Commit a758f90

Merge pull request #233144 from Justinha/mfa-faq-2
revised MFA
2 parents 0cabde0 + affc7f1 commit a758f90

1 file changed

+23
-16
lines changed

articles/active-directory/authentication/multi-factor-authentication-faq.yml

Lines changed: 23 additions & 16 deletions
@@ -7,25 +7,25 @@ metadata:
77
ms.service: active-directory
88
ms.subservice: authentication
99
ms.topic: faq
10-
ms.date: 11/03/2022
10+
ms.date: 04/03/2023
1111
ms.author: justinha
1212
author: justinha
1313
manager: amycolannino
14-
ms.reviewer: michmcla
14+
ms.reviewer: jpettere
1515
ms.collection: M365-identity-device-management
1616
title: Frequently asked questions about Azure AD Multi-Factor Authentication
1717
summary: |
1818
This FAQ answers common questions about Azure AD Multi-Factor Authentication and using the Multi-Factor Authentication service. It's broken down into questions about the service in general, billing models, user experiences, and troubleshooting.
1919
2020
> [!IMPORTANT]
21-
> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
21+
> In September 2022, Microsoft announced deprecation of Multi-Factor Authentication Server. Beginning September 30, 2024, Multi-Factor Authentication Server deployments will no longer service multifactor authentication (MFA) requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users’ authentication data](how-to-migrate-mfa-server-to-azure-mfa-user-authentication.md) to the cloud-based Azure AD MFA service by using the latest Migration Utility included in the most recent [MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
2222
2323
2424
sections:
2525
- name: General
2626
questions:
2727
- question: |
28-
How does Azure Multi-Factor Authentication Server handle user data?
28+
How does Azure AD Multi-Factor Authentication Server handle user data?
2929
answer: |
3030
With Multi-Factor Authentication Server, user data is only stored on the on-premises servers. No persistent user data is stored in the cloud. When the user performs two-step verification, Multi-Factor Authentication Server sends data to the Azure AD Multi-Factor Authentication cloud service for authentication. Communication between Multi-Factor Authentication Server and the Multi-Factor Authentication cloud service uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443 outbound.
3131
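Review bot: the renamed question title on line 28 reads "Azure AD Multi-Factor Authentication Server", but the on-premises product is called "Multi-Factor Authentication Server" everywhere else in this change (the deprecation notice on line 21 and the other renamed questions), and "Azure AD Multi-Factor Authentication" is the name this same answer uses for the cloud service the server talks to; mixing the two in one title blurs exactly the distinction the answer is drawing. Suggest "How does Multi-Factor Authentication Server handle user data?". While this question is being touched, the unchanged answer still says the outbound channel "uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over port 443"; SSL is a deprecated protocol, so naming it as an alternative implies it is still acceptable for the server-to-cloud link, and the sentence would be safer saying TLS only.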
@@ -69,7 +69,14 @@ sections:
6969
7070
## Billing
7171
Most billing questions can be answered by referring to either the [Multi-Factor Authentication Pricing page](https://azure.microsoft.com/pricing/details/multi-factor-authentication/) or the documentation for [Azure AD Multi-Factor Authentication versions and consumption plans](concept-mfa-licensing.md).
72+
73+
- question: |
74+
Does Azure AD Multi-Factor Authentication throttle user sign-ins?
75+
answer: |
76+
Yes, in certain cases that typically involve repeated authentication requests in a short time window, Azure AD Multi-Factor Authentication will throttle user sign-in attempts to protect telecommunication networks, mitigate MFA fatigue-style attacks and protect its own systems for the benefit of all customers.
7277
78+
Although we don't share specific throttling limits, they are based around reasonable usage.
79+
7380
- question: |
7481
Is my organization charged for sending the phone calls and text messages that are used for authentication?
7582
answer: |
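Review bot: the new throttling question on lines 73-79 is inserted directly under the "## Billing" heading, but nothing in it concerns billing; it belongs with the General or troubleshooting questions, and a reader looking for it will not find it in a billing section. The answer also tells the reader that throttling exists without saying what they will see or do about it; since the trigger described is "repeated authentication requests in a short time window", it would help to add that a throttled sign-in should be retried after a pause rather than resubmitted immediately, as immediate resubmission is the pattern the throttle is there to catch. "Although we don't share specific throttling limits, they are based around reasonable usage" is fine as a policy statement but leaves "reasonable" undefined; if a concrete signal exists (an error message or sign-in log entry), pointing to it would make the answer actionable.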
@@ -103,7 +110,7 @@ sections:
103110
answer: |
104111
If your organization purchases MFA as a standalone service with consumption-based billing, you choose a billing model when you create an MFA provider. You can't change the billing model after an MFA provider is created.
105112
106-
If your MFA provider is *not* linked to an Azure AD tenant, or you link the new MFA provider to a different Azure AD tenant, user settings, and configuration options aren't transferred. Also, existing Azure MFA Servers need to be reactivated using activation credentials generated through the new MFA Provider. Reactivating the MFA Servers to link them to the new MFA Provider doesn't impact phone call and text message authentication, but mobile app notifications will stop working for all users until they reactivate the mobile app.
113+
If your MFA provider is *not* linked to an Azure AD tenant, or you link the new MFA provider to a different Azure AD tenant, user settings, and configuration options aren't transferred. Also, existing MFA Servers need to be reactivated using activation credentials generated through the new MFA Provider. Reactivating the MFA Servers to link them to the new MFA Provider doesn't impact phone call and text message authentication, but mobile app notifications will stop working for all users until they reactivate the mobile app.
107114
108115
Learn more about MFA providers in [Getting started with an Azure Multi-Factor Auth Provider](concept-mfa-authprovider.md).
109116
@@ -112,14 +119,14 @@ sections:
112119
answer: |
113120
In some instances, yes.
114121
115-
If your directory has a *per-user* Azure Multi-Factor Authentication provider, you can add MFA licenses. Users with licenses aren't counted in the per-user consumption-based billing. Users without licenses can still be enabled for MFA through the MFA provider. If you purchase and assign licenses for all your users configured to use Multi-Factor Authentication, you can delete the Azure Multi-Factor Authentication provider. You can always create another per-user MFA provider if you have more users than licenses in the future.
122+
If your directory has a *per-user* Azure AD Multi-Factor Authentication provider, you can add MFA licenses. Users with licenses aren't counted in the per-user consumption-based billing. Users without licenses can still be enabled for MFA through the MFA provider. If you purchase and assign licenses for all your users configured to use Multi-Factor Authentication, you can delete the Azure AD Multi-Factor Authentication provider. You can always create another per-user MFA provider if you have more users than licenses in the future.
116123
117-
If your directory has a *per-authentication* Azure Multi-Factor Authentication provider, you're always billed for each authentication, as long as the MFA provider is linked to your subscription. You can assign MFA licenses to users, but you'll still be billed for every two-step verification request, whether it comes from someone with an MFA license assigned or not.
124+
If your directory has a *per-authentication* Azure AD Multi-Factor Authentication provider, you're always billed for each authentication, as long as the MFA provider is linked to your subscription. You can assign MFA licenses to users, but you'll still be billed for every two-step verification request, whether it comes from someone with an MFA license assigned or not.
118125
119126
- question: |
120127
Does my organization have to use and synchronize identities to use Azure AD Multi-Factor Authentication?
121128
answer: |
122-
If your organization uses a consumption-based billing model, Azure Active Directory is optional, but not required. If your MFA provider isn't linked to an Azure AD tenant, you can only deploy Azure Multi-Factor Authentication Server on-premises.
129+
If your organization uses a consumption-based billing model, Azure Active Directory is optional, but not required. If your MFA provider isn't linked to an Azure AD tenant, you can only deploy Azure AD Multi-Factor Authentication Server on-premises.
123130
124131
Azure Active Directory is required for the license model because licenses are added to the Azure AD tenant when you purchase and assign them to users in the directory.
125132
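Review bot: line 129 renames the on-premises product to "Azure AD Multi-Factor Authentication Server", the same mix-up as line 28, whereas the rest of this change calls it "Multi-Factor Authentication Server" (lines 21, 196, 198, 208). Prefixing it with "Azure AD" is especially confusing here because the sentence is explaining what you can do when your MFA provider is not linked to an Azure AD tenant at all. Suggest "you can only deploy Multi-Factor Authentication Server on-premises". In the same sentence, "Azure Active Directory is optional, but not required" says the same thing twice; "is not required" or "is optional" alone reads cleaner.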
@@ -172,10 +179,10 @@ sections:
172179
answer: |
173180
In some cases, yes.
174181
175-
For one-way SMS with Azure MFA Server v7.0 or higher, you can configure the timeout setting by setting a registry key. After the MFA cloud service sends the text message, the verification code (or one-time passcode) is returned to the MFA Server. The MFA Server stores the code in memory for 300 seconds by default. If the user doesn't enter the code before the 300 seconds have passed, their authentication is denied. Use these steps to change the default timeout setting:
182+
For one-way SMS with MFA Server v7.0 or higher, you can configure the timeout setting by setting a registry key. After the MFA cloud service sends the text message, the verification code (or one-time passcode) is returned to the MFA Server. The MFA Server stores the code in memory for 300 seconds by default. If the user doesn't enter the code before the 300 seconds have passed, their authentication is denied. Use these steps to change the default timeout setting:
176183
177184
1. Go to `HKLM\Software\Wow6432Node\Positive Networks\PhoneFactor`.
178-
2. Create a **DWORD** registry key called *pfsvc_pendingSmsTimeoutSeconds* and set the time in seconds that you want the Azure MFA Server to store one-time passcodes.
185+
2. Create a **DWORD** registry key called *pfsvc_pendingSmsTimeoutSeconds* and set the time in seconds that you want the MFA Server to store one-time passcodes.
179186
180187
>[!TIP]
181188
>
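Review bot: line 185 says "Create a **DWORD** registry key called *pfsvc_pendingSmsTimeoutSeconds*", but the item created under `HKLM\Software\Wow6432Node\Positive Networks\PhoneFactor` is a registry value of type DWORD, not a key; an administrator following the text literally will create a subkey of that name, which the service will not read. Suggest "Create a **DWORD** value named *pfsvc_pendingSmsTimeoutSeconds*". The procedure should also carry a caveat that the value controls how long a one-time passcode stays valid: raising it above the 300-second default widens the window in which a code obtained by phishing or SMS interception can still be used, so the text should advise keeping it as short as the SMS delivery path allows rather than presenting it as a free tuning knob.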
@@ -186,23 +193,23 @@ sections:
186193
For one-way SMS with Azure AD MFA in the cloud (including the AD FS adapter or the Network Policy Server extension), you can't configure the timeout setting. Azure AD stores the verification code for 180 seconds.
187194
188195
- question: |
189-
Can I use hardware tokens with Azure Multi-Factor Authentication Server?
196+
Can I use hardware tokens with Multi-Factor Authentication Server?
190197
answer: |
191-
If you're using Azure Multi-Factor Authentication Server, you can import third-party Open Authentication (OATH) time-based, one-time password (TOTP) tokens, and then use them for two-step verification.
198+
If you're using Multi-Factor Authentication Server, you can import third-party Open Authentication (OATH) time-based, one-time password (TOTP) tokens, and then use them for two-step verification.
192199
193-
You can use ActiveIdentity tokens that are OATH TOTP tokens if you put the secret key in a CSV file and import to Azure Multi-Factor Authentication Server. You can use OATH tokens with Active Directory Federation Services (ADFS), Internet Information Server (IIS) forms-based authentication, and Remote Authentication Dial-In User Service (RADIUS) as long as the client system can accept the user input.
200+
You can use ActiveIdentity tokens that are OATH TOTP tokens if you put the secret key in a CSV file and import to Multi-Factor Authentication Server. You can use OATH tokens with Active Directory Federation Services (ADFS), Internet Information Server (IIS) forms-based authentication, and Remote Authentication Dial-In User Service (RADIUS) as long as the client system can accept the user input.
194201
195202
You can import third-party OATH TOTP tokens with the following formats:
196203
197204
- Portable Symmetric Key Container (PSKC)
198205
- CSV if the file contains a serial number, a secret key in Base 32 format, and a time interval
199206
200207
- question: |
201-
Can I use Azure Multi-Factor Authentication Server to secure Terminal Services?
208+
Can I use Multi-Factor Authentication Server to secure Terminal Services?
202209
answer: |
203210
Yes, but if you're using Windows Server 2012 R2 or later, you can only secure Terminal Services by using Remote Desktop Gateway (RD Gateway).
204211
205-
Security changes in Windows Server 2012 R2 changed how Azure Multi-Factor Authentication Server connects to the Local Security Authority (LSA) security package in Windows Server 2012 and earlier versions. For versions of Terminal Services in Windows Server 2012 or earlier, you can [secure an application with Windows Authentication](howto-mfaserver-windows.md#to-secure-an-application-with-windows-authentication-use-the-following-procedure). If you're using Windows Server 2012 R2, you need RD Gateway.
212+
Security changes in Windows Server 2012 R2 changed how Multi-Factor Authentication Server connects to the Local Security Authority (LSA) security package in Windows Server 2012 and earlier versions. For versions of Terminal Services in Windows Server 2012 or earlier, you can [secure an application with Windows Authentication](howto-mfaserver-windows.md#to-secure-an-application-with-windows-authentication-use-the-following-procedure). If you're using Windows Server 2012 R2, you need RD Gateway.
206213
207214
- question: |
208215
I configured Caller ID in MFA Server, but my users still receive Multi-Factor Authentication calls from an anonymous caller.
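Review bot: line 217 still ends "If you're using Windows Server 2012 R2, you need RD Gateway", while the first sentence of the same answer (line 210) says "Windows Server 2012 R2 or later"; the renamed sentence should say "2012 R2 or later" as well, otherwise a reader on a newer server can conclude the LSA-based method still applies to them. Separately, the CSV import described on lines 200-206 puts each token's Base32 seed into a plain file, and the seed is all that is needed to generate that token's TOTP codes; the answer should tell administrators to remove the CSV and PSKC files once the import has succeeded so the seeds do not sit on the server or a share.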
@@ -254,5 +261,5 @@ additionalContent: |
254261
255262
* Search the [Microsoft Support Knowledge Base](https://support.microsoft.com) for solutions to common technical issues.
256263
* Search for and browse technical questions and answers from the community, or ask your own question in the [Azure Active Directory Q&A](/answers/topics/azure-active-directory.html).
257-
* Contact Microsoft professional through [Azure Multi-Factor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error.
264+
* Contact Microsoft professional through [Multi-Factor Authentication Server support](https://support.microsoft.com/oas/default.aspx?prid=14947). When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, and the ID of the user who saw the error.
258265
* If you're a legacy PhoneFactor customer and you have questions or need help with resetting a password, use the [[email protected]](mailto:[email protected]) e-mail address to open a support case.
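Review bot: line 264 reads "Contact Microsoft professional through ...", which is missing an article; suggest "Contact a Microsoft support professional through ...". The unchanged bullet after it shows the PhoneFactor support address as "[email protected]" in both the link text and the mailto target, which looks like an obfuscation or extraction artifact rather than a real address; worth confirming the source file carries the actual address before this renders.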