Azure: How to unregister and register ADFS Authentication Provider (MFA)

When Azure subscription is changed,due to a provider change, Azure Multi-Factor Authentication(AKA, MFA) must be unregistered and registered again by following method.
1. Un-register MFA provider, on ADFS Global Authentication Policy, uncheck WindowsAzureMultiFactorAuthentication checkbox.
Go to PowerShell prompt, then run
PS C:\Program Files\Multi-Factor Authentication Server> Unregister-AdfsAuthenticationProvider –Name"WindowsAzureMultiFactorAuthentication"
WARNING: PS0103: The authentication provider was successfully unregistered from the policy store.  Restart the A
D FS Windows Service on each server in the farm.
Restart ADFS services
PS C:\Program Files\Multi-Factor Authentication Server> net stop adfssrv
The Active Directory Federation Services service is stopping.....
The Active Directory Federation Services service was stopped successfully.
PS C:\Program Files\Multi-Factor Authentication Server> net start adfssrv
The Active Directory Federation Services service is starting....
The Active Directory Federation Services service was started successfully.
Go back to ADFS Global Authentication Policy and see if there is no "WindowsAzureMultiFactorAuthentication"
2. Register MFA provider again,
To register again, run following from PowerShell prompt
PS C:\Program Files\Multi-Factor Authentication Server> .\Register-MultiFactorAuthenticationAdfsAdapter.ps1
WARNING: PS0114: The authentication provider was successfully registered with the policy store.  To enable this
provider, you must restart the AD FS Windows Service on each server in the farm.
Restart ADFS services
PS C:\Program Files\Multi-Factor Authentication Server> net stop adfssrv
The Active Directory Federation Services service is stopping.....
The Active Directory Federation Services service was stopped successfully.
PS C:\Program Files\Multi-Factor Authentication Server> net start adfssrv
The Active Directory Federation Services service is starting....
The Active Directory Federation Services service was started successfully.
Go back to ADFS Global Authentication Policy and see if "WindowsAzureMultiFactorAuthentication" is back.

Comments

Post a Comment

Popular posts from this blog

ADFS WAP: How to configure SSO with RDWeb

Image
1.  System Deploy ADFS : th-adfs2012.mfalab3.com ADFS WAP : th-adfs2012wap.mfalab3.com RDWeb : th-rds.mfalab3.com A public IP for ADFS WAP points to ADFS/RDS as well 2.  Setting on ADFS Create a Relying Parth Trust 3.  Setting on ADFS WAP Create WAP Application, Add-WebApplicationProxyApplication -Name 'rdweb' -ExternalUrl 'https://th-rds.mfalab3.com/rdweb/' -BackendServerURL 'https://th-rds.mfalab3.com/rdweb/' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName rdweb1 -ExternalCertificateThumbprint '67D438BDDBB455E53CA83D6F5DEC34CC546F711A' 4.  Setting on RDS Important : Change authentication method to “Windows” https://social.technet.microsoft.com/Forums/office/en-US/999f56fa-a218-41b0-86ee-2845269d93ef/rdweb-authentication?forum=winserverTS 5.  Setting on the Client Computers 6. See how it works
Read more

Secure RDWeb using Azure Multi-Factor Authentication

Image
1. Change RDWeb authentication mode from "Forms" to "Windows" Edit C:\Windows\Web\RDWeb\Pages\web.config     <authentication mode="Windows"/> <!--     <authentication mode="Forms">         <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />     </authentication> --> . . . <system.webServer> <!--     <modules runAllManagedModulesForAllRequests="true">       <remove name="FormsAuthentication" />       <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />     </modules>     <security>         <authentication>             <windowsAuthentication enabled="false" />             <anonymousAuthentication enabled="true&q
Read more

Collect AzureStack Update Verbose log

Image
The following commands will collect "UpdateVerboseLog". 1. Create a PEP session, in this example $pepsession is the name of established PEP session $pepsession = New-PSSession -ComputerName ercs_ip -ConfigurationName PrivilegedEndpoint -Credential (get-credential) 2. Collect verbose log $log = Invoke-Command -Session $pepsession -ScriptBlock { Get-AzureStackUpdateVerboseLog } 3. Save it to local folder $log > “c:\temp\UpdateVerboseLog.txt” 4. Example
Read more