Azure MFA Extensions and Network Policy Server

Half legacy, half cloud. Many organizations use NPS to secure their WLAN and LAN access, or simply to authenticate users based on their location in AD or their group memberships.

NPS is Microsoft's RADIUS-based access management solution, and it has stayed essentially the same since Server 2008 R2; no big game changers here.

Microsoft used to have a standalone on-premises version of MFA called MFA Server, but as of July 1, 2019, Microsoft no longer offers MFA Server for new deployments, and organizations that want to use MFA have to move to Azure MFA.

This is not a big deal, though: Microsoft offers the MFA NPS Extension for the NPS server to move organizations to cloud-based two-factor authentication.

Who can use Azure MFA?

Organizations that have Azure AD Premium, EMS, or a stand-alone MFA license can use this feature.

How Azure MFA works

NPS receives an authentication request, for example from a third-party VPN solution, carrying a user attribute such as group membership; RADIUS returns this information to the requester. The requester acknowledges the response and sends a second authentication request for the user name.

RADIUS then passes this request to the MFA NPS Extension, which forwards it to Azure. Azure checks the user's registered authentication methods and sends the authentication request to the user's predefined device or through the method the user has chosen.

When the user has successfully completed the authentication, Azure sends a notification to RADIUS, which passes it on to the VPN solution, and the user is signed in to the VPN.

The extension requires Windows Server 2012 or above.

Only two-way SMS is no longer supported, as it was completely deprecated on February 24, 2021.

Use Azure AD Multi-Factor Authentication with NPS - Azure Active Directory | Microsoft Docs

How to configure Azure MFA NPS Extension

The extension is installed directly on the NPS server so RADIUS can use it freely, and it can be installed on Server 2012 and above.

Download the MFA Extension from https://aka.ms/npsmfa and run setup.exe.

When it completes, enable TLS 1.2 by running the line below from an administrative PowerShell. This setting only applies to the current PowerShell session, so run the configuration script from that same session.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Then configure the extension by running C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1; you will be asked for Global Admin credentials.

Quick tip! The new Hybrid Identity Administrator role will also work for this setup.

You will need your Azure tenant ID, and you can find it:

With Azure PowerShell

Connect-AzAccount
Get-AzTenant

With Azure CLI

az login
az account list
az account tenant list

With the M365 CLI

m365 tenant id

Or with the GUI

  1. Sign in to the Azure portal.
  2. Select Azure Active Directory.
  3. Select Properties.
  4. Then scroll down to the Tenant ID field. Your tenant ID is shown in the box.

[Screenshot: Azure Active Directory > Properties > Tenant ID field]

The installer asks for this tenant ID to register your MFA Extension with the correct tenant.

Notes about Azure MFA NPS Extension

The certificates the script generates are valid for 2 years. Monitor their expiry date: once they expire, the extension stops working.

For users who are not enrolled in MFA, you need to set REQUIRE_USER_MATCH in the registry of the NPS server that has the extension installed.

Navigate to HKLM\SOFTWARE\Microsoft\AzureMfa, create a new string value named REQUIRE_USER_MATCH and set its value to TRUE.

[Screenshot: the "Require User Match" registry setting]

You can check the successful logins with:

# NPS event 6272: Network Policy Server granted access to a user
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272 } | Format-List

Or check the Security log in the Event Viewer GUI.

[Screenshot: example Network Policy Server log entry]

You can find debug information in the AzureMfa/AuthN/AuthNOptCh, AzureMfa/AuthZ/AuthZAdminCh, and AzureMfa/AuthZ/AuthZOptCh event logs.
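Added example, not from the original post and not Microsoft's health check script: a PowerShell check that ties the notes above together. It reads REQUIRE_USER_MATCH from HKLM\SOFTWARE\Microsoft\AzureMfa, warns when the extension's 2-year certificate is close to expiring, and summarises NPS grants (event 6272) and denials (6273) per user from the Security log. It assumes the certificate subject contains "OU=Microsoft NPS Extension" and that 6273 is the denial counterpart of 6272.

```powershell
# Added example (not from the original post and not Microsoft's health check script).
# Assumptions: the certificate created by AzureMfaNpsExtnConfigSetup.ps1 sits in
# Cert:\LocalMachine\My with "OU=Microsoft NPS Extension" in its subject, and event
# ID 6273 is the NPS "access denied" counterpart of 6272.
param(
    [int]$WarnDays = 60,   # warn when the extension certificate expires within this many days
    [int]$Hours    = 24    # how far back to look in the Security log
)

$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

# 1. Registry: is REQUIRE_USER_MATCH present, and what is it set to?
$userMatch = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).REQUIRE_USER_MATCH
if ($null -eq $userMatch) { Write-Warning "REQUIRE_USER_MATCH is not set under $regPath" }
else                      { Write-Output  "REQUIRE_USER_MATCH = $userMatch" }

# 2. Certificate: the config script issues a 2-year certificate; the extension stops working once it expires.
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like '*OU=Microsoft NPS Extension*' }   # assumed subject
if (-not $certs) { Write-Warning 'No Azure MFA NPS Extension certificate found in LocalMachine\My' }
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    $msg = "Certificate $($c.Thumbprint) expires $($c.NotAfter.ToString('yyyy-MM-dd')) ($daysLeft days left)"
    if ($daysLeft -le $WarnDays) { Write-Warning $msg } else { Write-Output $msg }
}

# 3. Security log: NPS grants (6272) and denials (6273) per user, with the denial reason, for the last $Hours hours.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read named fields from the event XML instead of relying on positional Properties[] indexes.
    $data  = ([xml]$_.ToXml()).Event.EventData.Data
    $field = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
    $result = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
    $reason = if ($_.Id -eq 6273) { & $field 'Reason' } else { '' }
    [pscustomobject]@{
        User   = & $field 'SubjectUserName'
        Result = $result
        Reason = $reason
    }
} | Group-Object User, Result, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from an administrative PowerShell on the NPS server; reading the Security log and the LocalMachine certificate store requires elevation.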

You can also see the auth requests in Wireshark, either with the radius display filter or by filtering on the source address and the destination port:

ip.src == IpAddressOfSource && udp.dstport == 1812

if you used the default RADIUS authentication port.

[Screenshot: Microsoft Message Analyzer showing the filtered traffic]

More info: https://wiki.wireshark.org/Radius

Or use the Microsoft-provided MFA health check script, which checks the module.

It checks the following, actually almost everything that could go wrong:

  1. Check accessibility to https://login.microsoftonline.com
  2. Check accessibility to https://adnotifications.windowsazure.com
  3. Check the MFA version.
  4. Check if the NPS service is running.
  5. Check if the SPN for Azure MFA exists and is enabled.
  6. Check if the Authorization and Extension registry keys have the right values.
  7. Check if other Azure MFA related registry keys have the right values.
  8. Check if there is a valid certificate matching the certificates stored in Azure AD.
  9. Check the time synchronization on the server.
  10. Compare the server time with a reliable time server.
  11. Check for missing updates on the server.

[Screenshot: example PowerShell output of the health check script]

Quick tip! In China, Azure MFA doesn't currently support mobile device notifications, as mobile phone notification services are not working there. You can only use OTP for MFA.

What next, after Azure MFA is registered?

You can use Azure Identity Protection for monitoring and reacting to risks, or Defender for Identity for hunting on-premises issues such as lateral movement and risky paths.

With Conditional Access you will have more control over identity sign-ins in the cloud.

Stay tuned, and stay 2-factored, or passwordless if it suits you better.

Author: Harri Jaakkonen
