Last week I wrote about the importance of using Multifactor and Modern Authentication, but what if I told you there was more: you can utilize Microsoft Azure MFA for RADIUS challenge-response!
That's right, you can use Microsoft Azure MFA for multifactor authentication of locally secured resources that use RADIUS authentication. Prior to July 2019 Microsoft provided a download called Azure Multi-Factor Authentication Server; installed locally on your network, this server would act as a RADIUS server and an access point for MFA communication. Unfortunately Microsoft no longer activates new instances of the Azure MFA Server, so what are new customers to do if they want to take full advantage of Microsoft MFA?
The answer is quite simple: install a local Windows-based server on your network and install the Azure NPS Extension. The Network Policy Server (NPS) Extension is a conduit between your local network and Azure Active Directory; installing it is easy and requires minimal configuration to integrate with Azure Active Directory. The installer creates a self-signed certificate which is then uploaded and installed in Azure Active Directory based on your tenant configuration; that certificate is what the NPS server uses to establish a TLS connection to Azure Active Directory, securing the connection.
Then configure your local RADIUS clients to use the NPS server that has the NPS Extension installed, which extends the Microsoft Azure MFA capability to those clients. This is a huge benefit for companies that are moving or have moved to Microsoft 365 but still have local clients that require MFA, such as VPNs and other applications that authenticate via RADIUS. The NPS Extension allows companies to use one MFA application on end-user devices, reducing confusion, frustration and cost.
Sounds great, right? There has to be a catch! Well, there are some requirements that need to be met to use Azure MFA with the NPS Extension; here they are in no particular order:
· You need to be licensed to use the Azure MFA service: organizations with Azure P1 and above or Azure Enterprise Mobile Security are allowed to use this service.
· The local on-premises identities need to be synced with Azure Active Directory: since the initial authentication request is made against the local Active Directory, the secondary request naturally has to be made against Azure for that same identity.
· Proper configuration of the NPS server is critical to ensure the correct RADIUS protocol and challenge-response behaviour is extended to your clients.
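To make the two-round flow described above concrete, here is an added simulation written for this post; it is not Microsoft's NPS Extension code, and the shared secret, user name, password and OTP are constructed values. A stand-in NPS server checks the password against a constructed local directory (the "first factor against local AD" step), answers with an Access-Challenge carrying a State attribute, and only issues Access-Accept when the second Access-Request returns that State together with a code that a constructed cloud-MFA table accepts (the "secondary request against Azure" step). Packet framing, User-Password hiding and the Response Authenticator follow RFC 2865, so the client side can also verify that each reply really came from the NPS that knows the shared secret.

```python
import hashlib
import os
import struct

# Constructed values for the simulation only: not a real secret, directory or MFA backend.
SHARED_SECRET = b"example-radius-secret"
LOCAL_DIRECTORY = {"alice": "Winter2024!"}   # stand-in for the local Active Directory
CLOUD_MFA_OTP = {"alice": "123456"}          # stand-in for the Azure MFA verification

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode(code, ident, authenticator, attrs):
    """Build a RADIUS packet (RFC 2865 section 3) from (type, value) attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    """Split a RADIUS packet into code, identifier, authenticator and attribute list."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator, attrs, pos = pkt[4:20], [], 20
    while pos < length:
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, authenticator, attrs


def hide_password(password, request_authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, request_authenticator):
    """Inverse of hide_password, run by the server that shares the secret."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(SHARED_SECRET + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, request_authenticator):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    unsigned = encode(code, ident, request_authenticator, attrs)
    return hashlib.md5(unsigned + SHARED_SECRET).digest()


def nps_server(pkt, sessions):
    """Two-stage flow: password against the local directory, then OTP against cloud MFA."""
    code, ident, req_auth, attrs = decode(pkt)
    a = dict(attrs)

    def reply(rcode, rattrs):
        return encode(rcode, ident, response_authenticator(rcode, ident, rattrs, req_auth), rattrs)

    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return reply(ACCESS_REJECT, [])
    user = a[USER_NAME].decode()
    secret = reveal_password(a[USER_PASSWORD], req_auth).decode()
    if STATE in a:  # second round: State ties the OTP to the earlier password check
        if sessions.pop(a[STATE], None) == user and CLOUD_MFA_OTP.get(user) == secret:
            return reply(ACCESS_ACCEPT, [])
        return reply(ACCESS_REJECT, [])
    if LOCAL_DIRECTORY.get(user) != secret:  # first factor failed: the MFA stage is never reached
        return reply(ACCESS_REJECT, [])
    state = os.urandom(8)
    sessions[state] = user
    return reply(ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter your MFA code")])


def radius_client_login(user, password, otp):
    """Drive the exchange from the RADIUS client side, verifying each Response Authenticator."""
    sessions = {}

    def send(ident, extra, secret):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user.encode()),
                 (USER_PASSWORD, hide_password(secret.encode(), req_auth))] + extra
        raw = nps_server(encode(ACCESS_REQUEST, ident, req_auth, attrs), sessions)
        code, rid, auth, rattrs = decode(raw)
        if rid != ident or auth != response_authenticator(code, rid, rattrs, req_auth):
            raise ValueError("response authenticator mismatch: reply is not from the trusted NPS")
        return code, dict(rattrs)

    code, rattrs = send(1, [], password)
    if code != ACCESS_CHALLENGE:
        return code
    code, _ = send(2, [(STATE, rattrs[STATE])], otp)
    return code


if __name__ == "__main__":
    print("accept" if radius_client_login("alice", "Winter2024!", "123456") == ACCESS_ACCEPT else "reject")
```

Two design points carry over to a real deployment: the server only contacts the MFA backend after the first factor succeeds, so a bad password never triggers a second-factor prompt, and the State value issued in the challenge is what binds the OTP round to the password round, so a client cannot skip straight to the second stage.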
For more information on how to configure Azure NPS, check out this paper from Microsoft.
As always, if you need further assistance or would like to learn more about Komodo Cloud and the services we offer, please reach out!
Take care and stay well,
Joseph Noga
CTO Komodo Cloud