Forum Discussion
NPS Extension for azure MFA and multiple tenants?
Hi, is it possible to set up one NPS server with the Extension for Azure MFA to authenticate against multiple tenants? The on-prem AD has an Azure AD connector for each domain and the users are in sync with their tenants. It's an RDS setup with one RD Gateway and one NPS server and multiple RD servers. I need email address removed for privacy reasons and email address removed for privacy reasons etc. to authenticate with MFA, but I can only get the users on the tenant that's linked in the NPS Extension for Azure MFA to work. I don't think it's possible to set up more than one tenant in one NPS server (Extension for Azure MFA). I get this error in the NPS log:
NPS Extension for Azure MFA: CID:xxxxxxxxxxxxxxx : Access Rejected for user email address removed for privacy reasons with Azure MFA response: AccessDenied and message: Caller tenant:'xxxxxxxxxxxxxxxxxxxxxxx' does not have access permissions to do authentication for the user in tenant:'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',,,xxxxxxxxxxxxxxxxxxxxxx
The ID in the Caller tenant and the user tenant in the error is correct, so something has to work? I can't find a way to allow the Caller tenant to access users in the user tenant.
1 Reply
Hi pwb, don't know if you are still looking for an answer here, but I think you're running into a design limitation of the NPS extension rather than a simple misconfiguration.
The NPS extension is explicitly registered to one Microsoft Entra tenant when you run AzureMfaNpsExtnConfigSetup.ps1: you sign in as a GA and provide a single tenant ID, and the script creates/uses the "Azure Multi-Factor Auth Client" service principal in that tenant only.
Per the NPS extension configuration limitations, the extension then uses the on-prem UPN to find the user in Microsoft Entra for secondary authentication, which assumes that UPN exists in the same tenant the extension is registered to. The troubleshooting article for "AccessDenied" explicitly calls out the case where "the tenant domain and the domain of the user principal name (UPN) are not the same," and tells you to ensure that email address removed for privacy reasons is authenticating against the Contoso tenant.
On top of that, Microsoft Entra will only allow a given custom domain (for example, contoso.com) to be verified in a single tenant at a time, so the same UPN namespace cannot legitimately belong to multiple tenants simultaneously. Putting those together, in my opinion a single NPS extension instance can only perform MFA for users in the one tenant it's registered to, and cross-tenant UPNs will hit the documented AccessDenied condition rather than working as a supported multi-tenant setup.
Here are the reference links:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#configuration-limitations
https://learn.microsoft.com/en-us/previous-versions/entra/identity/authentication/howto-mfa-nps-extension-errors#errors-your-users-may-encounter
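As an added example (not part of the thread, and not Microsoft's tooling), the small Python check below parses NPS extension log lines in the AccessDenied format quoted in the question, extracts the caller tenant (the one the extension is registered to) and the tenant the user's UPN resolved to, and groups the rejected users by that foreign tenant so an admin can confirm the cross-tenant condition from the logs before redesigning the setup. The tenant IDs and UPNs in the sample log are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed placeholder IDs, not real tenants.
EXT_TENANT = "11111111-1111-1111-1111-111111111111"    # tenant the NPS extension is registered to
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # tenant the rejected users' UPNs belong to

# Constructed sample log lines in the format the question quotes.
SAMPLE_NPS_LOG = [
    "NPS Extension for Azure MFA: CID:0001 : Access Rejected for user alice@fabrikam.example "
    "with Azure MFA response: AccessDenied and message: Caller tenant:'" + EXT_TENANT +
    "' does not have access permissions to do authentication for the user in tenant:'" +
    OTHER_TENANT + "',,,0001",
    "NPS Extension for Azure MFA: CID:0002 : Access Accepted for user carol@contoso.example",
    "NPS Extension for Azure MFA: CID:0003 : Access Rejected for user bob@fabrikam.example "
    "with Azure MFA response: AccessDenied and message: Caller tenant:'" + EXT_TENANT +
    "' does not have access permissions to do authentication for the user in tenant:'" +
    OTHER_TENANT + "',,,0003",
]

# Matches only the cross-tenant AccessDenied message; other rejections are ignored.
CROSS_TENANT_RE = re.compile(
    r"Access Rejected for user (?P<user>\S+) with Azure MFA response: AccessDenied"
    r".*?Caller tenant:'(?P<caller>[^']+)' does not have access permissions"
    r".*?user in tenant:'(?P<target>[^']+)'"
)


def parse_access_denied(line):
    """Return (user, caller_tenant, user_tenant), or None if the line is not a cross-tenant rejection."""
    m = CROSS_TENANT_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("caller"), m.group("target")


def summarize(lines):
    """Group rejected users by the tenant they actually live in.

    Returns (set of caller tenants seen, {user_tenant: sorted users}); only entries where the
    caller tenant differs from the user's tenant are counted, since that is the documented
    AccessDenied condition for UPNs outside the extension's registered tenant.
    """
    callers = set()
    by_tenant = defaultdict(set)
    for line in lines:
        parsed = parse_access_denied(line)
        if parsed is None:
            continue
        user, caller, target = parsed
        callers.add(caller)
        if caller != target:
            by_tenant[target].add(user)
    return callers, {tenant: sorted(users) for tenant, users in by_tenant.items()}
```

If the summary shows every rejected UPN sitting in a tenant other than the single caller tenant, the logs are consistent with the one-tenant limitation described in the reply rather than with a per-user misconfiguration.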