Microsoft Entra MFA Server to be Deprecated
  • drewkoria


Are you aware that MFA Server is poised for deprecation?

Microsoft has provided multi-factor authentication servers (MFA Server), previously known as PhoneFactor, to enhance security for on-premises operations for a number of years. However, as Entra ID MFA has become easier to use, it has assumed a more prominent role, particularly with its capacity to extend protection to on-premises workloads through Entra Application Proxy.


In fact, as far back as July 2019, it was announced that new deployments of MFA Server would cease to be supported, suggesting that complete deprecation was inevitably on the horizon. Microsoft has recently confirmed that the MFA Server will cease operations on September 30, 2024. Consequently, the service will no longer process or handle MFA requests. Further information on this can be found here: Link


So, what's the recommended course of action?


The most logical step is to transition from the MFA Server infrastructure to Entra ID MFA. The next steps depend on the purpose for which the service was utilised:

  • If its use was focused on user authentication in conjunction with an existing ADFS server, there are choices to be made. One can continue to employ federation for Entra ID authentication or, alternatively, consider moving towards Entra ID password-hash synchronisation or pass-through authentication.

  • In instances where the service was being leveraged for application authentication, the options remain open. Either the application's access through the ADFS server can be retained using federation, or a bolder move can be undertaken by transferring the applications to Entra ID Enterprise applications.

Ideally, the path of least resistance would involve shifting the entirety of one's infrastructure to the cloud. This would necessitate leaving behind any on-premises remnants and embracing Entra ID MFA, password-hash synchronisation and Entra ID Enterprise applications.


By doing so, not only would conditional access be at one's disposal – a security feature that transcends the boundaries of standard MFA – but also an extra layer of security for accounts and applications would be in place. However, the real world seldom mirrors the ideal, thanks to specific organisational requirements and limitations. It is, therefore, paramount to craft a meticulous migration plan that takes into account the advantages and limitations of each option.


Enter Venture 1 – a specialist in precisely this type of migration. Our expertise allows us to equip you with the information required to make an informed decision, while also guiding you through the deployment and transition process to the new solution. For more insight, do not hesitate to get in touch. Your digital security is of utmost importance and we are here to ensure it remains steadfast.


Author: Siva Sivasandrarajah - Senior Consultant, Venture 1

