Azure MFA Extensions and Network Policy Server

Half legacy but half cloud. Many organizations use NPS for securing their wlan and lan traffic or just to authenticate user based on their location inside AD or group memberships.

NPS is Microsoft radius-based access management solutions that has been the same from Server 2008 R2, no big game changers here.

Microsoft use to have an standalone on-premise version of MFA called MFA Server, but as of July 1, 2019, Microsoft no longer offers MFA Server for new deployments and organizations that want to use MFA have to move to Azure MFA.

But this is not a big deal, Microsoft offers MFA NPS Extension for NPS server to transfer organizations to the cloud based two-factor authentication.

Who can use Azure MFA?

Organization that have Azure AD Premium, EMS, or an MFA stand-alone license can use this feature.

How Azure MFA works

NPS get a authentication request example from Third-party VPN-solution with a user attribute ex. User group membership, radius will send this info to the requester. The requester acknowledges the request and sends the second authentication request for the user name.

Then radius send this request to MFA NPS Extension which will send it to Azure. Azure will check users authentication methods and send the request for authentication to user predefined device or user defined way.

When the user successfully completed the authentication Azure will send a notification to radius which will send it the vpn-solution. And user will be signed to vpn.Windows Server 2012 or above.

Only Two-way SMS isn’t supported anymore as it was completely deprecated February 24, 2021.

Use Azure AD Multi-Factor Authentication with NPS - Azure Active Directory  | Microsoft Docs

How to configure Azure MFA NPS Extension

Extension will be installed to NPS Server directly so radius can use it freely and it can be installed to Server 2012 and above.

Download MFA Extension and run the setup.exe.

When it will completes, enable tls 1.2 by running below from Administrative PowerShell.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Then you will configure the extension by running C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1 and will be asked for Global Admin credentials.

Quicktip! The new Hybrid Identity Administrator will also work for this setup.

You will need Azure tenant ID and you can find:

With Azure PowerShell


With Azure Cli

az login
az account list
az account tenant list

With M365 Cli

m365 tenant id

Or with GUI

  1. Sign in to the Azure portal.
  2. Select Azure Active Directory.
  3. Select Properties.
  4. Then, scroll down to the Tenant ID field. Your tenant ID will be in the box.
Azure Active Directory - Properties - Tenant ID - Tenant ID field

The install will ask this tenant ID to register your MFA Extension to a correct tenant.

Notes about Azure MFA NPS Extension

The certificates the script generates are valid valid for 2 years. You have to monitor their revocation period if they expire extension will stop working.

For users that are not enrolled to MFA you need to enable REQUIRE_USER_MATCH in the registry of NPS Server that has extension installed.

Navigate to HKLM\SOFTWARE\Microsoft\AzureMfa and Create a new string value named REQUIRE_USER_MATCH and set the value to TRUE

The "Require User Match" setting

You can check the successful logins with.

Get-WinEvent -Logname Security | where {$_.ID -eq '6272'} | FL

Or checking with GUI from security log.

Example Network Policy Server log

You can debug information from AzureMfa/AuthN/AuthNOptCh, AzureMfa/AuthZ/AuthZAdminCh, and AzureMfa/AuthZ/AuthZOptCh event logs.

And can see the auth request with wireshark either with radius or with destion ports with

“ip.src==IpAddressOfSource and udp port 1812” if you used the default port. And without the brackets.

Microsoft Message Analyzer showing filtered traffic

More info

or with Microsoft provided MFA health check script which will check the module

It will check the following, actually almost all the thing that could be wrong.

  1. Check accessibility to
  2. Check accessibility to
  3. Check MFA version.
  4. Check if the NPS Service is Running.
  5. Check if the SPN for Azure MFA is Exist and Enabled.
  6. Check if Authorization and Extension registry keys have the right values.
  7. Check other Azure MFA related registry keys have the right values.
  8. Check if there is a valid certificated matched with the certificates stored in Azure AD.
  9. Check the time synchronization in the Server.
  10. Compare server time with reliable time server.
  11. Check all missing updates on the server.
Example PowerShell output

Quicktip! In China Azure MFA doesn’t currently support mobile device notification as mobile phone notification services are not working in there. You can only use OTP for MFA notification.

What after Azure MFA is registered?

You can use Azure Identity protection for monitoring and reacting to risks or Defender for Identity for hunting on-premises issues for lateral movement and risky paths.

With Conditional access you will have more control for your identity login in the cloud.

Stay tuned and 2factored or passwordless if it suits you more.

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *