from the old configuration file to the new one or modify the old configuration file to match.
-
-### Install new AD FS adapters
-
-> [!IMPORTANT]
-> Your users will not be required to perform two-step verification during steps 3-8 of this section. If you have AD FS configured in multiple clusters, you can remove, upgrade, and restore each cluster in the farm independently of the other clusters to avoid downtime.
-
-1. Remove some AD FS servers from the farm. Update these servers while the others are still running.
-2. Install the new AD FS adapter on each server removed from the AD FS farm. If the MFA Server is installed on each AD FS server, you can update through the MFA Server admin UX. Otherwise, update by running MultiFactorAuthenticationAdfsAdapterSetup64.msi.
-
- If an error occurs stating, "Microsoft Visual C++ 2015 Redistributable Update 1 or higher is required," download and install the latest update package from the [Microsoft Download Center](https://www.microsoft.com/download/). Install both the x86 and x64 versions.
-
-3. Go to **AD FS** > **Authentication Policies** > **Edit Global multifactor authentication Policy**. Uncheck **WindowsAzureMultiFactorAuthentication** or **AzureMFAServerAuthentication** (depending on the current version installed).
-
- Once this step is complete, two-step verification through MFA Server is not available in this AD FS cluster until you complete step 8.
-
-4. Unregister the older version of the AD FS adapter by running the Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 PowerShell script. Ensure that the *-Name* parameter (either "WindowsAzureMultiFactorAuthentication" or "AzureMFAServerAuthentication") matches the name that was displayed in step 3. This applies to all servers in the same AD FS cluster since there's a central configuration.
-5. Register the new AD FS adapter by running the Register-MultiFactorAuthenticationAdfsAdapter.ps1 PowerShell script. This applies to all servers in the same AD FS cluster since there's a central configuration.
-6. Restart the AD FS service on each server removed from the AD FS farm.
-7. Add the updated servers back to the AD FS farm and remove the other servers from the farm.
-8. Go to **AD FS** > **Authentication Policies** > **Edit Global multifactor authentication Policy**. Check **AzureMfaServerAuthentication**.
-9. Repeat step 2 to update the servers now removed from the AD FS farm and restart the AD FS service on those servers.
-10. Add those servers back into the AD FS farm.
-
-## Next steps
-
-* Get examples of [Advanced scenarios with Microsoft Entra multifactor authentication and third-party VPNs](howto-mfaserver-nps-vpn.md)
-
-* [Synchronize MFA Server with Windows Server Active Directory](howto-mfaserver-dir-ad.md)
-
-* [Configure Windows Authentication](howto-mfaserver-windows.md) for your applications
diff --git a/docs/identity/authentication/howto-mfaserver-deploy-userportal.md b/docs/identity/authentication/howto-mfaserver-deploy-userportal.md
deleted file mode 100644
index 1e170a7e0ea..00000000000
--- a/docs/identity/authentication/howto-mfaserver-deploy-userportal.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: User portal for Microsoft Entra multifactor authentication Server
-description: Get started with Microsoft Entra multifactor authentication and the user portal.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# User portal for the Microsoft Entra multifactor authentication Server
-
-The user portal is an IIS web site that allows users to enroll in Microsoft Entra multifactor authentication and maintain their accounts. A user may change their phone number, change their PIN, or choose to bypass two-step verification during their next sign-on.
-
-Users sign in to the user portal with their normal username and password, then either complete a two-step verification call or answer security questions to complete their authentication. If user enrollment is allowed, users configure their phone number and PIN the first time they sign in to the user portal.
-
-User portal Administrators may be set up and granted permission to add new users and update existing users.
-
-Depending on your environment, you may want to deploy the user portal on the same server as Microsoft Entra multifactor authentication Server or on another internet-facing server.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
-
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
-
-
-![MFA Server User portal log in page](./media/howto-mfaserver-deploy-userportal/portal.png)
-
-> [!NOTE]
-> The user portal is only available with Multi-Factor Authentication Server. If you use multifactor authentication in the cloud, refer your users to the [Set-up your account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) or [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7).
-
-## Install the web service SDK
-
-In either scenario, if the Microsoft Entra multifactor authentication Web Service SDK is **not** already installed on the Microsoft Entra multifactor authentication Server, complete the steps that follow.
-
-1. Open the Multi-Factor Authentication Server console.
-2. Go to the **Web Service SDK** and select **Install Web Service SDK**.
-3. Complete the install using the defaults unless you need to change them for some reason.
-4. Bind a TLS/SSL Certificate to the site in IIS.
-
-If you have questions about configuring a TLS/SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
-
-The Web Service SDK must be secured with a TLS/SSL certificate. A self-signed certificate is okay for this purpose. Import the certificate into the "Trusted Root Certification Authorities" store of the Local Computer account on the User Portal web server so that it trusts that certificate when initiating the TLS connection.
-
-![MFA Server configuration setup Web Service SDK](./media/howto-mfaserver-deploy-userportal/sdk.png)
-
-
-
-
-
-## Deploy the user portal on the same server as the Microsoft Entra multifactor authentication Server
-
-The following pre-requisites are required to install the user portal on the **same server** as the Microsoft Entra multifactor authentication Server:
-
-* IIS, including ASP.NET, and IIS 6 meta base compatibility (for IIS 7 or higher)
-* An account with admin rights for the computer and Domain if applicable. The account needs permissions to create Active Directory security groups.
-* Secure the user portal with a TLS/SSL certificate.
-* Secure the Microsoft Entra multifactor authentication Web Service SDK with a TLS/SSL certificate.
-
-To deploy the user portal, follow these steps:
-
-1. Open the Microsoft Entra multifactor authentication Server console, select the **User Portal** icon in the left menu, then select **Install User Portal**.
-2. Complete the install using the defaults unless you need to change them for some reason.
-3. Bind a TLS/SSL Certificate to the site in IIS
-
- > [!NOTE]
- > This TLS/SSL Certificate is usually a publicly signed TLS/SSL Certificate.
-
-4. Open a web browser from any computer and navigate to the URL where the user portal was installed (Example: `https://mfa.contoso.com/MultiFactorAuth`). Ensure that no certificate warnings or errors are displayed.
-
-![MFA Server User Portal installation](./media/howto-mfaserver-deploy-userportal/install.png)
-
-If you have questions about configuring a TLS/SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
-
-## Deploy the user portal on a separate server
-
-If the server where Microsoft Entra multifactor authentication Server is running isn't internet-facing, you should install the user portal on a **separate, internet-facing server**.
-
-If your organization uses the Microsoft Authenticator app as one of the verification methods, and want to deploy the user portal on its own server, complete the following requirements:
-
-* Use v6.0 or higher of the Microsoft Entra multifactor authentication Server.
-* Install the user portal on an internet-facing web server running Microsoft internet Information Services (IIS) 6.x or higher.
-* When using IIS 6.x, ensure ASP.NET v2.0.50727 is installed, registered, and set to **Allowed**.
-* When using IIS 7.x or higher, IIS, including Basic Authentication, ASP.NET, and IIS 6 meta base compatibility.
-* Secure the user portal with a TLS/SSL certificate.
-* Secure the Microsoft Entra multifactor authentication Web Service SDK with a TLS/SSL certificate.
-* Ensure that the user portal can connect to the Microsoft Entra multifactor authentication Web Service SDK over TLS/SSL.
-* Ensure that the user portal can authenticate to the Microsoft Entra multifactor authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group. This service account and group should exist in Active Directory if the Microsoft Entra multifactor authentication Server is running on a domain-joined server. This service account and group exist locally on the Microsoft Entra multifactor authentication Server if it isn't joined to a domain.
-
-Installing the user portal on a server other than the Microsoft Entra multifactor authentication Server requires the following steps:
-
-1. **On the MFA Server**, browse to the installation path (Example: C:\Program Files\Multi-Factor Authentication Server), and copy the file **MultiFactorAuthenticationUserPortalSetup64** to a location accessible to the internet-facing server where you'll install it.
-2. **On the internet-facing web server**, run the MultiFactorAuthenticationUserPortalSetup64 install file as an administrator, change the Site if desired and change the Virtual directory to a short name if you would like.
-3. Bind a TLS/SSL Certificate to the site in IIS.
-
- > [!NOTE]
- > This TLS/SSL Certificate is usually a publicly signed TLS/SSL Certificate.
-
-4. Browse to **C:\inetpub\wwwroot\MultiFactorAuth**
-5. Edit the Web.Config file in Notepad
-
- * Find the key **"USE_WEB_SERVICE_SDK"** and change **value="false"** to **value="true"**
- * Find the key **"WEB_SERVICE_SDK_AUTHENTICATION_USERNAME"** and change **value=""** to **value="DOMAIN\User"** where DOMAIN\User is a Service Account that is a part of "PhoneFactor Admins" Group.
- * Find the key **"WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD"** and change **value=""** to **value="Password"** where Password is the password for the Service Account entered in the previous line.
- * Find the value `https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx` and change this placeholder URL to the Web Service SDK URL we installed in step 2.
- * Save the Web.Config file and close Notepad.
-
-6. Open a web browser from any computer and navigate to the URL where the user portal was installed (Example: `https://mfa.contoso.com/MultiFactorAuth`). Ensure that no certificate warnings or errors are displayed.
-
-If you have questions about configuring a TLS/SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
-
-
-
-
-
-## Configure user portal settings in the Microsoft Entra multifactor authentication Server
-
-Now that the user portal is installed, you need to configure the Microsoft Entra multifactor authentication Server to work with the portal.
-
-1. In the Microsoft Entra multifactor authentication Server console, select the **User Portal** icon. On the Settings tab, enter the URL to the user portal in the **User Portal URL** textbox. If email functionality has been enabled, this URL is included in the emails that are sent to users when they're imported into the Microsoft Entra multifactor authentication Server.
-2. Choose the settings that you want to use in the User Portal. For example, if users are allowed to choose their authentication methods, ensure that **Allow users to select method** is checked, along with the methods they can choose from.
-3. Define who should be Administrators on the **Administrators** tab. You can create granular administrative permissions using the checkboxes and dropdowns in the Add/Edit boxes.
-
-Optional configuration:
-
-- **Security Questions** - Define approved security questions for your environment and the language they appear in.
-- **Passed Sessions** - Configure user portal integration with a form-based website using MFA.
-- **Trusted IPs** - Allow users to skip MFA when authenticating from a list of trusted IPs or ranges.
-
-![MFA Server User Portal configuration](./media/howto-mfaserver-deploy-userportal/config.png)
-
-Microsoft Entra multifactor authentication Server provides several options for the user portal. The following table provides a list of these options and an explanation of what they're used for.
-
-| User Portal Settings | Description |
-|:--- |:--- |
-| User Portal URL | Enter the URL of where the portal is being hosted. |
-| Primary authentication | Specify the type of authentication to use when signing in to the portal. Either Windows, Radius, or LDAP authentication. |
-| Allow users to log in | Allow users to enter a username and password on the sign-in page for the User portal. If this option isn't selected, the boxes are grayed out. |
-| Allow user enrollment | Allow a user to enroll in multifactor authentication by taking them to a setup screen that prompts them for additional information such as telephone number. Prompt for backup phone allows users to specify a secondary phone number. Prompt for third-party OATH token allows users to specify a third-party OATH token. |
-| Allow users to initiate One-Time Bypass | Allow users to initiate a one-time bypass. If a user sets up this option, it will take effect the next time the user signs in. Prompt for bypass seconds provides the user with a box so they can change the default of 300 seconds. Otherwise, the one-time bypass is only good for 300 seconds. |
-| Allow users to select method | Allow users to specify their primary contact method. This method can be phone call, text message, mobile app, or OATH token. |
-| Allow users to select language | Allow users to change the language that is used for the phone call, text message, mobile app, or OATH token. |
-| Allow users to activate mobile app | Allow users to generate an activation code to complete the mobile app activation process that is used with the server. You can also set the number of devices they can activate the app on, between 1 and 10. |
-| Use security questions for fallback | Allow security questions in case two-step verification fails. You can specify the number of security questions that must be successfully answered. |
-| Allow users to associate third-party OATH token | Allow users to specify a third-party OATH token. |
-| Use OATH token for fallback | Allow for the use of an OATH token in case two-step verification isn't successful. You can also specify the session timeout in minutes. |
-| Enable logging | Enable logging on the user portal. The log files are located at: C:\Program Files\Multi-Factor Authentication Server\Logs. |
-
-> [!IMPORTANT]
-> Starting in March of 2019 the phone call options will not be available to MFA Server users in free/trial Microsoft Entra tenants. SMS messages are not impacted by this change. Phone call will continue to be available to users in paid Microsoft Entra tenants. This change only impacts free/trial Microsoft Entra tenants.
-
-The user can see these settings after they sign in to the user portal.
-
-![Manage your MFA Server account using the user portal](./media/howto-mfaserver-deploy-userportal/portalsettings.png)
-
-### Self-service user enrollment
-
-If you want your users to sign in and enroll, you must select the **Allow users to log in** and **Allow user enrollment** options under the Settings tab. Remember that the settings you select affect the user sign-in experience.
-
-For example, when a user signs in to the user portal for the first time, they're then taken to the Microsoft Entra multifactor authentication User Setup page. Depending on how you have configured Microsoft Entra multifactor authentication, the user may be able to select their authentication method.
-
-If they select the Voice Call verification method or have been pre-configured to use that method, the page prompts the user to enter their primary phone number and extension if applicable. They may also be allowed to enter a backup phone number.
-
-![Register primary and backup phone numbers](./media/howto-mfaserver-deploy-userportal/backupphone.png)
-
-If the user is required to use a PIN when they authenticate, the page prompts them to create a PIN. After entering their phone number(s) and PIN (if applicable), the user selects the **Call Me Now to Authenticate** button. Microsoft Entra multifactor authentication performs a phone call verification to the user's primary phone number. The user must answer the phone call and enter their PIN (if applicable) and press # to move on to the next step of the self-enrollment process.
-
-If the user selects the Text Message verification method or has been pre-configured to use that method, the page prompts the user for their mobile phone number. If the user is required to use a PIN when they authenticate, the page also prompts them to enter a PIN. After entering their phone number and PIN (if applicable), the user selects the **Text Me Now to Authenticate** button. Microsoft Entra multifactor authentication performs an SMS verification to the user's mobile phone. The user receives the text message with a one-time-passcode (OTP), then replies to the message with that OTP plus their PIN (if applicable).
-
-![User portal verification using SMS](./media/howto-mfaserver-deploy-userportal/text.png)
-
-If the user selects the Mobile App verification method, the page prompts the user to install the Microsoft Authenticator app on their device and generate an activation code. After installing the app, the user selects the Generate Activation Code button.
-
-> [!NOTE]
-> To use the Microsoft Authenticator app, the user must enable push notifications for their device.
-
-The page then displays an activation code and a URL along with a barcode picture. If the user is required to use a PIN when they authenticate, the page additionally prompts them to enter a PIN. The user enters the activation code and URL into the Microsoft Authenticator app or uses the barcode scanner to scan the barcode picture and selects the Activate button.
-
-After the activation is complete, the user selects the **Authenticate Me Now** button. Microsoft Entra multifactor authentication performs a verification to the user's mobile app. The user must enter their PIN (if applicable) and press the Authenticate button in their mobile app to move on to the next step of the self-enrollment process.
-
-If the administrators have configured the Microsoft Entra multifactor authentication Server to collect security questions and answers, the user is then taken to the Security Questions page. The user must select four security questions and provide answers to their selected questions.
-
-![User portal security questions](./media/howto-mfaserver-deploy-userportal/secq.png)
-
-The user self-enrollment is now complete and the user is signed in to the user portal. Users can sign back in to the user portal at any time in the future to change their phone numbers, PINs, authentication methods, and security questions if changing their methods is allowed by their administrators.
-
-## Next steps
-
-- [Deploy the Microsoft Entra multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md)
diff --git a/docs/identity/authentication/howto-mfaserver-deploy.md b/docs/identity/authentication/howto-mfaserver-deploy.md
deleted file mode 100644
index 0e762400bee..00000000000
--- a/docs/identity/authentication/howto-mfaserver-deploy.md
+++ /dev/null
@@ -1,242 +0,0 @@
----
-title: Getting started Azure Multi-Factor Authentication Server
-description: Step-by-step get started with Azure Multi-Factor Authentication Server on-premises
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: jpettere
----
-# Getting started with the Azure Multi-Factor Authentication Server
-
-
-
-![Getting started with MFA Server on-premises](./media/howto-mfaserver-deploy/server2.png)
-
-This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
-
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md).
-
-## Plan your deployment
-
-Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
-
-A good guideline for the amount of memory you need is the number of users you expect to authenticate regularly.
-
-| Users | RAM |
-| ----- | --- |
-| 1-10,000 | 4 GB |
-| 10,001-50,000 | 8 GB |
-| 50,001-100,000 | 12 GB |
-| 100,000-200,001 | 16 GB |
-| 200,001+ | 32 GB |
-
-Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure Multi-Factor Authentication Server. When you install your first Azure Multi-Factor Authentication Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.
-
-When a master Azure Multi-Factor Authentication Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.
-
-### Prepare your environment
-
-Make sure the server that you're using for Azure multifactor authentication meets the following requirements.
-
-| Azure Multi-Factor Authentication Server Requirements | Description |
-|:--- |:--- |
-| Hardware |200 MB of hard disk spacex32 or x64 capable processor1 GB or greater RAM |
-| Software |Windows Server 20221Windows Server 20191Windows Server 2016Windows Server 2012 R2Windows Server 2012Windows Server 2008/R2 (with \[extended security update (ESU)](/lifecycle/faq/extended-security-updates) only)Windows 10Windows 8.1, all editionsWindows 8, all editionsWindows 7, all editions (\[extended security update (ESU)](/lifecycle/faq/extended-security-updates) only)Microsoft .NET 4.0 FrameworkIIS 7.0 or greater if installing the user portal or web service SDK |
-| Permissions | Domain Administrator or Enterprise Administrator account to register with Active Directory |
-
-1If Azure Multi-Factor Authentication Server fails to activate on an Azure virtual machine (VM) that runs Windows Server 2019 or later, try using an earlier version of Windows Server.
-
-
-
-
-
-### Azure Multi-Factor Authentication Server Components
-
-There are three web components that make up Azure Multi-Factor Authentication Server:
-
-* Web Service SDK - Enables communication with the other components and is installed on the Azure Multi-Factor Authentication Server application server
-* User portal - An Internet Information Services (IIS) website that allows users to enroll in Microsoft Entra multifactor authentication and maintain their accounts.
-* Mobile App Web Service - Enables using a mobile app like the Microsoft Authenticator app for two-step verification.
-
-All three components can be installed on the same server if the server is internet-facing. If breaking up the components, the Web Service SDK is installed on the Microsoft Entra multifactor authentication application server and the User portal and Mobile App Web Service are installed on an internet-facing server.
-
-
-
-
-
-### Azure Multi-Factor Authentication Server firewall requirements
-
-Each MFA server must be able to communicate on port 443 outbound to the following addresses:
-
-* https://pfd.phonefactor.net
-* https://pfd2.phonefactor.net
-* https://css.phonefactor.net
-
-If outbound firewalls are restricted on port 443, open the following IP address ranges:
-
-| IP Subnet | Netmask | IP Range |
-|:---: |:---: |:---: |
-| 134.170.116.0/25 |255.255.255.128 |134.170.116.1 – 134.170.116.126 |
-| 134.170.165.0/25 |255.255.255.128 |134.170.165.1 – 134.170.165.126 |
-| 70.37.154.128/25 |255.255.255.128 |70.37.154.129 – 70.37.154.254 |
-| 52.251.8.48/28 | 255.255.255.240 | 52.251.8.48 - 52.251.8.63 |
-| 52.247.73.160/28 | 255.255.255.240 | 52.247.73.160 - 52.247.73.175 |
-| 52.159.5.240/28 | 255.255.255.240 | 52.159.5.240 - 52.159.5.255 |
-| 52.159.7.16/28 | 255.255.255.240 | 52.159.7.16 - 52.159.7.31 |
-| 52.250.84.176/28 | 255.255.255.240 | 52.250.84.176 - 52.250.84.191 |
-| 52.250.85.96/28 | 255.255.255.240 | 52.250.85.96 - 52.250.85.111 |
-
-If you aren't using the Event Confirmation feature, and your users aren't using mobile apps to verify from devices on the corporate network, you only need the following ranges:
-
-| IP Subnet | Netmask | IP Range |
-|:---: |:---: |:---: |
-| 134.170.116.72/29 |255.255.255.248 |134.170.116.72 – 134.170.116.79|
-| 134.170.165.72/29 |255.255.255.248 |134.170.165.72 – 134.170.165.79|
-| 70.37.154.200/29 |255.255.255.248 |70.37.154.201 – 70.37.154.206 |
-| 52.251.8.48/28 | 255.255.255.240 | 52.251.8.48 - 52.251.8.63 |
-| 52.247.73.160/28 | 255.255.255.240 | 52.247.73.160 - 52.247.73.175 |
-| 52.159.5.240/28 | 255.255.255.240 | 52.159.5.240 - 52.159.5.255 |
-| 52.159.7.16/28 | 255.255.255.240 | 52.159.7.16 - 52.159.7.31 |
-| 52.250.84.176/28 | 255.255.255.240 | 52.250.84.176 - 52.250.84.191 |
-| 52.250.85.96/28 | 255.255.255.240 | 52.250.85.96 - 52.250.85.111 |
-
-## Download the MFA Server
-
-[!INCLUDE [portal updates](~/includes/portal-update.md)]
-
-Follow these steps to download the Azure Multi-Factor Authentication Server:
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md).
->
-> Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual. The following steps only work if you were an existing MFA Server customer.
-
-1. [!INCLUDE [Privileged role](~/includes/privileged-role-include.md)]
-1. Browse to **Protection** > **Multifactor authentication** > **Server settings**.
-4. Select **Download** and follow the instructions on the download page to save the installer.
-
- ![Download MFA Server](./media/howto-mfaserver-deploy/downloadportal.png)
-
-5. Keep this page open as we'll refer to it after you run the installer.
-
-## Install and configure the MFA Server
-
-Now that you have downloaded the server you can install and configure it. Be sure that the server you install it on meets requirements listed in the planning section.
-
-1. Double-click the executable.
-2. On the Select Installation Folder screen, make sure that the folder is correct and click **Next**.
- The following libraries are installed:
- * [Visual C++ Redistributable for Visual Studio 2017 (x64)](https://go.microsoft.com/fwlink/?LinkId=746572)
- * [Visual C++ Redistributable for Visual Studio 2017 (x86)](https://go.microsoft.com/fwlink/?LinkId=746571)
-3. When the installation finishes, select **Finish**. The configuration wizard starts.
-5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure Multi-Factor Authentication Server in the boxes provided and click **Activate**.
-
-> [!NOTE]
-> [!INCLUDE [Privileged role feature](~/includes/privileged-role-feature-include.md)]
-
-## Send users an email
-
-To ease rollout, allow MFA Server to communicate with your users. MFA Server can send an email to inform them that they have been enrolled for two-step verification.
-
-The email you send should be determined by how you configure your users for two-step verification. For example, if you can import phone numbers from the company directory, the email should include the default phone numbers so that users know what to expect. If you don't import phone numbers, or your users are going to use the mobile app, send them an email that directs them to complete their account enrollment. Include a hyperlink to the Azure multifactor authentication User portal in the email.
-
-The content of the email also varies depending on the method of verification that has been set for the user (phone call, SMS, or mobile app). For example, if the user is required to use a PIN when they authenticate, the email tells them what their initial PIN has been set to. Users are required to change their PIN during their first verification.
-
-### Configure email and email templates
-
-Click the email icon on the left to set up the settings for sending these emails. This page is where you can enter the Simple Mail Transfer Protocol (SMTP) information of your mail server and send email by checking the **Send emails to users** check box.
-
-![MFA Server Email configuration](./media/howto-mfaserver-deploy/email1.png)
-
-On the Email Content tab, you can see the email templates that are available to choose from. Depending on how you have configured your users to perform two-step verification, choose the template that best suits you.
-
-![MFA Server Email templates in the console](./media/howto-mfaserver-deploy/email2.png)
-
-## Import users from Active Directory
-
-Now that the server is installed you want to add users. You can choose to create them manually, import users from Active Directory, or configure automated synchronization with Active Directory.
-
-### Manual import from Active Directory
-
-1. In the Azure Multi-Factor Authentication Server, on the left, select **Users**.
-2. At the bottom, select **Import from Active Directory**.
-3. Now you can either search for individual users or search the Windows Server Active Directory for organizational units (OUs) with users in them. In this case, we specify the users OU.
-4. Highlight all the users on the right and click **Import**. You should receive a pop-up telling you that you were successful. Close the import window.
-
- ![MFA Server user import from Active Directory](./media/howto-mfaserver-deploy/import2.png)
-
-### Automated synchronization with Active Directory
-
-1. In the Azure Multi-Factor Authentication Server, on the left, select **Directory Integration**.
-2. Navigate to the **Synchronization** tab.
-3. At the bottom, choose **Add**
-4. In the **Add Synchronization Item** box that appears choose the Domain, OU **or** security group, Settings, Method Defaults, and Language Defaults for this synchronization task and click **Add**.
-5. Check the box labeled **Enable synchronization with Active Directory** and choose a **Synchronization interval** between one minute and 24 hours.
-
-
-
-
-
-## How the Azure Multi-Factor Authentication Server handles user data
-
-When you use the Multi-Factor Authentication Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Microsoft Entra multifactor authentication cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they're available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:
-
-* Unique ID - either username or internal MFA server ID
-* First and last name (optional)
-* Email address (optional)
-* Phone number - when doing a voice call or SMS authentication
-* Device token - when doing mobile app authentication
-* Authentication mode
-* Authentication result
-* MFA Server name
-* MFA Server IP
-* Client IP – if available
-
-In addition to the fields above, the verification result (success/denial) and reason for any denials is also stored with the authentication data and available through the authentication/usage reports.
-
-> [!IMPORTANT]
-> Starting in March of 2019 the phone call options will not be available to MFA Server users in free/trial Microsoft Entra tenants. SMS messages are not impacted by this change. Phone call will continue to be available to users in paid Microsoft Entra tenants. This change only impacts free/trial Microsoft Entra tenants.
-
-
-
-
-
-## Back up and restore Azure Multi-Factor Authentication Server
-
-Making sure that you have a good backup is an important step to take with any system.
-
-To back up Azure Multi-Factor Authentication Server, ensure that you have a copy of the **C:\Program Files\Multi-Factor Authentication Server\Data** folder including the **PhoneFactor.pfdata** file.
-
-In case a restore is needed complete the following steps:
-
-1. Reinstall Azure Multi-Factor Authentication Server on a new server.
-2. Activate the new Azure Multi-Factor Authentication Server.
-3. Stop the **MultiFactorAuth** service.
-4. Overwrite the **PhoneFactor.pfdata** with the backed-up copy.
-5. Start the **MultiFactorAuth** service.
-
-The new server is now up and running with the original backed-up configuration and user data.
-
-## Managing the TLS/SSL Protocols and Cipher Suites
-
-Once you have upgraded to or installed MFA Server version 8.x or higher, it's recommended that older and weaker cipher suites be disabled or removed unless required by your organization. Information on how to complete this task can be found in the article [Managing SSL/TLS Protocols and Cipher Suites for Active Directory Federation Services (AD FS)](/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs).
-
-## Next steps
-
-- Set up and configure the [User portal](howto-mfaserver-deploy-userportal.md) for user self-service.
-- Set up and configure the Azure Multi-Factor Authentication Server with [Active Directory Federation Service](multi-factor-authentication-get-started-adfs.md), [RADIUS Authentication](howto-mfaserver-dir-radius.md), or [Lightweight Directory Access Protocol (LDAP) Authentication](howto-mfaserver-dir-ldap.md).
-- Set up and configure [Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).
-- [Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
-- [Advanced scenarios with Azure multifactor authentication and third-party VPNs](howto-mfaserver-nps-vpn.md).
diff --git a/docs/identity/authentication/howto-mfaserver-dir-ad.md b/docs/identity/authentication/howto-mfaserver-dir-ad.md
deleted file mode 100644
index 3d39128975a..00000000000
--- a/docs/identity/authentication/howto-mfaserver-dir-ad.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: Azure MFA Server and Active Directory
-description: How to integrate the Azure Multi-Factor Authentication Server with Active Directory so you can synchronize the directories.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: conceptual
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Directory integration between Azure MFA Server and Active Directory
-
-Use the Directory Integration section of the Azure MFA Server to integrate with Active Directory or another LDAP directory. You can configure attributes to match the directory schema and set up automatic user synchronization.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure Multi-Factor Authentication](tutorial-enable-azure-mfa.md).
->
-
-## Settings
-
-By default, the Azure Multi-Factor Authentication (MFA) Server is configured to import or synchronize users from Active Directory. The Directory Integration tab allows you to override the default behavior and to bind to a different LDAP directory, an ADAM directory, or specific Active Directory domain controller. It also provides for the use of LDAP Authentication to proxy LDAP or for LDAP Bind as a RADIUS target, pre-authentication for IIS Authentication, or primary authentication for User Portal. The following table describes the individual settings.
-
-![Edit LDAP configuration in MFA Server](./media/howto-mfaserver-dir-ad/dirint.png)
-
-> [!NOTE]
-> Directory integration is not guaranteed to work with directories other than Active Directory Domain Services.
-
-| Feature | Description |
-| --- | --- |
-| Use Active Directory |Select the Use Active Directory option to use Active Directory for importing and synchronization. This is the default setting.
Note: For Active Directory integration to work properly,join the computer to a domain and sign in with a domain account. |
-| Include trusted domains |Check **Include Trusted Domains** to have the agent attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, uncheck the checkbox to improve performance. The default is checked. |
-| Use specific LDAP configuration |Select the Use LDAP option to use the LDAP settings specified for importing and synchronization. Note: When Use LDAP is selected, the user interface changes references from Active Directory to LDAP. |
-| Edit button |The Edit button allows the current LDAP configuration settings to modified. |
-| Use attribute scope queries |Indicates whether attribute scope queries should be used. Attribute scope queries allow for efficient directory searches qualifying records based on the entries in another record's attribute. The Azure Multi-Factor Authentication Server uses attribute scope queries to efficiently query the users that are a member of a security group.
Note: There are some cases where attribute scope queries are supported, but shouldn't be used. For example, Active Directory can have issues with attribute scope queries when a security group contains members from more than one domain. In this case, unselect the checkbox. |
-
-The following table describes the LDAP configuration settings.
-
-| Feature | Description |
-| --- | --- |
-| Server |Enter the hostname or IP address of the server running the LDAP directory. A backup server may also be specified separated by a semi-colon.
Note: When Bind Type is SSL (TLS), a fully qualified hostname is required. |
-| Base DN |Enter the distinguished name of the base directory object from which all directory queries start. For example, dc=abc,dc=com. |
-| Bind type - Queries |Select the appropriate bind type for use when binding to search the LDAP directory. This is used for imports, synchronization, and username resolution.
Anonymous - An anonymous bind is performed. Bind DN and Bind Password are not used. This only works if the LDAP directory allows anonymous binding and permissions allow the querying of the appropriate records and attributes.
Simple - Bind DN and Bind Password are passed as plain text to bind to the LDAP directory. This is for testing purposes, to verify that the server can be reached and that the bind account has the appropriate access. After the appropriate cert has been installed, use SSL instead.
SSL - Bind DN and Bind Password are encrypted using SSL to bind to the LDAP directory. Install a cert locally that the LDAP directory trusts.
Windows - Bind Username and Bind Password are used to securely connect to an Active Directory domain controller or ADAM directory. If Bind Username is left blank, the logged-on user's account is used to bind. |
-| Bind type - Authentications |Select the appropriate bind type for use when performing LDAP bind authentication. See the bind type descriptions under Bind type - Queries. For example, this allows for Anonymous bind to be used for queries while SSL bind is used to secure LDAP bind authentications. |
-| Bind DN or Bind username |Enter the distinguished name of the user record for the account to use when binding to the LDAP directory.
The bind distinguished name is only used when Bind Type is Simple or SSL.
Enter the username of the Windows account to use when binding to the LDAP directory when Bind Type is Windows. If left blank, the logged-on user's account is used to bind. |
-| Bind Password |Enter the bind password for the Bind DN or username being used to bind to the LDAP directory. To configure the password for the Multi-Factor Auth Server AdSync Service, enable synchronization and ensure that the service is running on the local machine. The password is saved in the Windows Stored Usernames and Passwords under the account the Multi-Factor Auth Server AdSync Service is running as. The password is also saved under the account the Multi-Factor Auth Server user interface is running as and under the account the Multi-Factor Auth Server Service is running as.
Since the password is only stored in the local server's Windows Stored Usernames and Passwords, repeat this step on each Multi-Factor Auth Server that needs access to the password. |
-| Query size limit |Specify the size limit for the maximum number of users that a directory search returns. This limit should match the configuration on the LDAP directory. For large searches where paging is not supported, import and synchronization attempts to retrieve users in batches. If the size limit specified here is larger than the limit configured on the LDAP directory, some users may be missed. |
-| Test button |Click **Test** to test binding to the LDAP server.
You don't need to select the **Use LDAP** option to test binding. This allows the binding to be tested before you use the LDAP configuration. |
-
-## Filters
-
-Filters allow you to set criteria to qualify records when performing a directory search. By setting the filter, you can scope the objects you want to synchronize.
-
-![Configure directory filtering in MFA Server](./media/howto-mfaserver-dir-ad/dirint2.png)
-
-Azure Multi-Factor Authentication has the following three filter options:
-
-* **Container filter** - Specify the filter criteria used to qualify container records when performing a directory search. For Active Directory and ADAM, (|(objectClass=organizationalUnit)(objectClass=container)) is commonly used. For other LDAP directories, use filter criteria that qualifies each type of container object, depending on the directory schema.
Note: If left blank, ((objectClass=organizationalUnit)(objectClass=container)) is used by default.
-* **Security group filter** - Specify the filter criteria used to qualify security group records when performing a directory search. For Active Directory and ADAM, (&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=-2147483648)) is commonly used. For other LDAP directories, use filter criteria that qualifies each type of security group object, depending on the directory schema.
Note: If left blank, (&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=-2147483648)) is used by default.
-* **User filter** - Specify the filter criteria used to qualify user records when performing a directory search. For Active Directory and ADAM, (&(objectClass=user)(objectCategory=person)) is commonly used. For other LDAP directories, use (objectClass=inetOrgPerson) or something similar, depending on the directory schema.
Note: If left blank, (&(objectCategory=person)(objectClass=user)) is used by default.
-
-## Attributes
-
-You can customize attributes as necessary for a specific directory. This allows you to add custom attributes and fine-tune the synchronization to only the attributes that you need. Use the name of the attribute as defined in the directory schema for the value of each attribute field. The following table provides additional information about each feature.
-
-Attributes may be entered manually and are not required to match an attribute in the attribute list.
-
-![Customize directory integration attributes in MFA Server](./media/howto-mfaserver-dir-ad/dirint3.png)
-
-| Feature | Description |
-| --- | --- |
-| Unique identifier |Enter the attribute name of the attribute that serves as the unique identifier of container, security group, and user records. In Active Directory, this is usually objectGUID. Other LDAP implementations may use entryUUID or something similar. The default is objectGUID. |
-| Unique identifier type |Select the type of the unique identifier attribute. In Active Directory, the objectGUID attribute is of type GUID. Other LDAP implementations may use type ASCII Byte Array or String. The default is GUID.
It is important to set this type correctly since Synchronization Items are referenced by their Unique Identifier. The Unique Identifier Type is used to directly find the object in the directory. Setting this type to String when the directory actually stores the value as a byte array of ASCII characters prevents synchronization from functioning properly. |
-| Distinguished name |Enter the attribute name of the attribute that contains the distinguished name for each record. In Active Directory, this is usually distinguishedName. Other LDAP implementations may use entryDN or something similar. The default is distinguishedName.
If an attribute containing just the distinguished name doesn't exist, the ads path attribute may be used. The "LDAP://\/" portion of the path is automatically stripped off, leaving just the distinguished name of the object. |
-| Container name |Enter the attribute name of the attribute that contains the name in a container record. The value of this attribute is displayed in the Container Hierarchy when importing from Active Directory or adding synchronization items. The default is name.
If different containers use different attributes for their names, use semi-colons to separate multiple container name attributes. The first container name attribute found on a container object is used to display its name. |
-| Security group name |Enter the attribute name of the attribute that contains the name in a security group record. The value of this attribute is displayed in the Security Group list when importing from Active Directory or adding synchronization items. The default is name. |
-| Username |Enter the attribute name of the attribute that contains the username in a user record. The value of this attribute is used as the Multi-Factor Auth Server username. A second attribute may be specified as a backup to the first. The second attribute is only used if the first attribute does not contain a value for the user. The defaults are userPrincipalName and sAMAccountName. |
-| First name |Enter the attribute name of the attribute that contains the first name in a user record. The default is givenName. |
-| Last name |Enter the attribute name of the attribute that contains the last name in a user record. The default is sn. |
-| Email address |Enter the attribute name of the attribute that contains the email address in a user record. Email address is used to send welcome and update emails to the user. The default is mail. |
-| User group |Enter the attribute name of the attribute that contains the user group in a user record. User group can be used to filter users in the agent and on reports in the Multi-Factor Auth Server Management Portal. |
-| Description |Enter the attribute name of the attribute that contains the description in a user record. Description is only used for searching. The default is description. |
-| Phone call language |Enter the attribute name of the attribute that contains the short name of the language to use for voice calls for the user. |
-| Text message language |Enter the attribute name of the attribute that contains the short name of the language to use for SMS text messages for the user. |
-| Mobile app language |Enter the attribute name of the attribute that contains the short name of the language to use for phone app text messages for the user. |
-| OATH token language |Enter the attribute name of the attribute that contains the short name of the language to use for OATH token text messages for the user. |
-| Business phone |Enter the attribute name of the attribute that contains the business phone number in a user record. The default is telephoneNumber. |
-| Home phone |Enter the attribute name of the attribute that contains the home phone number in a user record. The default is homePhone. |
-| Pager |Enter the attribute name of the attribute that contains the pager number in a user record. The default is pager. |
-| Mobile phone |Enter the attribute name of the attribute that contains the mobile phone number in a user record. The default is mobile. |
-| Fax |Enter the attribute name of the attribute that contains the fax number in a user record. The default is facsimileTelephoneNumber. |
-| IP phone |Enter the attribute name of the attribute that contains the IP phone number in a user record. The default is ipPhone. |
-| Custom |Enter the attribute name of the attribute that contains a custom phone number in a user record. The default is blank. |
-| Extension |Enter the attribute name of the attribute that contains the phone number extension in a user record. The value of the extension field is used as the extension to the primary phone number only. The default is blank.
If the Extension attribute is not specified, extensions can be included as part of the phone attribute. In this case, precede the extension with an 'x' so that it gets parsed correctly. For example, 555-123-4567 x890 would result in 555-123-4567 as the phone number and 890 as the extension. |
-| Restore Defaults button |Click **Restore Defaults** to return all attributes back to their default value. The defaults should work properly with the normal Active Directory or ADAM schema. |
-
-To edit attributes, click **Edit** on the Attributes tab. This brings up a window where you can edit the attributes. Select the **...** next to any attribute to open a window where you can choose which attributes to display.
-
-![Edit directory attribute mapping in MFA Server](./media/howto-mfaserver-dir-ad/dirint4.png)
-
-## Synchronization
-
-Synchronization keeps the Azure MFA user database synchronized with the users in Active Directory or another Lightweight Directory Access Protocol (LDAP) directory. The process is similar to importing users manually from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also disables or removes users that were removed from a container, security group, or Active Directory.
-
-The Multi-Factor Auth ADSync service is a Windows service that performs the periodic polling of Active Directory. This is not to be confused with Azure AD Sync or Microsoft Entra Connect. The Multi-Factor Auth ADSync, although built on a similar code base, is specific to the Azure Multi-Factor Authentication Server. It is installed in a Stopped state and is started by the Multi-Factor Auth Server service when configured to run. If you have a multi-server Multi-Factor Auth Server configuration, the Multi-Factor Auth ADSync may only be run on a single server.
-
-The Multi-Factor Auth ADSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The Multi-Factor Auth AdSync service is configured to run as LocalSystem by default. Therefore it is simplest to run the service on a domain controller. If you configure the service to always perform a full synchronization, it can run as an account with lesser permissions. This is less efficient, but requires fewer account privileges.
-
-If the LDAP directory supports and is configured for DirSync, then polling for user and security group changes will work the same as it does with Active Directory. If the LDAP directory does not support the DirSync control, then a full synchronization is performed during each cycle.
-
-![Synchronization of directory objects to MFA Server](./media/howto-mfaserver-dir-ad/dirint5.png)
-
-The following table contains additional information on each of the Synchronization tab settings.
-
-| Feature | Description |
-| --- | --- |
-| Enable synchronization with Active Directory |When checked, the Multi-Factor Auth Server service periodically polls Active Directory for changes.
Note: At least one Synchronization Item must be added and a Synchronize Now must be performed before the Multi-Factor Auth Server service will start processing changes. |
-| Synchronize every |Specify the time interval the Multi-Factor Auth Server service will wait between polling and processing changes.
Note: The interval specified is the time between the beginning of each cycle. If the time processing changes exceed the interval, the service will poll again immediately. |
-| Remove users no longer in Active Directory |When checked, the Multi-Factor Auth Server service will process Active Directory deleted user tombstones and remove the related Multi-Factor Auth Server user. |
-| Always perform a full synchronization |When checked, the Multi-Factor Auth Server service will always perform a full synchronization. When unchecked, the Multi-Factor Auth Server service will perform an incremental synchronization by only querying users that have changed. The default is unchecked.
When unchecked, Azure MFA Server performs incremental synchronization only when the directory supports the DirSync control and the account binding to the directory has permissions to perform DirSync incremental queries. If the account does not have the appropriate permissions or multiple domains are involved in the synchronization, Azure MFA Server performs a full synchronization. |
-| Require administrator approval when more than X users will be disabled or removed |Synchronization items can be configured to disable or remove users who are no longer a member of the item's container or security group. As a safeguard, administrator approval can be required when the number of users to disable or remove exceeds a threshold. When checked, approval is required for specified threshold. The default is 5 and the range is 1 to 999.
Approval is facilitated by first sending an email notification to administrators. The email notification gives instructions for reviewing and approving the disabling and removal of users. When the Multi-Factor Auth Server user interface is launched, it will prompt for approval. |
-
-The **Synchronize Now** button allows you to run a full synchronization for the synchronization items specified. A full synchronization is required whenever synchronization items are added, modified, removed, or reordered. It is also required before the Multi-Factor Auth AdSync service is operational since it sets the starting point from which the service will poll for incremental changes. If changes have been made to synchronization items but a full synchronization hasn't been performed, you will be prompted to Synchronize Now.
-
-The **Remove** button allows the administrator to delete one or more synchronization items from the Multi-Factor Auth Server synchronization item list.
-
-> [!WARNING]
-> Once a synchronization item record has been removed, it cannot be recovered. You will need to add the synchronization item record again if you deleted it by mistake.
-
-The synchronization item or synchronization items have been removed from Multi-Factor Auth Server. The Multi-Factor Auth Server service will no longer process the synchronization items.
-
-The Move Up and Move Down buttons allow the administrator to change the order of the synchronization items. The order is important since the same user may be a member of more than one synchronization item (such as a container and a security group). The settings applied to the user during synchronization will come from the first synchronization item in the list to which the user is associated. Therefore, the synchronization items should be put in priority order.
-
-> [!TIP]
-> A full synchronization should be performed after removing synchronization items. A full synchronization should be performed after ordering synchronization items. Click **Synchronize Now** to perform a full synchronization.
-
-## Multi-Factor Authentication servers
-
-Additional Multi-Factor Authentication servers may be set up to serve as a backup RADIUS proxy, LDAP proxy, or for IIS Authentication. The Synchronization configuration is shared among all the agents. However, only one of these agents may have the Multi-Factor Authentication server service running. This tab allows you to select the Multi-Factor Authentication server that should be enabled for synchronization.
-
-![Related Multi-Factor Authentication Servers](./media/howto-mfaserver-dir-ad/dirint6.png)
diff --git a/docs/identity/authentication/howto-mfaserver-dir-ldap.md b/docs/identity/authentication/howto-mfaserver-dir-ldap.md
deleted file mode 100644
index a470ea00324..00000000000
--- a/docs/identity/authentication/howto-mfaserver-dir-ldap.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: LDAP Authentication and Microsoft Entra multifactor authentication Server
-description: Deploying LDAP Authentication and Microsoft Entra multifactor authentication Server.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# LDAP authentication and Microsoft Entra multifactor authentication Server
-
-By default, the Microsoft Entra multifactor authentication Server is configured to import or synchronize users from Active Directory. However, it can be configured to bind to different LDAP directories, such as an ADAM directory, or specific Active Directory domain controller. When connected to a directory via LDAP, the Microsoft Entra multifactor authentication Server can act as an LDAP proxy to perform authentications. Microsoft Entra multifactor authentication Server can also use LDAP bind as a RADIUS target to pre-authenticate IIS users, or for primary authentication in the Microsoft Entra multifactor authentication user portal.
-
-To use Microsoft Entra multifactor authentication as an LDAP proxy, insert the Microsoft Entra multifactor authentication Server between the LDAP client (for example, VPN appliance, application) and the LDAP directory server. The Microsoft Entra multifactor authentication Server must be configured to communicate with both the client servers and the LDAP directory. In this configuration, the Microsoft Entra multifactor authentication Server accepts LDAP requests from client servers and applications and forwards them to the target LDAP directory server to validate the primary credentials. If the LDAP directory validates the primary credentials, Microsoft Entra multifactor authentication performs a second identity verification and sends a response back to the LDAP client. The entire authentication succeeds only if both the LDAP server authentication and the second-step verification succeed.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
-
-## Configure LDAP authentication
-
-To configure LDAP authentication, install the Microsoft Entra multifactor authentication Server on a Windows server. Use the following procedure:
-
-### Add an LDAP client
-
-1. In the Microsoft Entra multifactor authentication Server, select the LDAP Authentication icon in the left menu.
-2. Check the **Enable LDAP Authentication** checkbox.
-
- ![LDAP Authentication in MFA Server](./media/howto-mfaserver-dir-ldap/ldap2.png)
-
-3. On the Clients tab, change the TCP port and SSL (TLS) port if the Microsoft Entra multifactor authentication LDAP service should bind to non-standard ports to listen for LDAP requests.
-4. If you plan to use LDAPS from the client to the Microsoft Entra multifactor authentication Server, an TLS/SSL certificate must be installed on the same server as MFA Server. Select **Browse** next to the SSL (TLS) certificate box, and select a certificate to use for the secure connection.
-5. Select **Add**.
-6. In the Add LDAP Client dialog box, enter the IP address of the appliance, server, or application that authenticates to the Server and an Application name (optional). The Application name appears in Microsoft Entra multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages.
-7. Check the **Require Microsoft Entra multifactor authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users haven't yet been imported into the Server and/or are exempt from two-step verification, leave the box unchecked. See the MFA Server help file for additional information on this feature.
-
-Repeat these steps to add more LDAP clients.
-
-### Configure the LDAP directory connection
-
-When the Microsoft Entra multifactor authentication is configured to receive LDAP authentications, it must proxy those authentications to the LDAP directory. Therefore, the Target tab only displays a single, grayed out option to use an LDAP target.
-
-> [!NOTE]
-> Directory integration is not guaranteed to work with directories other than Active Directory Domain Services.
-
-1. To configure the LDAP directory connection, select the **Directory Integration** icon.
-2. On the Settings tab, select the **Use specific LDAP configuration** radio button.
-3. Select **Edit…**
-4. In the Edit LDAP Configuration dialog box, populate the fields with the information required to connect to the LDAP directory. Descriptions of the fields are included in the Microsoft Entra multifactor authentication Server help file.
-
- ![Directory Integration LDAP config](./media/howto-mfaserver-dir-ldap/ldap.png)
-
-5. Test the LDAP connection by selecting the **Test** button.
-6. If the LDAP connection test was successful, select the **OK** button.
-7. Select the **Filters** tab. The Server is pre-configured to load containers, security groups, and users from Active Directory. If binding to a different LDAP directory, you probably need to edit the filters displayed. Select the **Help** link for more information on filters.
-8. Select the **Attributes** tab. The Server is pre-configured to map attributes from Active Directory.
-9. If you're binding to a different LDAP directory or to change the pre-configured attribute mappings, select **Edit…**
-10. In the Edit Attributes dialog box, modify the LDAP attribute mappings for your directory. Attribute names can be typed in or selected by selecting the **…** button next to each field. Select the **Help** link for more information on attributes.
-11. Select the **OK** button.
-12. Select the **Company Settings** icon and select the **Username Resolution** tab.
-13. If you're connecting to Active Directory from a domain-joined server, leave the **Use Windows security identifiers (SIDs) for matching usernames** radio button selected. Otherwise, select the **Use LDAP unique identifier attribute for matching usernames** radio button.
-
-When the **Use LDAP unique identifier attribute for matching usernames** radio button is selected, the Microsoft Entra multifactor authentication Server attempts to resolve each username to a unique identifier in the LDAP directory. An LDAP search is performed on the Username attributes defined in the Directory Integration > Attributes tab. When a user authenticates, the username is resolved to the unique identifier in the LDAP directory. The unique identifier is used for matching the user in the Microsoft Entra multifactor authentication data file. This allows for case-insensitive comparisons, and long and short username formats.
-
-After you complete these steps, the MFA Server listens on the configured ports for LDAP access requests from the configured clients, and acts as a proxy for those requests to the LDAP directory for authentication.
-
-## Configure LDAP client
-
-To configure the LDAP client, use the guidelines:
-
-* Configure your appliance, server, or application to authenticate via LDAP to the Microsoft Entra multifactor authentication Server as though it were your LDAP directory. Use the same settings that you normally use to connect directly to your LDAP directory, but use the Microsoft Entra multifactor authentication Server for the server name or IP address.
-* Configure the LDAP timeout to 30-60 seconds to provide enough time to validate the user's credentials with the LDAP directory, perform the second-step verification, receive their response, and respond to the LDAP access request.
-* If using LDAPS, the appliance or server making the LDAP queries must trust the TLS/SSL certificate installed on the Microsoft Entra multifactor authentication Server.
diff --git a/docs/identity/authentication/howto-mfaserver-dir-radius.md b/docs/identity/authentication/howto-mfaserver-dir-radius.md
deleted file mode 100644
index 51fb83f6879..00000000000
--- a/docs/identity/authentication/howto-mfaserver-dir-radius.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: RADIUS and Microsoft Entra multifactor authentication Server
-description: Deploying RADIUS Authentication and Microsoft Entra multifactor authentication Server.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Integrate RADIUS authentication with Microsoft Entra multifactor authentication Server
-
-RADIUS is a standard protocol to accept authentication requests and to process those requests. The Microsoft Entra multifactor authentication Server can act as a RADIUS server. Insert it between your RADIUS client (VPN appliance) and your authentication target to add two-step verification. Your authentication target could be Active Directory, an LDAP directory, or another RADIUS server. For Azure multifactor authentication to function, you must configure the Microsoft Entra multifactor authentication Server so that it can communicate with both the client servers and the authentication target. The Microsoft Entra multifactor authentication Server accepts requests from a RADIUS client, validates credentials against the authentication target, adds Azure multifactor authentication, and sends a response back to the RADIUS client. The authentication request only succeeds if both the primary authentication and the Azure multifactor authentication succeed.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
->
-> If you use cloud-based MFA, see [Integrate your existing NPS infrastructure with Azure multifactor authentication](howto-mfa-nps-extension.md).
-
-> [!NOTE]
-> The MFA Server only supports PAP (password authentication protocol) and MSCHAPv2 (Microsoft's Challenge-Handshake Authentication Protocol) RADIUS protocols when acting as a RADIUS server. Other protocols, like EAP (extensible authentication protocol), can be used when the MFA server acts as a RADIUS proxy to another RADIUS server that supports that protocol.
->
-> In this configuration, one-way SMS and OATH tokens don't work since the MFA Server can't initiate a successful RADIUS Challenge response using alternative protocols.
-
-![Radius Authentication in MFA Server](./media/howto-mfaserver-dir-radius/radius.png)
-
-## Add a RADIUS client
-
-To configure RADIUS authentication, install the Microsoft Entra multifactor authentication Server on a Windows server. If you have an Active Directory environment, the server should be joined to the domain inside the network. Use the following procedure to configure the Microsoft Entra multifactor authentication Server:
-
-1. In the Microsoft Entra multifactor authentication Server, select the RADIUS Authentication icon in the left menu.
-2. Check the **Enable RADIUS authentication** checkbox.
-3. On the Clients tab, change the Authentication and Accounting ports if the Microsoft Entra multifactor authentication RADIUS service needs to listen for RADIUS requests on non-standard ports.
-4. Select **Add**.
-5. Enter the IP address of the appliance/server that will authenticate to the Microsoft Entra multifactor authentication Server, an application name (optional), and a shared secret.
-
- The application name appears in reports and may be displayed within SMS or mobile app authentication messages.
-
- The shared secret needs to be the same on both the Microsoft Entra multifactor authentication Server and appliance/server.
-
-6. Check the **Require multifactor authentication user match** box if all users have been imported into the Server and subject to multifactor authentication. If a significant number of users haven't been imported into the Server or are exempt from two-step verification, leave the box unchecked.
-7. Check the **Enable fallback OATH token** box if you want to use OATH passcodes from mobile verification apps as a backup method.
-8. Select **OK**.
-
-Repeat steps 4 through 8 to add as many additional RADIUS clients as you need.
-
-## Configure your RADIUS client
-
-1. Select the **Target** tab.
- * If the Microsoft Entra multifactor authentication Server is installed on a domain-joined server in an Active Directory environment, select **Windows domain**.
- * If users should be authenticated against an LDAP directory, select **LDAP bind**.
- Select the Directory Integration icon and edit the LDAP configuration on the Settings tab so that the Server can bind to your directory. Instructions for configuring LDAP can be found in the [LDAP Proxy configuration guide](howto-mfaserver-dir-ldap.md).
- * If users should be authenticated against another RADIUS server, select **RADIUS server(s)**.
-1. Select **Add** to configure the server to which the Microsoft Entra multifactor authentication Server will proxy the RADIUS requests.
-1. In the Add RADIUS Server dialog box, enter the IP address of the RADIUS server and a shared secret.
-
- The shared secret needs to be the same on both the Microsoft Entra multifactor authentication Server and RADIUS server. Change the Authentication port and Accounting port if different ports are used by the RADIUS server.
-
-1. Select **OK**.
-1. Add the Microsoft Entra multifactor authentication Server as a RADIUS client in the other RADIUS server so that it can process access requests sent to it from the Microsoft Entra multifactor authentication Server. Use the same shared secret configured in the Microsoft Entra multifactor authentication Server.
-
-Repeat these steps to add more RADIUS servers. Configure the order in which the Microsoft Entra multifactor authentication Server should call them with the **Move Up** and **Move Down** buttons.
-
-You've successfully configured the Microsoft Entra multifactor authentication Server. The Server is now listening on the configured ports for RADIUS access requests from the configured clients.
-
-## RADIUS Client configuration
-
-To configure the RADIUS client, use the guidelines:
-
-* Configure your appliance/server to authenticate via RADIUS to the Microsoft Entra multifactor authentication Server's IP address, which acts as the RADIUS server.
-* Use the same shared secret that was configured earlier.
-* Configure the RADIUS timeout to 60 seconds so that there's time to validate the user's credentials, perform two-step verification, receive their response, and then respond to the RADIUS access request.
-
-## Next steps
-
-Learn how to [integrate with RADIUS authentication](howto-mfa-nps-extension.md) if you have Microsoft Entra multifactor authentication in the cloud.
diff --git a/docs/identity/authentication/howto-mfaserver-iis.md b/docs/identity/authentication/howto-mfaserver-iis.md
deleted file mode 100644
index 3af1fc9eb73..00000000000
--- a/docs/identity/authentication/howto-mfaserver-iis.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: IIS Authentication and Microsoft Entra multifactor authentication Server
-description: Deploying IIS Authentication and Microsoft Entra multifactor authentication Server.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Configure Microsoft Entra multifactor authentication Server for IIS web apps
-
-Use the IIS Authentication section of the Microsoft Entra multifactor authentication (MFA) Server to enable and configure IIS authentication for integration with Microsoft IIS web applications. The Microsoft Entra multifactor authentication Server installs a plug-in that can filter requests being made to the IIS web server to add Microsoft Entra multifactor authentication. The IIS plug-in provides support for Form-Based Authentication and Integrated Windows HTTP Authentication. Trusted IPs can also be configured to exempt internal IP addresses from two-factor authentication.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
->>
-> When you use cloud-based Microsoft Entra multifactor authentication, there is no alternative to the IIS plugin provided by Microsoft Entra multifactor authentication (MFA) Server. Instead, use Web Application Proxy (WAP) with Active Directory Federation Services (AD FS) or Microsoft Entra application proxy.
-
-![IIS Authentication in MFA Server](./media/howto-mfaserver-iis/iis.png)
-
-## Using Form-Based IIS Authentication with Microsoft Entra multifactor authentication Server
-
-To secure an IIS web application that uses form-based authentication, install the Microsoft Entra multifactor authentication Server on the IIS web server and configure the Server per the following procedure:
-
-1. In the Microsoft Entra multifactor authentication Server, select the IIS Authentication icon in the left menu.
-2. Select the **Form-Based** tab.
-3. Select **Add**.
-4. To detect username, password and domain variables automatically, enter the Login URL (like `https://localhost/contoso/auth/login.aspx`) within the Auto-Configure Form-Based Website dialog box and select **OK**.
-5. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multifactor authentication. If a significant number of users haven't yet been imported into the Server and/or will be exempt from multifactor authentication, leave the box unchecked.
-6. If the page variables can't be detected automatically, select **Specify Manually** in the Auto-Configure Form-Based Website dialog box.
-7. In the Add Form-Based Website dialog box, enter the URL to the sign-in page in the Submit URL field and enter an Application name (optional). The Application name appears in Microsoft Entra multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages.
-8. Select the correct Request format. This is set to **POST or GET** for most web applications.
-9. Enter the Username variable, Password variable, and Domain variable (if it appears on the sign-in page). To find the names of the input boxes, navigate to the sign-in page in a web browser, right-select on the page, and select **View Source**.
-10. Check the **Require Microsoft Entra multifactor authentication user match** box if all users have been or will be imported into the Server and subject to multifactor authentication. If a significant number of users haven't yet been imported into the Server and/or will be exempt from multifactor authentication, leave the box unchecked.
-11. Select **Advanced** to review advanced settings, including:
-
- - Select a custom denial page file
- - Cache successful authentications to the website for a period of time using cookies
- - Select whether to authenticate the primary credentials against a Windows Domain, LDAP directory. or RADIUS server.
-
-12. Select **OK** to return to the Add Form-Based Website dialog box.
-13. Select **OK**.
-14. Once the URL and page variables have been detected or entered, the website data displays in the Form-Based panel.
-
-## Using integrated Windows authentication with Microsoft Entra multifactor authentication Server
-
-To secure an IIS web application that uses Integrated Windows HTTP authentication, install the Microsoft Entra multifactor authentication Server on the IIS web server, then configure the Server with the following steps:
-
-1. In the Microsoft Entra multifactor authentication Server, select the IIS Authentication icon in the left menu.
-2. Select the **HTTP** tab.
-3. Select **Add**.
-4. In the Add Base URL dialogue box, enter the URL for the website where HTTP authentication is performed (like `http://localhost/owa`) and provide an Application name (optional). The Application name appears in Microsoft Entra multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages.
-5. Adjust the Idle timeout and Maximum session times if the default isn't sufficient.
-6. Check the **Require Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to multifactor authentication. If a significant number of users haven't yet been imported into the Server and/or will be exempt from multifactor authentication, leave the box unchecked.
-7. Check the **Cookie cache** box if desired.
-8. Select **OK**.
-
-## Enable IIS Plug-ins for Microsoft Entra multifactor authentication Server
-
-After configuring the Form-Based or HTTP authentication URLs and settings, select the locations where the Microsoft Entra multifactor authentication IIS plug-ins should be loaded and enabled in IIS. Use the following procedure:
-
-1. If running on IIS 6, select the **ISAPI** tab. Select the website that the web application is running under (for example, Default Web Site) to enable the Microsoft Entra multifactor authentication ISAPI filter plug-in for that site.
-2. If running on IIS 7 or higher, select the **Native Module** tab. Select the server, websites, or applications to enable the IIS plug-in at the desired levels.
-3. Select the **Enable IIS authentication** box at the top of the screen. Microsoft Entra multifactor authentication is now securing the selected IIS application. Ensure that users have been imported into the Server.
-
-## Trusted IPs
-
-The Trusted IPs allows users to bypass Microsoft Entra multifactor authentication for website requests originating from specific IP addresses or subnets. For example, you may want to exempt users from Microsoft Entra multifactor authentication while logging in from the office. In that case, you can specify the office subnet as a Trusted IPs entry. To configure Trusted IPs, use the following procedure:
-
-1. In the IIS Authentication section, select the **Trusted IPs** tab.
-2. Select **Add**.
-3. When the Add Trusted IPs dialog box appears, select the **Single IP**, **IP range**, or **Subnet** radio button.
-4. Enter the IP address, range of IP addresses or subnet that should be allowed. If entering a subnet, select the appropriate Netmask and select **OK**.
diff --git a/docs/identity/authentication/howto-mfaserver-nps-rdg.md b/docs/identity/authentication/howto-mfaserver-nps-rdg.md
deleted file mode 100644
index 8eeab49a953..00000000000
--- a/docs/identity/authentication/howto-mfaserver-nps-rdg.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: RDG and Microsoft Entra Multifactor Authentication Server using RADIUS
-description: This is the Microsoft Entra Multifactor Authentication page that assists in deploying Remote Desktop (RD) Gateway and Microsoft Entra Multifactor Authentication Server using RADIUS.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Remote Desktop Gateway and Microsoft Entra Multifactor Authentication Server using RADIUS
-
-Often, Remote Desktop (RD) Gateway uses the local [Network Policy Services (NPS)](/windows-server/networking/core-network-guide/core-network-guide#BKMK_optionalfeatures) to authenticate users. This article describes how to route RADIUS requests out from the Remote Desktop Gateway (through the local NPS) to the Multifactor Authentication Server. The combination of Microsoft Entra Multifactor Authentication and RD Gateway means that your users can access their work environments from anywhere while performing strong authentication.
-
-Since Windows Authentication for terminal services isn't supported for Server 2012 R2, use RD Gateway and RADIUS to integrate with MFA Server.
-
-Install the Microsoft Entra Multifactor Authentication Server on a separate server, which proxies the RADIUS request back to the NPS on the Remote Desktop Gateway Server. After NPS validates the username and password, it returns a response to the Multifactor Authentication Server. Then, the MFA Server performs the second factor of authentication and returns a result to the gateway.
-
-> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Microsoft Entra Multifactor Authentication Server. Beginning September 30, 2024, Microsoft Entra Multifactor Authentication Server deployments no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra Multifactor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra Multifactor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra Multifactor Authentication](tutorial-enable-azure-mfa.md).
->
-> If you use cloud-based MFA, see how to [integrate with RADIUS authentication for Microsoft Entra Multifactor Authentication](howto-mfa-nps-extension.md).
-
-## Prerequisites
-
-- A domain-joined Microsoft Entra Multifactor Authentication Server. If you don't have one installed already, follow the steps in [Getting started with the Microsoft Entra Multifactor Authentication Server](howto-mfaserver-deploy.md).
-- An existing configured NPS Server.
-- A Remote Desktop Gateway that authenticates with Network Policy Services.
-
-> [!NOTE]
-> This article should be used with MFA Server deployments only, not Microsoft Entra Multifactor Authentication (Cloud-based).
-
-## Configure the Remote Desktop Gateway
-
-Configure the RD Gateway to send RADIUS authentication to an Microsoft Entra Multifactor Authentication Server.
-
-1. In RD Gateway Manager, right-click the server name and select **Properties**.
-2. Go to the **RD CAP Store** tab and select **Central server running NPS**.
-3. Add one or more Microsoft Entra Multifactor Authentication Servers as RADIUS servers by entering the name or IP address of each server.
-4. Create a shared secret for each server.
-
-## Configure NPS
-
-The RD Gateway uses NPS to send the RADIUS request to Microsoft Entra Multifactor Authentication. To configure NPS, first you change the timeout settings to prevent the RD Gateway from timing out before completing the two-step verification. Then, you update NPS to receive RADIUS authentications from your MFA Server. Use the following procedure to configure NPS:
-
-### Modify the timeout policy
-
-1. In NPS, open the **RADIUS Clients and Server** menu in the left column and select **Remote RADIUS Server Groups**.
-2. Select the **TS GATEWAY SERVER GROUP**.
-3. Go to the **Load Balancing** tab.
-4. Change both the **Number of seconds without response before request is considered dropped** and the **Number of seconds between requests when server is identified as unavailable** to between 30 and 60 seconds. (If you find that the server still times out during authentication, you can come back here and increase the number of seconds.)
-5. Go to the **Authentication/Account** tab and check that the RADIUS ports specified match the ports that the Multifactor Authentication Server is listening on.
-
-### Prepare NPS to receive authentications from the MFA Server
-
-1. Right-click **RADIUS Clients** under RADIUS Clients and Servers in the left column and select **New**.
-2. Add the Microsoft Entra Multifactor Authentication Server as a RADIUS client. Choose a Friendly name and specify a shared secret.
-3. Open the **Policies** menu in the left column and select **Connection Request Policies**. You should see a policy called TS GATEWAY AUTHORIZATION POLICY that was created when RD Gateway was configured. This policy forwards RADIUS requests to the Multifactor Authentication Server.
-4. Right-click **TS GATEWAY AUTHORIZATION POLICY** and select **Duplicate Policy**.
-5. Open the new policy and go to the **Conditions** tab.
-6. Add a condition that matches the Client Friendly Name with the Friendly name set in step 2 for the Microsoft Entra Multifactor Authentication Server RADIUS client.
-7. Go to the **Settings** tab and select **Authentication**.
-8. Change the Authentication Provider to **Authenticate requests on this server**. This policy ensures that when NPS receives a RADIUS request from the Microsoft Entra Multifactor Authentication Server, the authentication occurs locally. This prevents sending a RADIUS request back to the Microsoft Entra Multifactor Authentication Server, which would result in a loop condition.
-9. To prevent a loop condition, make sure that the new policy is ordered ABOVE the original policy in the **Connection Request Policies** pane.
-
-## Configure Microsoft Entra Multifactor Authentication
-
-The Microsoft Entra Multifactor Authentication Server is configured as a RADIUS proxy between RD Gateway and NPS. It should be installed on a domain-joined server that is separate from the RD Gateway server. Use the following procedure to configure the Microsoft Entra Multifactor Authentication Server.
-
-1. Open the Microsoft Entra Multifactor Authentication Server and select the RADIUS Authentication icon.
-2. Check the **Enable RADIUS authentication** checkbox.
-3. On the Clients tab, ensure the ports match what is configured in NPS then select **Add**.
-4. Add the RD Gateway server IP address, application name (optional), and a shared secret. The shared secret needs to be the same on both the Microsoft Entra Multifactor Authentication Server and RD Gateway.
-3. Go to the **Target** tab and select the **RADIUS server(s)** radio button.
-4. Select **Add** and enter the IP address, shared secret, and ports of the NPS server. Unless using a central NPS, the RADIUS client and RADIUS target are the same. The shared secret must match the one setup in the RADIUS client section of the NPS server.
-
-![Radius Authentication in MFA Server](./media/howto-mfaserver-nps-rdg/radius.png)
-
-## Next steps
-
-- Integrate Microsoft Entra Multifactor Authentication and [IIS web apps](howto-mfaserver-iis.md)
-
-- Get answers in the [Microsoft Entra Multifactor Authentication FAQ](multi-factor-authentication-faq.yml)
\ No newline at end of file
diff --git a/docs/identity/authentication/howto-mfaserver-nps-vpn.md b/docs/identity/authentication/howto-mfaserver-nps-vpn.md
deleted file mode 100644
index a41f00cbc85..00000000000
--- a/docs/identity/authentication/howto-mfaserver-nps-vpn.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Microsoft Entra Multifactor Authentication Server and third-party VPNs
-description: Step-by-step configuration guides for Microsoft Entra Multifactor Authentication Server to integrate with Cisco, Citrix, and Juniper.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Advanced scenarios with Microsoft Entra Multifactor Authentication Server and third-party VPN solutions
-
-Microsoft Entra Multifactor Authentication Server (formerly Microsoft Entra Multifactor Authentication Server) can be used to seamlessly connect with various third-party VPN solutions. This article focuses on Cisco® ASA VPN appliance, Citrix NetScaler SSL VPN appliance, and the Juniper Networks Secure Access/Pulse Secure Connect Secure SSL VPN appliance. We created configuration guides to address these three common appliances. Microsoft Entra Multifactor Authentication Server can also integrate with most other systems that use RADIUS, LDAP, IIS, or claims-based authentication to AD FS. You can find more details in [Microsoft Entra Multifactor Authentication Server configurations](howto-mfaserver-deploy.md#next-steps).
-
-> [!IMPORTANT]
-> As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multifactor authentication during sign-in events should use cloud-based Microsoft Entra multifactor authentication.
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
->
-> If you use cloud-based MFA, see [Integrate your VPN infrastructure with Microsoft Entra Multifactor Authentication](howto-mfa-nps-extension-vpn.md).
->
-> Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual.
-
-## Cisco ASA VPN appliance and Microsoft Entra Multifactor Authentication Server
-Microsoft Entra Multifactor Authentication Server integrates with your Cisco® ASA VPN appliance to provide additional security for Cisco AnyConnect® VPN logins and portal access. You can use either the LDAP or RADIUS protocol. Select one of the following to download the detailed step-by-step configuration guides.
-
-| Configuration Guide | Description |
-| --- | --- |
-| [Cisco ASA with Anyconnect VPN and Microsoft Entra Multifactor Authentication Configuration for LDAP](https://download.microsoft.com/download/A/2/0/A201567C-C3DE-4227-AF89-4567A470899E/Cisco_ASA_Azure_MFA_LDAP.docx) | Integrate your Cisco ASA VPN appliance with Microsoft Entra Multifactor Authentication using LDAP |
-| [Cisco ASA with Anyconnect VPN and Microsoft Entra Multifactor Authentication Configuration for RADIUS](https://download.microsoft.com/download/4/5/7/4579C1CF-35B0-4FBE-8A1A-B49CB2CC0382/Cisco_ASA_Azure_MFA_RADIUS.docx) | Integrate your Cisco ASA VPN appliance with Microsoft Entra Multifactor Authentication using RADIUS |
-
-## Citrix NetScaler SSL VPN and Microsoft Entra Multifactor Authentication Server
-Microsoft Entra Multifactor Authentication Server integrates with your Citrix NetScaler SSL VPN appliance to provide additional security for Citrix NetScaler SSL VPN logins and portal access. You can use either the LDAP or RADIUS protocol. Select one of the following to download the detailed step-by-step configuration guides.
-
-| Configuration Guide | Description |
-| --- | --- |
-| [Citrix NetScaler SSL VPN and Microsoft Entra Multifactor Authentication Configuration for LDAP](https://download.microsoft.com/download/2/4/E/24E1E722-72DF-471F-A88A-D1338DB1AF83/Citrix_NS_Azure_MFA_LDAP.docx) | Integrate your Citrix NetScaler SSL VPN with Microsoft Entra Multifactor Authentication appliance using LDAP |
-| [Citrix NetScaler SSL VPN and Microsoft Entra Multifactor Authentication Configuration for RADIUS](https://download.microsoft.com/download/1/A/4/1A482764-4A63-45C2-A5EC-2B673ACCDD12/Citrix_NS_Azure_MFA_RADIUS.docx) | Integrate your Citrix NetScaler SSL VPN appliance with Microsoft Entra Multifactor Authentication using RADIUS |
-
-## Juniper/Pulse Secure SSL VPN appliance and Microsoft Entra Multifactor Authentication Server
-Microsoft Entra Multifactor Authentication Server integrates with your Juniper/Pulse Secure SSL VPN appliance to provide additional security for Juniper/Pulse Secure SSL VPN logins and portal access. You can use either the LDAP or RADIUS protocol. Select one of the following to download the detailed step-by-step configuration guides.
-
-| Configuration Guide | Description |
-| --- | --- |
-| [Juniper/Pulse Secure SSL VPN and Microsoft Entra Multifactor Authentication Configuration for LDAP](https://download.microsoft.com/download/6/5/8/6587B418-75B1-4FCB-84D4-984BC479309E/JuniperPulse_Azure_MFA_LDAP.docx) | Integrate your Juniper/Pulse Secure SSL VPN with Microsoft Entra Multifactor Authentication appliance using LDAP |
-| [Juniper/Pulse Secure SSL VPN and Microsoft Entra Multifactor Authentication Configuration for RADIUS](https://download.microsoft.com/download/7/9/A/79AB3DAD-4799-4379-B1DA-B95ABDF231DC/JuniperPulse_Azure_MFA_RADIUS.docx) | Integrate your Juniper/Pulse Secure SSL VPN appliance with Microsoft Entra Multifactor Authentication using RADIUS |
-
-## Next steps
-
-- [Augment your existing authentication infrastructure with the NPS extension for Microsoft Entra Multifactor Authentication](howto-mfa-nps-extension.md)
-
-- [Configure Microsoft Entra Multifactor Authentication settings](howto-mfa-mfasettings.md)
diff --git a/docs/identity/authentication/howto-mfaserver-windows.md b/docs/identity/authentication/howto-mfaserver-windows.md
deleted file mode 100644
index 6ac4bbe5241..00000000000
--- a/docs/identity/authentication/howto-mfaserver-windows.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Windows authentication and Microsoft Entra Multifactor Authentication Server
-description: Deploy Windows Authentication and Microsoft Entra Multifactor Authentication Server.
-
-
-ms.service: entra-id
-ms.subservice: authentication
-ms.topic: how-to
-ms.date: 01/14/2025
-
-ms.author: justinha
-author: justinha
-manager: amycolannino
-ms.reviewer: michmcla
----
-# Windows Authentication and Microsoft Entra Multifactor Authentication Server
-
-To enable and configure Windows authentication for applications, use the Windows Authentication section of the Microsoft Entra Multifactor Authentication Server. Before you set up Windows Authentication, keep the following list in mind:
-
-* After setup, reboot the Microsoft Entra Multifactor Authenticationfor Terminal Services to take effect.
