question

sbadmin-7232 asked sbadmin-7232 published

Azure MFA NPS Plugin not working with Sign-In with email as alternate id

Hi,

we set up the Azure MFA NPS Extension in a Test Environment.

Until now we had only [username]@[tenant].onmicrosoft.com as login name active in Azure. Because of the NPS Extension we set up Sign-in to Azure AD with email as an alternate login ID, which works flawlessly in Browser / Outlook etc.

Our steps with NPS MFA:

  • first try with the on-premises UPN (which is a local domain) did not work (no surprise here)

  • added the [username]@[tenant].onmicrosoft.com as AD attribute on premises, set up the NPS Extension to use it as alternate login id and the MFA login worked as expected

  • activated Sign-in to Azure AD with email as an alternate login ID, configured the NPS extension to use mail as login ID and we get the following error:

    NPS Extension for Azure MFA: CID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx : Request Discard for user [mailaddress] with Azure MFA response: UserNotFound and message: The specified user was not found.,,,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

First thought was, maybe we didn't wait long enough for the settings to apply, but the weekend passed and there is no change.

Any ideas?




azure-ad-multi-factor-authentication

So the core problem is:

Browser login with mail works; NPS MFA with mail says "UserNotFound"

MarileeTurscak-MSFT answered sbadmin-7232 commented

Hello @sbadmin-7232 ,

Since you are syncing email as UPN you need to set the reg key to email when configuring the alternative login method.

Have you synced the user to Azure AD? If you are using domain\username to connect to via RDP, can you check if the OnpremiseSamAccountName attribute in Azure AD user properties contains the SAMAccount name of the onprem user?

To check the SAMaccountname in Azure, you can log in to https://developer.microsoft.com/en-us/graph/graph-explorer# with the same user by clicking the "Sign-in using Microsoft" button on the left and making a GET call: https://graph.microsoft.com/beta/me/. In response look for the value of onPremisesSamAccountName attribute.

In order to complete the authentication, the username or password need to be correct, the connection needs to be stable, and the conditions specified in the NPS Connection Request and Network Policies need to be met. If MFA is required, the MFA challenge needs to be successful and the connection attempt needs to be authenticated and authorized. Otherwise you may see the "request discard" message.

(Related discussion here.)

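The two checks suggested above (which attribute the extension is configured to send, and whether Azure AD can find a user by that value) can be scripted from the NPS server. This is an added diagnostic, not code from the thread or from Microsoft; it assumes the registry value name LDAP_ALTERNATE_LOGINID_ATTRIBUTE under HKLM:\SOFTWARE\Microsoft\AzureMfa (the key the howto-mfa-nps-extension-advanced article describes), that the RSAT ActiveDirectory module is installed, and that $AccessToken is a Graph token with User.Read.All (for example copied from Graph Explorer).

```powershell
# Assumed: run on the NPS server as an account that can read the registry and query AD.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $AccessToken   # optional: skip the Graph checks when not supplied
)

# 1. Which on-prem attribute will the extension send to Azure MFA?
#    (value name assumed from the NPS extension docs; not quoted on this page)
$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$attr = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).LDAP_ALTERNATE_LOGINID_ATTRIBUTE
if ([string]::IsNullOrWhiteSpace($attr)) {
    Write-Host "No alternate login ID attribute configured; the extension sends the on-prem UPN."
    $attr = 'userPrincipalName'
}

# 2. Read that attribute for the user exactly as the extension would (from on-prem AD)
$adUser  = Get-ADUser -Identity $SamAccountName -Properties $attr, userPrincipalName, mail
$loginId = $adUser.$attr
Write-Host "On-prem attribute '$attr' for $SamAccountName = '$loginId'"

if (-not $AccessToken) { return }
$headers = @{ Authorization = "Bearer $AccessToken" }
$base    = 'https://graph.microsoft.com/v1.0/users'

# 3a. Direct lookup: succeeds only if the value is an Azure AD UPN (or object id)
try {
    $byUpn = Invoke-RestMethod -Uri "$base/$([uri]::EscapeDataString($loginId))" -Headers $headers
    Write-Host "Graph resolves '$loginId' directly: UPN=$($byUpn.userPrincipalName)"
} catch {
    Write-Host "Graph does NOT resolve '$loginId' directly (HTTP $($_.Exception.Response.StatusCode.value__))"
}

# 3b. Filtered lookup: does any synced user carry this value as their mail address?
$filter = "mail eq '$loginId'"
$uri    = "$base`?`$filter=$([uri]::EscapeDataString($filter))&`$select=userPrincipalName,mail,onPremisesSamAccountName"
$byMail = (Invoke-RestMethod -Uri $uri -Headers $headers).value
if ($byMail) {
    $byMail | ForEach-Object {
        Write-Host "Matched by mail: UPN=$($_.userPrincipalName) onPremisesSamAccountName=$($_.onPremisesSamAccountName)"
    }
} else {
    Write-Host "No Azure AD user has '$loginId' as mail; check sync and the alternate login ID setting"
}
```

If step 2 prints the expected mail address but 3a fails and 3b succeeds, the tenant knows the address only as a mail attribute, which is the situation the thread describes; if 3b also fails, the user has not synced with that value.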

Since you are syncing email as UPN

No, we have [user]@[localdomain] on premise and [user]@[tenant].onmicrosoft.com online.

need to set the reg key to email

Did that and the AuthZOptCh Log shows it's using the mail address.

synced the user to Azure AD?

Yes.

OnpremiseSamAccountName attribute in Azure AD user properties contains the SAMAccount name of the onprem user?

Yes.


So the problem is: after activating [howto-authentication-use-email-signin][1], login with email in the browser works, but NPS MFA shows UserNotFound.


[1]: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin
sbadmin-7232 answered sbadmin-7232 published

Since you are syncing email as UPN you need to set the reg key to email when configuring the alternative login method.

We are not syncing email as UPN. We have [user]@[localdomain] on premises and [user]@[tenant].onmicrosoft.com as Azure UPN.
We activated [howto-authentication-use-email-signin][1]
We set the reg key to email as described in [howto-mfa-nps-extension-advanced][2]

Have you synced the user to Azure AD?

Yes.

If you are using domain\username to connect to via RDP, can you check if the OnpremiseSamAccountName attribute in Azure AD user properties contains the SAMAccount name of the onprem user?

We are using VPN with the SamAccountName only.
The OnpremiseSamAccountName is the same as the SAMAccount name of the onprem user.

[1]: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin
[2]: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced#alternate-login-id