References pulled from

Network Policy Server (NPS) Extension for Azure Multi-Factor Authentication (AZMFA)

Recently, I was working to update some of our labs and I came across our old Azure MFA Server, which we were using for some demos for on-premises LDAP, IIS & RADIUS resources. Microsoft originally released this with support only for VPN scenarios, but recently opened it up for other use cases that previously needed Azure MFA Server. Recently, Microsoft has taken a lot of the core functionality (save for LDAP and some IIS) and moved it to a new extension that sits on top of the Windows Server role for NPS. This not only allows for a reduction in server footprint, but MOST importantly, allows IT to not have to maintain separate 2FA stores for on-premises workloads (as done within the MFA Server database) and the methods configured within Azure MFA.

For instance, prior to this, if you deployed Azure MFA Server for, say, NetScaler, on-premises and O365 services, you actually had 2 different stores of primary/secondary 2FA methods. Not only that, but if you used the Azure Authenticator app, it meant you had 2 accounts with the same information that had to be registered and maintained. For many reasons, taking this down to a single instance, stored in Azure AD, reduces the complexity and overhead quite a bit.

Let’s take a look at how to deploy this with a Citrix NetScaler, whether it be on-premises or in Azure 🙂


The NPS extension for Azure MFA is meant to integrate with an existing NPS instance or instances deployed on-premises, in this case for RADIUS authentication.

NOTE: The NPS instances for the NPS extension MUST ONLY be used for RADIUS clients enforcing MFA, as all RADIUS requests that pass through the NPS instance will require MFA. So if you plan on having some other resources use NPS that don’t enforce or need 2FA, ensure you have 2 separate instances or farms, 1 for MFA, 1 without the extension.

The architecture is as follows; you can have multiple NPS servers for HA as needed.



The NPS extension is meant to work with your existing infrastructure. Make sure you have the following prerequisites before you begin.


The NPS Extension for Azure MFA is available to customers with licenses for Azure Multi-Factor Authentication (included with Azure AD Premium, EMS, or an MFA subscription).


Windows Server 2008 R2 SP1 or above. I highly recommend deploying on Server 2016! 🙂


These libraries are installed automatically with the extension.

The Microsoft Azure Active Directory Module for Windows PowerShell is installed, if it is not already present, through a configuration script you run as part of the setup process. There is no need to install this module ahead of time if it is not already installed.

Azure Active Directory

If users are going to authenticate through the NPS extension, note that those users HAVE to be synchronized with Azure AD and MUST be registered for Azure MFA. This can either be done by pre-registering the users through or you can enforce the use of a synchronized Mobile or Office phone (from AD if populated) through PowerShell.

Be sure to note the Azure AD tenant ID, as you will need it later on.

Prepare your environment

Before you install the NPS extension, you want to prepare your environment to handle the authentication traffic.

Enable the NPS role on a domain-joined server

The NPS server connects to Azure Active Directory and authenticates the MFA requests. Choose one server for this role. We recommend choosing a server that doesn’t handle requests from other services, because the NPS extension throws errors for any requests that aren’t RADIUS.

  1. On your server, open the Add Roles and Features Wizard from the Server Manager Quickstart menu.
  2. Choose Role-based or feature-based installation for your installation type.
  3. Select the Network Policy and Access Services server role. A window may pop up to inform you of required features to run this role.
  4. Continue through the wizard until the Confirmation page. Select Install.

Determine which authentication methods your users can use

There are two factors that affect which authentication methods are available with an NPS extension deployment:

  • The password encryption algorithm used between the RADIUS client (VPN, NetScaler server, or other) and the NPS servers.
    • PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code.
    • CHAPV2 and EAP support phone call and mobile app notification.
  • The input methods that the client application (VPN, NetScaler server, or other) can handle. For example, does the VPN client have some means to allow the user to type in a verification code from a text or mobile app?

When you deploy the NPS extension, use these factors to evaluate which methods are available for your users. If your RADIUS client supports PAP, but the client UX doesn’t have input fields for a verification code, then phone call and mobile app notification are the two supported options.

You can disable unsupported authentication methods in Azure.

Enable users for MFA

Before you deploy the full NPS extension, you need to enable MFA for the users that you want to perform two-step verification. More immediately, to test the extension as you deploy it, you need at least one test account that is fully registered for Multi-Factor Authentication.

Use these steps to get a test account started:

  1. Sign in to with a test account.
  2. Follow the prompts to set up a verification method.
  3. Either create a conditional access policy or change the user state to require two-step verification for the test account.

Your users also need to follow these steps to enroll before they can authenticate with the NPS extension.

Install the NPS extension

Download and install the NPS extension for Azure MFA

  1. Download the NPS Extension from the Microsoft Download Center.
  2. Copy the binary to the Network Policy Server you want to configure.
  3. Run setup.exe and follow the installation instructions. If you encounter errors, double-check that the two libraries from the prerequisite section were successfully installed.

Run the PowerShell script

The installer creates a PowerShell script in this location: C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive). This PowerShell script performs the following actions:

  • Create a self-signed certificate.
  • Associate the public key of the certificate to the service principal on Azure AD.
  • Store the cert in the local machine cert store.
  • Grant access to the certificate’s private key to Network User.
  • Restart the NPS.

Unless you want to use your own certificates (instead of the self-signed certificates that the PowerShell script generates), run the PowerShell Script to complete the installation. If you install the extension on multiple servers, each one should have its own certificate.

  1. Run Windows PowerShell as an administrator.
  2. Change directories.
    cd "C:\Program Files\Microsoft\AzureMfa\Config"
  3. Run the PowerShell script created by the installer.
  4. Sign in to Azure AD as an administrator.
  5. PowerShell prompts for your tenant ID. Use the Directory ID GUID that you copied from the Azure portal in the prerequisites section.
  6. PowerShell shows a success message when the script is finished.

Repeat these steps on any additional NPS servers that you want to set up for load balancing.


If you use your own certificates instead of generating certificates with the PowerShell script, make sure that they align to the NPS naming convention. The subject name must be CN=<TenantID>,OU=Microsoft NPS Extension.
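An added post-install check (my own script, not part of the original post or of Microsoft's installer script) that verifies what the installer's PowerShell script is supposed to leave behind: the NPS role and service, a LocalMachine\My certificate with the expected subject, its validity, and NETWORK SERVICE access to its private key. It assumes $TenantId is your Directory ID and that the key is a CAPI RSA key under MachineKeys; CNG keys are reported as uninspectable rather than guessed at.

```powershell
# Added verification script (not from the original post). Run as administrator on the NPS server.
param([Parameter(Mandatory)][string]$TenantId)   # your Azure AD Directory ID (assumption: passed in)

$problems = @()

# 1. NPS role present and the NPS service (service name IAS) running
if (-not (Get-WindowsFeature -Name NPAS).Installed) { $problems += 'NPAS role is not installed' }
$nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
if (-not $nps -or $nps.Status -ne 'Running') { $problems += 'NPS service (IAS) is not running' }

# 2. Certificate in LocalMachine\My with the subject the extension expects:
#    CN=<TenantID>,OU=Microsoft NPS Extension (Windows renders a space after the comma)
$pattern = "^CN=$([regex]::Escape($TenantId)),\s*OU=Microsoft NPS Extension$"
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern }
if (-not $certs) { $problems += "No certificate with subject CN=$TenantId,OU=Microsoft NPS Extension" }

foreach ($cert in $certs) {
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Cert $($cert.Thumbprint) expires $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey) { $problems += "Cert $($cert.Thumbprint) has no private key"; continue }

    # 3. NETWORK SERVICE must be able to read the private key. This lookup assumes a CAPI RSA key
    #    stored under ProgramData\Microsoft\Crypto\RSA\MachineKeys; CNG keys end up in the catch.
    try {
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
        $acl = Get-Acl -Path $keyFile
        $hasAccess = $acl.Access | Where-Object {
            $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
        }
        if (-not $hasAccess) { $problems += "NETWORK SERVICE lacks read access to key of $($cert.Thumbprint)" }
    } catch {
        $problems += "Could not inspect private key ACL for $($cert.Thumbprint): $_"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "NPS extension certificate and service checks passed for tenant $TenantId"
```

Run it on every NPS server in the farm, since each one is expected to carry its own certificate.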

Configure NPS for RADIUS Authentication

Open up the NPS console and add the new RADIUS client. Choose the SNIP source IP from the NetScaler that will be sending the request and generate a passphrase.

NOTE: NetScalers do not accept long shared secrets, so I truncated mine to 31 characters for use.

Then set up your Network Policy as Unspecified.

Make sure to configure your NAS Identifier.

Set up the Access Permission.

And configure your Authentication methods. MS-CHAP-v2 should be fine in this case, just

Now it’s time to set up our NetScaler. First, let’s set up a new RADIUS server; you can see our old one in there from before.

Make sure to change the timeout from the default to 10s, otherwise it will, well, time out.

And add in the NAS ID you set up earlier.

And make sure mschapv2 is set up.


Now let’s create our new RADIUS policy using the new RADIUS server.

And link it to our VPN virtual server.

Out with the old!

In with the new!

Time to test!

Let’s hit our NetScaler logon page (don’t mind the bad cert, it’s a lab :))

Ah, we got our Azure MFA prompt from my primary Azure AD method!

And confirming in the logs here that the request indeed came through the server.

