In this blog post i will show you how to setup a Microsoft VPN connection with the new NPS Extension for Azure AD MFA.
This is new service that the Microsoft NPS team just released, that adds an Extension to the Windows Network Policy Server.
When using the NPS extension for Azure MFA, the authentication flow includes the following components:
- NAS/VPN Server receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
- NPS Server connects to Active Directory to perform the primary authentication for the RADIUS requests and, upon success, passes the request to any installed extensions.
- NPS Extension triggers a request to Azure MFA for the secondary authentication. Once the extension receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim, issued by Azure STS.
- Azure MFA communicates with Azure Active Directory to retrieve the user’s details and performs the secondary authentication using a verification method configured to the user.
The following diagram illustrates this high-level authentication request flow: