SOLVED

Azure MFA using NPS without local domain?

Occasional Contributor

Hi, I have a site where I want to protect the VPN service using (RADIUS) and Azure MFA. 

The site currently doesn't have a local Active Directory domain controller. The users connecting to the VPN are Azure AD users (P1).
I'm hoping not to need to set up a local domain controller, but just keep the NPS server in a workgroup. Is this possible? 

4 Replies
best response confirmed by JayBeeFinalBeta (Occasional Contributor)
Solution
Hi Jay,

Not possible with NPS. I actually used the NPS extension for Azure P2S last year; you don't need to have an MFA server, but you must have a local domain to do the authentication part.

You may have to look for a different RADIUS setup, like DUO for instance!

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
What kind of VPN provider are you using?

There are a lot of VPN providers that have native authentication to Azure AD.
Check out this Reddit article for some examples: https://www.reddit.com/r/sysadmin/comments/db05ih/vpn_with_azure_ad_authentication/

@Thijs Lecomte That's a good suggestion. I did look at that; unfortunately, my hardware firewall doesn't support it and I need to resort to RADIUS.

@Moe_Kinani Fair enough, I've just implemented an NPS server with the Extension (leaning on a local AD too). I like DUO very much; it can do things MS should have done out of the box a long time ago (like easy RDP MFA). But the idea is to have everything using the same authentication (and I'm now using SAML to AzureAD on all web services).