
The Azure MFA NPS Extension simplifies multi-factor authentication setup by eliminating the need for a dedicated server or infrastructure. This extension allows organizations to leverage their existing Network Policy Server (NPS) infrastructure to deploy Azure Multi-Factor Authentication (MFA).
This streamlined setup process reduces the complexity and cost associated with deploying MFA. By integrating NPS with Azure MFA, organizations can centralize their authentication and authorization processes.
The Azure MFA NPS Extension supports both on-premises and cloud-based NPS servers.
Azure MFA Configuration
To set up Azure MFA with the NPS extension, you'll need to configure multifactor authentication for users. For assistance, see the articles "Planning a cloud-based Microsoft Entra multifactor authentication deployment" and "Set up my account for two-step verification".
The NPS extension requires a self-signed certificate for secure communications. You can use a Graph PowerShell script to configure the certificate, which performs several actions, including creating a self-signed certificate and storing it in the local machine store.
To use the script, you'll need to run Graph PowerShell as an administrator and enter your Microsoft Entra administrative credentials and tenant ID. The account must be in the same Microsoft Entra tenant as the extension.
The REQUIRE_USER_MATCH registry key is case sensitive, and its value must be written in upper case. Create a new string value named REQUIRE_USER_MATCH under HKLM\SOFTWARE\Microsoft\AzureMfa and set it to TRUE or FALSE.
Here are the possible settings for the REQUIRE_USER_MATCH registry key:
- TRUE, or the value left blank: every authentication request is subject to an MFA challenge.
- FALSE: MFA challenges are issued only to users who are enrolled in Microsoft Entra multifactor authentication.
Setting the value to FALSE is the registry option for environments where not all users are enrolled yet, so that only enrolled users are challenged for a second factor; the alternative is a separate RADIUS server for users who are not configured for MFA.
Azure MFA Prerequisites
To set up Azure MFA with the NPS extension, you'll need to have the following prerequisites in place.
You must have a VPN infrastructure to integrate MFA with.
The Network Policy and Access Services role is also required.
You'll need a Microsoft Entra multifactor authentication license.
Windows Server software must be installed.
The required libraries must be installed: the Visual C++ Redistributable package and the Azure AD PowerShell module.
Microsoft Entra ID must be synced with on-premises Active Directory.
The GUID (tenant ID) of your Microsoft Entra tenant is also required.
Organizations must have a license for Azure MFA to use the NPS extension.
Azure MFA is available through Azure AD Premium, Enterprise Mobility and Security, or an MFA standalone license.
However, consumption-based licenses like per user or per authentication aren't compatible with the NPS extension.
The free Azure AD tier and Office 365/Microsoft 365 Apps licenses also won't work with the NPS extension.
On-premises servers must run Windows Server 2012 or higher to work with the NPS extension.
To complete the NPS extension configuration, you'll need to install the Visual C++ Redistributable package and the Azure AD PowerShell module.
The NPS extension requires internet access and must be able to connect to specific URLs over ports 80 and 443.
Here are the specific URLs that the NPS extension needs to connect to:
- https://adnotifications.windowsazure.com
- https://login.microsoftonline.com
- https://credentials.azure.com
All users who will rely on the NPS extension for MFA must be synchronized to Azure AD via Azure AD Connect.
Implementing the NPS extension also requires all authentication to use MFA.
Azure MFA Troubleshooting
If the configuration is not working as expected, begin troubleshooting by verifying that the user is configured to use MFA. Have the user sign in to the Microsoft Entra admin center.
To isolate the cause of the issue, you can use a script to run against Azure MFA NPS Extension servers to perform some basic checks. The script will help detect any issues and provide a quick summary of each available option.
You can check accessibility to https://login.microsoftonline.us, https://adnotifications.windowsazure.us, and https://strongauthenticationservice.auth.microsoft.us. This will help identify any connectivity issues.
Review the Event Viewer logs, specifically within the AzureMFA event list, to help administrators with troubleshooting. Error details are also available within the Custom Views option of the Event Logs for Network Policy and Access Services.
Restart NPS and run verification tests to check that the system is working as expected: verify the certificates, the Azure AD Connect account synchronization, and the NPS server's internet access.
Here are some common issues found in many NPS extension implementations:
Azure MFA Health Check
Azure MFA Health Check is a crucial step in ensuring the smooth operation of your Azure MFA NPS Extension. It allows you to perform some basic checks to detect any issues.
You can run a script against Azure MFA NPS Extension servers to perform these checks. The script offers several options, including isolating the cause of an issue, checking a full set of tests, and testing MFA for a specific user.
To isolate the cause of the issue, the script will export MFA RegKeys, restart NPS, test, import RegKeys, and restart NPS. This will help you determine if the issue is related to NPS or MFA.
The script also allows you to check a full set of tests when not all users can use the MFA NPS Extension. This includes testing access to Azure and creating an HTML report.
If you need to troubleshoot a specific user's issue, you can use the script to test MFA for a specific UPN.
In addition to these options, the script can also be used to collect logs to contact Microsoft support. This will provide you with an HTML report containing the necessary logs.
Here are the specific tests that the script can perform:
- Check accessibility to https://login.microsoftonline.us
- Check accessibility to https://adnotifications.windowsazure.us
- Check accessibility to https://strongauthenticationservice.auth.microsoft.us
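The verification steps in the troubleshooting section and the health-check tests above, as an added example (neither the page's script nor Microsoft's sample script): a PowerShell audit that checks the REQUIRE_USER_MATCH key, outbound reachability to the MFA endpoints on port 443, a certificate with a private key in the local machine store, the NPS service state, and recent errors in the AzureMfa event logs. Assumed: the .com endpoints from the prerequisites list as defaults (substitute the .us endpoints listed above where those apply), the NPS service name IAS, and a hypothetical certificate subject filter you narrow to your own certificate.

```powershell
# Added example (not from the page or Microsoft): basic health checks for an NPS server
# running the Azure MFA NPS extension. Assumptions: endpoint list taken from the page,
# NPS service name "IAS", and a subject filter you adjust to your own certificate.
param(
    [string[]]$Endpoints = @('adnotifications.windowsazure.com',
                             'login.microsoftonline.com',
                             'credentials.azure.com'),
    [string]$CertSubjectFilter = '*'    # hypothetical: narrow to the NPS extension cert
)

$results = [ordered]@{}

# 1. Registry: REQUIRE_USER_MATCH must be TRUE, FALSE or absent (blank behaves as TRUE)
$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$match = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).REQUIRE_USER_MATCH
if ($null -eq $match -or $match -eq '') {
    $results['REQUIRE_USER_MATCH'] = 'not set (all requests challenged)'
} elseif ($match -cin @('TRUE', 'FALSE')) {        # -cin: case-sensitive comparison
    $results['REQUIRE_USER_MATCH'] = $match
} else {
    $results['REQUIRE_USER_MATCH'] = "WARNING: '$match' is not upper-case TRUE or FALSE"
}

# 2. Outbound TCP reachability on 443 to each Azure MFA endpoint
foreach ($ep in $Endpoints) {
    $ok = (Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    $results["tcp443 $ep"] = if ($ok) { 'reachable' } else { 'BLOCKED' }
}

# 3. A certificate with a private key in the local machine store
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $CertSubjectFilter -and $_.HasPrivateKey }
$results['certificate'] = if ($certs) {
    ($certs | ForEach-Object { "$($_.Thumbprint) expires $($_.NotAfter.ToShortDateString())" }) -join '; '
} else { 'WARNING: no certificate with a private key matched the filter' }

# 4. NPS service state (service name IAS, display name "Network Policy Server")
$results['NPS service (IAS)'] = (Get-Service -Name IAS -ErrorAction SilentlyContinue).Status

# 5. Recent Critical/Error events in the AzureMfa logs; log names are discovered, not hard-coded
$logs = Get-WinEvent -ListLog '*AzureMfa*' -ErrorAction SilentlyContinue
foreach ($log in $logs) {
    $errs = Get-WinEvent -LogName $log.LogName -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 2 }   # Level 1 = Critical, 2 = Error
    $results["errors in $($log.LogName)"] = @($errs).Count
}

$results.GetEnumerator() | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the NPS server; a BLOCKED endpoint, a missing private key, a stopped IAS service, or a non-zero error count points at the component to investigate next.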
Azure MFA Certificates
You'll need to configure certificates for secure communications and assurance when using the NPS extension.
The NPS components include a Graph PowerShell script that configures a self-signed certificate for use with NPS. The script:
- creates a self-signed certificate,
- associates the certificate's public key with the service principal in Microsoft Entra ID,
- stores the certificate in the local machine store,
- grants the network user access to the certificate's private key, and
- restarts the NPS service.
If you want to use your own certificates, you'll need to associate the public key of your certificate with the service principal on Microsoft Entra ID and follow the same steps as the script.
To use the script, provide the extension with your Microsoft Entra administrative credentials and the Microsoft Entra tenant ID that you copied earlier. The account must be in the same Microsoft Entra tenant as you wish to enable the extension for.
Here are the steps to run the script:
- Run Graph PowerShell as an administrator.
- Change the directory to "c:\Program Files\Microsoft\AzureMfa\Config" and select Enter.
- Enter .\AzureMfaNpsExtnConfigSetup.ps1 and select Enter.
- Enter your Microsoft Entra administrator credentials and password and select Sign in.
- Paste the tenant ID that you copied earlier and select Enter.
- Reboot the server.
Network Policy and Access Services
The Network Policy and Access Services role is a crucial component for configuring RADIUS for a VPN configuration. This role provides the RADIUS server and client functionality.
To install the Network Policy and Access Services role, you'll need to install it on a server other than your VPN server. This is a best practice, as recommended by Microsoft.
For Windows Server 2012 or later, you can install the Network Policy and Access Services role service by following the instructions in the article "Install a NAP Health Policy Server". Note that NAP is deprecated in Windows Server 2016.
Here are some key details to keep in mind when installing the Network Policy and Access Services role:
The NPS extension requires the Network Policy and Access Services role to be installed, and it's compatible with Windows Server 2008 R2 SP1 or later.
Configuring Azure MFA with Citrix ADC
Configuring Azure MFA with Citrix ADC requires careful setup to ensure seamless integration with your VPN server.
The REQUIRE_USER_MATCH registry key is case sensitive and must be set in UPPER CASE format.
To configure the NPS extension, you'll need to install and set up the Azure MFA server.
If all your VPN users are not enrolled in Microsoft Entra multifactor authentication, you can either set up another RADIUS server to authenticate users who are not configured to use MFA or create a registry entry that allows challenged users to provide a second authentication factor.
To create the registry entry, you'll need to add a new string value named REQUIRE_USER_MATCH in HKLM\SOFTWARE\Microsoft\AzureMfa.
Set the value to TRUE or FALSE. If the value is set to TRUE or is blank, all authentication requests are subject to an MFA challenge. If the value is set to FALSE, MFA challenges are issued only to users who are enrolled in Microsoft Entra multifactor authentication.
You should only use the FALSE setting in testing or in production environments during an onboarding period.
Network Policy and Access Services Role
The Network Policy and Access Services role provides the RADIUS server and client functionality on which the NPS extension depends.
Install the Network Policy and Access Services role on a member server or domain controller in your environment; the article recommends this and assumes it when describing how to configure RADIUS for a VPN configuration.
You should install the Network Policy and Access Services role on a server other than your VPN server. This is a best practice to ensure that your VPN server is not overwhelmed with authentication requests.
If you're using Windows Server 2012 or later, you can install the Network Policy and Access Services role service by following the instructions in the article "Install a NAP Health Policy Server". However, note that NAP is deprecated in Windows Server 2016.
The article also recommends installing NPS on a domain controller, as this is a best practice for NPS.
Windows Server and Management
Windows Server and Management is a crucial aspect of Azure MFA NPS extension. Windows Server 2008 R2 SP1 or later is required for the NPS extension, with the Network Policy and Access Services role installed.
To manage Windows Server, you'll need to consider the various options available. Microsoft offers a range of services, including Azure Active Directory and Azure Information Protection.
Azure Active Directory is more than just Active Directory in the cloud, with premium editions offering additional features. The premium editions stack up as follows:
- Azure Active Directory (Azure AD) Free: Offers basic directory services and authentication.
- Azure AD Premium: Adds advanced features, including identity protection and access reviews.
- Azure AD Premium P1: Includes additional features, such as privileged identity management and identity protection.
- Azure AD Premium P2: Offers advanced threat protection and security features.
By choosing the right edition, you can find the best fit for your organization's needs.
Microsoft Entra ID
Installing the NPS extension requires the GUID (tenant ID) of your Microsoft Entra tenant.
The instructions provided for getting Microsoft Entra multifactor authentication describe where to find this GUID.
The tenant ID ties the NPS extension to the Microsoft Entra tenant in which multifactor authentication is enabled for your users.
Factors to Consider
When you're planning to deploy the Azure MFA NPS extension, it's essential to consider a few key factors.
The size of your deployment can significantly impact your decision, as it will determine whether you can reuse an existing server or need to set up a dedicated one.
You'll also need to think about the authentication methods available within the NPS extension deployment. Two main factors affect this: the password algorithm used and the input method for second-factor verification.
The password algorithm used between the RADIUS client and the NPS extension is crucial. You have three options: PAP, CHAPV2, or EAP.
PAP is the most versatile option, supporting every authentication method within Azure AD MFA, including phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
CHAPV2 and EAP, on the other hand, only support phone call and mobile app notification.
Ultimately, the choice of password algorithm will depend on your specific needs and requirements.
Sources
- https://christiaanbrinkhoff.com/2017/02/17/how-to-configure-azure-mfa-for-citrix-netscaler-gateway-radius-by-using-the-new-nps-extension/
- https://github.com/Azure-Samples/azure-mfa-nps-extension-health-check
- https://community.watchguard.com/watchguard-community/discussion/3829/azure-mfa-with-nps-extension
- https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-vpn
- https://www.techtarget.com/searchwindowsserver/tip/Azure-MFA-NPS-extension-boosts-authentication-capabilities