By Sander Berkouwer
Let’s look at the settings and configure some of them, so we can unlock all of the awesome features of the server and the Azure Multi-Factor Authentication Service for our organization!
As stated in Part 2 of this series, settings for users, appliances, and agents are located in the management interface of the Multi-Factor Authentication Server software installation. Azure-related configuration items (such as enabling and disabling users) are managed through the Azure Portal. Authentication configuration (such as which authentication factors to allow and how they need to be used) is managed through the PhoneFactor portal.
Let’s start with the MFA Server:
- Log on to the server running the Multi-Factor Authentication Server with administrative privileges.
- Open the Multi-Factor Authentication Server Management console by searching for it on the Start Screen.
- In the left pane, click Company Settings.
Company Settings
The Company Settings section allows MFA admins to define company-wide settings for authentication behavior, user defaults, username resolution, text message content, and user information to include in reports.
The General tab offers three distinct pieces of management functionality.
Company Settings, General tab
The first setting, When Internet Is Not Accessible, sets what to do when the on-premises MFA Server is unable to communicate with the Azure MFA Service. You can specify Succeed Authentication (colleagues are not required to provide a second authentication in this situation) or the default Fail Authentication (colleagues are locked out in this situation).
The User Defaults area contains the default settings for new users. User defaults are intended to be used in tandem with the Users section. In the Company Settings section, you set the default rules for the entire environment. Then, in the Users section, you can either accept the default company settings for each colleague or override the settings. This allows for granular yet clear MFA policies.
One of the first decisions is whether to set up the Multi-Factor Authentication Server Company Settings in Phone Call mode, Text Message mode, Mobile App mode, or OATH Token mode, by default:
- Phone Call modes
  In Phone Call mode, a phone call is placed to the user’s phone to complete the authentication. The three Phone Call modes are:
  - Standard mode (without PIN)
  - PIN mode (requires the colleague to enter a PIN during the call)
  - Voiceprint mode (requires the colleague to say a passphrase during the call)
- Text Message modes
  In Text Message mode, a text message is sent to the colleague’s phone to complete the authentication. The four Text Message modes are:
  - Two-Way OTP (a text message containing a one-time passcode (OTP) is sent and the OTP needs to be sent back in a reply)
  - Two-Way OTP + PIN (in the reply text message, both the OTP and the PIN need to be entered)
  - One-Way OTP (the OTP in the text message needs to be entered at the appliance, agent, or [web]service)
  - One-Way OTP + PIN (both the OTP and the PIN need to be entered)
- Mobile App modes
  In Mobile App mode, a notification is sent to the Multi-Factor Authentication mobile app. The two Mobile App modes are:
  - Standard mode (colleagues verify, or deny, the authentication request)
  - PIN mode (colleagues need to enter their PIN before they can verify or deny)
- OATH Token mode
  In OATH Token mode, the user is prompted for an OATH code to authenticate with Multi-Factor Authentication. Time-based OATH codes may be generated by the Multi-Factor Authentication mobile app, a third-party token (such as VASCO), or a software-based token.
  The OATH Token method is only supported by RADIUS Authentication and IIS Authentication (Form-Based Authentication).
The option for Keep Phone Synchronized with Active Directory is an interesting privacy option when you have colleagues who want to access resources secured through Multi-Factor Authentication but don’t want to share their (mobile) phone numbers with the organization through Exchange, Lync, SharePoint, or other collaboration solutions that display phone numbers. The option is enabled by default, but you could disable it in that situation.
The Default PIN Rules area under User Defaults operates in the same way as the user defaults. You can set whether colleagues can change their PIN and the minimum length for the PIN. You can also prevent weak PINs (such as 0000 and 1234), make PINs expire (set as days), and set PIN history.
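The Default PIN Rules knobs map onto a small policy check. The following is an added example (not the server's own implementation) that models those rules: minimum length, weak-PIN rejection, PIN history, expiry in days, and whether users may change their PIN. The weak-PIN test generalises the article's 0000 and 1234 examples to any repeated digit or straight run up or down, which is an assumption about what "weak" covers; the default values are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PinPolicy:
    """Company-wide defaults; the values here are constructed for the demo."""
    min_length: int = 4
    prevent_weak_pins: bool = True
    expire_days: int = 90        # 0 means PINs never expire
    history_length: int = 5      # how many previous PINs may not be reused
    allow_user_change: bool = True


def is_weak_pin(pin: str) -> bool:
    """Repeated digits (0000) and straight runs up or down (1234, 4321) count as weak."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def check_new_pin(policy: PinPolicy, pin: str, previous_pins: list) -> tuple:
    """Return (accepted, reason) for a PIN a colleague wants to set."""
    if not policy.allow_user_change:
        return False, "users may not change their PIN"
    if not pin.isdigit():
        return False, "PIN must contain digits only"
    if len(pin) < policy.min_length:
        return False, f"PIN shorter than {policy.min_length} digits"
    if policy.prevent_weak_pins and is_weak_pin(pin):
        return False, "weak PIN"
    # Only the most recent `history_length` PINs are remembered.
    if policy.history_length and pin in previous_pins[-policy.history_length:]:
        return False, "PIN was used recently"
    return True, "ok"


def pin_expired(policy: PinPolicy, last_changed: date, today: date) -> bool:
    """Expiry is counted in days, as in the Company Settings dialog."""
    if policy.expire_days == 0:
        return False
    return today - last_changed >= timedelta(days=policy.expire_days)


if __name__ == "__main__":
    policy = PinPolicy()
    print(check_new_pin(policy, "1234", []))                      # (False, 'weak PIN')
    print(check_new_pin(policy, "2468", ["1057"]))                # (True, 'ok')
    print(pin_expired(policy, date(2015, 1, 1), date(2015, 4, 1)))  # True
```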
Username Resolution tab
Company Settings, Username Resolution tab
The settings on the Username Resolution tab specify the method to use in resolving a username to a MFA user object in the Users section.
Text Message, Mobile App Text, and OATH Token Text tabs
Company Settings, Text Message tab
The settings on the Text Message, Mobile App Text, and OATH Token Text tabs specify the text to send to colleagues per language.
Company Settings, Reports tab
The report settings specify what information should be sent to the Azure Multi-Factor Authentication Service for reporting purposes. You can access these reports via the PhoneFactor portal (https://pfweb.phonefactor.net) with the administrator account credentials (email address and password) that you used to activate the Multi-Factor Authentication Server.
The Email section is another section of MFA settings you might want to configure. This section is in the left pane of the Multi-Factor Authentication Server management console. Several options are available to configure Multi-Factor Authentication to send emails.
Email, Settings tab
The Settings tab allows the administrator to send emails to new and updated Multi-Factor Authentication user objects and email notifications to MFA admins.
The first option, Send Emails to Users, is useful when you want to invite colleagues to enroll for MFA and notify them of changes to their accounts.
Emails are only sent when this option is selected and the user’s email address is specified or the username is in email address format.
The second option (Send Notifications to User Portal Administrators with the Receive Notifications Permission) and the setting below it define the settings for administrator email notifications. These notifications alert administrators to things that may require their attention, such as when the directory synchronization disable/remove thresholds are exceeded and approval is required.
Notifications are only sent to administrators when either Send Notifications to User Portal Administrators with the Receive Notifications Permission is selected or Send Notifications to These Email Addresses is specified.
You can use the SMTP area to define settings for the server address, specify credentials, and indicate whether or not to use SSL for the connections.
Email Content tab
Email, Email Content tab
You can use the Email Content tab to fully customize the content of the emails being sent. The content of the email sent may vary for new users, user enrollments, and updated users and whether the user is in Standard, PIN, or Voiceprint Phone Call modes; Two-Way OTP, Two-Way OTP + PIN, One-Way OTP, or One-Way OTP + PIN Text Message modes; Standard or PIN Mobile App modes; or OATH Token mode.
Logging for the on-premises Multi-Factor Authentication Server is enabled by default, but the Logging section enables you to customize the log file settings and other settings to take advantage of a SYSLOG server.
Log Files tab
Logging, Log Files tab
Let’s start with the Log Files tab. You can specify whether to log configuration and user changes.
The View Log Files button takes you straight to the log files folder. By default, this is C:\Program Files\Multi-Factor Authentication Server\Logs.
Furthermore, you can expand the maximum sizes (in MB) for the various logs. Although you can set them pretty high (up to 1000 MB) to avoid log rotation, please bear in mind that the logs are located on the system drive by default.
Logging, Syslog tab
The Syslog tab allows admins to configure the Multi-Factor Authentication Server installation to log to one or more SYSLOG servers.