The last two articles covered the more ethereal parts of the Azure Multi-Factor Authentication story. Today, we’re getting hands-on with the technology.

We’re going to enable Multi-Factor Authentication in our Azure tenant, and then download and install the on-premises Multi-Factor Authentication Server.

This walkthrough assumes that you already have an Azure tenant and a Windows Server installation on which to install the Multi-Factor Authentication Server.

This walkthrough features:

  • Windows Server 2012 R2 Standard Edition
  • Multi-Factor Authentication Server

Let’s get technical!


To complete the steps in this article and the two articles after it, you will need:

  • A domain-joined and Internet-connected Windows Server 2012 R2 (x64) installation
  • An SSL/TLS certificate for the external domain name for the above server (for instance, mfa.domain.tld to help protect the communications between end users, devices, and the services offered through the MFA portals)

You can get free trusted SSL/TLS certificates from

Preparing the Windows Server installation

Before we can install the Multi-Factor Authentication Server on an on-premises Windows Server, we need to prepare the latter for this functionality. We’ll need to install Internet Information Services (IIS) and the .NET Framework 2.0.

Let’s start with the .NET Framework. Open a Windows PowerShell with elevated rights and issue this PowerShell command:

Install-WindowsFeature NET-Framework-Core

This installation may take some time because the installation files for the .NET Framework 2.0 features are downloaded from Windows Update. You’ll see it seemingly stalling at 68% progress while it downloads.

Next, install the IIS role and role features:

Install-WindowsFeature Web-WebServer,Web-Http-Redirect,Web-Basic-Auth,Web-ASP,Web-Asp-Net,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

Because we’ll be using Internet Explorer on this server, it’s also a good idea to disable Internet Explorer Enhanced Security Configuration. In Server Manager, in the left pane, click Local Server. Then, in the second column, click On next to IE Enhanced Security Configuration. Disable it and then click OK.

Enabling the Multi-Factor Authentication Service

By default, in any Azure Active Directory tenant, Multi-Factor Authentication is disabled. As pointed out previously, this allows for Multi-Factor Authentication for Office 365 and Azure Admins.

Enabling the Azure Multi-Factor Authentication Service, however, is straightforward and easy.

Although the new Azure Portal, now in preview, shows a user interface where you’d suspect you could enable Multi-Factor Authentication for the tenant, this functionality is labeled “Coming Soon.” We’ll just use the “old” portal.

Just follow these steps:

  1. Log on to the Azure Portal.
  2. In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
  3. In the main pane, select the default directory.
  4. Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
    Azure MFA Service - Get started
  5. You’ll be prompted with the message “You have no Multi-Factor Authentication providers. Add one to get started!” Click the link CREATE A NEW MULTI-FACTOR AUTHENTICATION PROVIDER.
  6. A configuration pane will unfold from the bottom of the Azure Management Portal, offering you a set of configuration options. Here, we’ll make three distinct choices:
    1. Choose a NAME. You will not see this name anywhere, but it is good to name the Multi-Factor Authentication Provider appropriately.
    2. Choose a USER MODEL. This determines if you use the Per Enabled User or Per Authentication mode.
    3. Under DIRECTORY, choose your directory. This is often aptly named the Default Directory.
  7. When done configuring, click CREATE.

It’ll only take a minute to create. After that, you can manage the Multi-Factor Authentication Provider by selecting it from the list and then clicking MANAGE on the bottom ribbon.

Downloading the Multi-Factor Authentication Server

You’ll be redirected to the PhoneFactor management portal (, where you can download the installation files for the on-premises Multi-Factor Authentication Server and get activation credentials to connect it to the Azure Multi-Factor Authentication Service.

Azure Multi-Factor Authentication Service

Azure Multi-Factor Authentication Service

In the PhoneFactor management portal, perform these steps:

  1. On the Welcome page, click DOWNLOADS.
  2. Below the list of supported operating systems for the on-premises Azure Multi-Factor Authentication Server (including Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, Windows Server 2003, Windows 8.1, Windows 8, Windows 7, and Windows Vista), click Download.
  3. Save the 122MB MultiFactorAuthenticationServerSetup.exe file somewhere convenient.
  4. Run the installer.
  5. On the Select Installation Folder page, accept the default C:\Program Files\Multi-Factor Authentication Server\ folder or choose another folder. Click Next > when done.
    Azure Multi-Factor Authentication Server Installer -Select Installation Folder
  6. On the Installation Complete page, click Finish.
    Azure Multi-Factor Authentication Server - Installation complete

Configuring the Multi-Factor Authentication Server

The Multi-Factor Authentication Server Authentication Configuration Wizard appears.

Perform these actions:

  1. On the Welcome page, click Next >.
    Azure Multi-Factor Authentication Server Configuration Wizard 01
  2. On the Activate screen, fill in the Email and Password fields with the data you get when you click the Generate Activation Credentials button on the DOWNLOADS page of the PhoneFactor management portal. Click Next > when done.
    Azure Multi-Factor Authentication Server Configuration Wizard 02
  3. On the Join Group screen, click Next >, unless you’re installing a second or consecutive Multi-Factor Authentication Server.
    Azure Multi-Factor Authentication Server Configuration Wizard 03
  4. On the Enable Replication Between Servers page, enable the Enable replication between servers option, unless you’re installing the first server and are really sure you’re never going to add a second server. Click Next > when done.

The Multi-Factor Authentication Server Authentication Configuration Wizard closes and the Authentication Configuration Wizard opens.

  1. On the Secure Communications page, deselect Certificates and click Next >.
    Azure Multi-Factor Authentication Server Configuration Wizard 04
  2. On the Active Directory page, make sure all options are selected and click Next >.
    Azure Multi-Factor Authentication Server Configuration Wizard 05
  3. On the Select Applications page, click Cancel or click the button in the title bar to close the Authentication Configuration Wizard, unless you have the information required and prerequisites met for the listed agents and types of appliances.
    Azure Multi-Factor Authentication Server Configuration Wizard 06

You’ll receive an error stating that “the Authentication Configuration Wizard has not been completed. Any configuration specified will be lost. Are you sure you want to cancel?” But, in fact, the wizard has done everything we need it to do at this point. Click Yes.

When you’re ready to add Virtual Private Networking (VPN) appliances, Citrix Web Interface, Outlook Web Access (OWA), Websites, RADIUS client devices, and/or Remote Desktop to the Multi-Factor Authentication Server configuration, simply open the Tools menu in the Multi-Factor Authentication Server Management Console and select Authentication Configuration Wizard….


In the next article, we’ll install the Web Service SDK, the User Portal, and the Mobile Portal so that end users can configure their multi-factor authentication preferences and activate their mobile Multi-Factor Auth apps.

  1. Avatar
    Rishi 8 years ago

    Sweetest article I have ever come across for Azure MFA… Really nicely explained. Can you throw some light on Azure On-prem server High availability ?

  2. Avatar
    Rishi 8 years ago

    Does the MFA Server need to be internet facing, i.e. does it need to be reachable from Internet on a Public IP ?

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account