locked
Azure MFA Server licenses RRS feed

  • Question

  • Hi Folks,

    Recently there has been a change in the licensing structure for the Azure MFA Server. Page (https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-authprovider) is showing “Effective September 1st, 2018 new auth providers may no longer be created. Existing auth providers may continue to be used and updated. Multi-factor authentication will continue to be an available feature in Azure AD Premium licenses.”

    The situation: A few days ago I have created a new tenant for Azure. There are no licenses attached and only connected to a CCP partner so the usages will be paid.

    The Problem: I tried to create a new Azure MFA Provider but the message showed Effective September 1st, 2018 creating new auth providers is disabled. Is my statement correct that if I buy 1 Azure AD Premium license (Premium P1) a new Auth provider is created and I can use the Azure MFA Server for the complete on premise environment?

    There reason I ask is because we don’t have our users in Azure AD and only want to use the Azure AD MFA server in combination with the Remote Desktop Gateway.

    Michael

    Monday, October 29, 2018 8:48 AM

Answers

  • Hi carlod-it,

    I just confirmed this with the product team. You cannot create an auth provider but it is still supported to use MFA Server with RDG. MFA is per user licensing now, rather than auth providers. An Azure MFA Auth provider is used to take advantage of the features provided by Azure MFA for users who do not have licenses. 

    In answer to your second question, yes. You do need either a Premium P1 or P2 license because MFA is sold as part of those licenses. New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication MFA will continue to be an available feature in Azure AD Premium License. You get a subset of features in Office 365 subscriptions with MFA.

    Tuesday, October 30, 2018 5:16 PM
    Owner

All replies

  • Hi Michael,

    No, there are no auth providers. It is full MFA or nothing going forward. If you have an auth provider you can keep using it but you cannot create any new ones, even with the Premium license. 

    Monday, October 29, 2018 4:39 PM
    Owner
  • Hi Marilee,

    Thanks for the feedback. So assigning a license wont do the trick. Whats do i need to do to enable a full MFA Server? 

    As i far as i know when you click on Providers -> The provider name -> Server settings -> activation keys;  there I find the keys to authenticate the full MFA server. Where can i find this settings now ?

    Thanks,

    Michael

    Monday, October 29, 2018 4:56 PM
  • You don't need to use a provider anymore. You can just activate your MFA server after installing and go. The "generate" button is shown in the guide:

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy#download-the-mfa-server



    Monday, October 29, 2018 11:20 PM
    Owner
  • After reading the manual:

    1. Sign in to the Azure portal as an administrator.
    2. Select Azure Active Directory > MFA Server.
    3. Select Server settings.

    As you can see there is no MFA Server to download the software or even generate a key. If i click on the Get a free premium trail to use this feature they are referring to :

    • ENTERPRISE MOBILITY + SECURITY E5
    • AZURE AD PREMIUM P2

    But i my case there are no users in the Azure AD. Only the tenant administrator. So the questions remains  do i need to activate AZURE AD PREMIUM P2 on the admin tenant to have acces to the full version of Azure MFA Server?


    Tuesday, October 30, 2018 6:51 AM
  • After reading the manual:

    1. Sign in to the Azure portal as an administrator.
    2. Select Azure Active Directory > MFA Server.
    3. Select Server settings.

    As you can see there is no MFA Server to download the software or even generate a key. If i click on the Get a free premium trail to use this feature they are referring to :

    • ENTERPRISE MOBILITY + SECURITY E5
    • AZURE AD PREMIUM P2

    But i my case there are no users in the Azure AD. Only the tenant administrator. So the questions remains  do i need to activate AZURE AD PREMIUM P2 on the admin tenant to have acces to the full version of Azure MFA Server?



    I have the same question before purchasing Azure AD premium, did you get an answer to this, thanks in advanced
    Tuesday, October 30, 2018 4:37 PM
  • No answer yet carlod-it.  waiting for Marilee
    Tuesday, October 30, 2018 4:40 PM
  • Ok thanks, I just wanna make sure when purchasing azure ad premium I can install on premise mfa server, I need this for my pan globalprotect clients
    Tuesday, October 30, 2018 4:50 PM
  • Hi carlod-it,

    I just confirmed this with the product team. You cannot create an auth provider but it is still supported to use MFA Server with RDG. MFA is per user licensing now, rather than auth providers. An Azure MFA Auth provider is used to take advantage of the features provided by Azure MFA for users who do not have licenses. 

    In answer to your second question, yes. You do need either a Premium P1 or P2 license because MFA is sold as part of those licenses. New customers may no longer purchase Azure Multi-Factor Authentication as a standalone offering effective September 1st, 2018. Multi-factor authentication MFA will continue to be an available feature in Azure AD Premium License. You get a subset of features in Office 365 subscriptions with MFA.

    Tuesday, October 30, 2018 5:16 PM
    Owner
  • Thanks for the reply, we may go with premium p1 then
    Wednesday, October 31, 2018 4:47 PM
  • One more question: If i enable 1 licence Premium P1, MFA server will be enabled and i can confirm i have acces the download and keys.

    Is the usage of the MFA server still billed true his own usage. So for every enabled user in Azure MFA Server you have to pay €1.18 ?

    In this case we only need to pay once for Premium P1 and there rest will be billed true our CCP partner ?

    Wednesday, October 31, 2018 8:41 PM
  • I have subscribed to P1 and purchased two licenses and I was able to create username and password for on-premise MFA server that is in format xxxxxxxxxx@azureadmin.com with some generic password with which I have successfully activated on-premise MFA server to be used with remote desktop gateway.

    Then, I removed P1 license from a test user, tested again and it still works.

    Is this a normal behavior, a bug of Microsoft expects you to buy licenses without limiting you in technical sense?

    Of Microsoft is requiring a license only if you use it through their NPS Extension for Azure MFA?

    So, can someone confirm again that the pricing of $1.4 per user is no longer available? Pricing that you can find on this link https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication Is that what's considered by standalone Azure Multi-Factor Authentication (MFA) services or I'm missing something?

    If everything works fine, how can Microsoft charge me P1 if I didn't subscribe to one?



    Wednesday, May 1, 2019 3:55 AM