One hour to better security: How to leverage Azure MFA to secure an existing VPN solution

Editor’s note: In response to the coronavirus crisis gripping the world, TechGenix is republishing a number of recent articles, tutorials, and product reviews that contain relevant information for IT professionals as their jobs change dramatically. In this excellent tutorial, originally published June 27, 2018, we walk you through the steps for leveraging Azure MFA to ensure that remote users connecting to the network via VPN are who they say they are.

At a time when more and more focus is being placed on network security, more and more businesses are looking toward multifactor authentication to ensure that the people logging into their networks are who they say they are. With the growing number of remote users accessing networks via VPNs, it makes sense that more and more businesses are turning to multifactor authentication solutions, such as Azure MFA, to protect their networks over those VPN connections.

While there are many multifactor authentication options available, one of the simpler solutions to deploy is based on Azure Active Directory. In this article, I’ll talk a little bit about an Azure-backed MFA solution for VPN access, how it works, and how to add it to an existing VPN solution.

The typical VPN solution

In most environments, the typical VPN solution consists of a firewall/VPN device such as a Cisco ASA or perhaps something like a FortiGate device, along with a domain-joined Network Policy Server. The VPN device is configured as a client in the Network Policy Server, and access to the VPN is controlled via group membership in AD.

In the scenario above, things typically look like this:

[Figure: Azure MFA]

While the typical VPN solution described above works, the inherent flaw is that if someone loses a laptop or gives up a password to a phishing attack, it’s fairly easy for an intruder to gain access to the network via VPN.

Enter multifactor authentication

Deploying a VPN solution that leverages Azure MFA provides an added layer of security and helps ensure that remote users connecting to the network via VPN are who they say they are. By leveraging Azure Active Directory and the NPS Extension (both available from Microsoft), an organization can very easily deploy or upgrade an existing VPN solution to one that offers MFA protection.

The Azure MFA VPN solution

An Azure-backed MFA VPN solution requires a few additional components in addition to the typical VPN device and NPS server. These additional components include:

  • Azure tenant
  • Premium Azure AD subscription
  • NPS Extension
  • Azure AD Connect

In an Azure MFA VPN solution, the secondary MFA authentication for VPN users is performed against Azure AD accounts that have been synced to Azure AD in the Azure tenant via Azure AD Connect. The premium Azure AD subscription is necessary because it provides the required licensing to enable MFA in Azure AD. The NPS Extension is a piece of software that is installed on the on-premises NPS server. This software securely communicates with Azure AD and facilitates the secondary authentication when someone attempts to connect to the VPN.

A typical Azure MFA VPN solution looks something like this:


Preparing for an Azure MFA VPN

Before deploying a multifactor VPN solution based on Azure AD MFA, you must first provision an Azure tenant and an Azure AD subscription within the tenant. The Azure AD subscription must be at least Premium P1. The free version of Azure Active Directory that comes with a deployment of Office 365 / Exchange Online does not support multifactor authentication for VPN.

Provisioning an Azure tenant is as easy as clicking this link. Once the Azure tenant is provisioned, you can sign up for an Azure AD Premium P1 subscription right from your Azure portal.

With an Azure tenant and Azure AD subscription in place, you should deploy Azure AD Connect in your on-prem Active Directory environment so that the on-prem Active Directory user accounts can be synced to Azure Active Directory. This is necessary because the MFA preferences will be set on the Azure AD accounts that are synced from on-prem. Additionally, the NPS Extension that you will eventually install on the existing NPS server will communicate directly with the Azure AD subscription to validate MFA status and credentials.

Once the Azure tenant is in place and the on-prem users are being synced to Azure Active Directory, you can enable MFA for the users who will be using the VPN by following the steps below:

  • Browse to the Azure Portal and log in
  • Click on “Azure Active Directory” in the left pane
  • Click “Users”
  • Click “Multi-Factor Authentication”

From there, select the users for whom you wish to enable MFA and click “Enable.” This will enable MFA for the selected users.

MFA enrollment for users

After enabling MFA for your Azure AD users, and before they begin using the VPN, the users who will be using the MFA VPN must enroll in Azure MFA and set up their MFA preferences by following the instructions below:

  • Sign in here
  • Follow the prompts to set up a verification method

With the Azure AD users configured for MFA and enrolled, the existing VPN solution can be upgraded to leverage the Azure-backed MFA features that are now available.

How to deploy an Azure MFA VPN solution

This article assumes that you have a working VPN solution already in place and are leveraging an NPS server. With an NPS server already in place, you just need to make a couple of changes to make it work with Azure-backed MFA. The first change is the installation of the NPS Extension on the NPS server. The second change is the creation and installation of a certificate on the NPS server so that it can securely communicate with the Azure AD subscription/directory.

Installing the NPS Extension

The NPS extension allows the NPS server to perform secondary MFA authentication against Azure AD. The extension can be downloaded here. Installation of the NPS extension is painless and consists of just a handful of “Next” prompts, followed by a “Done” prompt.


There are no configuration options to choose when installing the extension, as all it is doing is essentially adding some DLL libraries to the NPS server.

Securing communication between NPS and Azure AD

Once the NPS extension is installed on the NPS server, a certificate must be generated to allow secure communication between the NPS server and Azure Active Directory. This certificate is created and installed by running the “AzureMfaNpsExtnConfigSetup.ps1” PowerShell script, found in the “C:\Program Files\Microsoft\AzureMfa\Config” directory on the NPS server where the NPS Extension is installed.

To create the certificate, the PowerShell script requires the directory GUID of the Azure AD.

Obtaining the Azure AD GUID is easy enough. Simply follow the steps below:

  • Browse to the Azure Portal and log in
  • Click on “Azure Active Directory” in the left pane
  • Click “Properties”

Copy the value from the Directory ID field that you see and save it off to a text file somewhere.

[Figure: Azure MFA]

After obtaining the Azure AD GUID, create the certificate and establish connectivity to Azure AD by following the instructions below:

  • Run Windows PowerShell as an administrator
  • Change to the “C:\Program Files\Microsoft\AzureMfa\Config” directory
  • Run the AzureMfaNpsExtnConfigSetup.ps1 script (be sure to preface the command with .\)
  • Sign in to Azure AD as an administrator when prompted
  • Provide the Azure AD Directory ID that you saved earlier

The process above creates a self-signed certificate on the NPS server and secures communications between the NPS server and Azure AD. It associates the public key of the certificate with the service principal in Azure AD and stores the certificate in the local machine store on the NPS server. The Network Service account is granted access to the certificate’s private key.
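Before moving on, it is worth confirming that the script actually left the NPS server in the state described above. The following PowerShell is an added post-configuration check and is not part of the original article or of Microsoft’s NPS Extension; it assumes the script path given above, assumes that the self-signed certificate the script creates carries the Azure AD Directory ID in its Subject (an assumption about the certificate’s naming, which is why you pass your own tenant ID), and assumes the NPS service is registered under the Windows service name IAS.

```powershell
# Added verification script (not from the original article or the NPS Extension itself).
# Assumptions, labelled:
# - The setup script lives under C:\Program Files\Microsoft\AzureMfa\Config (per the article).
# - The self-signed certificate created by the script has the Azure AD Directory ID in its Subject.
# - The NPS service is registered under the Windows service name "IAS".
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantId   # Directory ID copied from Azure AD > Properties
)

$configDir = 'C:\Program Files\Microsoft\AzureMfa\Config'
$setupScript = Join-Path $configDir 'AzureMfaNpsExtnConfigSetup.ps1'

# 1. The setup script must exist where the extension installer placed it.
if (-not (Test-Path $setupScript)) {
    Write-Warning "Setup script not found at $setupScript; is the NPS Extension installed?"
}

# 2. Look for the certificate the script created in the local machine store and make sure
#    it has not expired and that the private key is present (the extension cannot sign
#    requests to Azure AD without it).
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$TenantId*" }

if (-not $certs) {
    Write-Warning "No certificate containing tenant ID $TenantId found in Cert:\LocalMachine\My"
} else {
    foreach ($c in $certs) {
        $status = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        if (-not $c.HasPrivateKey) { $status = "$status, NO PRIVATE KEY" }
        "{0}  thumbprint={1}  expires={2:yyyy-MM-dd}  {3}" -f `
            $c.Subject, $c.Thumbprint, $c.NotAfter, $status
    }
}

# 3. The NPS service should be running again after the script's automatic restart.
$nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
if ($null -eq $nps) {
    Write-Warning 'NPS service (IAS) is not installed on this host'
} elseif ($nps.Status -ne 'Running') {
    Write-Warning "NPS service (IAS) is in state $($nps.Status)"
} else {
    'NPS service (IAS) is running'
}
```

Run it from an elevated PowerShell prompt on the NPS server as `.\Check-AzureMfaNps.ps1 -TenantId <your Directory ID>` (the file name is your choice). An expired certificate or a missing private key is the first thing to look for later on when VPN users suddenly stop receiving MFA prompts.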

[Figure: Azure MFA]

After all of that is completed, the NPS service is automatically restarted.

A word about authentication

Although your existing VPN/NPS solution may already be configured, you need to determine which encryption protocols you must use to support Azure-backed MFA, because not all encryption protocols support all MFA verification methods.

For example, PAP supports phone calls, one-way text messages, mobile app notification, and mobile app verification code, while CHAPV2 and EAP support phone calls and mobile app notification only.

Two key factors affect which authentication methods are available with an NPS extension deployment:

  • the password encryption algorithm used between the VPN and the NPS server
  • the input methods that the VPN client application supports

For example, if your VPN client software does not offer a field that allows the user to type in a verification code from a text or mobile app, you are not going to be able to use one-way text messaging as a secondary verification method. In that case, you could use the PAP, CHAPV2, or EAP encryption protocols. Alternatively, if your VPN client does make a field available to enter a code from a text or mobile app (and that is the secondary authentication method that you want to use), you would need to use PAP, since CHAPV2 and EAP only support phone call and mobile app notifications.

With that said, before you deploy the NPS extension, consider your existing environment and how these factors impact your configuration.

Deploying the solution

By default, once the NPS Extension is deployed, users who have not been enabled for MFA in Azure AD will be denied access to the VPN. As such, you may find it useful to allow non-MFA-enabled users to still connect to the VPN until you are ready to go to production.


To allow non-MFA-enabled users to access the VPN, open the Registry Editor on the NPS server and set the “REQUIRE_USER_MATCH” value in the “HKLM\SOFTWARE\Microsoft\AzureMfa” registry key to “FALSE” while you are testing. If it does not already exist, create it. Otherwise, users who are not enabled for MFA will be blocked from connecting to the VPN. You can set the value to “TRUE” when you are ready to move the solution into production.

Test your new Azure-backed MFA VPN by attempting to log in to the VPN with a user account that has been synced to Azure Active Directory and has had MFA enabled. Make sure that your test user receives the expected secondary authentication prompt (phone call, text message, app notification, etc.). If your test user does not successfully authenticate, confirm that the authentication settings you have configured in the NPS server policies support your preferred MFA verification method.

After confirming that your test user can log in to the VPN, you can set the “REQUIRE_USER_MATCH” value to “TRUE” to enforce MFA authentication for the VPN.
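Because this value decides whether users without MFA can bypass the second factor, it pays to flip it with something repeatable rather than by hand in the Registry Editor. The function below is an added helper, not code from the original article or from the NPS Extension; it assumes REQUIRE_USER_MATCH is a string (REG_SZ) value holding “TRUE” or “FALSE”, as the article describes, and that the NPS service is registered under the Windows service name IAS so it can be restarted after the change.

```powershell
# Added helper (not from the original article or the NPS Extension). It toggles the
# REQUIRE_USER_MATCH value and restarts NPS so the extension re-reads it.
# Assumptions: the value is a REG_SZ string holding "TRUE"/"FALSE", and the NPS service
# name is "IAS".
function Set-AzureMfaRequireUserMatch {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # $true  = production: users not enabled for MFA in Azure AD are denied VPN access.
        # $false = pilot: users not enabled for MFA may still connect without a second factor.
        [Parameter(Mandatory = $true)]
        [bool]$Enforce
    )

    $keyPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    $name    = 'REQUIRE_USER_MATCH'
    $value   = if ($Enforce) { 'TRUE' } else { 'FALSE' }

    # The article notes the key may not exist yet; create it rather than fail.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    $current = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $value) {
        Write-Verbose "$name is already $value; nothing to do"
        return
    }

    if ($PSCmdlet.ShouldProcess("$keyPath\$name", "Set to $value")) {
        # -Force overwrites an existing value or creates a missing one as a REG_SZ string.
        New-ItemProperty -Path $keyPath -Name $name -Value $value -PropertyType String -Force | Out-Null
        Restart-Service -Name IAS
        Write-Output "$name set to $value (was '$current'); NPS (IAS) restarted"
    }
}

function Get-AzureMfaRequireUserMatch {
    # Reports the current setting so you can audit NPS servers before and after the change.
    $keyPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    $current = (Get-ItemProperty -Path $keyPath -Name 'REQUIRE_USER_MATCH' -ErrorAction SilentlyContinue).REQUIRE_USER_MATCH
    if ($null -eq $current) { 'not set (extension default: MFA required)' } else { $current }
}

# Usage (run elevated on the NPS server):
#   Set-AzureMfaRequireUserMatch -Enforce $false -WhatIf   # preview the change
#   Set-AzureMfaRequireUserMatch -Enforce $false           # pilot: let non-MFA users in
#   Set-AzureMfaRequireUserMatch -Enforce $true            # production: require MFA for everyone
#   Get-AzureMfaRequireUserMatch
```

The `-WhatIf` support is deliberate: on a server that fronts all remote access, you want to see which value is about to be written before NPS is restarted. Leaving the value at “FALSE” after the pilot ends is the common mistake here, so the `Get-` function gives you a quick way to audit every NPS server once you have moved to production.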

Pulling it all together

You can add Azure MFA authentication to your existing VPN solution to further secure your network by leveraging the multifactor authentication functionality available in Azure Active Directory. Doing so requires you to provision an Azure tenant and an Azure Active Directory P1+ subscription. With those provisioned, sync your on-prem users to Azure AD with Azure AD Connect. Once your on-prem users are synced to Azure AD, you can enable MFA for them in Azure Active Directory.

After your users are synced to Azure AD and have been enrolled in MFA, install the NPS Extension on your NPS server, then create and install the self-signed cert using the PowerShell script that the NPS Extension provides. With the certificate installed, establish secure connectivity between the NPS server and Azure AD so that the NPS Extension can leverage the MFA offered by Azure AD.

The overall effort to complete this process is less than one hour. Isn’t the security of your network worth an hour of your time?