-* If 'Require Microsoft Entra Multifactor Authenticationuser match' is checked, and you aren't in the user list, you won't be able to log into the machine after reboot.
-* Trusted IPs is dependent on whether the application can provide the client IP with the authentication. Currently only Terminal Services is supported.
-
-> [!IMPORTANT]
-> As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multifactor authentication during sign-in events should use cloud-based Microsoft Entra multifactor authentication.
->
-> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
->
-> Existing customers that activated MFA Server before July 1, 2019 can download the latest version, future updates, and generate activation credentials as usual.
-
-> [!NOTE]
-> This feature is not supported to secure Terminal Services on Windows Server 2012 R2.
-
-## To secure an application with Windows Authentication, use the following procedure
-
-1. In the Microsoft Entra Multifactor Authentication Server, select the Windows Authentication icon.
- ![Windows Authentication in MFA Server](./media/howto-mfaserver-windows/windowsauth.png)
-2. Check the **Enable Windows Authentication** checkbox. By default, this box is unchecked.
-3. The Applications tab allows the administrator to configure one or more applications for Windows Authentication.
-4. Select a server or application – specify whether the server/application is enabled. Select **OK**.
-5. Select **Add…**
-6. The Trusted IPs tab allows you to skip Microsoft Entra Multifactor Authenticationfor Windows sessions originating from specific IPs. For example, if employees use the application from the office and from home, you may decide you don't want their phones ringing for Microsoft Entra Multifactor Authentication while at the office. For this purpose, you would specify the office subnet as Trusted IPs entry.
-7. Select **Add…**
-8. Select **Single IP** if you would like to skip a single IP address.
-9. Select **IP Range** if you would like to skip an entire IP range. Example 10.63.193.1-10.63.193.100.
-10. Select **Subnet** if you would like to specify a range of IPs using subnet notation. Enter the subnet's starting IP and pick the appropriate netmask from the drop-down list.
-11. Select **OK**.
-
-## Next steps
-
-- [Configure third-party VPN appliances for Microsoft Entra Multifactor Authentication Server](howto-mfaserver-nps-vpn.md)
-
-- [Augment your existing authentication infrastructure with the NPS extension for Microsoft Entra Multifactor Authentication](howto-mfa-nps-extension.md)
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/ldap1.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/ldap1.png
deleted file mode 100644
index 3dadd7873c8..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/ldap1.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/ldap2.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/ldap2.png
deleted file mode 100644
index f02ed5afbe4..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/ldap2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/manual.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/manual.png
deleted file mode 100644
index 67062577656..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/manual.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/noproxy.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/noproxy.png
deleted file mode 100644
index 75dc41836e0..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/noproxy.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/reg.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/reg.png
deleted file mode 100644
index 4b663b2f1cc..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/reg.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/setup1.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/setup1.png
deleted file mode 100644
index 65b505b999e..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/setup1.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2/trusted.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2/trusted.png
deleted file mode 100644
index 8835d5e0126..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2/trusted.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/configurewizard.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2012/configurewizard.png
deleted file mode 100644
index 0cc2234bd17..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/configurewizard.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/global.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2012/global.png
deleted file mode 100644
index 1497f3acbd2..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/global.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/server.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2012/server.png
deleted file mode 100644
index 1b1f76ae259..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/server.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip1.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip1.png
deleted file mode 100644
index 978dd2d50ec..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip1.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip2.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip2.png
deleted file mode 100644
index 915d821ba31..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip3.png b/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip3.png
deleted file mode 100644
index 14c3e72ede1..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-adfs-2012/trustedip3.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfa-ha-architecture.png b/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfa-ha-architecture.png
deleted file mode 100644
index f47189891b1..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfa-ha-architecture.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfa-ha-deployment.png b/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfa-ha-deployment.png
deleted file mode 100644
index 98677a0958a..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfa-ha-deployment.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfaapp.png b/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfaapp.png
deleted file mode 100644
index cd2da64c81d..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfaapp.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfaportal.png b/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfaportal.png
deleted file mode 100644
index 3ae095891ab..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfaportal.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfasecurity.png b/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfasecurity.png
deleted file mode 100644
index 3019157b87a..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-ha/mfasecurity.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-mobileapp/mobile.png b/docs/identity/authentication/media/howto-mfaserver-deploy-mobileapp/mobile.png
deleted file mode 100644
index e6a973910e6..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-mobileapp/mobile.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/backupphone.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/backupphone.png
deleted file mode 100644
index f309cbc5350..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/backupphone.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/config.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/config.png
deleted file mode 100644
index db1adc2b55c..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/config.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/install.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/install.png
deleted file mode 100644
index c95f310e791..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/install.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/portal.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/portal.png
deleted file mode 100644
index e831e2496d4..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/portal.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/portalsettings.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/portalsettings.png
deleted file mode 100644
index 12255c8a24b..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/portalsettings.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/sdk.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/sdk.png
deleted file mode 100644
index bc8fcad76ad..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/sdk.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/secq.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/secq.png
deleted file mode 100644
index 9068d89084f..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/secq.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/text.png b/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/text.png
deleted file mode 100644
index 251ac07b6e0..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy-userportal/text.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy/downloadportal.png b/docs/identity/authentication/media/howto-mfaserver-deploy/downloadportal.png
deleted file mode 100644
index dac39eabaf3..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy/downloadportal.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy/email1.png b/docs/identity/authentication/media/howto-mfaserver-deploy/email1.png
deleted file mode 100644
index 150ee5825b3..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy/email1.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy/email2.png b/docs/identity/authentication/media/howto-mfaserver-deploy/email2.png
deleted file mode 100644
index 29e71933b97..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy/email2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy/import2.png b/docs/identity/authentication/media/howto-mfaserver-deploy/import2.png
deleted file mode 100644
index 702d3eb1cb0..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy/import2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-deploy/server2.png b/docs/identity/authentication/media/howto-mfaserver-deploy/server2.png
deleted file mode 100644
index aa05922ff1b..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-deploy/server2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint.png b/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint.png
deleted file mode 100644
index e1e9c1bf8c1..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint2.png b/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint2.png
deleted file mode 100644
index 78ef6ac6b7d..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint3.png b/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint3.png
deleted file mode 100644
index 5e822c3ea09..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint3.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint4.png b/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint4.png
deleted file mode 100644
index 1a71a699bd1..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint4.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint5.png b/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint5.png
deleted file mode 100644
index b0735511194..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint5.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint6.png b/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint6.png
deleted file mode 100644
index d85fd856653..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ad/dirint6.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ldap/ldap.png b/docs/identity/authentication/media/howto-mfaserver-dir-ldap/ldap.png
deleted file mode 100644
index e1e9c1bf8c1..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ldap/ldap.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-ldap/ldap2.png b/docs/identity/authentication/media/howto-mfaserver-dir-ldap/ldap2.png
deleted file mode 100644
index 634293bb12d..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-ldap/ldap2.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-dir-radius/radius.png b/docs/identity/authentication/media/howto-mfaserver-dir-radius/radius.png
deleted file mode 100644
index c8d806eb6f5..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-dir-radius/radius.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-iis/iis.png b/docs/identity/authentication/media/howto-mfaserver-iis/iis.png
deleted file mode 100644
index 0dc758b32a0..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-iis/iis.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-nps-rdg/radius.png b/docs/identity/authentication/media/howto-mfaserver-nps-rdg/radius.png
deleted file mode 100644
index c8d806eb6f5..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-nps-rdg/radius.png and /dev/null differ
diff --git a/docs/identity/authentication/media/howto-mfaserver-windows/windowsauth.png b/docs/identity/authentication/media/howto-mfaserver-windows/windowsauth.png
deleted file mode 100644
index 7f5c29518c1..00000000000
Binary files a/docs/identity/authentication/media/howto-mfaserver-windows/windowsauth.png and /dev/null differ
diff --git a/docs/identity/saas-apps/bersin-tutorial.md b/docs/identity/saas-apps/bersin-tutorial.md
deleted file mode 100644
index e19e363b708..00000000000
--- a/docs/identity/saas-apps/bersin-tutorial.md
+++ /dev/null
@@ -1,189 +0,0 @@
----
-title: 'Tutorial: Microsoft Entra integration with Bersin'
-description: Learn how to configure single sign-on between Microsoft Entra ID and Bersin.
-
-author: jeevansd
-manager: CelesteDG
-ms.reviewer: celested
-ms.service: entra-id
-ms.subservice: saas-apps
-
-ms.topic: tutorial
-ms.date: 03/25/2024
-ms.author: jeedes
-
-# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Bersin so that I can control who has access to Bersin, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
----
-# Tutorial: Microsoft Entra integration with Bersin
-
-In this tutorial, you learn how to integrate Bersin with Microsoft Entra ID.
-Integrating Bersin with Microsoft Entra ID provides you with the following benefits:
-
-* You can control in Microsoft Entra ID who has access to Bersin.
-* You can enable your users to be automatically signed-in to Bersin (Single Sign-On) with their Microsoft Entra accounts.
-* You can manage your accounts in one central location.
-
-If you want to know more details about SaaS app integration with Microsoft Entra ID, see [What is application access and single sign-on with Microsoft Entra ID](~/identity/enterprise-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
-
-## Prerequisites
-
-To configure Microsoft Entra integration with Bersin, you need the following items:
-
-* A Microsoft Entra subscription. If you don't have a Microsoft Entra environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Bersin single sign-on enabled subscription
-
-## Scenario description
-
-In this tutorial, you configure and test Microsoft Entra single sign-on in a test environment.
-
-* Bersin supports **SP and IDP** initiated SSO
-
-## Adding Bersin from the gallery
-
-To configure the integration of Bersin into Microsoft Entra ID, you need to add Bersin from the gallery to your list of managed SaaS apps.
-
-**To add Bersin from the gallery**
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
-1. In the **Add from the gallery** section, type **Bersin**, select **Bersin** from result panel then click **Add** button to add the application.
-
- ![Bersin in the results list](common/search-new-app.png)
-
-
-
-## Configure and test Microsoft Entra single sign-on
-
-In this section, you configure and test Microsoft Entra single sign-on with Bersin based on a test user called **Britta Simon**
-For single sign-on to work, a link relationship between a Microsoft Entra user and the related user in Bersin needs to be established.
-
-To configure and test Microsoft Entra single sign-on with Bersin, you need to complete the following building blocks:
-
-1. **[Configure Microsoft Entra Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Bersin Single Sign-On](#configure-bersin-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create a Microsoft Entra test user](#create-an-azure-ad-test-user)** - to test Microsoft Entra single sign-on with Britta Simon.
-4. **[Assign the Microsoft Entra test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Microsoft Entra single sign-on.
-5. **[Create Bersin test user](#create-bersin-test-user)** - to have a counterpart of Britta Simon in Bersin that is linked to the Microsoft Entra representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
-
-
-
-### Configure Microsoft Entra single sign-on
-
-In this section, you enable Microsoft Entra single sign-on.
-
-To configure Microsoft Entra single sign-on with Bersin, do the following steps:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Bersin** application integration page, select **Single sign-on**.
-
- ![Configure single sign-on link](common/select-sso.png)
-
-1. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-1. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-1. On the **Basic SAML Configuration** section, If you wish to configure the application in **IDP** initiated mode, do the following step:
-
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-identifier-relay.png)
-
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://www.bersin.com/shibboleth`
-
- b. Click **Set additional URLs**.
-
- c. In the **Relay State** text box, type a URL using the following pattern:
- `https://www.bersin.com/secure/`
-
-1. Click **Set additional URLs** and do the following steps if you wish to configure the application in **SP** initiated mode:
-
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://www.bersin.com/Login.aspx`
-
-1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-1. On the **Set up Bersin** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
- a. Login URL
-
- b. Microsoft Entra Identifier
-
- c. Logout URL
-
-### Configure Bersin Single Sign-On
-
-To configure single sign-on on **Bersin** side, send the downloaded **Federation Metadata XML** and appropriate copied URLs from the application configuration to [Bersin support team](mailto:ramansabde@gmail.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-
-
-### Create a Microsoft Entra test user
-
-The objective of this section is to create a test user called Britta Simon.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
-1. Browse to **Identity** > **Users** > **All users**.
-1. Select **New user** > **Create new user**, at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Display name** field, enter `B.Simon`.
- 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Select **Review + create**.
-1. Select **Create**.
-
-
-
-### Assign the Microsoft Entra test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Bersin.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Bersin**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-1. In the applications list, select **Bersin**.
-
- ![The Bersin link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you're expecting any role value in the SAML assertion, then in the **Select Role** dialog, select the appropriate role for the user from the list. Click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog, click the **Assign** button.
-
-### Create Bersin test user
-
-In this section, you create a user called Britta Simon in Bersin. Work with the [Bersin support team](mailto:USBersinServiceClient@deloitte.com) to add the users in the Bersin platform or the domain that must be added to an allow list for the Bersin platform. If the domain is added by the team, users will get automatically provisioned to the Bersin platform. Users must be created and activated before you use single sign-on.
-
-### Test single sign-on
-
-In this section, you test your Microsoft Entra single sign-on configuration using the Access Panel.
-
-When you click the Bersin tile in the Access Panel, you should be automatically signed in to the Bersin for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Additional Resources
-
-- [List of Tutorials on How to Integrate SaaS Apps with Microsoft Entra ID](./tutorial-list.md)
-
-- [What is application access and single sign-on with Microsoft Entra ID?](~/identity/enterprise-apps/what-is-single-sign-on.md)
-
-- [What is Conditional Access in Microsoft Entra ID?](~/identity/conditional-access/overview.md)
diff --git a/docs/identity/saas-apps/lines-elibrary-advance-tutorial.md b/docs/identity/saas-apps/lines-elibrary-advance-tutorial.md
deleted file mode 100644
index c997a7eea11..00000000000
--- a/docs/identity/saas-apps/lines-elibrary-advance-tutorial.md
+++ /dev/null
@@ -1,180 +0,0 @@
----
-title: 'Tutorial: Microsoft Entra SSO integration with Lines eLibrary Advance'
-description: Learn how to configure single sign-on between Microsoft Entra ID and Lines eLibrary Advance.
-
-author: jeevansd
-manager: CelesteDG
-ms.reviewer: CelesteDG
-ms.service: entra-id
-ms.subservice: saas-apps
-
-ms.topic: tutorial
-ms.date: 03/25/2024
-ms.author: jeedes
-
-
-# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Lines eLibrary Advance so that I can control who has access to Lines eLibrary Advance, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
----
-
-# Tutorial: Microsoft Entra SSO integration with Lines eLibrary Advance
-
-In this tutorial, you'll learn how to integrate Lines eLibrary Advance with Microsoft Entra ID. When you integrate Lines eLibrary Advance with Microsoft Entra ID, you can:
-
-* Control in Microsoft Entra ID who has access to Lines eLibrary Advance.
-* Enable your users to be automatically signed-in to Lines eLibrary Advance with their Microsoft Entra accounts.
-* Manage your accounts in one central location.
-
-## Prerequisites
-
-To get started, you need the following items:
-
-* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Lines eLibrary Advance single sign-on (SSO) enabled subscription.
-* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Microsoft Entra ID.
-For more information, see [Azure built-in roles](~/identity/role-based-access-control/permissions-reference.md).
-
-## Scenario description
-
-In this tutorial, you configure and test Microsoft Entra SSO in a test environment.
-
-* Lines eLibrary Advance supports **SP** and **IDP** initiated SSO.
-
-## Add Lines eLibrary Advance from the gallery
-
-To configure the integration of Lines eLibrary Advance into Microsoft Entra ID, you need to add Lines eLibrary Advance from the gallery to your list of managed SaaS apps.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
-1. In the **Add from the gallery** section, type **Lines eLibrary Advance** in the search box.
-1. Select **Lines eLibrary Advance** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-
-
-
-## Configure and test Microsoft Entra SSO for Lines eLibrary Advance
-
-Configure and test Microsoft Entra SSO with Lines eLibrary Advance using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user at Lines eLibrary Advance.
-
-To configure and test Microsoft Entra SSO with Lines eLibrary Advance, perform the following steps:
-
-1. **[Configure Microsoft Entra SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create a Microsoft Entra test user](#create-an-azure-ad-test-user)** - to test Microsoft Entra single sign-on with B.Simon.
- 1. **[Assign the Microsoft Entra test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.
-1. **[Configure Lines eLibrary Advance SSO](#configure-lines-elibrary-advance-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Lines eLibrary Advance test user](#create-lines-elibrary-advance-test-user)** - to have a counterpart of B.Simon in Lines eLibrary Advance that is linked to the Microsoft Entra representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
-
-
-## Configure Microsoft Entra SSO
-
-Follow these steps to enable Microsoft Entra SSO.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Lines eLibrary Advance** > **Single sign-on**.
-1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![Screenshot shows to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
-
-1. On the **Basic SAML Configuration** section, perform the following steps:
-
- a. In the **Identifier** textbox, type a value using one of the following patterns:
-
- | **Identifier** |
- |-----------|
- | `https://ela.education.ne.jp/students/gsso/metadata/gsuite/` |
- | `https://ela.kodomo.ne.jp/students/gsso/metadata/gsuite/` |
- | `https://ela.education.ne.jp/teachers/gsso/metadata/gsuite/` |
- | `https://ela.kodomo.ne.jp/teachers/gsso/metadata/gsuite/` |
- | `https://ela.kodomo.ne.jp/students/gsso/acs/gsuite/` |
- | `https://ela.education.ne.jp/teachers/gsso/acs/gsuite/` |
- | `https://ela.kodomo.ne.jp/teachers/gsso/acs/gsuite/` |
-
-1. Click **Set additional URLs** and perform the following step, if you wish to configure the application in **SP** initiated mode:
-
- In the **Sign-on URL** text box, type a URL using one of the following patterns:
-
- | **Sign-on URL** |
- |--------|
- | `https://fms.live.fm.ks.irdeto.com/` |
- | `https://ela.education.ne.jp/students/gsso/login/azure/` |
- | `https://ela.education.ne.jp/teachers/gsso/login/azure/` |
- | `https://ela.kodomo.ne.jp/students/gsso/login/azure/` |
- | `https://ela.kodomo.ne.jp/teachers/gsso/login/azure/` |
-
- > [!Note]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Lines eLibrary Advance support team](mailto:tech@education.jp) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section.
-
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
-
- ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate")
-
-1. On the **Set up Lines eLibrary Advance** section, copy the appropriate URL(s) based on your requirement.
-
- ![Screenshot shows to copy configuration appropriate URL.](common/copy-configuration-urls.png "Metadata")
-
-
-
-### Create a Microsoft Entra test user
-
-In this section, you'll create a test user called B.Simon.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
-1. Browse to **Identity** > **Users** > **All users**.
-1. Select **New user** > **Create new user**, at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Display name** field, enter `B.Simon`.
- 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Select **Review + create**.
-1. Select **Create**.
-
-
-
-### Assign the Microsoft Entra test user
-
-In this section, you'll enable B.Simon to use single sign-on by granting access to Lines eLibrary Advance.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Lines eLibrary Advance**.
-1. In the app's overview page, select **Users and groups**.
-1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
- 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
- 1. In the **Add Assignment** dialog, click the **Assign** button.
-
-## Configure Lines eLibrary Advance SSO
-
-To configure single sign-on on **Lines eLibrary Advance** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from the application configuration to [Lines eLibrary Advance support team](mailto:tech@education.jp). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create Lines eLibrary Advance test user
-
-In this section, you create a user called Britta Simon at Lines eLibrary Advance. Work with [Lines eLibrary Advance support team](mailto:tech@education.jp) to add the users in the Lines eLibrary Advance platform. Users must be created and activated before you use single sign-on.
-
-## Test SSO
-
-In this section, you test your Microsoft Entra single sign-on configuration with following options.
-
-#### SP initiated:
-
-* Click on **Test this application**, this will redirect to Lines eLibrary Advance Sign-On URL where you can initiate the login flow.
-
-* Go to Lines eLibrary Advance Sign-On URL directly and initiate the login flow from there.
-
-#### IDP initiated:
-
-* Click on **Test this application**, and you should be automatically signed in to the Lines eLibrary Advance for which you set up the SSO.
-
-You can also use Microsoft My Apps to test the application in any mode. When you click the Lines eLibrary Advance tile in the My Apps, if configured in SP mode you would be redirected to the application Sign-On page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Lines eLibrary Advance for which you set up the SSO. For more information, see [Microsoft Entra My Apps](/azure/active-directory/manage-apps/end-user-experiences#azure-ad-my-apps).
-
-## Next steps
-
-Once you configure Lines eLibrary Advance you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
diff --git a/docs/identity/saas-apps/omnissa-identity-service-provisioning-tutorial.md b/docs/identity/saas-apps/omnissa-identity-service-provisioning-tutorial.md
deleted file mode 100644
index c92c2e94bf9..00000000000
--- a/docs/identity/saas-apps/omnissa-identity-service-provisioning-tutorial.md
+++ /dev/null
@@ -1,177 +0,0 @@
----
-title: 'Tutorial: Configure Omnissa Access Identity Service for automatic user provisioning with Microsoft Entra ID'
-description: Learn how to automatically provision and de-provision user accounts from Microsoft Entra ID to Omnissa Access Identity Service.
-author: thomasakelo
-manager: jeedes
-ms.service: entra-id
-ms.subservice: saas-apps
-ms.topic: tutorial
-ms.date: 03/25/2024
-ms.author: thomasakelo
-
-# Customer intent: As an IT administrator, I want to learn how to automatically provision and deprovision user accounts from Microsoft Entra ID to Omnissa Access Identity Service so that I can streamline the user management process and ensure that users have the appropriate access to Omnissa Access Identity Service.
----
-
-# Tutorial: Configure Omnissa Access Identity Service for automatic user provisioning
-
-This tutorial describes the steps you need to perform in both Omnissa Access Identity Service and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and de-provisions users and groups to [Omnissa Access Identity Service](https://www.omnissa.com/) using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID](~/identity/app-provisioning/user-provisioning.md).
-
-
-## Supported capabilities
-> [!div class="checklist"]
-> * Create users in Omnissa Access Identity Service.
-> * Remove users in Omnissa Access Identity Service when they do not require access anymore.
-> * Keep user attributes synchronized between Microsoft Entra ID and Omnissa Access Identity Service.
-> * Provision groups and group memberships in Omnissa Access Identity Service.
-> * [Single sign-on](vmware-identity-service-tutorial.md) to Omnissa Access Identity Service (recommended).
-
-## Prerequisites
-
-The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-
-* [A Microsoft Entra tenant](~/identity-platform/quickstart-create-new-tenant.md).
-* One of the following roles: [Application Administrator](/entra/identity/role-based-access-control/permissions-reference#application-administrator), [Cloud Application Administrator](/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator), or [Application Owner](/entra/fundamentals/users-default-permissions#owned-enterprise-applications).
-* An Omnissa Access Identity Service tenant.
-* A user account in Omnissa Access Identity Service with Admin permissions.
-
-## Step 1: Plan your provisioning deployment
-1. Learn about [how the provisioning service works](~/identity/app-provisioning/user-provisioning.md).
-1. Determine who will be in [scope for provisioning](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-1. Determine what data to [map between Microsoft Entra ID and Omnissa Access Identity Service](~/identity/app-provisioning/customize-application-attributes.md).
-
-
-
-## Step 2: Configure Omnissa Access Identity Service to support provisioning with Microsoft Entra ID
-Contact Omnissa Access Identity Service support to configure Omnissa Access Identity Service to support provisioning with Microsoft Entra ID.
-
-
-
-## Step 3: Add Omnissa Access Identity Service from the Microsoft Entra application gallery
-
-Add Omnissa Access Identity Service from the Microsoft Entra application gallery to start managing provisioning to Omnissa Access Identity Service. If you have previously setup Omnissa Access Identity Service for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](~/identity/enterprise-apps/add-application-portal.md).
-
-## Step 4: Define who will be in scope for provisioning
-
-The Microsoft Entra provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](~/identity/enterprise-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-
-* If you need more roles, you can [update the application manifest](~/identity-platform/howto-add-app-roles-in-apps.md) to add new roles.
-
-
-## Step 5: Configure automatic user provisioning to Omnissa Access Identity Service
-
-This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Microsoft Entra ID.
-
-
-
-### To configure automatic user provisioning for Omnissa Access Identity Service in Microsoft Entra ID:
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications**
-
- ![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
-
-1. In the applications list, select **Omnissa Access Identity Service**.
-
- ![Screenshot of the Omnissa Access Identity Service link in the Applications list.](common/all-applications.png)
-
-1. Select the **Provisioning** tab.
-
- ![Screenshot of Provisioning tab.](common/provisioning.png)
-
-1. Set the **Provisioning Mode** to **Automatic**.
-
- ![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
-
-1. Under the **Admin Credentials** section, input your Omnissa Access Identity Service Tenant URL and Secret Token. Click **Test Connection** to ensure Microsoft Entra ID can connect to Omnissa Access Identity Service. If the connection fails, ensure your Omnissa Access Identity Service account has Admin permissions and try again.
-
- ![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
-
-1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
-
- ![Screenshot of Notification Email.](common/provisioning-notification-email.png)
-
-1. Select **Save**.
-
-1. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Omnissa Access Identity Service**.
-
-1. Review the user attributes that are synchronized from Microsoft Entra ID to Omnissa Access Identity Service in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Omnissa Access Identity Service for update operations. If you choose to change the [matching target attribute](~/identity/app-provisioning/customize-application-attributes.md), you'll need to ensure that the Omnissa Access Identity Service API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
-
- |Attribute|Type|Supported for filtering|Required by Omnissa Access Identity Service|
- |---|---|---|---|
- |userName|String|✓|✓
- |active|Boolean||✓
- |externalId|String||
- |emails[type eq "work"].value|String||
- |name.givenName|String||
- |name.familyName|String||
- |phoneNumbers[type eq "work"].value|String||
- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String||
- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String||
- |addresses[type eq \"work\"].country|String||
- |addresses[type eq \"work\"].postalCode|String||
- |addresses[type eq \"work\"].region|String||
- |addresses[type eq \"work\"].locality|String||
- |addresses[type eq \"work\"].streetAddress|String||
- |profileUrl|String||
- |title|String||
- |nickName|String||
- |displayName|String||
- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter|String||
- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division|String||
- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:adSourceAnchor|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute1|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute2|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute3|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute4|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute5|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:distinguishedName|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:userPrincipalName|String||
-
-1. Under the **Mappings** section, select **Synchronize Microsoft Entra groups to Omnissa Access Identity Service**.
-
-1. Review the group attributes that are synchronized from Microsoft Entra ID to Omnissa Access Identity Service in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Omnissa Access Identity Service for update operations. Select the **Save** button to commit any changes.
-
- |Attribute|Type|Supported for filtering|Required by Omnissa Access Identity Service|
- |---|---|---|---|
- |displayName|String|✓|✓
- |members|Reference||
- |externalId|String||✓
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:Group:description|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:Group:distinguishedName|String||
- |urn:ietf:params:scim:schemas:extension:ws1b:2.0:Group:domain|String||
-
-1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](~/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-
-1. To enable the Microsoft Entra provisioning service for Omnissa Access Identity Service, change the **Provisioning Status** to **On** in the **Settings** section.
-
- ![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png)
-
-1. Define the users and/or groups that you would like to provision to Omnissa Access Identity Service by choosing the desired values in **Scope** in the **Settings** section.
-
- ![Screenshot of Provisioning Scope.](common/provisioning-scope.png)
-
-1. When you're ready to provision, click **Save**.
-
- ![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png)
-
-This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running.
-
-## Step 6: Monitor your deployment
-Once you've configured provisioning, use the following resources to monitor your deployment:
-
-* Use the [provisioning logs](~/identity/monitoring-health/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
-* Check the [progress bar](~/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
-* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](~/identity/app-provisioning/application-provisioning-quarantine-status.md).
-
-## More resources
-
-* [Managing user account provisioning for Enterprise Apps](~/identity/app-provisioning/configure-automatic-user-provisioning-portal.md)
-* [What is application access and single sign-on with Microsoft Entra ID?](~/identity/enterprise-apps/what-is-single-sign-on.md)
-
-## Next steps
-
-* [Learn how to review logs and get reports on provisioning activity](~/identity/app-provisioning/check-status-user-account-provisioning.md)
diff --git a/docs/identity/saas-apps/soonr-tutorial.md b/docs/identity/saas-apps/soonr-tutorial.md
deleted file mode 100644
index d072ee1e03b..00000000000
--- a/docs/identity/saas-apps/soonr-tutorial.md
+++ /dev/null
@@ -1,160 +0,0 @@
----
-title: 'Tutorial: Microsoft Entra SSO integration with Soonr Workplace'
-description: Learn how to configure single sign-on between Microsoft Entra ID and Soonr Workplace.
-
-author: jeevansd
-manager: CelesteDG
-ms.reviewer: celested
-ms.service: entra-id
-ms.subservice: saas-apps
-
-ms.topic: tutorial
-ms.date: 03/25/2024
-ms.author: jeedes
-
-# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Soonr Workplace so that I can control who has access to Soonr Workplace, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
----
-# Tutorial: Microsoft Entra SSO integration with Soonr Workplace
-
-In this tutorial, you'll learn how to integrate Soonr Workplace with Microsoft Entra ID. When you integrate Soonr Workplace with Microsoft Entra ID, you can:
-
-* Control in Microsoft Entra ID who has access to Soonr Workplace.
-* Enable your users to be automatically signed-in to Soonr Workplace with their Microsoft Entra accounts.
-* Manage your accounts in one central location.
-
-## Prerequisites
-
-To configure Microsoft Entra integration with Soonr Workplace, you need the following items:
-
-* A Microsoft Entra subscription. If you don't have a Microsoft Entra environment, you can get a [free account](https://azure.microsoft.com/free/).
-* Soonr Workplace single sign-on enabled subscription.
-
-## Scenario description
-
-In this tutorial, you configure and test Microsoft Entra single sign-on in a test environment.
-
-* Soonr Workplace supports **SP and IDP** initiated SSO.
-
-## Add Soonr Workplace from the gallery
-
-To configure the integration of Soonr Workplace into Microsoft Entra ID, you need to add Soonr Workplace from the gallery to your list of managed SaaS apps.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
-1. In the **Add from the gallery** section, type **Soonr Workplace** in the search box.
-1. Select **Soonr Workplace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-
-
-
-## Configure and test Microsoft Entra SSO for Soonr Workplace
-
-Configure and test Microsoft Entra SSO with Soonr Workplace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Soonr Workplace.
-
-To configure and test Microsoft Entra SSO with Soonr Workplace, perform the following steps:
-
-1. **[Configure Microsoft Entra SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create a Microsoft Entra test user](#create-an-azure-ad-test-user)** - to test Microsoft Entra single sign-on with B.Simon.
- 1. **[Assign the Microsoft Entra test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.
-1. **[Configure Soonr Workplace SSO](#configure-soonr-workplace-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Soonr Workplace test user](#create-soonr-workplace-test-user)** - to have a counterpart of B.Simon in Soonr Workplace that is linked to the Microsoft Entra representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
-
-
-## Configure Microsoft Entra SSO
-
-Follow these steps to enable Microsoft Entra SSO.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Soonr Workplace** > **Single sign-on**.
-1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
-
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://.soonr.com/singlesignon/saml/metadata`
-
- b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://.soonr.com/singlesignon/saml/SSO`
-
-5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://.soonr.com/singlesignon/saml/SSO`
-
- > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Soonr Workplace Client support team](https://awp.autotask.net/help/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section.
-
-6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/metadataxml.png)
-
-7. On the **Set up Soonr Workplace** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
-
-
-### Create a Microsoft Entra test user
-
-In this section, you'll create a test user called B.Simon.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
-1. Browse to **Identity** > **Users** > **All users**.
-1. Select **New user** > **Create new user**, at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Display name** field, enter `B.Simon`.
- 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Select **Review + create**.
-1. Select **Create**.
-
-
-
-### Assign the Microsoft Entra test user
-
-In this section, you'll enable B.Simon to use single sign-on by granting access to Soonr Workplace.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Soonr Workplace**.
-1. In the app's overview page, select **Users and groups**.
-1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog.
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
- 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
- 1. In the **Add Assignment** dialog, click the **Assign** button.
-
-## Configure Soonr Workplace SSO
-
-To configure single sign-on on **Soonr Workplace** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from the application configuration to [Soonr Workplace support team](https://awp.autotask.net/help/). They set this setting to have the SAML SSO connection set properly on both sides.
-
-> [!Note]
-> If you require assistance with configuring Autotask Workplace, please see [this page](https://awp.autotask.net/help/Content/0_HOME/Support_for_End_Clients.htm) to get assistance with your Workplace account.
-
-### Create Soonr Workplace test user
-
-In this section, you create a user called Britta Simon in Soonr Workplace. Work with [Soonr Workplace support team](https://awp.autotask.net/help/) to add the users in the Soonr Workplace platform. Users must be created and activated before you use single sign-on.
-
-## Test SSO
-
-In this section, you test your Microsoft Entra single sign-on configuration with following options.
-
-#### SP initiated:
-
-* Click on **Test this application**, this will redirect to Soonr Workplace Sign on URL where you can initiate the login flow.
-
-* Go to Soonr Workplace Sign-on URL directly and initiate the login flow from there.
-
-#### IDP initiated:
-
-* Click on **Test this application**, and you should be automatically signed in to the Soonr Workplace for which you set up the SSO.
-
-You can also use Microsoft My Apps to test the application in any mode. When you click the Soonr Workplace tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Soonr Workplace for which you set up the SSO. For more information, see [Microsoft Entra My Apps](/azure/active-directory/manage-apps/end-user-experiences#azure-ad-my-apps).
-
-## Next steps
-
-Once you configure Soonr Workplace you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
diff --git a/docs/identity/saas-apps/toc.yml b/docs/identity/saas-apps/toc.yml
index dc4973c02df..1c64092d412 100644
--- a/docs/identity/saas-apps/toc.yml
+++ b/docs/identity/saas-apps/toc.yml
@@ -328,8 +328,6 @@
href: benq-iam-tutorial.md
- name: BenSelect
href: benselect-tutorial.md
- - name: Bersin
- href: bersin-tutorial.md
- name: BetterWorks
href: betterworks-tutorial.md
- name: Beyond Identity Admin Console
@@ -1693,8 +1691,6 @@
href: litmus-tutorial.md
- name: Learnster
href: learnster-tutorial.md
- - name: Lines eLibrary Advance
- href: lines-elibrary-advance-tutorial.md
- name: LinkedIn Elevate
href: linkedinelevate-tutorial.md
- name: LinkedIn Learning
@@ -2669,8 +2665,6 @@
href: soloinsight-cloudgate-sso-tutorial.md
- name: Sonarqube
href: sonarqube-tutorial.md
- - name: Soonr Workplace
- href: soonr-tutorial.md
- name: SpaceIQ
href: spaceiq-tutorial.md
- name: Spacio
@@ -3151,8 +3145,6 @@
href: wiz-sso-tutorial.md
- name: Wootric
href: wootric-tutorial.md
- - name: Work.com
- href: work-com-tutorial.md
- name: Workable
href: workable-tutorial.md
- name: WorkBoard
@@ -3696,8 +3688,6 @@
href: officespace-software-provisioning-tutorial.md
- name: Olfeo SAAS
href: olfeo-saas-provisioning-tutorial.md
- - name: Omnissa Identity Service
- href: omnissa-identity-service-provisioning-tutorial.md
- name: Oneflow
href: oneflow-provisioning-tutorial.md
- name: OpenForms
diff --git a/docs/identity/saas-apps/work-com-tutorial.md b/docs/identity/saas-apps/work-com-tutorial.md
deleted file mode 100644
index ae0f3b7b78b..00000000000
--- a/docs/identity/saas-apps/work-com-tutorial.md
+++ /dev/null
@@ -1,253 +0,0 @@
----
-title: 'Tutorial: Microsoft Entra SSO integration with Work.com'
-description: Learn how to configure single sign-on between Microsoft Entra ID and Work.com.
-
-author: jeevansd
-manager: CelesteDG
-ms.reviewer: celested
-ms.service: entra-id
-ms.subservice: saas-apps
-
-ms.topic: tutorial
-ms.date: 03/25/2024
-ms.author: jeedes
-
-# Customer intent: As an IT administrator, I want to learn how to configure single sign-on between Microsoft Entra ID and Work.com so that I can control who has access to Work.com, enable automatic sign-in with Microsoft Entra accounts, and manage my accounts in one central location.
----
-# Tutorial: Microsoft Entra integration with Work.com
-
-In this tutorial, you'll learn how to integrate Work.com with Microsoft Entra ID. When you integrate Work.com with Microsoft Entra ID, you can:
-
-* Control in Microsoft Entra ID who has access to Work.com.
-* Enable your users to be automatically signed-in to Work.com with their Microsoft Entra accounts.
-* Manage your accounts in one central location.
-
-## Prerequisites
-
-To configure Microsoft Entra integration with Work.com, you need the following items:
-
-* A Microsoft Entra subscription. If you don't have a Microsoft Entra environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Work.com single sign-on enabled subscription.
-
-## Scenario description
-
-In this tutorial, you configure and test Microsoft Entra SSO in a test environment.
-
-* Work.com supports **SP** initiated SSO.
-
-## Add Work.com from the gallery
-
-To configure the integration of Work.com into Microsoft Entra ID, you need to add Work.com from the gallery to your list of managed SaaS apps.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
-1. In the **Add from the gallery** section, type **Work.com** in the search box.
-1. Select **Work.com** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-
-
-
-## Configure and test Microsoft Entra SSO for Work.com
-
-Configure and test Microsoft Entra SSO with Work.com using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Work.com.
-
-To configure and test Microsoft Entra SSO with Work.com, perform the following steps:
-
-1. **[Configure Microsoft Entra SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create a Microsoft Entra test user](#create-an-azure-ad-test-user)** - to test Microsoft Entra single sign-on with B.Simon.
- 2. **[Assign the Microsoft Entra test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on.
-2. **[Configure Work.com SSO](#configure-workcom-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Work.com test user](#create-workcom-test-user)** - to have a counterpart of B.Simon in Work.com that is linked to the Microsoft Entra representation of user.
-3. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-
-
-
-## Configure Microsoft Entra SSO
-
-Follow these steps to enable Microsoft Entra SSO.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Work.com** > **Single sign-on**.
-1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-1. On the **Basic SAML Configuration** section, perform the following steps:
-
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `http://.my.salesforce.com`
-
- > [!NOTE]
- > The value is not real. Update the value with the actual Sign-On URL. Contact [Work.com Client support team](https://help.salesforce.com/articleView?id=000159855&type=3) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section.
-
-1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
-
- ![The Certificate download link](common/certificatebase64.png)
-
-1. On the **Set up Work.com** section, copy the appropriate URL(s) as per your requirement.
-
- ![Copy configuration URLs](common/copy-configuration-urls.png)
-
-
-
-### Create a Microsoft Entra test user
-
-In this section, you'll create a test user called B.Simon.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator).
-1. Browse to **Identity** > **Users** > **All users**.
-1. Select **New user** > **Create new user**, at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Display name** field, enter `B.Simon`.
- 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Select **Review + create**.
-1. Select **Create**.
-
-
-
-### Assign the Microsoft Entra test user
-
-In this section, you'll enable B.Simon to use single sign-on by granting access to Work.com.
-
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator).
-1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Work.com**.
-3. In the app's overview page, find the **Manage** section and select **Users and groups**.
-4. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-5. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-6. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
-7. In the **Add Assignment** dialog, click the **Assign** button.
-
-
-## Configure Work.com SSO
-
-1. Sign in to your Work.com tenant as administrator.
-
-2. Go to **Setup**.
-
- ![Screenshot shows Setup selected from the user menu.](./media/work-com-tutorial/setup.png "Setup")
-
-3. On the left navigation pane, in the **Administer** section, click **Domain Management** to expand the related section, and then click **My Domain** to open the **My Domain** page.
-
- ![Screenshot shows My Domain selected Domain Management in the Administer pane.](./media/work-com-tutorial/administer.png "My Domain")
-
-4. To verify that your domain has been set up correctly, make sure that it is in “**Step 4 Deployed to Users**” and review your “**My Domain Settings**”.
-
- ![Screenshot shows Domain Deployed to User.](./media/work-com-tutorial/domain-settings.png "Domain Deployed to User")
-
-5. Sign in to your Work.com tenant.
-
-6. Go to **Setup**.
-
- ![Screenshot shows Setup selected from the user menu.](./media/work-com-tutorial/setup.png "Setup")
-
-7. Expand the **Security Controls** menu, and then click **Single Sign-On Settings**.
-
- ![Screenshot shows Single Sign-On Settings.](./media/work-com-tutorial/security-controls.png "Single Sign-On Settings")
-
-8. On the **Single Sign-On Settings** dialog page, perform the following steps:
-
- ![Screenshot shows SAML Enabled.](./media/work-com-tutorial/sso-settings.png "SAML Enabled")
-
- a. Select **SAML Enabled**.
-
- b. Click **New**.
-
-9. In the **SAML Single Sign-On Settings** section, perform the following steps:
-
- ![Screenshot shows SAML Single Sign-On Setting.](./media/work-com-tutorial/configuration.png "SAML Single Sign-On Setting")
-
- a. In the **Name** textbox, type a name for your configuration.
-
- > [!NOTE]
- > Providing a value for **Name** does automatically populate the **API Name** textbox.
-
- b. In **Issuer** textbox, paste the value of **Microsoft Entra Identifier**..
-
- c. To upload the downloaded certificate from Azure portal, click **Browse**.
-
- d. In the **Entity Id** textbox, type `https://salesforce-work.com`.
-
- e. As **SAML Identity Type**, select **Assertion contains the Federation ID from the User object**.
-
- f. As **SAML Identity Location**, select **Identity is in the NameIdentfier element of the Subject statement**.
-
- g. In **Identity Provider Login URL** textbox, paste the value of **Login URL**..
-
- h. In **Identity Provider Logout URL** textbox, paste the value of **Logout URL**..
-
- i. As **Service Provider Initiated Request Binding**, select **HTTP Post**.
-
- j. Click **Save**.
-
-10. In your Work.com classic portal, on the left navigation pane, click **Domain Management** to expand the related section, and then click **My Domain** to open the **My Domain** page.
-
- ![Screenshot shows My Domain selected from Domain Management.](./media/work-com-tutorial/my-domain.png "My Domain")
-
-11. On the **My Domain** page, in the **Login Page Branding** section, click **Edit**.
-
- ![Screenshot shows the Login Page Branding section where you can select edit.](./media/work-com-tutorial/edit.png "Login Page Branding")
-
-12. On the **Login Page Branding** page, in the **Authentication Service** section, the name of your **SAML SSO Settings** is displayed. Select it, and then click **Save**.
-
- ![Screenshot shows Login Page Branding where you can select the name of your setting, which is P P E.](./media/work-com-tutorial/save.png "Login Page Branding")
-
-### Create Work.com test user
-
-For Microsoft Entra users to be able to sign in, they must be provisioned to Work.com. In the case of Work.com, provisioning is a manual task.
-
-### To configure user provisioning, perform the following steps:
-
-1. Sign on to your Work.com company site as an administrator.
-
-2. Go to **Setup**.
-
- ![Screenshot shows Setup selected from the user menu.](./media/work-com-tutorial/setup.png "Setup")
-
-3. Go to **Manage Users \> Users**.
-
- ![Screenshot shows Manage Users.](./media/work-com-tutorial/users.png "Manage Users")
-
-4. Click **New User**.
-
- ![Screenshot shows All Users.](./media/work-com-tutorial/new-user.png "All Users")
-
-5. In the User Edit section, perform the following steps, in attributes of a valid Microsoft Entra account you want to provision into the related textboxes:
-
- ![Screenshot shows User Edit.](./media/work-com-tutorial/create-user.png "User Edit")
-
- a. In the **First Name** textbox, type the **first name** of the user **Britta**.
-
- b. In the **Last Name** textbox, type the **last name** of the user **Simon**.
-
- c. In the **Alias** textbox, type the **name** of the user **BrittaS**.
-
- d. In the **Email** textbox, type the **email address** of user Brittasimon@contoso.com.
-
- e. In the **User Name** textbox, type a user name of user like Brittasimon@contoso.com.
-
- f. In the **Nick Name** textbox, type a **nick name** of user **Simon**.
-
- g. Select **Role**, **User License**, and **Profile**.
-
- h. Click **Save**.
-
- > [!NOTE]
- > The Microsoft Entra account holder will get an email including a link to confirm the account before it becomes active.
- >
-
-## Test SSO
-
-In this section, you test your Microsoft Entra single sign-on configuration with following options.
-
-* Click on **Test this application**, this will redirect to Work.com Sign-on URL where you can initiate the login flow.
-
-* Go to Work.com Sign-on URL directly and initiate the login flow from there.
-
-* You can use Microsoft My Apps. When you click the Work.com tile in the My Apps, this will redirect to Work.com Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
-
-## Next steps
-
-Once you configure Work.com you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).