Azure MFA NPS extension replacing MFA Server
Within Azure there are multiple ways to set up MFA. Where you would have installed MFA Server in the past, there is now a new extension. Microsoft is going to leave MFA Server behind in the near future (security updates will continue to be published for now).
Besides the NPS extension and the on-premise MFA Server, the best practice is to run MFA from the Azure cloud where possible. But that isn't always an option, so let's move on to the NPS extension. Let's start with the requirements.
Requirements:
– Server 2016/2019 with ADFS version 4
– Server 2016/2019 hosting the NPS role, which performs RADIUS authentication
– Users must be synchronized between the local Active Directory and Azure Active Directory
– An Azure AD Premium or EM+S license must be assigned to the user
– NPS Extension for Azure MFA (Download link: https://aka.ms/npsmfa)
What does it look like in a simple overview? As shown in the picture below, we have two scenarios. In the first, a user working from home connects with a VPN client to the VPN device (for example Cisco AnyConnect with a Cisco ASA) over an IPsec VPN. The VPN device uses the on-premise NPS server(s) to authenticate the user against the local AD, and from there the request goes on to the Azure MFA cloud service, which sends the second-factor prompt to the user. Only once both authentication methods are approved is the user logged on. The same applies to web applications; this could be ADFS, RDS, Citrix or any other (custom) application.
Installation of the NPS Extension is straightforward.
Microsoft has written a nice document on how to implement the extension for your VPN solution:
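Before pointing a VPN device or gateway at the NPS server, it is worth verifying the requirements above and the outbound path to the Azure MFA service. The following PowerShell pre-flight check is an added example, not part of the original article or Microsoft's installer; the registry locations, service name and endpoints follow Microsoft's public documentation for the extension, TENANT-ID-PLACEHOLDER must be replaced with your own tenant ID, and matching the client certificate on the tenant ID in its subject is an assumption to adjust if your certificate differs.

```powershell
# Pre-flight check for an NPS server running the Azure MFA NPS extension (added example).
#Requires -RunAsAdministrator
param([string]$TenantId = 'TENANT-ID-PLACEHOLDER')   # placeholder: your Azure AD tenant ID

$results = [ordered]@{}

# 1. OS must be Windows Server 2016 or later (build 14393 is Server 2016)
$os = Get-CimInstance Win32_OperatingSystem
$results['Windows Server 2016+'] = ([version]$os.Version).Build -ge 14393

# 2. NPS role (feature NPAS) installed and the NPS service (IAS) running
$results['NPS role installed']  = (Get-WindowsFeature -Name NPAS).Installed
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
$results['NPS service running'] = ($svc -and $svc.Status -eq 'Running')

# 3. Extension DLLs registered with the NPS service (AuthSrv parameters)
$authSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
$p = Get-ItemProperty -Path $authSrv -ErrorAction SilentlyContinue
$results['Extension DLLs registered'] =
    ($p.AuthorizationDLLs -match 'AzureMfa') -and ($p.ExtensionDLLs -match 'AzureMfa')

# 4. Fail-closed setting: REQUIRE_USER_MATCH defaults to TRUE; only an explicit FALSE
#    lets users who are not enrolled for MFA through on the first factor alone.
$mfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$match = (Get-ItemProperty -Path $mfaKey -ErrorAction SilentlyContinue).REQUIRE_USER_MATCH
$results['REQUIRE_USER_MATCH not FALSE'] = ($match -ne 'FALSE')

# 5. Client certificate created by the extension's configuration script (assumption:
#    its subject contains the tenant ID) is present and not expired
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$TenantId*" -and $_.NotAfter -gt (Get-Date) }
$results['Tenant client certificate valid'] = [bool]$cert

# 6. Outbound TCP 443 to the Azure MFA endpoints the extension talks to
foreach ($h in 'adnotifications.windowsazure.com', 'login.microsoftonline.com') {
    $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 to $h"] = $tnc.TcpTestSucceeded
}

# Print a simple OK/FAIL report; any FAIL should be resolved before go-live
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

A FAIL on check 4 means the server is configured to pass users without a registered MFA method on a single factor, which defeats the purpose of the extension for those accounts.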
https://docs.microsoft.com/eu-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
And they did one as well for the Remote Desktop Gateway:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
Want to help improve this article? Please let me know by replying to this article.
I've recently started a site, and the info you offer on this site has helped me tremendously. Thank you for all of your time and work.
You really make it seem so easy with your presentation, but I find this topic to be actually something which I think I would never understand. It seems too complicated and very broad for me. I'm looking forward to your next post; I will try to get the hang of it!
Thank you for another informative web site. Where else could I get that kind of info written in such a perfect way? I have a project that I'm just now working on, and I've been on the lookout for such info.
Generally I don't read posts on blogs, but I wish to say that this write-up really forced me to try and do so! Your writing style has amazed me. Thanks, quite a nice post.
Nice article, it is easy to get confused with the multiple configuration options and a good working example like this is a major help.
Hi,
I understood that O365 also comes with MFA functionality. Can I set it up the same way using O365's MFA without an Azure AD Premium plan?
Thanks in advance,
Netlynker
Hi,
Yes you can! All Office 365 services come with free MFA support. If you want to set it up, go to a user in the Office 365 portal and select MFA setup.
Cor