One step closer to modernization: The MFA Server Migration Utility

Published Wednesday, August 31, 2022

Hi folks!

We are always working to keep maximize your security and productivity. We focus on solutions to make modernization as easy as possible. As customers work towards modernizing security by adopting Azure AD, they have told us they need help migrating from on-premises MFA Server to cloud-based Azure MFA. This gets them a bunch of simplification – they can retire their on-premises MFA Server *and* the ADFS deployment needed to support it. Today, I am excited to announce the availability of the new Azure MFA Server Migration Utility, which we hope will make your modernization journey much easier!

Since July of 2019, we have blocked new downloads of the on-premises MFA Server, reflecting the fact the Azure MFA is our premier MFA experience, offering lower TCO, simpler deployment, better security, and many more features than the MFA Server. The Azure MFA Server Migration Utility makes it easy for admins to take advantage of these advances and modernize their infrastructure by migrating their users from on-premises Azure MFA Server to Azure MFA.

There are two pieces to this tool:

The Azure MFA Server Migration Utility facilitates the migration of user authentication data stored on-premises, directly into Azure AD, all without requiring any re-registration or action from their end-users. It is included in the latest update of Azure MFA Server.
Staged Rollout for Azure MFA functionality within Azure AD, allowing admins to selectively test and move users to Azure MFA without requiring any changes to federation settings.

Getting started

Step 1: Upgrade your primary Azure MFA Server

Install the latest Azure MFA Server update on your primary Azure MFA Server. If the remaining machines in your MFA Server deployment are running on version 6.1.0 or higher, no other servers need to be upgraded.

Step 2: Target users for migration

Once installed, open the new Migration Utility.

Migrating user data is as easy as selecting the Azure AD group containing users (or nested groups of users) you wish to migrate, defining the various registered MFA methods that should be moved to Azure AD, and then clicking “Migrate Users”.

Step 3: Target users for Azure MFA

Once user data has been migrated, use Staged Rollout for Azure MFA to ease migrations by determining which users should use Azure MFA, based on targeted group membership:

Since no changes to your tenant or federation settings are required, carrying out testing is extremely low-risk and can be done with as many or as few users as you wish.

Once testing and migrations have been completed, you can quickly and easily retire your entire MFA Server deployment, instantly reducing infrastructure and maintenance costs, while boosting the availability and reliability of your MFA Service. Head on over to the MFA Server Migration documentation page to get started!

As always, we’re excited to get your feedback and learn from you!

-Alex Weinert, Director of Identity Security (Twitter:@alex_t_weinert)

Learn more about Microsoft identity: