0 Votes
Naseem-1842 asked · Saas-8690 answered

MFA NPS Error

Hi,

I have an Azure subscription and Azure AD 2. I enabled MFA and enrolled all the users, synced AD with Azure AD, and also configured Azure MFA with the NPS server.

I'm getting this error when I run the health-check script:
User1@domain.com has not a valid license for MFA, it's a warning message to be legal from licensing side... Test FAILED
Test will continue to detect additional issue(s), Please make sure to assign a valid MFA License for the user (AD Premium, EMS or MFA standalone license

the health check script:
https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-nps-extension-health-check/azure-mfa-nps-extension-health-check/


Thanks

azure-active-directory

0 Votes
KAREDD-MSFT answered · KAREDD-MSFT edited

In Azure AD, you have to assign the licenses to the users directly. Can you confirm whether you assigned the Azure AD P2 license to the user?

You can follow the steps listed here to do this: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/license-users-groups


0 Votes
Naseem-1842 answered · Naseem-1842 edited

Hi @KAREDD-MSFT

Yes, the user account has Azure AD 2 with Microsoft 365 E5.

Also, I found this event in %SystemRoot%\System32\Winevt\Logs\AuthZOptCh.evtx:

NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User@Domain.com with response state AccessReject, ignoring request


0 Votes
Naseem-1842 answered · paulpedroza commented

[Screenshot attached: 6971-screen-shot-2020-03-31-at-101249-pm.png]

Hi @Naseem-1842,

Could you solve this problem? I am having the same problem and my users have the correct licenses, but the NPS Extension does not work.

Thanks a lot.

Paul

0 Votes

1 Vote
NaseemAljaradi-5143 answered

Hi @paulpedroza


I solved the problem. Before I start, you need to know that there are two types of methods to use the NPS; Microsoft doesn't have any documents about the second method.


1- Method 1: the application sends both the primary and the secondary request to the NPS, for example Cisco VPN with Azure MFA.
[Screenshot attached: 10855-screen-shot-2020-06-29-at-123933-am.png]
2- Method 2: the application sends only the secondary request to the NPS server and sends the primary request to another service to take care of it (in this case the NPS server doesn't care whether the primary is authorized or not, because another service will challenge the primary request), for example:
AWS WorkSpaces with Azure MFA


AWS AD Connect only sends a secondary request to the NPS server and sends the primary request to the Active Directory server, so Active Directory will check the username and password and the NPS server will take care of the Azure MFA code method only:
[Screenshot attached: 10856-screen-shot-2020-06-29-at-123736-am.png]


Issue
The problem here is that the MFA Extension is waiting for the message "access accepted" for the primary request from the NPS, but because the NPS doesn't receive the primary request, it doesn't send a message to the NPS Extension with "access accepted". To fix this issue you need to ignore the primary request and allow all requests without any challenge; then the MFA Extension will receive "access accepted" from the NPS for any primary request and start processing the secondary request with the MFA Extension. Here is how you can ignore the primary request:


Create a new connection request policy (for each client):
1- In the conditions, add the client friendly name (RADIUS client name).
2- Settings > Authentication > check "Accept users without validating credentials".
3- Save.


Make sure that you have another service that checks the primary request. Also make sure that the users can log in with the correct MFA code only: sometimes, if you change the MFA setting on Azure and the users didn't update their MFA after the changes on Azure, they will be able to log in even with a wrong MFA code or without even importing any MFA info.


I hope this helps you with your issue.
Thanks
Naseem Aljaradi
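Before creating the "accept without validating" policy, it helps to confirm that the NPS extension really is discarding primary requests in AccessReject state, as the event quoted earlier in this thread shows. The following PowerShell is an added example, not code from this thread or from Microsoft; it reads the AuthZOptCh.evtx path named above (assumed to be on the NPS server, run elevated) and summarises the ignored requests per user.

```powershell
# Added example: count "AccessReject, ignoring request" events from the Azure MFA NPS
# extension channel, grouped by user, so you can see which clients send only the
# secondary request (the "Method 2" pattern). Assumes the default AuthZOptCh.evtx path.
$LogPath = Join-Path $env:SystemRoot 'System32\Winevt\Logs\AuthZOptCh.evtx'

$ignored = Get-WinEvent -Path $LogPath -ErrorAction Stop |
    Where-Object { $_.Message -match 'response state AccessReject, ignoring request' } |
    ForEach-Object {
        # Pull the UPN out of "Request received for User@Domain.com with response state ..."
        $user = if ($_.Message -match 'Request received for (\S+) with response state') {
            $Matches[1]
        } else {
            '<unparsed>'
        }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $user; EventId = $_.Id }
    }

if (-not $ignored) {
    Write-Host 'No ignored primary requests found in the AuthZOptCh channel.'
} else {
    $ignored | Group-Object User | Sort-Object Count -Descending |
        Select-Object @{n = 'User'; e = { $_.Name }},
                      Count,
                      @{n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time }} |
        Format-Table -AutoSize
}
```

A non-empty table confirms the primary request never reaches the extension in AccessAccept state, which is the symptom the connection request policy above is meant to address.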
0 Votes
paulpedroza answered

@NaseemAljaradi-5143,

Thank you very much for your help. It helped me understand the mistake I was making.

Regards,

Paul Pedroza

0 Votes
Saas-8690 answered

In our case, with the same errors, the solution was to enable the following two SPNs:

Get-MsolServicePrincipal -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" | fl *

Get-MsolServicePrincipal -AppPrincipalId "1f5530b3-261a-47a9-b357-ded261e17918" | fl *

Source: https://s4erka.wordpress.com/2019/01/25/azuremfa-nps-troubleshooting/

Thanks Sergii!!!
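The two Get-MsolServicePrincipal calls above only display the service principals; the fix described is to make sure both are enabled. The following PowerShell is an added example (not from this thread or the linked blog) that checks the AccountEnabled flag of the two AppPrincipalIds quoted above and enables any that are off. It assumes the MSOnline module is installed and that Connect-MsolService is run with an administrator account.

```powershell
# Added example: verify and, if needed, enable the Azure MFA service principals that the
# NPS extension depends on. The GUIDs are the two AppPrincipalIds from the answer above;
# the display names are the ones Microsoft uses for these principals.
Import-Module MSOnline
Connect-MsolService

$mfaApps = @{
    '981f26a1-7f43-403b-a875-f8b09b8cd720' = 'Azure Multi-Factor Auth Client'
    '1f5530b3-261a-47a9-b357-ded261e17918' = 'Azure Multi-Factor Auth Connector'
}

foreach ($appId in $mfaApps.Keys) {
    $sp = Get-MsolServicePrincipal -AppPrincipalId $appId -ErrorAction SilentlyContinue
    if (-not $sp) {
        # Principal missing entirely; the NPS extension setup script normally creates it.
        Write-Warning "$($mfaApps[$appId]) ($appId) is not present in this tenant"
        continue
    }
    if ($sp.AccountEnabled) {
        Write-Host "$($sp.DisplayName): AccountEnabled = True (OK)"
    } else {
        Write-Host "$($sp.DisplayName): AccountEnabled = False, enabling"
        Set-MsolServicePrincipal -AppPrincipalId $appId -AccountEnabled $true
    }
}
```

Re-run the health-check script from the question after this; the licensing warning is separate and still requires the user to hold a valid MFA license.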
