Upgrade the PhoneFactor Agent to Microsoft Entra Multifactor Authentication Server
To upgrade the PhoneFactor Agent v5.x or older to Microsoft Entra Multifactor Authentication Server, uninstall the PhoneFactor Agent and affiliated components first. Then the Multifactor Authentication Server and its affiliated components can be installed.
Important
In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Microsoft Entra Multifactor Authentication service by using the latest Migration Utility included in the most recent Microsoft Entra Multifactor Authentication Server update. For more information, see Microsoft Entra Multifactor Authentication Server Migration.
To get started with cloud-based MFA, see Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication.
Uninstall the PhoneFactor Agent
First, back up the PhoneFactor data file. The default installation location is C:\Program Files\PhoneFactor\Data\Phonefactor.pfdata.
If the User portal is installed:
Navigate to the install folder and back up the web.config file. The default installation location is C:\inetpub\wwwroot\PhoneFactor.
If you added custom themes to the portal, back up your custom folder below the C:\inetpub\wwwroot\PhoneFactor\App_Themes directory.
Uninstall the User portal either through the PhoneFactor Agent (only available if installed on the same server as the PhoneFactor Agent) or through Windows Programs and Features.
If the Mobile App Web Service is installed:
Go to the install folder and back up the web.config file. The default installation location is C:\inetpub\wwwroot\PhoneFactorPhoneAppWebService.
Uninstall the Mobile App Web Service through Windows Programs and Features.
If the Web Service SDK is installed, uninstall it either through the PhoneFactor Agent or through Windows Programs and Features.
Uninstall the PhoneFactor Agent through Windows Programs and Features.
Install the Multifactor Authentication Server
The installation path is picked up from the registry from the previous PhoneFactor Agent installation, so it should install in the same location (for example, C:\Program Files\PhoneFactor). New installations have a different default install path (for example, C:\Program Files\Multifactor Authentication Server). The data file left by the previous PhoneFactor Agent should be upgraded during installation, so your users and settings should still be there after installing the new Multifactor Authentication Server.
If prompted, activate the Multifactor Authentication Server and ensure it's assigned to the correct replication group.
If the Web Service SDK was previously installed, install the new Web Service SDK through the Multifactor Authentication Server User Interface.
The default virtual directory name is now MultiFactorAuthWebServiceSdk instead of PhoneFactorWebServiceSdk. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you have to change the URL in any applications that reference the Web Service SDK, such as the User portal and Mobile App Web Service, to point at the correct location.
If the User portal was previously installed on the PhoneFactor Agent Server, install the new multifactor authentication User portal through the Multifactor Authentication Server User Interface.
The default virtual directory name is now MultiFactorAuth instead of PhoneFactor. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should select the User portal icon in the Multifactor Authentication Server and update the User portal URL on the Settings tab.
If the User portal and/or Mobile App Web Service was previously installed on a different server from the PhoneFactor Agent:
Go to the install location (for example, C:\Program Files\PhoneFactor) and copy one or more installers to the other server. There are 32-bit and 64-bit installers for both the User portal and Mobile App Web Service. They're called MultiFactorAuthenticationUserPortalSetupXX.msi and MultiFactorAuthenticationMobileAppWebServiceSetupXX.msi.
To install the User portal on the web server, open a command prompt as an administrator and run MultiFactorAuthenticationUserPortalSetupXX.msi.
The default virtual directory name is now MultiFactorAuth instead of PhoneFactor. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should select the User portal icon in the Multifactor Authentication Server and update the User portal URL on the Settings tab. Existing users need to be informed of the new URL.
Go to the User portal install location (for example, C:\inetpub\wwwroot\MultiFactorAuth) and edit the web.config file. Copy the values in the appSettings and applicationSettings sections from your original web.config file that was backed up before the upgrade into the new web.config file. If the new default virtual directory name was kept when installing the Web Service SDK, change the URL in the applicationSettings section to point to the correct location. If any other defaults were changed in the previous web.config file, apply those same changes to the new web.config file.
Note
When upgrading from a version of Microsoft Entra Multifactor Authentication Server older than 8.0 to 8.0+ that the mobile app web service can be uninstalled after the upgrade
Next steps
Install the users portal for the Microsoft Entra Multifactor Authentication Server.
Configure Windows Authentication for your applications.