Preview Azure MFA
One of the top requests we hear from our customers is to be able to secure their on-premises VPNs using Azure AD and our cloud-based MFA service. On 2/6 Microsoft was announcing the public preview of NPS Extension support in Azure MFA. This cool enhancement gives you the ability to protect your VPN using Azure MFA (which is included in Azure AD Premium) without having to install a new on-premises server.
This is another step along the road to realizing our vision of making Azure AD a complete, cloud based “Identity Control Plane” service that makes it easy for enterprises to assure their employees, partners and customers have access to all the right cloud and on-premises resources while assuring the highest levels of compliance and security.
About Azure MFA
Multi-factor authentication is an important tool to help safeguard data and applications while meeting user demands for a simple sign-in process. With Azure Multi-factor authentication (MFA), customers currently can choose between MFA Server (an on-premises solution) and cloud-based MFA (a cloud-based solution supported and maintained by Microsoft).
While MFA Server provides a rich set of features, more and more customers are choosing to use cloud-based MFA to secure their environment, to simplify it, reduce cost, and take advantage of powerful Azure AD features such as Conditional Access and Azure AD Identity Protection.
However, since cloud-based MFA services like Azure AD have not traditionally supported RADIUS authentication, customers who wanted to secure on-premises clients such as VPN had no choice but to deploy MFA Servers on-premises. With today’s release of the NPS Extension for Azure MFA, I’m excited to announce that we have closed this gap, and added the ability to secure RADIUS clients using cloud-based MFA!
The NPS extension for Azure MFA provides a simple way to add cloud-based MFA capabilities to your authentication infrastructure using your existing NPS servers. With the NPS extension, you’ll be able to add phone call, SMS, or phone app MFA to your existing authentication flow without having to install, configure, and maintain new servers.
How does the NPS Extension for Azure MFA work?
With the NPS Extension for Azure MFA, which is installed as an extension to existing NPS Servers, the authentication flow includes the following components:
- User/VPN Client: Initiates the authentication request.
- NAS Server/VPN Server: Receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
- NPS Server: Connects to Active Directory to perform the primary authentication for the RADIUS requests and, if successful, pass the request to any installed NPS extensions.
- NPS Extension: Triggers an MFA request to Azure cloud-based MFA to perform the secondary authentication. Once it receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim issued by Azure STS.
- Azure MFA: Communicates with Azure Active Directory to retrieve the user’s details and performs the secondary authentication using a verification method configured for the user.
Check out the high-level authentication request flow:
I encourage you to download and install the NPS extension for Azure MFA from the Microsoft Download Center and start testing this feature.
The NPS Extension for Azure MFA is available to customers with licenses for Azure Multi-Factor authentication (included with Azure AD Premium, EMS, or an MFA subscription). In addition, you will need Windows Server 2008 R2 SP1 or above with the NPS component enabled.
All users using the NPS extension must be synced to Azure Active Directory using Azure AD Connect and be registered for MFA.
To install the extension, simply run the installation package and the PowerShell script it generates, which associates the extension with your tenant. Then, configure your RADIUS client to authenticate through your NPS Server.
The fine print
This release of the NPS Extension for Azure MFA targets new deployments and does not include tools to migrate users and settings from MFA Server to the cloud.
Like with MFA Server, once you enable MFA for a RADIUS client using the NPS Extension, all authentications for this client will be required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them. Configure RADIUS clients that you want to use MFA with to send requests to the NPS server configured with the extension, and other RADIUS clients to send requests to the NPS server that don’t have the extensions.