Using Azure MFA with RADIUS for VPN Access
We need staff to use MFA when connecting to our VPN. Luckily, Microsoft Azure has an MFA extension that you can install on your NPS RADIUS server!
Installation
Download the NPS Extension from Microsoft to your NPS server and run the installer. By default, the NPS Extension will install to C:\Program Files\Microsoft\AzureMfa.
Once installed, open PowerShell as Administrator and change to the Config directory:
cd "C:\Program Files\Microsoft\AzureMfa\Config"
Then run the setup script. The script will ask to download and install NuGet, which will install and set up various settings.
.\AzureMfaNpsExtnConfigSetup.ps1
When the script finally runs, you’ll be asked to sign in to your Azure instance. Your account will require Global Admin access for this step.
Next, you’ll be asked to enter your Tenant ID. This can be found by doing the following:
- Sign into the Azure Portal
- Select Azure Active Directory > Properties
- Copy the Directory ID
Paste the Tenant ID into PowerShell and hit Enter. The script will finish the setup and restart the NPS service. Once completed, press Enter to continue.
That’s it. You should be good to go and test the deployment. If all goes well, when you attempt to connect to your VPN, you’ll be prompted to approve the connection in the Microsoft Authenticator app.
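A post-install check to run in an elevated PowerShell session on the NPS server after a test connection. This is an added example, not part of the original post or Microsoft's scripts. It assumes the extension's certificate subject contains the Tenant ID and "Microsoft NPS Extension", that the extension's settings live under HKLM:\SOFTWARE\Microsoft\AzureMfa, and that NPS auditing is enabled so events 6272/6273 reach the Security log; `$TenantId` is a placeholder.

```powershell
# Added example: post-install checks for the Azure MFA NPS extension.
# Run as Administrator on the NPS server.
param(
    # Placeholder: replace with the Directory ID copied from the Azure Portal.
    [string]$TenantId = '00000000-0000-0000-0000-000000000000',
    # Warn when the extension certificate has fewer than this many days left.
    [int]$WarnDays = 60
)

# 1. The NPS service (service name IAS) should be running after the setup script's restart.
$nps = Get-Service -Name IAS
"NPS service status: $($nps.Status)"

# 2. Assumption: the extension keeps its settings under this registry key.
$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
"Extension registry key present: $(Test-Path $regPath)"

# 3. Assumption: the setup script creates a self-signed certificate whose subject
#    contains CN=<TenantId> and OU=Microsoft NPS Extension.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$TenantId*" -and $_.Subject -like '*Microsoft NPS Extension*'
}
if (-not $certs) {
    Write-Warning "No NPS extension certificate found for tenant $TenantId"
}
foreach ($c in $certs) {
    $daysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays
    "Certificate $($c.Thumbprint) expires $($c.NotAfter) ($daysLeft days left)"
    if ($daysLeft -lt $WarnDays) {
        # An expired certificate makes every MFA request fail, so flag it early.
        Write-Warning 'Extension certificate is close to expiry.'
    }
}

# 4. NPS decisions in the last hour: 6272 = access granted, 6273 = access denied.
#    These events only appear if Network Policy Server auditing is enabled.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | Group-Object Id | ForEach-Object { "Event $($_.Name): $($_.Count) in the last hour" }

# Show the most recent denials so a failed test connection can be diagnosed.
$events | Where-Object Id -eq 6273 |
    Select-Object -First 5 TimeCreated, Message | Format-List
```

A test connection that was approved in the Microsoft Authenticator app should show up as a 6272 event; a denied or timed-out prompt shows up as 6273.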
More information from Microsoft can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension