With a pristine, on-premises Multi-Factor Authentication Server installation connected to the Azure Multi-Factor Authentication Service, let’s look at how your organization can get the most out of Azure Multi-Factor Authentication by onboarding your Active Directory user accounts sensibly.

The Multi-Factor Authentication database

On-premises Multi-Factor Authentication Servers use databases to store user accounts.

Although many of the other settings are stored without file extensions in the Data folder of the Multi-Factor Authentication Server installation folder (C:\Program Files\Multi-Factor Authentication Server\Data by default), settings pertaining to users are stored specifically in the PhoneFactor.pfdata file in that folder. This is the Multi-Factor Authentication database.

This model allows for flexibility, privacy, and degradability.


Because it has its own database, the Multi-Factor Authentication Server offers two choices for directories it can synchronize with: Active Directory and generic LDAP directories. Filters on containers, groups, and object type are available for both configurations as well as attribute translation for directory schemas. This offers flexibility in terms of directory integration.


When people in your organization would like to keep their mobile phone numbers private, the Multi-Factor Authentication database allows this by not synchronizing telephone numbers from the Multi-Factor Authentication database back to fields in Active Directory, where they are accessible to all others (for instance, in Lync).


Additionally, because the Multi-Factor Authentication database is synchronized with directories, the directory servers themselves (domain controllers, in Active Directory speak) may be offline, overloaded, or otherwise unavailable without affecting the functionality of the Multi-Factor Authentication Server (for a short period).

Configuring directory integration

Although you could use the Multi-Factor Authentication Server to synchronize to generic LDAP directories, in this article we’ll focus on integrating with Active Directory.

To set up directory integration with Active Directory, perform the following steps.

Configuring filters and attributes to use

  1. Log on with administrative privileges to the server running the Multi-Factor Authentication Server.
  2. Open the Multi-Factor Authentication Server management console by searching for it on the Start Screen.
  3. In the left pane, click Directory Integration.
    Directory Integration, Settings tab
  4. On the Settings tab, decide if you want to include trusted domains. Although this is a very powerful setting in multi-domain and multi-forest environments, this setting doesn’t do anything in a single domain topology.
  5. On the Filters tab, decide if you want to change the default filters. By default, all enabled user objects (from Active Directory Domain Services) and person objects (from Active Directory Lightweight Directory Services) are synchronized from both Containers and Organizational Units (OUs). For groups, only security groups are synchronized.
  6. On the Attributes tab, you can edit the attribute translation. Depending on which attributes you already use in Active Directory to store telephone numbers, you may want to change the mappings for the business phone (telephoneNumber, by default) and mobile phone (mobile, by default).

When you’re migrating from a previous multi-factor authentication solution, you might get errors because of the way that particular solution stores the phone number. In that case, use attributes other than the default ones, such as otherMobile and otherTelephone. PowerShell can help you populate the attributes with the right formatting.
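One way to do the reformatting mentioned above, as an added example that is not part of the original article: the script normalizes the value of mobile and writes it to otherMobile. The target format (a plus sign followed by country code and number), the default country code 31, and the OU are assumptions; adjust them to what your Multi-Factor Authentication Server import accepts.

```powershell
# Added example (not from the article). Assumptions: the target format is "+"
# followed by 8 to 15 digits, and 31 is the default country code.
function ConvertTo-NormalizedPhone {
    param(
        [Parameter(Mandatory)][string]$Raw,
        [string]$DefaultCountryCode = '31'
    )
    # Drop a trailing extension such as "x12" or "ext. 12".
    $value = $Raw.Trim() -replace '\s*(ext\.?|x)\s*\d+$', ''
    if ($value.StartsWith('+')) {
        # International notation; remove a bracketed trunk zero: "+31 (0)6 ...".
        $e164 = '+' + (($value -replace '\(0\)', '') -replace '\D', '')
    }
    else {
        $digits = $value -replace '\D', ''
        if     ($digits.StartsWith('00')) { $e164 = '+' + $digits.Substring(2) }
        elseif ($digits.StartsWith('0'))  { $e164 = "+$DefaultCountryCode" + $digits.Substring(1) }
        else                              { return $null }  # ambiguous, review by hand
    }
    if ($e164 -match '^\+[1-9]\d{7,14}$') { return $e164 }
    return $null
}

# Writes the normalized value of 'mobile' to 'otherMobile' for users under $SearchBase.
# Requires the ActiveDirectory module; supports -WhatIf to preview changes.
function Update-OtherMobile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter 'mobile -like "*"' -Properties mobile |
        ForEach-Object {
            $phone = ConvertTo-NormalizedPhone -Raw $_.mobile
            if (-not $phone) {
                Write-Warning "Skipped $($_.SamAccountName): '$($_.mobile)'"
            }
            elseif ($PSCmdlet.ShouldProcess($_.SamAccountName, "Set otherMobile to $phone")) {
                Set-ADUser -Identity $_ -Replace @{ otherMobile = $phone }
            }
        }
}

# Constructed sample values, converted without touching the directory.
'+31 (0)6 1234 5678', '0031 6 12345678', '06-12345678 x12', '12345' |
    ForEach-Object { '{0,-20} -> {1}' -f $_, (ConvertTo-NormalizedPhone -Raw $_) }

# Preview against a placeholder OU:
# Update-OtherMobile -SearchBase 'OU=Staff,DC=example,DC=com' -WhatIf
```

Values that cannot be normalized are reported with a warning and left untouched, so they can be corrected by hand before the first synchronization.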

Synchronizing for the first time

  1. When you’ve configured the settings for Directory Integration, you can configure synchronization on the Synchronization tab.
    Directory Integration, Synchronization tab
  2. Click Add…
    Add Synchronization Item window
  3. On the Add Synchronization Item window, in the top left corner, select the domain. When the environment features more than one domain, the pull-down list will contain the Active Directory domains trusted by the Active Directory domain the Multi-Factor Authentication Server is a member of.
  4. Just below the domain, choose between the Container Hierarchy and the Security Groups view. If you want to import user accounts based on containers and OUs, choose the first; if you want to add security groups, choose the latter.
  5. Pick the container, OU, or security group containing user accounts and/or persons that you want to add.
  6. For the Import value, choose to import Selected Container - Subtree, Selected Container - One Level, Selected Security Group, Selected Security Group - Recursive, or Selected Users.
  7. On the Add Synchronization Item window’s Settings tab, choose to Add new users, Update existing users, and/or Disable/Remove users no longer a member. For their import phone, use the field from Step 6 in the "configuring filters and attributes" section that translates to the attribute in Active Directory containing the phone number.
  8. Choose to enable the newly added objects: Only New Users with Phone Number, All New Users, or All Users.
  9. To onboard users and make them aware of this, select the Send email option.
  10. On the Method Defaults tab, choose the settings for the second authentication factor for the objects that are synchronized using this synchronization item.
  11. On the Language Defaults tab, choose the default languages for phone calls, text messages, mobile apps, and OATH tokens.
  12. Click Add when done.
  13. Click OK in the Add Synchronization Item pop-up window acknowledging the synchronization item was added.
  14. Click Close.

Create additional synchronization items to accommodate the needs of your organization. Then run the first synchronization:

  1. On the Synchronization tab of the Directory Integration window in the Multi-Factor Authentication Server management console, click Synchronize Now to synchronize.
  2. At the end of the synchronization, a pop-up appears to share some statistics on the number of users added and the settings (enabled/disabled) they were added with. Click OK.

Configuring automatic synchronization

The Multi-Factor Authentication Server management console also offers automatic synchronization:

  1. On the Synchronization tab of the Directory Integration window in the Multi-Factor Authentication Server management console, enable the Enable synchronization with Active Directory option.
  2. Optionally change the synchronization interval if 5 minutes is too long or too short. The minimum interval is 1 minute. The maximum interval is 24 hours.
  3. When you have multiple Multi-Factor Authentication Servers, go to the Multi-Factor Auth Servers tab and configure which Multi-Factor Authentication Servers you want to automatically synchronize with Active Directory.

As a result, the Directory Integration icon in the left pane of the Multi-Factor Authentication Server management console will show a green orb with a checkmark in it, indicating directory integration is enabled.



Synchronizing Active Directory automatically is easy and offers many advantages. In combination with the Company Settings in the previous article in this series, onboarding of your colleagues is granular, yet clear. In the next installment, I will discuss how Azure Multi-Factor Authentication works together with Active Directory Federation Services (AD FS).

