A long time has passed since Microsoft purchased PhoneFactor back in 2012, but it seems like the days of the old “pfweb” portal are finally over. The new “MFA Server” blade in the Azure RM portal is now in Preview and you can find it under the Security section of the Azure AD Directory blade.
As you can see from the screenshot below, most of the settings have been migrated and get their own separate tabs in the MFA Server blade now. The biggest reorganization is with the Reports section, which now features a single Activity report tab. The Bypassed or Blocked users reports are not available and neither is the Fraud Alerts report. The email-notification feature for Fraud Alerts, Account Lockout and One-time Bypass is replaced with a global Notifications list, without the granular controls.
Some of the settings configurable form the blade apply across *both* Azure MFA and MFA Server, the selection is controlled via the Replication group dropdown where available. As a reminder, the Replication group selection was shown on the left navigation menu in the old portal, but only for tenants that use both modalities.
And that’s pretty much it. The changes are minimal, just with a fresh new look. The lack of a generic audit log for changes performed in the blade is unfortunate though, but I’m sure this will arrive once the MFA blade is in GA.
For the time being, the PhoneFactor portal is still active and you can continue using it. Getting to it however is becoming more and more challenging, now that almost all Azure resources are using the RM portal.
- From the O365 portal, select Users, click More, Setup Multi-factor authentication. Once the “User portal” loads, click the Service settings tab and scroll down to the end, then click the Go to the portal link.
- As an alternative to the above, you can also access the “User portal” via the classic Azure portal – select the AAD instance in question, go to the Configure tab and press Manage service settings under the MFA group.
- From the classic Azure portal, by selecting the AAD instance in question, going to the MFA providers tab and clicking the Manage button. This is basically a smart link to your PFWeb instance, and it will look something like this: https://manage.windowsazure.com/ActiveDirectory/MfaCustomer/Manage/OWJOX7JBZXKG
Lastly, remember that some MFA settings are only configurable via the MFA section in the “User portal” we have in Azure AD. Those include Trusted IPs or controlling app passwords creation. The first two options mentioned above can get you to that part of the service.
2 thoughts on “Say goodbye to PhoneFactor, meet the new Azure MFA Server blade”
Hi Jeremy, sorry for the late reply here. I believe they are specific to MFA server only. You might recall that in the old portal we had separate entries for Azure MFA and MFA Server settings, and some of the settings visible in the new MFA blade simply don’t apply to Azure MFA.
In other news, the old portal seems to be gone now, none of the methods I listed above will help you access it anymore.
I’ve asked this question via Github straight from this docs.ms page: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next
I’m wondering which settings in the MFA Server blade apply to just Azure MFA, just MFA server, or both.
Any idea? I wish it was documented slightly more thoroughly, even though the docs pages are pretty great.