Apply MFA for IIS Apps

UserLock can enforce multi-factor authentication (MFA) on IIS-based applications such as Outlook Web Access (OWA), RDWeb, SharePoint, CRM, or custom intranet sites. When a user signs in, the IIS UserLock agent redirects them to a dedicated MFA web application where they enroll and validate their MFA code before accessing the protected resource.

Published March 18, 2025

Prerequisites

  • The IIS applications must be protected by the UserLock IIS agent using HTTP Module technology.

  • The IIS MFA feature must be installed on the IIS server.

  • The IIS MFA server must be accessible both internally (private network) and externally (Internet).

  • The external router/firewall must allow traffic to the IIS MFA port and redirect it to the server.

Example: An Exchange Client Access Server typically meets these requirements.

Step 1. Install the IIS agent

  1. Run the UserLock console.

  2. On the Environment ▸ Machines page, find the row for the IIS server that will host the IIS applications to protect with UserLock. In the IIS agents column, open the agent button and click Install.

  3. On that IIS server, configure each application to use the UserLock IIS agent (HTTP Module). See protecting IIS applications with UserLock agent.

Step 2. Install the IIS MFA feature

The IIS MFA feature is now included in the default UserLock installation.

If UserLock is not installed on the server:

  1. Run the UserLock installer and select Custom setup.

  2. From Modules, select IIS MFA.

If UserLock is already installed:

  1. Open Control Panel → Programs → UserLock → Change.

  2. Add the IIS MFA feature.

Step 3. Configure the MFA application in IIS

  1. Launch the Configuration Wizard from the Start menu.

  2. Click Configure next to MFA for IIS.

  3. Select the IIS website where the MFA app should be added.

  4. Complete the wizard to deploy the application.

Step 4. Register the MFA app in UserLock

  1. Open the UserLock console.

  2. Go to ⚙️ Server settings ▸ MFA.

  3. Enter the URL of the IIS MFA app you configured.

  4. Use Test to validate the connection.

  5. Click Save.

Step 5. Apply MFA to IIS sessions

To enforce MFA on IIS connections, you need to create a new access policy.

👉️ Follow the general steps described in Configure an access policy until you reach the Policy type selection. At this step, choose Multi-factor authentication.

You then arrive at the MFA rules form.

  1. Set MFA application to Enabled.

  2. Choose configuration mode:

    • All at once (same settings for all session types)

    • Distinct setting per session type (recommended, so you can configure MFA separately for IIS connections).

  3. Configure IIS session rules:

    • For Connection type, choose whether MFA applies to all IIS logons, only remote ones, or only from outside IPs.

    • For MFA frequency, select how often MFA is required (at every logon, at first logon of the day, when connecting from a new IP, etc.).

  4. Save the rules.
    The policy is now active and will enforce MFA on IIS connections.

Note

For the detailed meaning of the Connection type and MFA frequency options, see the MFA policies reference.

Step 6. Test MFA on IIS apps

  1. Browse to the protected IIS application (e.g., OWA).

  2. On the first login, the user is prompted to complete their MFA enrollment (QR code).

  3. On subsequent logins, only MFA validation is required.

Limitations

  • For Microsoft Exchange, IIS MFA supports OWA and Exchange Control Panel (ECP) only.

  • Unsupported Exchange apps remain excluded by default in the advanced settings.