You ask, Microsoft listens — especially to its enterprise users with the big bucks. Announced recently, Microsoft has released a public preview of the Network Policy Server (NPS) extension in support of Azure MFA. This comes after several requests from customers who want to secure their on-premises VPNs using Azure Active Directory with Microsoft’s cloud based multi-factor authentication service, and allows enterprise administrators to protect their VPNs with Azure MFA without requiring a separate server.
Learning about Azure Multi-Factor Authentication
With Azure Multi-Factor Authentication, Microsoft’s two-step verification solution, access to secure data is only granted with at least two access methods: something you know (a password), something you have (a trusted device, key fob), or something you are (biometrics):
Azure explains the details of their MFA solution in this Channel9 video:
Those using MFA on Azure can be verified via phone call, text message, mobile app notification, or a verification code with a mobile app, and MFA is available for Office 365, Azure Administrators, or azure Multi-Factor Authentication which features a rich set of capabilities that include reporting and support for a wide range of on-premises and cloud applications.
Azure MFA is offered within MFA Server, an on-premises solution, or cloud-based MFA, which is supported by Microsoft. While an on-premises solution is a great option, going to the cloud is becoming more popular because of other useful features such as Conditional Access and Azure AD Identity Protection.
Azure MFA with RADIUS Authentication
Those who have been looking for RADIUS authentication, a technology utilized by Microsoft Forefront Threat Management Gateway to authenticate outbound Web proxy requests, incoming requests for published web servers, and VPN client requests, are now in luck. Cloud-based MFA services may have had Conditional Access and Azure AD Identity Protection, but not RADIUS authentication–not unless they deployed some MFA servers on-premises. With this announcement comes even better news for those seeking cloud-based Azure MFA with RADIUS authentication: the support is now available without having to install an on-premises solution.
The NPS extension allows cloud-based MFA capabilities using existing NPS servers, which supports phone call, SMS, or mobile application MFA to an existing authentication flow without new server deployments.
The NPS extension is simply that: an extension. Here are the steps taken for authentication:
- A user or VPN client initiates the authentication request.
- The NAS or VPN server receives the request from the VPN Client and converts them into RADIUS requests
- The NPS server then connects to Active Directory to perform primary authentication for the RADIUS requests and if successful, passes the request to any installed NPS extensions.
- The NPS extension triggers a MFA request to Azure cloud-based MFA to perform the secondary level of authentication. If it receives the desired response, the authentication request is completed and security tokens are passed to the NPS server that include a MFA claim issued by Azure secruity token service (STS).
- Azure MFA communicates with Azure AD to retrieve the user’s details and performs the secondary authentication using a verification method that is configured for the user.
Getting started with Azure MFA with RADIUS Authentication
It’s easy to roll out this new feature within Azure–just grab the NPS extension for Azure MFA from the Microsoft Download Center. Run the installation package and the PowerShell script which will associate the extension with your tenant. Then configure your RADIUS client to authenticate through your NPS server.
Who can use it?
The new option is available to anyone with licenses for Azure MFA–if you’re not sure that’s you, you’d need to have Azure AD Premium, EMS, or an MFA subscription. You’ll also need to maintain a server infrastructure with Windows Server 2008 R2 SP1 or above with the NPS component enabled.
Users must be synced to Azure Active Directory using Azure AD Connect and they have to be registered for MFA.
Microsoft’s objective is clear: Microsoft Azure AD is becoming closer to an “Identity Control Plane” service that ensures that organizations have the right type of cloud/on-premises access that follow their rigorous standards of compliance and security.
Photo credit: Shutterstock, Microsoft
Azure have recently release a RADIUS Windows 2016 server in the Azure marketplace, making it even easier to setup RADIUS with Azure https://azuremarketplace.microsoft.com/en-us/marketplace/apps/cloud-infrastructure-services.radius-2016
At Deepnet Security we have just put a web page for users of Azure and Office 365 who want to authenticate using SafeID oath tokens etc.
More details can be found from the following link;
http://www.deepnetsecurity.com/authenticators/one-time-password/safeid/hardware-mfa-tokens-office-365-azure-multi-factor-authentication/