Connect VPN using Azure MFA NPS extension

Azure MFA have a extension for Microsoft NPS (Network policy server) that can be used to connect on-premise Active Directory to Azure MFA for strong authentication. Today the team that I was working on investigated if this can be used WITHOUT synchronized (hybrid) identities and had a successful result.

The environment and setup

  • Cloud identities only (
  • Local Active Directory with users (
  • NPS server joined to Active Directory
  • NPS extension installed and configured
  • Cloud identity have a license that allows Azure MFA (EMS suite in our case)
  • Cloud user have enrolled and registered for Azure MFA
  • Cloud user have set primary authentication option to either MFA app or Call
    (any option requiring additional input won't work)
Why have a Active Directory with cloud only identities ? 
This is a "fairly" uncommon scenario but happens in large enterprises. They often have a IDM solution managing different identities (same sign on; ID & PWD) for many applications, domains, Azure AD, etc. The Active Directory replaces a internal user directory in the VPN server (or similar).

NPS server & Azure MFA NPS Extension 
The NPS server is a RADIUS server which can be used with any service supporting RADIUS. The Azure MFA NPS extension adds the possibility to do strong authentication using the NPS environment. This creates a good solution for strong authentication using Azure MFA.

The NPS Extension can also be configured to match on another attribute than UPN using NPS extension advanced options.

What happens during logon ?

  1. User / application connects to the VPN gateway
  2. VPN gateway contacts the RADIUS server for authentication
  3. NPS server authenticates the user (ID & PWD) and continues if successful
  4. Fetches the UPN of the authenticated account
  5. Hands off the UPN to Azure MFA server for strong authentication
  6. Azure MFA check primary authentication method and challenges the user
  7. User responds to challenge (in Authenticator App or answers the call + #)
  8. If strong authentication is successful the NPS extension hands off OK to NPS server
  9. NPS server respons back to VPN gateway with successful authentication
  10. VPN gateway connects user to the network



drmanhattan said...

MFA NPS is bugged af way

Unknown said...

Hi. I would mine to get more info on the subject. It would app some value to the article. But thanks anyway.