How to move the MFA Service Provider from one Azure subscription to another

Keep the following procedure in mind in case you ever need it.
A couple of days ago a customer decided to create a new Azure subscription and move the MFA service provider from one Azure subscription to the new one.
After hearing this request, the first thing that came to my mind was scary.
But after a few minutes of calm, this is what I did.

1- I created a new MFA Provider in the new Azure subscription.

2- On each MFA server, I deleted all files in the path `C:\Program Files\Multi-Factor Authentication Server\Data` except the database named Phonefactor.pfdata.

3- Note that when you delete those files you lose the association between the MFA provider and the subscription, so Activation credentials will be required the next time you open the MFA Manager Console.

4- Generate new Activation credentials from the new subscription.

5- Activate the license using the new Activation credentials.

6- The activation process recreates the previously deleted files and associates the MFA servers with the new Azure subscription.

7- Once the service has been activated you can delete the old MFA provider.
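
Step 2 is the only destructive step, so it is worth scripting with a backup and an integrity check on the database. The following is an added example, not the script used in this post: the function name and the backup location `C:\MfaDataBackup` are assumptions, and it assumes an elevated PowerShell session on the MFA server with the MFA Manager Console closed.

```powershell
# Added example: step 2 with a backup and a database integrity check.
# Assumptions (not from the post): function name, backup location, console closed.
function Reset-MfaServerAssociation {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Data folder named in the post
        [string]$DataPath = 'C:\Program Files\Multi-Factor Authentication Server\Data',
        # Database file the post says to keep
        [string]$KeepFile = 'Phonefactor.pfdata',
        # Hypothetical backup root; pick a location with restricted ACLs,
        # because the copied files tie the server to the old provider
        [string]$BackupRoot = 'C:\MfaDataBackup'
    )

    $db = Join-Path $DataPath $KeepFile
    if (-not (Test-Path -LiteralPath $db -PathType Leaf)) {
        throw "Database '$db' not found; refusing to delete anything."
    }

    # Copy the whole folder first so the old association can be restored.
    $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    if ($PSCmdlet.ShouldProcess($DataPath, "Back up to $backup")) {
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        Copy-Item -Path (Join-Path $DataPath '*') -Destination $backup -Recurse -Force
    }

    $hashBefore = (Get-FileHash -LiteralPath $db -Algorithm SHA256).Hash

    # Delete every file except the user database (-ne is case-insensitive).
    Get-ChildItem -LiteralPath $DataPath -File |
        Where-Object { $_.Name -ne $KeepFile } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete')) {
                Remove-Item -LiteralPath $_.FullName -Force
            }
        }

    # The database must be unchanged after the cleanup.
    $hashAfter = (Get-FileHash -LiteralPath $db -Algorithm SHA256).Hash
    if ($hashBefore -ne $hashAfter) {
        throw 'Database hash changed during cleanup; restore from backup.'
    }
    Get-ChildItem -LiteralPath $DataPath -File | Select-Object Name, Length, LastWriteTime
}

# Dry run first: reports what would be copied and deleted without touching disk.
Reset-MfaServerAssociation -WhatIf
```

Run it once with `-WhatIf` on each server, review the list, then run it again without the switch and confirm the prompts before continuing with step 4.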

Note that users who are enrolled for phone call or text authentication will not be impacted by this change, but mobile app push notifications may stop working for some users of the app. If this happens, users will need to reactivate the mobile app after the change to start using it again.

In my scenario, using SMS (one-way) and OATH tokens, the experience was great and no re-enrollment process was required.

