MFA Server Migration

  • Question

  • What is the path for migrating on-prem MFA Server to Azure MFA? Or is it just a reinstall?
    Friday, March 23, 2018 5:29 PM

All replies

  • What is the path for migrating on-prem MFA Server to Azure MFA? Or is it just a reinstall?

    Currently, there is no migration path.

    The on-premises Azure MFA Server is a Microsoft product you install on one of your Windows Servers. You can integrate it with AD FS, RDS Gateway and RADIUS to protect applications and functionality. Azure MFA is a cloud service.

    When switching from the Azure Multi-Factor Authentication (MFA) Server to Azure MFA, please be aware of the following limitations:

    • Azure MFA Server leverages an MFA Provider in Azure. These MFA Providers offer a licensing method, labeled Per Authentication. Azure MFA, the Azure MFA Adapter for AD FS 4.0 and the Azure MFA NPS extension don't use an MFA Provider. Therefore, the Per Authentication licensing model can no longer be used by your organization.
    • There is no way to export the contents of the MFA Database to Azure MFA. Therefore, all users using the functionality need to re-enroll for multi-factor authentication, when they haven't done so already. The upside is that once users register for Azure MFA, their MFA method can also be leveraged for Azure AD Identity Protection and Conditional Access.
    • Azure MFA Server offers more authentication methods than Azure MFA does. Users will not be able to use the Phone Call with PIN, 1-way SMS with PIN, 2-way SMS, 2-way SMS with PIN or OATH TOTP token methods. Users may need to use another authentication method. Refer here for the strengths and weaknesses per method to make choices, if needed.
    • In Azure there is no Role-based Access Control for Azure MFA. Where Azure MFA Server allows for granular privileges in the User Portal for servicedesk and other personnel, in Azure people managing Multi-factor Authentication settings need Global Administrator privileges. This may impact your processes and servicedesk resolution speeds.

    Currently, your steps would basically be to:

    1. Determine the strategy for licensing.
    2. Communicate the upcoming changes to your organization, or at least the colleagues impacted.
    3. Grant the appropriate role to servicedesk personnel in Azure AD to manage multi-factor authentication settings.
    4. Implement a Conditional Access policy that requires people to perform multi-factor authentication, implement claims rules triggering multi-factor authentication based on Azure MFA through AD FS, configure the NPS extension or enforce multi-factor authentication to require it for certain accounts, so the associated people will always be prompted. When the people hit the MFA requirement for the first time, they'll be required to set it up (register).
    5. Monitor the use of Azure multi-factor authentication.
    • Proposed as answer by vijisankar Friday, March 23, 2018 8:55 PM
    Friday, March 23, 2018 8:48 PM
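One concrete way to carry out the AD FS part of step 4 (claims rules triggering Azure MFA through AD FS), added here as an illustration and not taken from the thread or from Microsoft's documentation: an additional authentication rule that makes AD FS invoke the Azure MFA adapter for members of one AD group, scoped to a single relying party for a pilot. The group SID and relying party name are placeholders; it assumes AD FS 2016 or later with the Azure MFA adapter already registered.

```powershell
# Added example, not from the original post. Requires Azure MFA through AD FS for
# members of one AD group, as step 4 describes. Placeholders: $GroupSid and $RpName.
$GroupSid = "S-1-5-21-PLACEHOLDER-1234"   # SID of the pilot group (placeholder)
$RpName   = "Example Relying Party"       # display name of the relying party trust (placeholder)

# AD FS claim rule: when the user's group SID claim matches, issue the
# "multipleauthn" authentication method claim. AD FS then runs the configured
# additional authentication provider (here the Azure MFA adapter) before issuing a token.
$MfaRule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "$GroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Safety check: if the Azure MFA adapter is not enabled as an additional
# authentication provider, the rule would block sign-in instead of prompting for MFA.
$Global = Get-AdfsGlobalAuthenticationPolicy
if ($Global.AdditionalAuthenticationProvider -notcontains "AzureMfaAuthentication") {
    throw "Azure MFA adapter is not enabled as an additional authentication provider; enable it first."
}

# Apply the rule to one relying party first. Once monitoring (step 5) looks clean,
# the same rule text can be promoted to the global policy with Set-AdfsAdditionalAuthenticationRule.
Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $MfaRule

# Verify what AD FS actually stored for the relying party.
(Get-AdfsRelyingPartyTrust -Name $RpName).AdditionalAuthenticationRules
```

Users who match the rule and have no Azure MFA registration yet are taken through registration on their first prompt, which is the re-enrollment the post describes.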
  • In addition to Sander's response, it is on the road-map to build tools that will allow migration of on-premises MFA Server to Azure MFA. However, there is no ETA at the moment.
    You could provide your feedback in the Azure Feedback Portal for the same.
    • Proposed as answer by vijisankar Friday, March 23, 2018 9:14 PM
    Friday, March 23, 2018 9:14 PM
  • Have there been any updates since the last response to the roadmap for migration of MFA Server to Azure MFA? I have a customer that wants to do a lift and shift of the MFA Server DB to Azure MFA so the users do NOT have to re-register.

    Thanks for your responses!

    Monday, January 21, 2019 4:35 PM
  • Hi, 

    The product team is still working on the migration tool kit. Tentative ETA is towards the end of the calendar year.

    Thursday, January 24, 2019 9:02 AM
    Moderator
  • I have a question regarding step 3

    "Grant the appropriate role to servicedesk personnel in Azure AD to manage multi-factor authentication settings."

    As far as I'm aware the ability to manage MFA settings is only available to global admins. Has that changed recently or am I mistaken? One big issue I see with the NPS extension is that in order for the help desk to be able to reset a user's secondary authentication I'd have to make them GAs.

    Wednesday, March 6, 2019 3:03 PM
  • Hi, 

    The product team is still working on the migration tool kit. Tentative ETA is towards the end of the calendar year.

    Any update on this request/feature?
    Wednesday, September 4, 2019 10:54 AM
  • Hello, what I did was to install a Windows Server 2019 in parallel, with AD FS 2019 and direct Azure MFA support, and then retire MFA Server and the old AD FS where it was installed.

    Wednesday, September 4, 2019 1:52 PM
  • Did you have to re-enroll all your users into the new environment?
    Thursday, September 26, 2019 4:45 PM
  • I have the same question; we're eager to move our on-premises MFA Server to Azure MFA without users having to enroll again.
    Thursday, October 3, 2019 8:15 AM
  • Any update on the migration tool kit?

    Monday, October 21, 2019 12:20 PM