You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -32,7 +32,7 @@ There are multiple possible end states to your migration, depending on your goal
32
32
| <br> | Goal: Decommission MFA Server ONLY | Goal: Decommission MFA Server and move to Azure AD Authentication | Goal: Decommission MFA Server and AD FS |
|MFA provider | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. | Change MFA provider from MFA Server to Azure AD Multi-Factor Authentication. |
35
-
|User authentication |Continue to use federation for Azure AD authentication. | Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** Seamless Single Sign-On (SSO).| Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** SSO. |
35
+
|User authentication |Continue to use federation for Azure AD authentication. | Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** Seamless single sign-on (SSO).| Move to Azure AD with Password Hash Synchronization (preferred) or Passthrough Authentication **and** SSO. |
36
36
|Application authentication | Continue to use AD FS authentication for your applications. | Continue to use AD FS authentication for your applications. | Move apps to Azure AD before migrating to Azure AD Multi-Factor Authentication. |
37
37
38
38
If you can, move both your multifactor authentication and your user authentication to Azure. For step-by-step guidance, see [Moving to Azure AD Multi-Factor Authentication and Azure AD user authentication](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md).
@@ -55,34 +55,31 @@ Microsoft’s MFA server can be integrated with many systems, and you must evalu
55
55
56
56
### Migrating MFA user information
57
57
58
-
Common ways to think about moving users in batches include moving them by regions, departments, or roles such as administrators.
59
-
Whichever strategy you choose, ensure that you move users iteratively, starting with test and pilot groups, and that you have a rollback plan in place.
58
+
Common ways to think about moving users in batches include moving them by regions, departments, or roles such as administrators. You should move user accounts iteratively, starting with test and pilot groups, and make sure you have a rollback plan in place.
60
59
61
-
While you can migrate users’ registered multifactor authentication phone numbers and hardware tokens, you can't migrate device registrations such as their Microsoft Authenticator app settings.
62
-
Users will need to register and add a new account on the Authenticator app and remove the old account.
60
+
You can use the [MFA Server Migration Utility](how-to-mfa-server-migration-utility.md) to synchronize MFA data stored in the on-premises Azure MFA Server to Azure AD MFA and use [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) to reroute users to Azure MFA. Staged Rollout helps you test without making any changes to your domain federation settings.
63
61
64
62
To help users to differentiate the newly added account from the old account linked to the MFA Server, make sure the Account name for the Mobile App on the MFA Server is named in a way to distinguish the two accounts.
65
-
For example, the Account name that appears under Mobile App on the MFA Server has been renamed to On-Premises MFA Server.
66
-
The account name on the Authenticator App will change with the next push notification to the user.
63
+
For example, the Account name that appears under Mobile App on the MFA Server has been renamed to **On-Premises MFA Server**.
64
+
The account name on Microsoft Authenticator will change with the next push notification to the user.
67
65
68
66
Migrating phone numbers can also lead to stale numbers being migrated and make users more likely to stay on phone-based MFA instead of setting up more secure methods like Microsoft Authenticator in passwordless mode.
69
67
We therefore recommend that regardless of the migration path you choose, that you have all users register for [combined security information](howto-registration-mfa-sspr-combined.md).
70
68
71
-
72
69
#### Migrating hardware security keys
73
70
74
-
Azure AD provides support for OATH hardware tokens.
75
-
In order to migrate the tokens from MFA Server to Azure AD Multi-Factor Authentication, the [tokens must be uploaded into Azure AD using a CSV file](concept-authentication-oath-tokens.md#oath-hardware-tokens-preview), commonly referred to as a "seed file".
71
+
Azure AD provides support for OATH hardware tokens. You can use the [MFA Server Migration Utility](how-to-mfa-server-migration-utility.md) to synchronize MFA settings between MFA Server and Azure AD MFA and use [Staged Rollout](../hybrid/how-to-connect-staged-rollout.md) to test user migrations without changing domain federation settings.
72
+
73
+
If you only want to migrate OATH hardware tokens, you need to [upload tokens to Azure AD by using a CSV file](concept-authentication-oath-tokens.md#oath-hardware-tokens-preview), commonly referred to as a "seed file".
76
74
The seed file contains the secret keys, token serial numbers, and other necessary information needed to upload the tokens into Azure AD.
77
75
78
76
If you no longer have the seed file with the secret keys, it isn't possible to export the secret keys from MFA Server.
79
77
If you no longer have access to the secret keys, contact your hardware vendor for support.
80
78
81
79
The MFA Server Web Service SDK can be used to export the serial number for any OATH tokens assigned to a given user.
82
-
Using this information along with the seed file, IT admins can import the tokens into Azure AD and assign the OATH token to the specified user based on the serial number.
80
+
You can use this information along with the seed file to import the tokens into Azure AD and assign the OATH token to the specified user based on the serial number.
83
81
The user will also need to be contacted at the time of import to supply OTP information from the device to complete the registration.
84
-
Refer to the GetUserInfo > userSettings > OathTokenSerialNumber topic in the Multi-Factor Authentication Server help file on your MFA Server.
85
-
82
+
Refer to the help file topic **GetUserInfo** > **userSettings** > **OathTokenSerialNumber** in Multi-Factor Authentication Server on your MFA Server.
86
83
87
84
### More migrations
88
85
@@ -91,19 +88,19 @@ The decision to migrate from MFA Server to Azure AD Multi-Factor Authentication
91
88
- Your willingness to use Azure AD authentication for users
92
89
- Your willingness to move your applications to Azure AD
93
90
94
-
Because MFA Server is deeply integrated with both applications and user authentication, you may want to consider moving both of those functions to Azure as a part of your MFA migration, and eventually decommissioning AD FS.
91
+
Because MFA Server is integral to both application and user authentication, consider moving both of those functions to Azure as a part of your MFA migration, and eventually decommission AD FS.
95
92
96
93
Our recommendations:
97
94
98
95
- Use Azure AD for authentication as it enables more robust security and governance
99
96
- Move applications to Azure AD if possible
100
97
101
-
To select the user authentication method best for your organization, see [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/choose-ad-authn.md).
98
+
To select the best user authentication method for your organization, see [Choose the right authentication method for your Azure AD hybrid identity solution](../hybrid/choose-ad-authn.md).
102
99
We recommend that you use Password Hash Synchronization (PHS).
103
100
104
101
### Passwordless authentication
105
102
106
-
As part of enrolling users to use Microsoft Authenticator as a second factor, we recommend you enable passwordless phone sign-in as part of their registration. For more information, including other passwordless methods such as FIDO and Windows Hello for Business, visit [Plan a passwordless authentication deployment with Azure AD](howto-authentication-passwordless-deployment.md#plan-for-and-deploy-microsoft-authenticator).
103
+
As part of enrolling users to use Microsoft Authenticator as a second factor, we recommend you enable passwordless phone sign-in as part of their registration. For more information, including other passwordless methods such as FIDO2 security keys and Windows Hello for Business, visit [Plan a passwordless authentication deployment with Azure AD](howto-authentication-passwordless-deployment.md#plan-for-and-deploy-microsoft-authenticator).
107
104
108
105
### Microsoft Identity Manager self-service password reset
109
106
@@ -128,14 +125,13 @@ Check with the service provider for supported product versions and their capabil
128
125
- The NPS extension doesn't use Azure AD Conditional Access policies. If you stay with RADIUS and use the NPS extension, all authentication requests going to NPS will require the user to perform MFA.
129
126
- Users must register for Azure AD Multi-Factor Authentication prior to using the NPS extension. Otherwise, the extension fails to authenticate the user, which can generate help desk calls.
130
127
- When the NPS extension invokes MFA, the MFA request is sent to the user's default MFA method.
131
-
- Because the sign-in happens on non-Microsoft applications, it's unlikely that the user will see visual notification that multifactor authentication is required and that a request has been sent to their device.
128
+
- Because the sign-in happens on non-Microsoft applications, the user often can't see visual notification that multifactor authentication is required and that a request has been sent to their device.
132
129
- During the multifactor authentication requirement, the user must have access to their default authentication method to complete the requirement. They can't choose an alternative method. Their default authentication method will be used even if it's disabled in the tenant authentication methods and multifactor authentication policies.
133
130
- Users can change their default multifactor authentication method in the Security Info page (aka.ms/mysecurityinfo).
134
131
- Available MFA methods for RADIUS clients are controlled by the client systems sending the RADIUS access requests.
135
-
- MFA methods that require user input after they enter a password can only be used with systems that support access-challenge responses with RADIUS. Input methods might include OTP, hardware OATH tokens or the Microsoft Authenticator application.
132
+
- MFA methods that require user input after they enter a password can only be used with systems that support access-challenge responses with RADIUS. Input methods might include OTP, hardware OATH tokens or Microsoft Authenticator.
136
133
- Some systems might limit available multifactor authentication methods to Microsoft Authenticator push notifications and phone calls.
137
134
138
-
139
135
>[!NOTE]
140
136
>The password encryption algorithm used between the RADIUS client and the NPS system, and the input methods the client can use affect which authentication methods are available. For more information, see [Determine which authentication methods your users can use](howto-mfa-nps-extension.md).
141
137
@@ -162,5 +158,5 @@ Others might include:
162
158
163
159
-[Moving to Azure AD Multi-Factor Authentication with federation](how-to-migrate-mfa-server-to-azure-mfa-with-federation.md)
164
160
-[Moving to Azure AD Multi-Factor Authentication and Azure AD user authentication](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md)
165
-
161
+
-[How to use the MFA Server Migration Utility](how-to-mfa-server-migration-utility.md)
0 commit comments