Azure MFA - NPS Extension - No MFA prompt on logon

Dave K 91 Reputation points
2020-05-20T14:53:44.87+00:00

Hi guys, I'm hoping somebody can help here.

I have a brand new build of an RDS environment hosted in Azure on Server 2019. All RDS roles are on one server and then there's a separate NPS server to handle Azure MFA authentication.

The RDS side of things is looking fine. I've presented a simple collection and can log onto the web server, sign in, and RDP into the collection. Thats the easy bit.

The problem I'm having is integrating Azure MFA into the sign in. I had actually configured this for a previous environment and all went fine, unsure why this setup is different.

I've followed these instruction to the letter but I cannot get the MFA prompt to kick in.

http://microsoftplatform.blogspot.com/2017/02/securing-rd-gateway-with-mfa-using-new.html

The problem is that MFA doesnt kick in and my test account logs in every time, without needing the 2nd factor of authentication.

MFA is definitely enforced on my account and license applied on my O365 account. If I log into the Azure portal from the same desktop I get an MFA prompt at that stage, so MFA appears to be ok. Its just the integration into the RDS environment.

I really would appreciate some help as I'm under a bit of pressure to demo this in the next few days.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,459 questions
0 comments
Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-05-20T16:17:40.293+00:00

    Hi @Dave K There seems to be some configuration issues with NPS Server configuration. I would suggest you to compare your NPS configuration with the settings mentioned in below sections of this document: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#configure-nps-components-on-remote-desktop-gateway

    • Configure NPS components on Remote Desktop Gateway
    • Configure NPS on the server where the NPS extension is installed

    For debugging you can look into Network Policy and Access Services event log filter on the NPS Server as highlighted below:

    8448-capture.jpg

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Manu Philip 16,971 Reputation points MVP
    2020-05-20T16:31:51.2+00:00

    Hello @Dave K ,

    One-time bypass applies to MFA server and see it is configured here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/OneTimeBypass/fromProviders/

    Thanks,
    Manu