Azure Multi-Factor Authentication – Part 8: Delegating Administration

• Author
• Recent Posts

Sander Berkouwer

Sander Berkouwer is a Microsoft Certified Professional and a Microsoft Most Valuable Professional (MVP) with over a decade of experience in IT.

Latest posts by Sander Berkouwer (see all)

• Turn the tables on your organization with Adaxes 2018.1’s Web Interface and reporting capabilities - Thu, Sep 20 2018
• Review: Softerra Adaxes – Automating Active Directory management - Thu, Jun 4 2015
• Azure Multi-Factor Authentication – Part 8: Delegating Administration - Tue, Apr 28 2015

Delegation best practices

I consider it a best practice to have at least two user objects assigned as Global Administrator in the Azure Active Directory. This account can manage all details for the subscription. One account can be a Microsoft account (with a complex and documented password), and the other account can be a synchronized on-premises admin account, enabled with Multi-Factor Authentication.

This will ensure continuity in managing the subscription. For admins in your organization to whom you don’t want to give access to billing information, you can assign them to the Service Administrator role. You can assign your service desk heroes to the User Administrator role so they can troubleshoot user synchronization problems. For the on-premises Multi-Factor Authentication Server, implementation delegation, luckily, is much more granular.

Log access, administrator access, and user administration can all be delegated separately. As a rule of thumb, assign the least amount of delegation for people to perform their jobs and delegate at the group level, not at the user level, where possible.

Assigning organizational roles in Azure Active Directory

Because the Azure Multi-Factor Authentication service is part of the Azure Active Directory, you delegate administration for it through Azure Active Directory roles. Perform these steps to delegate administration in Azure Active Directory:

1. Log on to https://manage.windowsazure.com.
2. Scroll down a bit in the left pane and click Active Directory.
3. With the Default Directory selected, click the arrow pointing to the right, next to the default directory
4. Click USERS in the ribbon, directly underneath the default directory text.
5. Click the arrow pointing to the right of the user object within the Azure Active Directory for which you want to delegate administration.
6. Scroll down a bit in the main pane until you reach the Role section.
   
7. From the drop-down menu for the ORGANIZATIONAL ROLE, select the appropriate role.
8. Click SAVE in the grey ribbon at the bottom of the window.

Repeat these steps for accounts that you want to delegate access to.

Delegating administration of the server

When we want to delegate access to admins, we delegate four things.

Allowing interactive logon to administrators

Allowing interactive access

To allow Remote Desktop access on a Windows Server, and then the rights to access the Multi-Factor Authentication Server management console, the colleague you want to delegate access to needs to be a local administrator on all Windows Servers running Multi-Factor Authentication Server. The easiest way to do this is to add the global security group PhoneFactor Admins to the local administrators group by applying a Group Policy Preference on a separate Organization Unit (OU) containing all the Windows Servers running Multi-Factor Authentication Server. Tip! If you’re not comfortable giving your service account local administrator rights, you can use another group from Active Directory instead. Alternatively, you could perform this by hand:

1. Log on to the Windows Server running Multi-Factor Authentication Server with an account with sufficient permissions to change local group memberships. By default, this is the local administrator account or an account that is a member of the Domain Admins or Enterprise Admins
2. Right-click Start.
3. Select Computer Management from the context menu.
4. In the left navigation pane of the Computer Management window, expand Local Users and Groups.
5. Click Groups.
6. In the main pane, click to select the Administrators
7. Right-click the group and then select Add to group… from the context menu.
8. On the Administrators Properties window, click Add….
   
9. Type the name of the PhoneFactor Admins group and click Check Names.
10. Click OK.
11. On the Administrators Properties window, click OK.
12. Close the Computer Management
13. Log off.

Perform these steps on all the Windows Servers running Multi-Factor Authentication Server within the environment.

Adding admin colleagues to the PhoneFactor Admins group

Now, all you need to do is add your colleague admins to the PhoneFactor Admins group in Active Directory Domain Services. When they no longer need access, you can remove them. Note: Do not remove the service account that runs the Web Service SDK, the User Portal, and the Mobile Portal.

Allowing log access

When you want to allow colleagues access to the Multi-Factor Authentication logs on Windows Servers running Multi-Factor Authentication Server (located in C:\Program Files\Multi-Factor Authentication Server\Logs, by default), those colleagues need to be a member of the local administrators group, by default. This takes care of log access for the group we delegated access to for interactive logon, but we can make this more granular using a second group. First, create the group in Active Directory as a global security group. Then, log on interactively to the Windows Server running Multi-Factor Authentication Server and perform these actions:

1. Open File Explorer using the This PC tile on the Start screen.
2. Navigate to Local Disk (C:), then Program Files, then Multi-Factor Authentication Server.
3. Scroll down a bit in File Explorer’s main pane and click the Logs folder to select it.
4. Right-click the Logs folder and select Properties from the bottom of the context menu.
5. Click the Security tab
   
6. Click the Edit… button.
7. On the Permissions for Logs window, click Add…
8. Type the name of the group you want to assign access, and then click Check Names.
9. Click OK.
10. On the Permissions for Logs window, click OK.
11. On the Logs Properties window, click the Sharing
12. Click the Advanced Sharing
    
13. Select Share this folder.
14. Give the share an appropriate name or accept the default share name. Add a $ to the end of it to hide it from other Windows-based devices.
15. Click OK.
16. On the Logs Properties window, click Close.
17. Close File Explorer.
18. Log off.

Now, members of the group will have Read access to the logs when they navigate to the share.

Delegating user and authentication management

The Multi-Factor Authentication User Portal not only allows colleagues to set their authentication preferences but also offers fine-grained delegation options, suitable for both administrators and service desk heroes. Additionally, in complex environments, you can use tags to define the delegation scope. Without tags, delegation for the User Portal applies to all users. Perform these steps to delegate management via the Multi-Factor Authentication User Portal:

1. Log on to the Windows Server running Multi-Factor Authentication Server with an account with sufficient permissions to manage Multi-Factor Authentication.
2. Open the Multi-Factor Authentication Server management console.
3. In the left pane, click User Portal.
4. Click the Administrators
5. Click the Add… button
   
6. In the Username field, type the name of the colleague you want to delegate access to via the Multi-Factor Authentication User Portal, or use the Select User… button to select the user object from the Multi-Factor Authentication database.
7. Select the appropriate permissions from the two lists of delegated management options:
   • Add user
   • One-Time Bypass
   • Bypass seconds
   • Change method
   • Change mode
   • Change phone
   • Change PIN
   • Change language
   • User information
   • OATH token
   • Enable/Disable
   • Block/Unblock user
   • Remove user
   • Test authentication
   • Activate mobile app
   • Deactivate mobile app
   • Verify security questions
   • Receive notifications
     Tip! Use the Check All and Clear All links to quickly make your selections.
8. Click Add.
9. Close the Multi-Factor Authentication Server management console.
10. Log off.

Delegating notifications

User objects added as Administrators for the User Portal automatically receive notifications when you set the Send notifications to User Portal administrators with the Receive Notifications permission on the Settings tab of the Email section in the Multi-Factor Authentication Server management console. You may want to send notifications to users who are not Multi-Factor Authentication admins. For example, in a mail-based, automated service desk incident registration process, you can add users’ email addresses to the list of email addresses that also receive notifications. Here are the steps:

1. Log on to the Windows Server running Multi-Factor Authentication Server with an account with sufficient permissions to manage Multi-Factor Authentication.
2. Open the Multi-Factor Authentication Server management console.
3. In the left pane, click Email.
4. In the main pane, select Send notifications to User Portal administrators with the Receive Notifications permission if it is not already selected.
5. In the “Send notifications to these email addresses” field, add email addresses for the additional users who should receive notifications.
6. Close the Multi-Factor Authentication Server management console.
7. Log off.

Resetting the service account password

In some cases—for instance, when you leave the organization or when you want to change the password yearly (for security compliance)—you might want to change the password for the service account that runs the Web Service SDK, the User Portal, and the Mobile Portal. Make sure to change the password for the service account in the following locations during a service window of at least 15 minutes:

• The identity of each of the application pools in the Internet Information Services (IIS) Management console.
• The Web.config file in the folder for the User Portal (C:\Inetpub\wwwroot\MultiFactorAuth by default)
• The Web.config file in the folder for the Mobile Web App (C:\Inetpub\wwwroot\MultiFactorAuthMobileAppWebService by default)
• The MultiFactorAuthenticationAdfsAdapter.config file on the AD FS Server, when you’ve used it to configure the Multi-Factor Authentication AD FS Adapter; afterward, run Register-MultiFactorAuthenticationAdfsAdapter.ps1 again

Concluding

Delegation of management for Multi-Factor Authentication via the User Portal is really fine-grained. Depending on your situation, after delegating, you can walk away from your Multi-Factor Authentication implementation without worrying about the multiple ways your admin colleagues might be able to perform career euthanasia…

In the next post you will learn how to enable Multi-Factor Authentication for your users with PowerShell.