Azure Multi-Factor Authentication Server Deployment – P2 [Updated March 2017]

Please check part one here:

Azure Multi-Factor Authentication Server Deployment – P1

You can also check the following relevant posts:

The installation of the the on premise MFA server consists of the following:

  1. The installation of the MFA Server and Management console
  2. The installation of three web services:
    1. User Portal
    2. SDK
    3. Mobile App service

The user portal is an IIS site that your users can log on to, and perform many tasks like:

  • Change their mobile number that MFA server will use to perform the second factor authentication. You can configure the MFA server to sync mobile numbers from AD and not allow users to change their mobile numbers via this portal.
  • Set couple of security questions. These questions can be used by an IT Operator to verify the identity of the user, if the user calls the help desk and ask him to change the second factor method ( Mobile App notifications instead of mobile call for example)
  • Activate their mobiles so that they can receive notifications in case of Mobile App options.

The SDK service is used for custom integration with the MFA server and it is a requirement to install if you want to use the mobile app notification feature, as the mobile app service will connect to the SDK IIS virtual directory in order to connect to the MFA server.

The Mobile App Service is the service that mobile apps connects to, in order to submit the verification. This service should be published externally and should resolve to external DNS name.

You can install the portals in different server than the MFA server itself. For simplicity, i will choose to install the MFA server and the three portals in the same Windows 2012 R2 machine.

Installing the MFA Server

I will be using Windows 2012 R2 server for my MFA and portals. Now that you have downloaded the Azure MFA server, run the installation wizard, and click next until it is installed. No conflagration needed at this time.

You can check the hardware and software requirements here.


Now open the MFA console and activate the product using the activation keys you obtained from the Azure management portal where you downloaded the MFA server. Make sure the server can connect to internet using http/https for the activation to work. Also make sure the server always can connect to internet using these ports as the server needs to connect to Azure for every authentication request  verification.


Installing Azure MFA User Portal

The User Portal is an IIS web site to allow users to enroll in Azure MFA and maintain their accounts. Mainly, users can log on there, and choose if they want the second factor to be a phone call, SMS, or push notification on the mobile app. Also you can give users the ability to change their phone number if you want.

You can install the User Portal in a different server than the MFA server, but for simplicity, I recommend to install all portals on the MFA server itself. Here is a link that can help you with the installation steps for more complex deployments.

You should have IIS installed including and IIS 6 meta base compatibility for IIS 7 or higher. I choose to install the user portal on the same MFA server. During the installation of the user portal, a security group is created in AD, so make sure the account that is used to install the user portal can create security group in AD.




To install the user portal, open the MFA Server management console, go to the User Portal node and check the settings available.

I usually remove the OATH token method because i will not be using it, and also i remove the security questions option, as this seemed a possible way to bypass the security and making it less secure.

MFA User Portal

Now, click Install User Portal. The wizard will tell you that it will create the following:

  • Security group in AD, placed under the built in Users container, called PhoneFactor Admins. 
  • User account called named PFUP_MFAServerName , where MFAServerName is the name of the MFA server.
  • Adds the previously created account to the previously created security group.

Note: do not check the box (Skip automatic Active….). doing that means you have to create the group and user manually.

I also set the PhoneFactor Admins security group as member of the local administrators group in the


Next, you be prompted with the IIS web site to use (leave as default), and the virtual directory for the user portal. I usually change this to “Enroll” so that users will browse to https://servername/enroll instead of https://servername/MultiFactorAuth.

MFA Config3

Now open the IIS, you can see the virtual directory called (Enroll). This is where end users will connect to manage their MFA profiles. For me, i also created a certificate and enforce HTTPS for the whole web site.

MFA Config4

Install the MFA SDK 

The SDK should be secured with SSL. Installing it is straight forward. Just open the MFA management console, go to Web Service SDK, and then run the installation. I will install it on the MFA Server itself as we did with the user portal.

MFA Config5

You may need to install Basic Authentication feature before you move on.

MFA Config6

MFA Config7

If you open IIS, you can see the SDK virtual directory.

MFA Config8

Install the MFA Mobile App Web Service

You should install the MFA SDK before proceeding with the MFA Mobile App Web Service. I will install the MFA mobile app web service on the same server also.

To start the installation, go to C:\Program Files\Azure Multi-Factor Authentication, choose the 32 or 64 bit installation file (MultiFactorAuthenticationMobileAppWebServiceSetup64) , and tun the installation file, change the virtual directory if needed.

MFA Config9

MFA Config10

I usually change the virtual directory to something like PA (Phone App) instead of the long default one. Now go to your AD, and reset the account the is created by the wizard during the user portal deployment ( the account that is member of the PhoneFactor admins group).

Now browse to C:\inetpub\wwwroot\PA (or appropriate directory based on the virtual directory name) and edit the web.config file. Enter the user account that you have reset, and the password between the quotes in shown in the below section. It is recommended to use a qualified username (e.g. domain\username or machine\username).

MFA Config11

Next change the URL shown below to your SDK virtual directory. Example is : https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx

MFA Config12


Azure Multi-Factor Authentication MSDN Library