Hybrid Azure MFA


Hi everyone, is it possible to use the on-premises Azure MFA Server only for some specific users and the cloud-based Azure MFA for the other users of the organization? This hybrid implementation is needed because, for some specific users, the OTP codes or OATH codes that we generate and send to them must be usable in asynchronous mode, and this is possible only through the following configuration within the Azure MFA Server:

  1. Go to HKLM\Software\Wow6432Node\Positive Networks\PhoneFactor.
  2. Create a DWORD registry key called pfsvc_pendingSmsTimeoutSeconds and set the time in seconds that you want the Azure MFA Server to store one-time passcodes.

It is not possible to achieve the same result using only the cloud-based Azure MFA service, because there is no way to set this storage time for the OTP codes or OATH codes.

Thank you in advance.

Regards,

 

Vittorio
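As an added example (not code from the original post), the registry change described above expressed as an idempotent PowerShell function with validation and read-back. It assumes only the key path and value name quoted in the post; whether the MFA service picks the new value up without a restart is not stated on this page, so the script reports what it wrote and nothing more. Run it in an elevated session on the MFA Server host.

```powershell
# Added example, not from the original post: set the Azure MFA Server
# pending one-time-passcode timeout (pfsvc_pendingSmsTimeoutSeconds).
# Assumption: key path and value name as quoted in the question; whether the
# MFA service re-reads the value without a restart is not stated on the page.

$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Positive Networks\PhoneFactor'
$ValueName = 'pfsvc_pendingSmsTimeoutSeconds'

function Get-PendingSmsTimeout {
    [CmdletBinding()]
    param()
    # Return $null when the key or value is absent, so callers can tell
    # "not configured" from "configured to 0".
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction Stop
    if ($null -eq $props.PSObject.Properties[$ValueName]) { return $null }
    return [uint32]$props.$ValueName
}

function Set-PendingSmsTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # A DWORD is 32-bit unsigned. Keep the window short: every extra second a
        # pending code stays valid is extra time for an intercepted SMS or OATH
        # code to be replayed. The upper bound here (24 h) is an assumed sanity cap.
        [Parameter(Mandatory)]
        [ValidateRange(1, 86400)]
        [uint32]$Seconds
    )

    # The key normally already exists on an MFA Server host; an absent key usually
    # means the script is running on the wrong machine, so warn before creating it.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        Write-Warning "Key '$KeyPath' not found; is this the Azure MFA Server host?"
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    $current = Get-PendingSmsTimeout
    if ($current -eq $Seconds) {
        Write-Verbose "$ValueName already set to $Seconds; nothing to do."
        return $current
    }

    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $Seconds (was: $current)")) {
        if ($null -eq $current) {
            New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Seconds -PropertyType DWord | Out-Null
        } else {
            Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $Seconds -Type DWord
        }
    }

    # Read back and confirm the stored type is REG_DWORD, not a REG_SZ written by
    # some other tool, which the service would not parse as a number.
    $kind = (Get-Item -LiteralPath $KeyPath).GetValueKind($ValueName)
    if ($kind -ne 'DWord') { throw "$ValueName is stored as $kind, expected DWord" }
    return Get-PendingSmsTimeout
}

# Usage: hold pending OTPs for 10 minutes; add -WhatIf to preview the registry write.
Set-PendingSmsTimeout -Seconds 600 -Verbose
```

Calling it twice with the same value is a no-op, and `-WhatIf` lets a change-control reviewer see exactly which key and value would be written before anything is touched.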

3 Replies
It's not possible to configure this for AAD indeed and I doubt it will be supported in the future.

Please keep in mind that Azure MFA server is legacy and will disappear sometime.

I would advise you to keep away from it and try to find your way with AAD.

@Thijs Lecomte Thanks for the answer. Yes, I know, but it is the only way we found to set the time period of the OTP codes so that we can use them in async mode. Is there another way to achieve this goal with Azure MFA?

From the limited documentation I can find, this is not possible for AAD MFA.