Azure AD MFA integration with Citrix NetScaler

Rahul 236 Reputation points
2020-06-30T19:18:25.913+00:00

Hi,

Just wanted to clarify my doubt on MFA with Citrix NetScaler VDI (Virtual Desktop).

Q1. Azure AD cloud MFA will have to use an NPS setup for triggering MFA to the end user when accessing Citrix VDI, so does this make an NPS server mandatory? In my view, yes, it's a required setup.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Reference: https://christiaanbrinkhoff.com/2017/02/17/how-to-configure-azure-mfa-for-citrix-netscaler-gateway-radius-by-using-the-new-nps-extension/

Q2. SAML SSO with Citrix NetScaler will not leverage MFA when accessing a Virtual Desktop? In my view, no, it will not trigger MFA when accessing any Virtual Desktop because it uses a different protocol.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/citrix-netscaler-tutorial#scenario-description

Q3. Does Azure MFA for Virtual Desktop support hardware tokens? Will it work or not on hard tokens? In my view it should work.

Let me know your suggestions here.


1 answer

  1. Sander Berkouwer 166 Reputation points
    2020-07-01T08:07:07.7+00:00

    Citrix NetScalers can be licensed with an AAA module. This module can interact with Azure AD (and AD FS) using claims-based authentication. In the case of federating with Azure AD, Conditional Access can be used to require multi-factor authentication. An NPS Server is not required in this scenario.

    The reason why we see a lot of organizations take the NPS Server route is because they are migrating from other RADIUS-based solutions like Azure MFA Server and RSA SecurID Access. In these migration scenarios, the RADIUS component is simply switched out. It is a method that allows for easy roll-back. Additionally, the pricing of the AAA module is steep.

    Azure Multi-factor Authentication supports OATH-based tokens.
    This feature is currently in private preview.
