Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-09-17) Publishing Azure AD MFA Mobile App Web Service To The Outside

Posted by Jorge on 2016-09-17

For ADFS or any other application (Windows, Radius, IIS or LDAP) you have implemented the on-premises Azure AD MFA server to be able to use phone-based and/or sms-based phone authentication with or without a secret PIN code. During the installation/configuration of the Azure AD MFA server you used an internal URL instead of an external URL that is also available on the inside. Now somebody asked you to use the mobile app as the second factor and with that  request you must publish the Mobile App Web Service to the outside so that mobile phones can use when requiring to activate the mobile app on the mobile phone.

Let’s make the following assumptions:

First you need to publish the mobile app web service to the outside. For that I’ll assume you are using ADFS and WAP, so we’ll publish it through WAP.

On the WAP execute the following PowerShell CMDlet to publish the mobile app webs service through the WAP using pass through authentication:

Add-WebApplicationProxyApplication -BackendServerUrl ‘ -ExternalCertificateThumbprint ‘62012C6DAFE7AE35ABD7D8A10896A1D427C0E6F4’ -ExternalUrl ‘ -Name ‘Azure AD MFA Mobile App Web Service’ -ExternalPreAuthentication PassThrough

After you logon to the Azure AD MFA User Portal, and assuming you already have configured the Azure AD MFA server so that users can use the mobile app, and choose to activate the mobile app, you see something like…


Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code

However, the URL displayed is not the external URL, but rather the internal URL that is not reachable my mobile devices. You could ignore that and still enter the information (the activation code and the external URL!) manually on your mobile phone, but of course you want it to display the external URL so that you can scan the QR-code.

To make it happen the Azure AD MFA User Portal displays the external URL instead of the internal URL, you need to edit the “web.config” of the MultiFactorAuth application. In that file look for “OVERRIDE_PHONE_APP_WEB_SERVICE_URL” and as the value provide the external URL. The only difference is the hostname in the URL, while the path remains unchanged.


Figure 2: The “web.config” Of The MultiFactorAuth Application Now With An External Web Service URL

After making this changing you should be able to activate the mobile app on your mobile phone through the WAP.

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########

One Response to “(2016-09-17) Publishing Azure AD MFA Mobile App Web Service To The Outside”

  1. Kurt said

    I love how you blanked out the URL but left the QR code that still exposes the URL….


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: