Azure Multi-Factor Authentication - Part 5: Settings

In the previous part of this series about Azure Multi-Factor Authentication, I covered the portals. In today’s post, I will discuss the Multi-Factor Authentication Server settings. The default settings might not be the ideal settings for your environment. Furthermore, some settings are (intentionally) left blank.

Sander Berkouwer

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

Let’s look at the settings and configure some of them, so we can unlock all of the awesome features of the server and the Azure Multi-Factor Authentication Service for our organization!

As stated in Part 2 of this series, settings for users, appliances, and agents are located in the management interface of the Multi-factor Authentication Server software installation. Azure-related configuration items (such as enabling and disabling users) are managed through the Azure Portal. Authentication configuration (such as which authentication factors to allow and how they need to be used) is managed through the PhoneFactor portal.

Let’s start with the MFA Server:

  1. Log on to the server running the Multi-Factor Authentication Server with administrative privileges.
  2. Open the Multi-Factor Authentication Server Management console by searching for it on the Start Screen.
  3. In the left pane, click Company Settings.

Company Settings

The Company Settings section allows MFA admins to define company-wide settings for authentication behavior, user defaults, username resolution, text message content, and user information to include in reports.

General tab

The General tab offers three distinct pieces of management functionality.

Company Settings, General tab

The first setting, When Internet Is Not Accessible, sets what to do when the on-premises MFA Server is unable to communicate with the Azure MFA Service. You can specify Succeed Authentication (colleagues are not required to provide a second factor while the service is unreachable, so authentication fails open) or the default Fail Authentication (colleagues are locked out while the service is unreachable, so authentication fails closed).

The User Defaults area contains the default settings for new users. User defaults are intended to be used in tandem with the Users section. In the Company Settings section, you set the default rules for the entire environment. Then, in the Users section, you can either accept the default company settings for each colleague or override the settings. This allows for granular yet clear MFA policies.

One of the first decisions is whether to set up the Multi-Factor Authentication Server Company Settings in Phone Call mode, Text Message mode, Mobile App mode, or OATH Token mode, by default:

  • Phone Call modes
    In Phone Call mode, a phone call is placed to the user’s phone to complete the authentication. The three Phone Call modes are:

    • Standard mode (without PIN)
    • PIN mode (requires the colleague to enter a PIN during the call)
    • Voiceprint mode (requires the colleague to say a passphrase during the call)
  • Text Message modes
    In Text Message mode, a text message is sent to the colleague’s phone to complete the authentication. The four Text Message modes are:

    • Two-Way OTP (a text message containing a one-time passcode (OTP) is sent and the OTP needs to be sent back in a reply)
    • Two-Way OTP + PIN (in the reply text message, both the OTP and the PIN need to be entered)
    • One-Way OTP (the OTP in the text message needs to be entered at the appliance, agent, or [web]service)
    • One-Way OTP + PIN (both the OTP and the PIN need to be entered at the appliance, agent, or [web]service)
  • Mobile App modes
    In Mobile App mode, a notification is sent to the Multi-Factor Authentication mobile app. The two Mobile App modes are:

    • Standard mode (colleagues verify, or deny, the authentication request)
    • PIN mode (colleagues need to enter their PIN before they can verify or deny)
  • OATH Token mode
    In OATH Token mode, the user is prompted for an OATH code to authenticate with Multi-Factor Authentication. Time-based OATH codes may be generated by the Multi-Factor Authentication mobile app, a third-party hardware token (such as VASCO), or a software-based token.

Note:
The OATH Token method is only supported by RADIUS Authentication and IIS Authentication Form-Based Authentication.

The option for Keep Phone Synchronized with Active Directory is an interesting privacy option when you have colleagues who want to access resources secured through Multi-Factor Authentication but don’t want to share their (mobile) phone numbers with the organization through Exchange, Lync, SharePoint, or other collaboration solutions that display phone numbers. The option is enabled by default, but you could disable it in the above situation.

The Default PIN Rules area under User Defaults operates in the same way as the other user defaults. You can set whether colleagues can change their PIN and the minimum length for the PIN. You can also prevent weak PINs (such as 0000 and 1234), make PINs expire (set in days), and set PIN history.
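To make the Default PIN Rules concrete, here is an added example (not code from the article or the product) that enforces the same four rules on a proposed PIN: minimum length, rejection of weak PINs, expiry after a number of days, and a history check. The definition of "weak" used here (all digits identical, or a straight ascending or descending run such as 1234 or 4321) is an assumption that covers the two examples the article gives; the server's own list is not documented on the page.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PinPolicy:
    """Assumed shape of the Default PIN Rules settings."""
    min_length: int = 4
    prevent_weak_pins: bool = True
    expiry_days: int = 90        # 0 disables expiry
    history_depth: int = 5       # 0 disables history


@dataclass
class PinRecord:
    """Per-user state: hashes of previous PINs (most recent last) and the last change date."""
    pin_hashes: List[str] = field(default_factory=list)
    last_changed: Optional[date] = None


def _hash_pin(pin: str) -> str:
    # History is kept as hashes so old PINs are never stored in the clear.
    return hashlib.sha256(pin.encode()).hexdigest()


def is_weak_pin(pin: str) -> bool:
    """Weak: every digit identical (0000) or a run with a constant step of +1/-1 (1234, 4321)."""
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def validate_new_pin(pin: str, policy: PinPolicy, record: PinRecord) -> List[str]:
    """Return the list of rule violations for a proposed PIN (empty list means accepted)."""
    errors = []
    if not pin.isdigit():
        errors.append("PIN must contain digits only")
    if len(pin) < policy.min_length:
        errors.append(f"PIN must be at least {policy.min_length} digits")
    if policy.prevent_weak_pins and pin.isdigit() and is_weak_pin(pin):
        errors.append("PIN is too predictable")
    if policy.history_depth and _hash_pin(pin) in record.pin_hashes[-policy.history_depth:]:
        errors.append(f"PIN matches one of the last {policy.history_depth} PINs")
    return errors


def pin_expired(policy: PinPolicy, record: PinRecord, today: date) -> bool:
    """True when the PIN is older than the configured expiry; never expires if disabled."""
    if not policy.expiry_days or record.last_changed is None:
        return False
    return today - record.last_changed >= timedelta(days=policy.expiry_days)


def change_pin(pin: str, policy: PinPolicy, record: PinRecord, today: date) -> List[str]:
    """Apply a PIN change if it passes the policy; returns the violations, if any."""
    errors = validate_new_pin(pin, policy, record)
    if errors:
        return errors
    record.pin_hashes.append(_hash_pin(pin))
    record.last_changed = today
    return []


if __name__ == "__main__":
    # Constructed walk-through: a user first tries a weak PIN, then a valid one,
    # then tries to reuse it after it has expired.
    policy = PinPolicy(min_length=4, expiry_days=90, history_depth=2)
    record = PinRecord()
    print(change_pin("1234", policy, record, date(2017, 1, 1)))
    print(change_pin("2580", policy, record, date(2017, 1, 1)))
    print("expired on 2017-04-01:", pin_expired(policy, record, date(2017, 4, 1)))
    print(change_pin("2580", policy, record, date(2017, 4, 1)))
```

The history check compares hashes rather than the PINs themselves, and the weak-PIN test is applied in addition to the length rule rather than instead of it, so a short weak PIN reports both violations.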

Username Resolution tab

Company Settings, Username Resolution tab

The settings on the Username Resolution tab specify the method used to resolve a username to an MFA user object in the Users section.

Text Message, Mobile App Text, and OATH Token Text tabs

Company Settings, Text Message tab

The settings on the Text Message, Mobile App Text, and OATH Token Text tabs specify the text to send to colleagues per language.

Reports tab

Company Settings, Reports tab

The report settings specify what information should be sent to the Azure Multi-Factor Authentication Service for reporting purposes. You can access these reports via the PhoneFactor portal (https://pfweb.phonefactor.net) with the administrator account credentials (email address and password) that you used to activate the Multi-Factor Authentication Server.

Email

The Email section is another section of MFA settings you might want to configure. This section is in the left pane of the Multi-Factor Authentication Server management console. Several options are available to configure Multi-Factor Authentication to send emails.

Settings tab

Email, Settings tab

The Settings tab allows the administrator to send emails to new and updated Multi-Factor Authentication user objects and email notifications to MFA admins.

The first option, Send Emails to Users, is useful when you want to invite colleagues to enroll for MFA and notify them of changes to their accounts.

Note:
Emails are only sent when this option is selected and the user’s email address is specified or the username is in email address format.

The second option (Send Notifications to User Portal Administrators with the Receive Notifications Permission) and the setting below it define the settings for administrator email notifications. These notifications alert administrators to things that may require their attention, such as when approval is required because the directory synchronization disable/remove thresholds have been exceeded.

Notifications are only sent to administrators when either Send Notifications to User Portal Administrators with the Receive Notifications Permission is selected or Send Notifications to These Email Addresses is specified.

You can use the SMTP area to define settings for the server address, specify credentials, and indicate whether or not to use SSL for the connections.

Email Content tab

Email, Email Content tab

You can use the Email Content tab to fully customize the content of the emails being sent. The content can differ for new users, user enrollments, and updated users, and per authentication mode: Standard, PIN, or Voiceprint Phone Call mode; Two-Way OTP, Two-Way OTP + PIN, One-Way OTP, or One-Way OTP + PIN Text Message mode; Standard or PIN Mobile App mode; or OATH Token mode.

Logging

Logging for the on-premises Multi-Factor Authentication Server is enabled by default, but the Logging section enables you to customize the log file settings and other settings to take advantage of a SYSLOG server.

Log Files tab

Logging, Log Files tab

Let’s start with the Log Files tab. You can specify whether to log configuration and user changes.

The View Log Files button takes you straight to the log files folder. By default, this is C:\Program Files\Multi-Factor Authentication Server\Logs.

Furthermore, you can expand the maximum sizes (in MB) for the various logs. Although you can set them pretty high (up to 1000 MB) to avoid log rotation, please bear in mind that the logs are located on the system drive by default.

Syslog tab

Logging, Syslog tab

The Syslog tab allows admins to configure the Multi-Factor Authentication Server installation to log to one or more SYSLOG servers.

In the next installment of this series, we’ll look into Active Directory onboarding, so we’ll actually be able to log on to any of these portals.

© 4sysops 2006 - 2017