Azure MFA server - couple of issues

Category: azure multifactorauthentication

Question

Vick Vega on Fri, 16 Aug 2019 14:23:07


Hello,
Azure MFA server on-prem, latest version.
1. I would like to add multiple admin users into MFA. Those users would be designated MFA Administrators for users defined in MFA. Usually the process is to wait until users will be synced from AD (in our case), then go to MFA Admin UI, edit each user that is going to be "promoted to the admin" and add various admin permissions. I have created a "default admin user" in the portal, exported all the users into CSV, removed all unneeded users, aside from admin. Now I have a "admin template" in CSV. Duplicated the "template row" for several dozen of "admins". Since all the other attributes will be populated during the sync with AD, I really need just the username to be able to import the handful of "MFA Admin" users into MFA. I also would like to have MFA send an email to users on import notifying them that they should now login to the User Portal and setup their Auth App.
So I populate the "username" field and "email field" and import a SINGLE user into MFA. User is imported with all the "admin" settings as well as email is sent to the user asking to login to portal and configure Auth App for second factor.
However, this approach DOES NOT work, when multiple users are imported into MFA. The "Welcome email" is NOT sent, although I import several dozen of users with username and email fields populated.
Does anyone else also noticed such behavior?

2. Some other system sends Web Service SDK calls to IIS site running on MFA server.
In some cases the users is transferred with capital letters, such as Username@domain.com. When this happens MFA server can't find the users in the MFA users list although - username@domain.com exists there and rejects and drops the connection.
Is there any way to force MFA to not consider the case of the username provided during Web Service SDK calls?
The selection in "Company Settings" -> "Username resolution" is set to the third option ->"User Windows security identifiers ..." and the domain portion is blank.

3. For some reason MFA user portal is not displayed properly in IE 11, see screenshot. What is required to have it work properly?


Thank you.

Replies

Marilee Turscak - MSFT on Wed, 21 Aug 2019 21:39:25


Hi Vick,

I believe that the issues you mentioned may be product limitations, depending on which types of permissions you are adding. You need a global admin role to administer MFA settings and there's no other way to delegate those permissions. You can only have five global admin accounts in the tenant. 

User Voice is the best place to add this type of feedback. https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/17429305-delegate-permissions-for-managing-mfa

I'll also check with the product team to see if there is a workaround.

What sorts of custom permissions are you trying to add from the template?


Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!



Vick Vega on Wed, 21 Aug 2019 22:05:03


It's for MFA server on-prem. Nothing special really. Just several options un-checked.
Example: