(2016-09-17) Publishing Azure AD MFA Mobile App Web Service To The Outside
Posted by Jorge on 2016-09-17
For ADFS or any other application (Windows, Radius, IIS or LDAP) you have implemented the on-premises Azure AD MFA server to be able to use phone-based and/or sms-based phone authentication with or without a secret PIN code. During the installation/configuration of the Azure AD MFA server you used an internal URL instead of an external URL that is also available on the inside. Now somebody asked you to use the mobile app as the second factor and with that request you must publish the Mobile App Web Service to the outside so that mobile phones can use when requiring to activate the mobile app on the mobile phone.
–
Let’s make the following assumptions:
- Internal URL for the mobile app web service: https://mfa.company.local/MultiFactorAuthMobileAppWebService/
- External URL for the mobile app web service: https://mfa.company.com/MultiFactorAuthMobileAppWebService/
–
First you need to publish the mobile app web service to the outside. For that I’ll assume you are using ADFS and WAP, so we’ll publish it through WAP.
On the WAP execute the following PowerShell CMDlet to publish the mobile app webs service through the WAP using pass through authentication:
Add-WebApplicationProxyApplication -BackendServerUrl ‘https://mfa.company.local/MultiFactorAuthMobileAppWebService/‘ -ExternalCertificateThumbprint ‘62012C6DAFE7AE35ABD7D8A10896A1D427C0E6F4’ -ExternalUrl ‘https://mfa.company.com/MultiFactorAuthMobileAppWebService/‘ -Name ‘Azure AD MFA Mobile App Web Service’ -ExternalPreAuthentication PassThrough
–
After you logon to the Azure AD MFA User Portal, and assuming you already have configured the Azure AD MFA server so that users can use the mobile app, and choose to activate the mobile app, you see something like…
Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code
–
However, the URL displayed is not the external URL, but rather the internal URL that is not reachable my mobile devices. You could ignore that and still enter the information (the activation code and the external URL!) manually on your mobile phone, but of course you want it to display the external URL so that you can scan the QR-code.
–
To make it happen the Azure AD MFA User Portal displays the external URL instead of the internal URL, you need to edit the “web.config” of the MultiFactorAuth application. In that file look for “OVERRIDE_PHONE_APP_WEB_SERVICE_URL” and as the value provide the external URL. The only difference is the hostname in the URL, while the path remains unchanged.
Figure 2: The “web.config” Of The MultiFactorAuth Application Now With An External Web Service URL
–
After making this changing you should be able to activate the mobile app on your mobile phone through the WAP.
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Kurt said
I love how you blanked out the URL but left the QR code that still exposes the URL….
LikeLike