Using custom multifactor authentication for activation in MIM PAM
Important
In September 2022, Microsoft announced the deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments no longer service multifactor authentication (MFA) requests. Customers of Azure Multi-Factor Authentication Server must instead use either a custom MFA provider, or Windows Hello or smartcard-based authentication in AD.
When configuring a PAM role, you can choose how to authorize users that request to activate the role. The choices that the PAM authorization activity implements are:
- Role owner approval
- Custom multifactor authentication
If neither check is enabled, candidate users are automatically activated for their role.
Note
The PAM approach with a bastion environment provided by MIM is intended to be used in a custom architecture for isolated environments where Internet access is not available, where this configuration is required by regulation, or in high impact isolated environments like offline research laboratories and disconnected operational technology or supervisory control and data acquisition environments. If your Active Directory is part of an Internet-connected environment, see securing privileged access on where to start.
Prerequisites
In order to use custom multifactor authentication with MIM PAM, you need:
- MIM configured for custom multifactor authentication
- Phone numbers for all candidate users
Configure PAM users for custom multifactor authentication
For a user to activate a role that requires custom multifactor authentication, the user's telephone number must be stored in MIM. There are two ways to set this attribute.
First, the New-PAMUser command copies the phone number attribute from the user's directory entry in the CORP domain to the MIM Service database. Note that this is a one-time operation performed when the PAM user is created; later changes to the number in CORP are not picked up automatically.
Second, the Set-PAMUser command updates the phone number attribute in the MIM Service database. For example, the following replaces an existing PAM user's phone number in the MIM Service. The user's directory entry in CORP is unchanged.
Set-PAMUser (Get-PAMUser -SourceDisplayName Jen) -SourcePhoneNumber 12135551212
Configure PAM roles for multifactor authentication
Once all of the candidate users for a PAM role have their telephone numbers stored in the MIM Service database, the role can be configured to require custom multifactor authentication. This is done using the New-PAMRole or Set-PAMRole commands. For example,
Set-PAMRole (Get-PAMRole -DisplayName "R") -MFAEnabled 1
Multifactor authentication can be disabled for a role by specifying the parameter "-MFAEnabled 0" in the Set-PAMRole command.
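The two steps above (populate every candidate's phone number, then enable MFA on the role) are easy to get out of order: if MFA is enabled while a candidate still has no number in the MIM Service, that candidate cannot complete activation. The following script, an added example that is not part of the MIM documentation, ties the steps together for one role. It assumes (these are assumptions, not documented behaviour) that the object returned by Get-PAMRole exposes its candidates as PAM user objects in a Candidates property and its MFA setting in an MFAEnabled property, that PAM user objects expose SourceDisplayName, SourceAccountName and SourcePhoneNumber, and that the CORP number lives in the AD telephoneNumber attribute, read with Get-ADUser from the ActiveDirectory module. The role name "R" and the domain controller name are placeholders.

```powershell
# Added example (not from the MIM documentation): verify every candidate of a PAM role has a
# phone number in the MIM Service, back-fill from CORP where possible, then enable custom MFA.
# Assumptions (not documented on this page): $role.Candidates holds PAM user objects;
# PAM user objects expose SourceDisplayName, SourceAccountName, SourcePhoneNumber;
# the role object exposes MFAEnabled; CORP stores the number in telephoneNumber.
Import-Module MIMPAM
Import-Module ActiveDirectory

$RoleName            = 'R'                                  # placeholder role name
$CorpDomainController = 'corp-dc01.corp.contoso.local'      # placeholder CORP DC reachable from PRIV

$role = Get-PAMRole -DisplayName $RoleName
if (-not $role) { throw "PAM role '$RoleName' not found in the MIM Service" }

$missing = @()
foreach ($candidate in $role.Candidates) {
    # Re-read the PAM user so we see the current value in the MIM Service database
    $pamUser = Get-PAMUser -SourceDisplayName $candidate.SourceDisplayName
    if (-not [string]::IsNullOrWhiteSpace($pamUser.SourcePhoneNumber)) { continue }

    # New-PAMUser copied the number only once, at creation time; fetch the current
    # CORP value and push it into the MIM Service with Set-PAMUser.
    $adUser = Get-ADUser -Identity $pamUser.SourceAccountName `
                         -Server $CorpDomainController `
                         -Properties telephoneNumber
    $digits = ($adUser.telephoneNumber -replace '\D', '')      # e.g. '+1 (213) 555-1212' -> 12135551212
    if ($digits) {
        Set-PAMUser $pamUser -SourcePhoneNumber $digits
        Write-Host "Stored phone number for $($pamUser.SourceDisplayName) in the MIM Service"
    } else {
        $missing += $pamUser.SourceDisplayName
    }
}

if ($missing.Count -gt 0) {
    # A candidate without a number cannot answer the MFA call, so leave MFA off for now.
    Write-Warning ("Not enabling MFA on '$RoleName'; no phone number in CORP for: " + ($missing -join ', '))
    return
}

Set-PAMRole $role -MFAEnabled 1
$check = Get-PAMRole -DisplayName $RoleName
Write-Host "MFAEnabled on '$RoleName' is now: $($check.MFAEnabled)"
```

Run this from the PRIV forest as a MIM administrator. The digits-only normalisation matches the format used on this page (12135551212); if your custom MFA provider expects a different format, adjust the -replace accordingly.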
Troubleshooting
The following events can be found in the Privileged Access Management event log:
ID | Severity | Generated by | Description |
---|---|---|---|
101 | Error | MIM Service | User did not complete custom multifactor authentication (e.g., did not answer the phone) |
103 | Information | MIM Service | User completed custom multifactor authentication during activation |
825 | Warning | PAM Monitoring Service | Telephone number has been changed |
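Of the three events, 825 deserves the most attention: a changed telephone number redirects the MFA call, so a change that was not made by an administrator on purpose is a sign of tampering with the MIM Service data. The following query, an added example that is not part of the MIM documentation, pulls the three events from the log and flags 825 separately. It assumes the log is registered under the name "Privileged Access Management" as the table above describes, and, because the message format is not documented here, prints each event's first message line rather than parsing a specific field.

```powershell
# Added example (not from the MIM documentation): summarise custom-MFA events from the
# Privileged Access Management log on the MIM Service server and flag phone-number changes.
# Assumption: the log name is exactly 'Privileged Access Management'.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Privileged Access Management'
    Id        = 101, 103, 825
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No custom MFA events (101/103/825) since $since"
    return
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Meaning'; Expression = {
            switch ($_.Id) {
                101 { 'MFA not completed; activation denied' }
                103 { 'MFA completed during activation' }
                825 { 'Telephone number changed' }
            } } },
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Surface every phone-number change for review against the change record.
$events | Where-Object { $_.Id -eq 825 } | ForEach-Object {
    Write-Warning "Phone number change recorded at $($_.TimeCreated): $(($_.Message -split "`r?`n")[0])"
}
```

Compare each 825 event against the Set-PAMUser changes you expect; an 825 with no matching administrative action is worth an incident ticket, and a run of 101 events for one user may mean the stored number is stale rather than that the user is declining the call.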