MFA Design Queries

  • Question

  • Hello Experts, I have a client who will be deploying MFA servers on-prem for 2FA. Before they do that they have some queries. Kindly address this in as much detail as possible; I could not find even a single doc which talks about it. We tried different versions but still see the same behavior, and don't know if that is the product by design or we are doing something wrong. Following are the concerns we have:

    1. Unexpected behaviors - If an admin changes one user's "Send Email" setting, ALL other users' Send Email is also checked.
    2. Inconsistent settings between MFA servers - The master server shows "Send Email" checked for all users; the slave server shows it unchecked.
    3. Inconsistencies between admins - One admin sees all users checked, another admin sees all users unchecked from the SAME server, even after having both admins completely log out. Whether the email sends or doesn't send is dependent on the setting of the admin who is modifying the user's account. For example, if I check "Send Email" and modify a user's phone number they will get an email, but if Angela had the users unchecked and modified a user's phone number they would not receive an email. FYI, we are running MFA Server 8.0.0.3. We require these settings to work as documented to do a phased roll-out to over 4,000 associates. We need newly hired associates to be sent an email from the MFA server without us having to intervene and keep track of each associate that is being hired or transferred to departments that have already been onboarded into MFA. We are using security groups to control this setting within the MFA server.
    4. Users Group - ALL associates/employees are brought into MFA with Enabled unchecked and Send Email unchecked.
    5. Enabled Group - As we onboard associates, we add departments to this security group. The settings are set to have Send Email checked and Enabled checked. Associates are brought in with minimal information to ensure the email should be sent according to the documentation on the server (User Enrollment - An email is sent to a user added that is enabled, but incomplete (no phone specified, mobile app not activated, or no OATH token secret key specified); disabled and set to succeed authentication; or disabled, set to fail authentication, and not previously enrolled. The email is only sent if Allow User Enrollment is checked in the User Portal section). We do allow user enrollment.
    6. As an FYI, not sure if this is expected behavior, but we have also experienced users who enrolled themselves and the security group settings seem to override them logging in and enabling themselves. Example: Upon roll-out to a department, we manually send an email to that department giving them 2 weeks to enroll themselves in MFA before we add their department to the Enabled group. At that time, they are only in the Users Group. The associate will go out to the MFA User Portal and enroll themselves in MFA, but once the synchronization takes place, Enabled is unchecked on the user's account in the MFA User Portal.

    CreedHameed

    Wednesday, August 15, 2018 3:38 PM

All replies

  • Check this link to manage user settings with Azure Multi-Factor Authentication.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userdevicesettings

    You need to choose how to enable it by changing the user state.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

    Wednesday, August 15, 2018 6:51 PM
  • Hello Experts,

    Can you please help me with this? Looking forward to hearing from Microsoft.


    CreedHameed

    Monday, August 20, 2018 3:56 PM
  • Hello Creed,

    Let me know whether you performed the steps shown in the doc:

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy#send-users-an-email

    Check whether you configured the SMTP mail server correctly in the Email settings option on the MFA Server:

    1. Click the Email icon in the MFA Server and configure the name or IP of the mail server. If the mail server requires authentication, add a username/password. Click the "Send emails to users" checkbox.

    2. On the Email Content tab, edit the first email template. Fill in the From address and then copy it to your clipboard. Click Apply and then Next which opens the next template. Paste the email address. Keep going until all templates have a populated From address.

    When you import a new user, either the New User or User Enrollment email should be sent to the user. When you update a user's phone number, it should send the Updated User email. So to test with a user that has already been imported, you can change a digit in the user's phone number in the Users-->Edit User screen and click Apply.

    Information about the Email settings can be found by clicking the Help link in the top right corner of the MFA Server after clicking the Email icon.

    Tuesday, August 21, 2018 7:56 PM
  • The Send Email checkbox isn't a real user setting; it simply indicates whether the customer wants to send an email to the user being added or the user being modified.

    The value is saved as an admin preference in the registry. So, if the admin checks the checkbox on one user, it keeps this preference for all users. When MFA Server UX is exited, it saves the preference, so that it can be restored the next time the UX is launched by the same admin.

    Since the registry preferences are specific to the server, the setting doesn't automatically propagate to slave servers.

    This checkbox isn't used very frequently from the Add/Edit User dialogs since most customers either import or sync users from Active Directory or another Directory Service. For import, this is also just a preference. For synchronization items, it is saved with the item.

    Monday, August 27, 2018 7:46 PM
  • Hello Vijisankar,

    Thank you for the information. You mean to say that the Send Email checkbox under user properties is not real? If an admin checks it, will the users get an email? Why do my users not have Send Email checked when I import them from AD? And can you please also help me with my other concerns?

    Thank you,

    Warm Regards,


    CreedHameed

    Tuesday, August 28, 2018 1:59 AM
  • From the official guide:

    "The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab."

    https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa

    Wednesday, August 29, 2018 11:48 PM
  • Hi Creed,

    We ask that you not mark community replies as "Abusive" unless they are actually malicious. Those replying in this thread are only trying to help, and we want to support community members helping each other as much as possible.


    Thursday, August 30, 2018 4:10 PM