Muokkaa

Jaa


Microsoft Entra recommendation: Migrate from MFA server to Microsoft Entra multifactor authentication (MFA)

Microsoft Entra recommendations provide you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to migrate from MFA server to Microsoft Entra MFA. This recommendation is called MfaServerDeprecation in the recommendations API in Microsoft Graph.

Description

Azure Multi-Factor Authentication Server (MFA Server) is scheduled for retirement on September 30th, 2024. In an effort to help organizations migrate to Microsoft Entra MFA, this Microsoft Entra recommendation identifies tenants with MFA server activity. This recommendation identifies tenants with active users and MFA attempts for MFA Server in the last 7 days. MFA Server client integrations, including a list of affected clients are also surfaced as a part of this recommendation.

Value

MFA Server is a component for deploying and managing MFA on-premises. In 2019, Microsoft stopped allowing new deployments of MFA Server and investing in feature enhancements. In September 2022, Microsoft formally announced the deprecation of MFA Server.

Cloud-based, Microsoft Entra multifactor authentication offers better resiliency, availability, and data compliancy. Migrating to Microsoft Entra MFA helps you improve your security posture by giving you access to the latest phishing-resistant authentication methods and more fine-grained access controls. It also helps reduce cost and deployment complexity by no longer having to maintain an on-premises component.

Action plan

  1. Learn how to migrate MFA Server to Microsoft Entra MFA.

  2. Migrate MFA user information from on-premises to Microsoft Entra.

  3. Use Staged Rollout to reroute users to authenticate against Microsoft Entra instead of MFA Server.

  4. Identify and migrate any MFA Server dependencies, such as applications using RADIUS or LDAP authentication.

  5. Update domain federation settings and decommission MFA Server.

Next steps