Readme.txt

QUICK START GUIDE
Full deployment details can be found at https://www.securemfa.com/downloads/mfa-tdm
 
Before you can register “SecureMfaThreatDetectionModule” into your ADFS farm you must complete the steps below.
All commands must be executed in an elevated PowerShell (PS) command prompt.
 
    1. Deploy the latest “SecureMfaThreatDetectionModule” PowerShell module from the Microsoft PSGallery using the PS command below:
 
    Install-Module -Name SecureMFA_TDM -Repository PSGallery -Scope AllUsers
 
    NOTE: If your ADFS server doesn’t have access to the Internet you can:
    - Pull the PowerShell module on a Windows client that has Internet access and copy the “C:\Program Files\WindowsPowerShell\Modules\SecureMFA_TDM” folder from the client computer to the ADFS server (same location).
    - Alternatively, download the “SecureMFA_TDM” nupkg file manually from the https://www.powershellgallery.com/ website. Rename the nupkg file’s extension to ZIP. Unzip the content into a folder named “SecureMFA_TDM” and place it in the default PS Modules location on the server. This works the same way as pulling the package with the native Windows PS tools.
 
    2. Within the “C:\Program Files\WindowsPowerShell\Modules\SecureMFA_TDM” directory update the “SecureMfaThreatDetectionModule.json” file.
    - If you will use the feature that blocks authentication requests from risky IPs, you need to configure the blockip_ sections.
    - If you will use risk level assessment by Azure AD Identity Protection to allow or block users based on their risk score level, you will need to add your Azure account details from your environment: tenantname, clientid and clientsecret. The file then holds an application secret in clear text, so restrict its NTFS permissions to administrators and the AD FS service account.
 
    3. If you need to generate verbose logs in the Windows event log for troubleshooting, change the verboselog value from “false” to “true”. Please note that verbose logging can affect your servers’ performance; use it only for troubleshooting. Don’t enable “verboselog” in production environments as it may reveal configuration secrets.
 
    4. If the ADFS servers (not the Web Application Proxy servers) cannot access the Azure AD Identity Protection API endpoint on the Internet directly, you need to configure your proxy server settings.
 
    5. Before SecureMfaThreatDetectionModule can be invoked by AD FS, it must be registered in the system. The PowerShell command below performs the necessary installation actions, including installation in the GAC and registration in the AD FS farm.
    - The PS command below installs the threat detection module on the MAIN ADFS node:
     
    Install-SecureMfaThreatDetectionModule
 
    - The PS command below installs the threat detection module on the OTHER ADFS node(s):
     
    Install-SecureMfaThreatDetectionModule -NotMainNode
 
    NOTE: If you are using a federation server farm that uses the Windows Internal Database (WID), you must start the installation on the primary federation server of the farm as the MAIN node.
    The installation must be executed on an ADFS farm server (not on the Web Application Proxy servers).
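    The steps above, combined into one script, as an added example (this is not part of the SecureMFA_TDM package or its documentation). It assumes that tenantname, clientid, clientsecret and verboselog are top-level properties of SecureMfaThreatDetectionModule.json, that the AD FS service is named adfssrv, and that the tenant and client ID values are placeholders you replace with your own. It refuses to register the module as the MAIN node on anything other than the primary federation server and locks down the JSON file because it holds the client secret in clear text.

```powershell
#Requires -RunAsAdministrator
# Added example: deploy SecureMFA_TDM on one AD FS farm node. Run with -MainNode on the
# primary federation server first, then without it on every other farm node.
param([switch]$MainNode)

$moduleName = 'SecureMFA_TDM'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$configPath = Join-Path $modulePath 'SecureMfaThreatDetectionModule.json'

# Step 1: pull the module from PSGallery. On a disconnected server, run
#   Save-Module -Name SecureMFA_TDM -Path <share>
# on an Internet-connected host and copy the resulting folder to $modulePath instead.
if (-not (Get-Module -ListAvailable -Name $moduleName)) {
    Install-Module -Name $moduleName -Repository PSGallery -Scope AllUsers -Force
}
if (-not (Test-Path $configPath)) { throw "Configuration file not found: $configPath" }

# Step 2: fill in the Azure AD Identity Protection settings (key names assumed from the README;
# tenant and client ID are placeholders). The secret is prompted for, never hard-coded in the script.
$config = Get-Content -Path $configPath -Raw | ConvertFrom-Json
$config.tenantname   = 'contoso.onmicrosoft.com'
$config.clientid     = '00000000-0000-0000-0000-000000000000'
$config.clientsecret = Read-Host -Prompt 'Azure AD application client secret'

# Step 3: never deploy to production with verbose logging on; it can write secrets to the event log.
$config.verboselog = $false
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $configPath -Encoding UTF8

# The file now contains an application secret in clear text: replace inherited permissions with
# explicit ones for administrators, SYSTEM and the AD FS service account (assumed service name adfssrv).
$serviceAccount = (Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'").StartName
if (-not $serviceAccount) { throw 'AD FS service (adfssrv) not found; run this on a farm node, not a WAP server.' }
$acl = Get-Acl -Path $configPath
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
foreach ($entry in @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $serviceAccount;          Rights = 'Read' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry.Id, $entry.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $configPath -AclObject $acl

# Step 5: register the module with AD FS. On a WID farm only the primary computer may be the MAIN
# node, so refuse -MainNode anywhere else. (Nodes of a SQL-backed farm all report PrimaryComputer,
# so this guard only bites on WID farms, which is where the README's restriction applies.)
Import-Module -Name $moduleName
$role = (Get-AdfsSyncProperties).Role
if ($MainNode) {
    if ($role -ne 'PrimaryComputer') {
        throw "This node is $role; run the MAIN node installation on the primary federation server."
    }
    Install-SecureMfaThreatDetectionModule
} else {
    Install-SecureMfaThreatDetectionModule -NotMainNode
}
```

Run it once as `.\Deploy-SecureMfaTdm.ps1 -MainNode` on the primary federation server, then as `.\Deploy-SecureMfaTdm.ps1` on each remaining farm node; the WID check relies on `Get-AdfsSyncProperties`, which is available on any AD FS farm node but not on a Web Application Proxy.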