# Configuring Azure MFA

Before reading this section, please read the following important note.

{% hint style="warning" %}
**Note:** As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates, and generate activation credentials as usual: <https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-deploy>.\
For new deployments, it is recommended to use Azure NPS Extension <https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension> or Azure MFA Service along with SAML configuration in RAS.
{% endhint %}

## **Configure Azure MFA**

Depending on the user location, there are four scenarios for the cloud MFA service:

<table><thead><tr><th width="289">User location</th><th>MFA in the cloud</th><th>MFA Server</th></tr></thead><tbody><tr><td>Microsoft Entra ID</td><td>Yes</td><td></td></tr><tr><td>Microsoft Entra ID and on-premises AD using federation with AD FS (is required for SSO)</td><td>Yes</td><td>Yes</td></tr><tr><td>Microsoft Entra ID and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - no password sync</td><td>Yes</td><td>Yes</td></tr><tr><td>Microsoft Entra ID and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - with password sync</td><td>Yes</td><td></td></tr><tr><td>On-premises Active Directory</td><td> </td><td>Yes</td></tr></tbody></table>

An Azure account with the Global Administrator role is required to download and activate MFA Server. Neither syncing with Microsoft Entra ID (via AD Connect) nor a custom DNS domain is required to set up an MFA Server that runs exclusively on-premises.

Users need to be imported into MFA Server and be configured for MFA authentication.

Parallels RAS authenticates users with MFA Server using the RADIUS second-level authentication provider. MFA Server must therefore be configured to allow RADIUS client connections from the RAS server.

The authentication process goes through the following stages:

![](https://content.gitbook.com/content/djZAnEUWE2gAOnzhy2ZY/blobs/qNTAezOk1QxrLFfXe7kp/azure_mfa_diagram.png)

In stage 2, the user can be authenticated using either RADIUS or Windows AD. Enabling the option to forward the password avoids prompting the user for credentials twice (in stages 1 and 6).


