In an earlier blog post,  I walked through various options on how to use Microsoft Authenticator with Workspace ONE Access (formerly known as VMware Identity Manager). In the final option, we talked about using the Microsoft Azure MFA Server.  However, as of July 1st, 2019, Microsoft is no longer offering the MFA Server for new deployments.


Microsoft does however provide another option to leverage Azure MFA by using the Network Policy Server extension for Azure.


In the blog I will walk through the process of configuring a Network Policy Server along with the NPS Extension.




Install and Configure the Network Policy Server

  1. Using the Server Manager -> Add Role and Features
    Screen Shot 09-25-19 at 01.42 PM.PNG
  2. Click Next
  3. Select Role-Based or feature-based Installation
  4. Select the Server from the Server Pool and click next
  5. Add the Network Policy and Access Services
    Screen Shot 09-25-19 at 01.43 PM.PNG
  6. Add the dependency features.
  7. Add the Network Policy Server
    Screen Shot 09-25-19 at 01.44 PM.PNG
  8. Complete the rest of the wizard to install the Network Policy Server.


Download and Install the NPS Extension

  1. Go to Download NPS Extension for Azure MFA from Official Microsoft Download Center
  2. Download the NPS Extension for Azure MFA Installer.
  3. Run the installer
    Screen Shot 09-25-19 at 01.49 PM 002.PNG
  4. Click Install


Configure the NPS Extension

  1. Run Windows Powershell as an Administrator
  2. At the powershell prompt, cd to "c:\Program Files\Microsoft\AzureMfa\Config"
  3. Run ".\AzureMfaNpsExtnConfigSetup.ps1"
  4. You will be prompted to authenticate with Azure.
  5. After successful authentication, you will be prompted to enter your tenant id. This is your Directory ID which can be copied from your Azure Console:
  6. This script will create a self signed certificate for you.


Configure your NPS Server

  1. Access your NPS Server (via Admin Tools)
  2. Under standard configuration, select "Radius server for Dial-up or VPN Connections"
  3. Click Configure VPN or Dial-up
  4. Select "Virtual Private Network (VPN) Connections"
  5. Provide a friendly name ie. Workspace ONE
  6. Click Next
  7. Under Radius Clients -> Click Add
  8. Provide a friendly Name, IP Address and a Shared Secret
  9. Click OK and Next
  10. Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2)
  11. Click Next
  12. Under Groups, - Select a group that includes your MFA Users.
  13. Click Next for IP Filters
  14. Click Next for Encryption Settings
  15. Click Next for Realm Name (leave blank)
  16. Click Finish
  17. Click on Policies -> Connection Request Policies
  18. Double Click on the new "Workspace ONE Policy"
  19. Change the type to Unspecified
  20. Click on the Condition Tab
  21. Delete the NAS Port Type and Click Add
  22. Select "Access Client IPv4Address"
  23. Enter the IP Address of the Connector Server
  24. Click OK
  25. Click on Policies -> Network Policies
  26. Double Click on the new "Workspace ONE Policy"
  27. Change the Type to Unspecified
  28. Under Conditions, you should just have the group condition
  29. Under Constraints, select "Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)"
  30. Click OK.


Configure Workspace ONE Access

  1. Log into your Workspace ONE Access Admin Console
  2. Go to Identity & Access Manager -> Setup
  3. Click on your Connector Worker -> Auth Adapters
    Screen Shot 10-14-19 at 04.17 PM.PNG
  4. Click on Radius Adapter
  5. Enter your Radius Host, Ports and Secret
    Note: Do not enter an accounting port.  I was not able to get this to work with the NPS Server.

  6. Select MSChapv2 as the encryption type.
  7. Click Save
  8. In the Workspace ONE Access Console, go to Identity Providers and edit the Built-In provider.
  9. Enable the Cloud Based Radius Adapter
  10. Click Save.
  11. You can now use the Cloud Radius Adapter in your Access Policies.