question

0 Votes
SamCook-3516 asked:

NPS extension with Azure MFA

Hi there,
It has been a few days since I started scratching my head over this issue, and I am wondering if someone can help.
My NPS server does not seem to be forwarding the auth request to Azure for MFA; local authentication works fine.
I have configured everything as per the guide below:
https://techcommunity.microsoft.com/t5/microsoft-identity-manager/step-by-step-protecting-rd-gateway-with-azure-mfa-and-nps/m-p/1217077#
and Event Viewer on the NPS server shows the message below and discards the auth request:
NPS Extension for Azure MFA: CID: xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx : Request Discard for user user@domain.com with Azure MFA response: UserNotFound and message: The specified user was not found.,,,xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx.

I am wondering if anyone has come across this issue and knows how to fix it?
Thank you all in advance.

azure-ad-multi-factor-authentication

1 Vote
amanpreetsingh-msft answered:

@SamCook-3516, to check the SAMAccountName in Azure, you can log in to https://developer.microsoft.com/en-us/graph/graph-explorer# with the same user by clicking the Sign in with Microsoft button on the left and make a GET call: https://graph.microsoft.com/beta/me/. In the response, look for the value of the onPremisesSamAccountName attribute.

If you are logging in to the RDP session using a UPN, can you confirm whether you are syncing the on-prem UPN as the cloud UPN or syncing email as the UPN? If you are syncing email as the UPN, you would need to configure Alternate Login ID.




Thank you so much again, Aman.

I had been struggling with this for over a month; since I'm syncing email as the UPN, that's why it was not working.
As soon as I used the alternate login method and changed the reg key to email, it worked.

Thanks again for your time and help !

0 Votes
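The check and fix described in this answer, written out as an added PowerShell example (this is not code from the original thread or from Microsoft). It reproduces the lookup the NPS extension performs: the RADIUS user name is resolved to an on-prem AD object, and that object is matched to the cloud user by UPN unless the extension is told to send a different attribute. Assumptions: the on-prem account name (`jdoe`), a Graph bearer token in the `GRAPH_TOKEN` environment variable with permission to read users, the `ActiveDirectory` module on the NPS server, and that the Graph `onPremisesSamAccountName` filter is available in your tenant. The registry path and the `LDAP_ALTERNATE_LOGINID_ATTRIBUTE` value are the ones Microsoft documents for the NPS extension's Alternate Login ID setting; the NPS service name is `IAS`.

```powershell
# Added example: compare the on-prem user's UPN/mail with the cloud user object,
# then enable Alternate Login ID for the NPS extension if the cloud UPN is the
# on-prem mail attribute. Run on the NPS server as an administrator.
param(
    [string]$SamAccountName = 'jdoe',            # assumed on-prem account
    [string]$GraphToken     = $env:GRAPH_TOKEN    # assumed bearer token (User.Read.All)
)

Import-Module ActiveDirectory

# 1. On-prem attributes. By default the extension sends userPrincipalName to Azure MFA.
$adUser = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, mail
"On-prem UPN : $($adUser.UserPrincipalName)"
"On-prem mail: $($adUser.Mail)"

# 2. Cloud object, located by the synced sAMAccountName so the lookup does not
#    itself depend on which attribute was synced as UPN. These are the same
#    properties the Graph Explorer check in the answer above shows for /me.
$headers = @{ Authorization = "Bearer $GraphToken" }
$filter  = [uri]::EscapeDataString("onPremisesSamAccountName eq '$SamAccountName'")
$select  = 'userPrincipalName,onPremisesSamAccountName,onPremisesUserPrincipalName'
$uri     = "https://graph.microsoft.com/v1.0/users?`$filter=$filter&`$select=$select"
$cloudUser = (Invoke-RestMethod -Method Get -Headers $headers -Uri $uri).value | Select-Object -First 1

if (-not $cloudUser) {
    Write-Warning "No Azure AD user has onPremisesSamAccountName '$SamAccountName'; the user is not synced."
    return
}
"Cloud UPN   : $($cloudUser.userPrincipalName)"
"Cloud onPremisesSamAccountName: $($cloudUser.onPremisesSamAccountName)"

# 3. Decide whether Alternate Login ID is needed. If the cloud UPN equals the
#    on-prem mail rather than the on-prem UPN, the extension's default UPN
#    lookup returns UserNotFound, which is the event quoted in the question.
$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
if ($cloudUser.userPrincipalName -ieq $adUser.UserPrincipalName) {
    "UPNs match; no Alternate Login ID needed."
}
elseif ($cloudUser.userPrincipalName -ieq $adUser.Mail) {
    "Cloud UPN is the on-prem mail attribute; pointing the NPS extension at 'mail'."
    # LDAP_ALTERNATE_LOGINID_ATTRIBUTE names the AD attribute the extension sends
    # to Azure MFA instead of userPrincipalName.
    Set-ItemProperty -Path $regPath -Name 'LDAP_ALTERNATE_LOGINID_ATTRIBUTE' -Value 'mail' -Type String
    # The extension reads its registry settings when the NPS service starts.
    Restart-Service -Name IAS
}
else {
    Write-Warning "Cloud UPN matches neither the on-prem UPN nor mail; check the Azure AD Connect sync rules."
}
```

After the restart, retry the RD Gateway logon and confirm the NPS extension event now reports a successful Azure MFA response for the same user instead of UserNotFound.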
0 Votes
amanpreetsingh-msft answered:

@SamCook-3516
Have you synced the user to Azure AD? If you are using domain\username to connect via RDP, can you check whether the onPremisesSamAccountName attribute in the Azure AD user properties contains the sAMAccountName of the on-prem user?


Hello Amanpreet,

Thank you so much for your reply.
Yes, on-prem users are being synced to Azure, have the proper license assigned, and are registered for MFA.

How do I check the SAMAccountName in Azure AD?

I checked, and the user's sAMAccountName attribute in on-prem AD does match the UPN in Azure, if that's what you asked.
Please let me know, thanks.

0 Votes