Two-step verification should be standard across your organization. In this lab, we will review how to configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) means adding two-step verification to secure the access to data. This enhanced security requires at least two of the following:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
For this lab, we will use Azure AD credentials (something you know) and a phone (something you have).
You can read the official documentation from Microsoft about MFA in Azure.
New POST from the Lab: Part 39 – Configure Multi-Factor Authentication with #Azure MFA Service and #CitrixWorkspace https://t.co/bAktrmwsWI #CitrixCloud #Workspace #MFA pic.twitter.com/PZ7ewfjcrH
— Nicolas Ignoto (@citrixguru) August 20, 2018
Microsoft offers 2 options to setup MFA with Azure:
- MFA in the Cloud (as a Service)
- MFA Server
You can read the documentation available here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-whichversion to find more details about the best solution for you.
Microsoft offers basic two-step verification features to Office 365 and Azure Active Directory (Azure AD) Administrators for no extra cost. For example, users assigned the Azure AD Global Administrator role in Azure AD tenants can enable two-step verification for free. But you still need to purchase licenses for standard users. However, if you wish to take advantage of advanced features then you should purchase the full version of Azure Multi-Factor Authentication (MFA).
Note: You can test that Azure MFA is working for you by opening a new browser window in InPrivate or incognito mode and browse to https://account.activedirectory.windowsazure.com.
You can take one of two approaches for requiring two-step verification. The first option (and the one we will use in this lab) is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on). The second option is to set up a conditional access policy that requires two-step verification under certain conditions (Source: Microsoft).
Getting started
For this lab, you need the following:
- Citrix Workspace configured in Citrix Cloud. See Lab: Part 28 – Getting started with Citrix Cloud and Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Azure AD configured in Microsoft Cloud. See Lab: Part 27 – Getting started with Microsoft Azure
- Citrix Cloud and Azure must be linked together. See Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
Configure MFA with Azure AD and Citrix Workspace
Requirements in Citrix Cloud
Go to Citrix Cloud > Identity Management and make sure that Azure Active Directory is configured and enabled. You must connect Citrix Cloud to Azure, check this post if you need more info: Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD.

Go to Citrix Cloud > Workspace Configuration and select Azure Active Directory.

Note: by enabling Azure Active Directory in Workspace Configuration, you will enforce Azure AD and prevent any other type of authentication.
Requirements in Microsoft Azure
In Microsoft Azure, go to Home > Default Directory > Users – All users and select Multi-factor Authentication.
You will be redirected to another URL (https://account.activedirectory.windowsazure.com) to manage MFA configuration for your users.

You can select 1 or multiple users to configure MFA. In this example, I’ve selected my [email protected] user. Click on Enable to Turn On MFA for this user.

Select Enable Multi-Factor Auth to confirm.

MFA is enabled.

Now next logon, you will be prompted to configure MFA for this user.
Test Multi-factor authentication with Citrix Workspace
Logon to Citrix Workspace with an account that has MFA enabled. Here we will use [email protected].

Enter your password.

First logon? Microsoft will require more information to configure MFA.

Configure how you want the verification to be done. Here we will pick phone authentication.

You will be prompted to enter the code sent by text to validate the phone number.

App password if needed for some apps.

Now you can logon for real.

Select Stay signed-in to avoid future prompts.

Citrix Workspace will take a little time to logon. I’ve noticed that with MFA, the logon is slower.

Then you are logged in with Citrix Workspace.

That’s all to configure basic Multi-factor authentication (MFA) with Citrix Workspace and Microsoft Azure AD. I hope it helped. You can learn about enhanced features available with Azure MFA like trusted IPs, custom voice messages, and fraud alerts, see the article Configure Azure Multi-Factor Authentication settings.
Cheers.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering