Azure MFA NPS extension replacing MFA Server

Within Azure there are multiple ways to setup MFA. Where you would install MFA server in the past, there is a new extension. Microsoft is going to leave the MFA server behind in the near future (security updates will remain being published for now).

Besides the NPS extension and the MFA on-premise server the best practice is to run MFA from the Azure cloud where possible. But that isn’t always an option. So let’s move on to the NPS extension. Lets start with the requirements.

– Server 2016/2019 with ADFS version 4
– Server 2016/2019 hosting NPS services which performs Radius authentication.
– Users must be synchronized between local Active directory and Azure Active Directory
– Azure AD Premium or EM+S license must be assigned to the user
– NPS Extension for Azure MFA (Download link:

How does it look like in a simple overview? As shown in the picture below, we have 2 scenario’s. First one is a user working from home and connects with his VPN Client to the VPN device (Example: Cisco Any Connect with Cisco ASA VPN) using a IPSEC VPN. The VPN device uses the on-premise NPS server(s) to authenticate the user, which authenticates to the local AD, and from there on to the Azure MFA cloud service which sends the 2nd authentication message to the user. Once both authentication methods are approved, the user will be logged on. The same applies for the web applications. This could be ADFS, RDS, Citrix or any other (custom) application.

Installation of the NPS Extension is straight forward…

Microsoft has written a nice document how to implement the plugin with the extension for your VPN solution:

And they did one as well for the Remote Desktop gateway:

Want to help improve this article? please let me know by replying on this article.


Add a Comment

Your email address will not be published. Required fields are marked *