Entra ID MFA
This authentication method is available only for AD accounts.
If your organization employs Microsoft Entra ID and uses Entra ID MFA to secure sign-ins, you can extend its use by configuring it as an authentication method within ADSelfService Plus. This simplifies the configuration process for administrators, allows centralized MFA management from ADSelfService Plus, and provides a seamless authentication experience for end users.
How it works
How Entra ID MFA works with ADSelfService Plus:

- The user attempts to perform a self-service action or access a protected endpoint.
- The multi-factor authentication page is loaded, and the user initiates Microsoft Entra ID MFA.
- The ADSelfService Plus server sends a RADIUS request to the Network Policy Server (NPS).
- The NPS extension for Microsoft Entra ID MFA contacts the Microsoft cloud and triggers an MFA request.
- If Microsoft Authenticator push notification or phone call-based verification methods are enabled for Entra ID MFA, the verification request is triggered directly.
- If Microsoft Authenticator verification code, hardware token-based, or SMS-based verification code methods are enabled for Microsoft Entra ID MFA, the NPS extension returns a RADIUS challenge response to the ADSelfService Plus server and the user is prompted for the verification code.
- Once Microsoft Entra ID MFA is successful, the NPS extension returns a RADIUS accept response to the ADSelfService Plus server and the user is granted access.
Microsoft Entra ID MFA offers the following authenticators to secure access:
- Microsoft Authenticator app-based push notifications.
- Microsoft Authenticator app-based verification codes.
- Phone call-based verification.
- SMS-based verification.
- OATH hardware tokens using Yubico, DeepNet Security, and more.
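The RADIUS exchange in the steps above, written out as an added example (not ManageEngine or Microsoft code): it builds a PAP Access-Request as RFC 2865 defines it, verifies the Response Authenticator with the shared secret, and tells a challenge from an accept. The user name, shared secret, State value, and the empty password on the first request are constructed assumptions, and `sample_response` stands in for the NPS side.

```python
import hashlib, hmac, os, struct

ACCEPT, REJECT, CHALLENGE = 2, 3, 11                   # RADIUS response codes (RFC 2865)
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24             # attribute types used here

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def pap_hide(password, secret, req_auth):
    """RFC 2865 section 5.2: XOR the zero-padded password with an MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def access_request(ident, user, password, secret, req_auth, state=None):
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_hide(password, secret, req_auth))
    if state is not None:
        attrs += attr(STATE, state)                     # echo State from the challenge
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def sample_response(code, ident, attrs, secret, req_auth):
    """Constructed stand-in for the NPS reply; not real NPS output."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def parse_response(pkt, secret, req_auth):
    """Check the Response Authenticator, then return (outcome, attributes)."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("response authenticator mismatch")
    attrs, i = {}, 20
    while i + 2 <= length:
        kind, size = pkt[i], pkt[i + 1]
        if size < 2 or i + size > length:
            raise ValueError("bad attribute")
        attrs[kind], i = pkt[i + 2:i + size], i + size
    return {ACCEPT: "accept", REJECT: "reject", CHALLENGE: "challenge"}.get(code, "unknown"), attrs

def demo(secret=b"constructed-shared-secret"):
    ra1, ra2 = os.urandom(16), os.urandom(16)
    access_request(1, b"jdoe", b"", secret, ra1)        # first request (empty password is an assumption)
    step1 = parse_response(sample_response(CHALLENGE, 1, attr(STATE, b"s1"), secret, ra1), secret, ra1)
    access_request(2, b"jdoe", b"123456", secret, ra2, state=step1[1][STATE])  # code sent via PAP
    step2 = parse_response(sample_response(ACCEPT, 2, b"", secret, ra2), secret, ra2)
    return step1[0], step2[0]
```

Both the hiding of the verification code and the integrity check on the reply depend only on the shared secret, so the secret set on the RADIUS client should be long and random.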
Prerequisites
- A server must be configured as the NPS, and have the Entra ID NPS extension installed and configured using these steps.
- A RADIUS client must be configured in the NPS for the ADSelfService Plus server.
- In the NPS, primary authentication must be skipped by selecting the Accept users without validating credentials option under Connection Request Policy > Authentication.
Note:
- Make sure the Connection Request Policy in which authentication is skipped applies only to the RADIUS client configured for ADSelfService Plus. Otherwise, other RADIUS clients on the same NPS would also be granted access without authentication.
- If Entra ID MFA needs to be removed, disable Entra ID MFA in ADSelfService Plus before uninstalling the Entra ID NPS extension.
- End users must be enrolled in Microsoft Entra ID MFA.
Configuration steps
- Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
- From the Choose the Policy drop-down, select a policy.
- Click Entra ID MFA.
- Enter the necessary information in the NPS Server, NPS Authentication Port, Authentication Method, Shared Secret (set while configuring the RADIUS client; refer to prerequisite 2), Username Pattern, and Request Timeout Settings fields.
- For OATH hardware tokens, SMS-based verification, and Microsoft Authenticator app-based verification code methods, PAP must be selected as the Authentication Method.
- For Microsoft Authenticator app-based push notification and mobile call-based verification methods, it's recommended that the Request Timeout Settings be set to at least 60 seconds.
- Click Test Connection & Save.

Authenticator management
To modify the configuration:
- Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
- Select Entra ID MFA.
- Click Modify and change the information provided wherever necessary.
- If the configuration needs to be removed, click Remove Configuration.
- Click Test Connection & Save.
Deploying the authenticator for MFA
Once the authenticator is configured, you can deploy it as an MFA method to secure sensitive actions like password resets and unlocks, protected endpoints, and logging into ADSelfService Plus. Click on the respective links to learn how.
Setting up user enrollment
The last step is setting up the process for users to enroll for the MFA method and utilize it for identity verification. Click here for more information on the various enrollment options available in ADSelfService Plus for your users.
Tip
You can see how the enrollment settings you configure will be presented to your users, here.