Azure MFA SDK

  • Question

  • Is it true that Azure MFA SDK is going to be deprecated? We are about to start a project that wants to use this as part of a website's authentication process.
    Tuesday, October 10, 2017 8:07 AM

Answers

  • No ETA as of yet. But an announcement of deprecating these SDKs should be coming soon.

    Instead of using the downloadable SDKs, we recommend one of the following:

    1. Use MFA Server and its Web Service SDK. You can import users from AD or LDAP into MFA Server and use that to store the MFA registration data. Users can register via the User Portal and all MFA methods are available, including the mobile app.

    2. Integrate your application with Azure AD so that users can sign in with their Azure AD credentials and get SSO along with O365 and other SaaS applications. You can require MFA and/or use conditional access as part of the sign-in.

    3. Publish the web app via Azure AD App Proxy and enable pre-authentication so that users can sign in with Azure AD credentials (or sign in with your federated IdP) and perform MFA (or satisfy conditional access policy) before being signed into the application.

    4. If the application is consumer-facing, implement Azure AD B2C and integrate the app with it. Use B2C as the identity management system and implement sign-in, sign-up and MFA journeys as appropriate.


    Tuesday, October 10, 2017 10:39 AM

All replies

  • Thank You
    Tuesday, October 10, 2017 3:52 PM
  • much appreciated, this was a useful answer with viable alternatives
    Thursday, January 25, 2018 2:45 PM
  • 1. hm, ok so the SDK in MFA server will still be supported?
    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice

    as i see it this is the date:
    "The deprecation of the Azure Multi-Factor Authentication Software Development Kit (SDK) has been announced. This feature is no longer supported for new customers. Current customers can continue using the SDK until November 14, 2018. After that time, calls to the SDK will fail."

    from the MFA server mobile service setup guide:

    After finishing the install, browse to C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService (or appropriate directory based on the virtual directory name) and edit the Web.Config file.

    • Find the key "WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" and change value="" to value="DOMAIN\User" where DOMAIN\User is a Service Account that is a part of "PhoneFactor Admins" Group.
    • Find the key "WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" and change value="" to value="Password" where Password is the password for the Service Account entered in the previous line.
    • Find the pfMobile App Web Service_pfwssdk_PfWsSdk setting and change the value from http://localhost:4898/PfWsSdk.asmx to the Web Service SDK URL (Example: https://mfa.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx).

    Save the Web.Config file and close Notepad.

    For all VPN/RADIUS related services we have another multipurpose tenant with Azure AD enabled where the MFA server is registered, since the users aren't synced out via MFA, and MFA server works without having all the users in the same Azure AD.
    and since this setup is working for users that aren't synced out via Azure AD Connect.

    2. we use a custom setup of the Azure AD Connect, syncing from one AD to 100s of different tenants
    all tenants authenticate to O365 via on-premises ADFS.

    3. I have also looked at using the newer MFA NPS extension for VPN authentication, the problem with this is that it's not built for multi-tenancy, since it requires all users to be synced to one Azure AD, and since the NPS server will be linked to this one tenant/Azure AD.
    and will utilize the webservice/portal for authentication in Azure instead of the on-premises one.




    Sunday, February 4, 2018 6:59 AM
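An added example, not part of the post above or of Microsoft's guide: a small audit of the three Web.Config values that the quoted setup steps edit. The XML layout of the sample is an assumption based on standard .NET `appSettings`/`applicationSettings` conventions, and the sample values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

USER_KEY = "WEB_SERVICE_SDK_AUTHENTICATION_USERNAME"
PASS_KEY = "WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD"
URL_SUFFIX = "pfwssdk_PfWsSdk"  # tail of the setting name quoted in the post

# Constructed sample, not a real Web.Config. The layout is an assumption based
# on standard .NET <appSettings>/<applicationSettings> conventions.
SAMPLE = """<configuration>
  <appSettings>
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME" value="DOMAIN\\User" />
    <add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value="" />
  </appSettings>
  <applicationSettings>
    <setting name="pfMobile App Web Service_pfwssdk_PfWsSdk">
      <value>http://localhost:4898/PfWsSdk.asmx</value>
    </setting>
  </applicationSettings>
</configuration>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{ns}add' -> 'add'."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return (setting, issue) pairs for the three values the guide edits."""
    root = ET.fromstring(xml_text)
    findings, app, url = [], {}, None
    for el in root.iter():
        name = _local(el.tag)
        if name == "add" and el.get("key"):
            app[el.get("key")] = (el.get("value") or "").strip()
        elif name == "setting" and el.get("name", "").endswith(URL_SUFFIX):
            url = "".join(el.itertext()).strip()
    for key in (USER_KEY, PASS_KEY):
        if not app.get(key):
            findings.append((key, "missing or still empty"))
    if app.get(PASS_KEY):
        # The guide stores the service-account password in cleartext.
        findings.append((PASS_KEY, "cleartext password on disk: restrict file ACLs"))
    if url is None:
        findings.append((URL_SUFFIX, "setting not found"))
    else:
        parsed = urlparse(url)
        if parsed.scheme.lower() != "https":
            findings.append((URL_SUFFIX, "SDK URL is not HTTPS"))
        if parsed.hostname in ("localhost", "127.0.0.1", "::1"):
            findings.append((URL_SUFFIX, "still the localhost install default"))
    return findings

if __name__ == "__main__":
    for setting, issue in audit_web_config(SAMPLE):
        print(f"{setting}: {issue}")
```

A correctly completed file still reports the cleartext password finding, because the account it belongs to is a member of the "PhoneFactor Admins" group and the file should be readable only by administrators and the application pool identity.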
  • Hi 

    do you have anything to add to my new questions?

    It's not clear to me which SDK will be discontinued when.

    Erlend

    Tuesday, February 6, 2018 11:23 PM
  • The SDKs that were deprecated in Nov 2017 were the downloadable SDKs (VB.NET, C#, Java, Perl, PHP, Ruby). The Web Service SDK available with MFA Server will be supported for as long as MFA Server is supported.
    Wednesday, February 7, 2018 8:35 PM
  • thanks for clarifying this!

    any thoughts about MFA NPS extension and multitenancy  support?
    Thursday, February 8, 2018 5:29 AM
  • I don't see any good options. You are correct that each NPS server is linked to a specific tenant, so you need a different NPS server for each tenant.
    Thursday, February 8, 2018 3:40 PM
  • Shawn, where can we find documentation on the different APIs available in the Web Service SDK to integrate in a C# application? Basically we want to be able to call the MFA method when accessing specific functionality in our application.

    Example : Users login to application using MFA and then if they try to access the payment feature in the application we would like them to do MFA again to validate. 

    How can we achieve this using Web Services SDK? 

    Wednesday, April 25, 2018 9:22 PM