MFA with Azure P2S VPN or RDS Connection

The Azure VPN Gateway can be integrated with NPS and Azure Active Directory to create a low-cost MFA login system for client P2S VPNs. A similar NPS setup can be used to secure RDS connectivity; those RDS services do not have to be hosted in Azure.

Each user is required to sign in first so that they can set up MFA to send an approval message to their mobile device (email and PIN-code methods do not work for this type of RADIUS deployment). The P2S VPN supports Windows, and now also Mac, when configured to use RADIUS authentication.

Basic Architecture

Components Needed

• vNET
• vNET Gateway (any SKU but Basic)
• Active Directory Domain
• NPS Server
    ○ Windows Server 2016 with the NPS role installed
• Azure AD with the domain name registered
    ○ Users should be synced from the Active Directory domain
    ○ Multi-factor user licences must be assigned to the users in Azure AD


Create the base environment in Azure.

In the P2S properties of the gateway, the VPN client authentication should be configured to use RADIUS authentication. Provide the server IP of the RADIUS server and a shared secret; the same secret will also need to be set up on the NPS server.

P2S Settings

In Active Directory create a user group named VPNUsers and add the required users to this group. Configure AD Connect to sync the users to the directory. It is important that the custom domain of the internal domain is registered in Azure AD.

Once the NPS role has been installed, run the "RADIUS server for Wireless or Wired Connections" wizard, selecting the AD group as the users who can authenticate.

The NPS extension for Azure MFA links the NPS server to Azure AD and does the magic redirect when the user logs in. Detailed setup steps can be found here:
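The gateway, AD group and NPS steps above, scripted as an added example (this is not the original post's code). It assumes a resource group rg-vpn, a gateway vnet-gw-p2s, an NPS server at 10.0.1.4, a GatewaySubnet of 10.0.255.0/27 (the range the gateway's RADIUS requests originate from) and a client pool of 172.16.0.0/24; change these to match your environment. The first region runs from an admin workstation with the Az.Network module; the second runs on the NPS server itself. Installing the NPS extension for Azure MFA is a separate step that this script does not cover.

```powershell
# Added example: wire an Azure P2S gateway to an NPS RADIUS server and prepare
# the AD group and NPS RADIUS client. All names and addresses below are assumptions.

#region --- Azure side: point the gateway at the RADIUS (NPS) server ---
$rgName        = 'rg-vpn'            # assumption
$gwName        = 'vnet-gw-p2s'       # assumption
$npsIp         = '10.0.1.4'          # assumption: private IP of the NPS server inside the vNET
$gatewaySubnet = '10.0.255.0/27'     # assumption: GatewaySubnet range, source of RADIUS requests
$clientPool    = '172.16.0.0/24'     # assumption: P2S client pool, must not overlap the vNET
$vpnGroup      = 'VPNUsers'          # group name used on the page

Connect-AzAccount | Out-Null
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName

# The Basic SKU does not support RADIUS authentication for P2S, so fail early.
if ($gw.Sku.Name -eq 'Basic') {
    throw "Gateway '$gwName' uses the Basic SKU, which cannot use RADIUS authentication."
}

# Generate a long random shared secret once; the identical value is used on NPS.
$secretBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$sharedSecret = [Convert]::ToBase64String($secretBytes)
$secureSecret = ConvertTo-SecureString $sharedSecret -AsPlainText -Force

# Switch the P2S configuration to RADIUS, handing it the NPS address and the secret.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $clientPool `
    -RadiusServerAddress $npsIp `
    -RadiusServerSecret $secureSecret | Out-Null

# Confirm the gateway now carries the RADIUS server address before moving on.
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName
if ($gw.VpnClientConfiguration.RadiusServerAddress -ne $npsIp) {
    throw 'RADIUS server address was not applied to the gateway.'
}
#endregion

#region --- NPS side (run on the NPS server, which must be domain joined) ---
Import-Module ActiveDirectory

# Group that the NPS network policy grants VPN access to; create it only if missing.
if (-not (Get-ADGroup -Filter "Name -eq '$vpnGroup'")) {
    New-ADGroup -Name $vpnGroup -GroupScope Global -GroupCategory Security
}
# Sample members (assumption); only accounts that are synced to Azure AD and hold an
# MFA licence will complete the second factor.
Add-ADGroupMember -Identity $vpnGroup -Members 'alice', 'bob'

# Register the gateway as a RADIUS client using the same shared secret. Requests arrive
# from the GatewaySubnet, so that range, not the client pool, is the client address.
netsh nps add client name="AzureP2SGateway" address="$gatewaySubnet" `
    sharedsecret="$sharedSecret" state="ENABLE"

# Show the registered RADIUS clients so the address and state can be eyeballed.
netsh nps show client
#endregion
```

The shared secret is generated once and reused on both sides in the same session; in practice hand it to the NPS server through a secrets store rather than pasting it into a second script. The network policy that restricts authentication to the VPNUsers group is still created by the NPS wizard described above; this script only prepares the group and the RADIUS client entry it relies on.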

Once the user authenticates to the VPN, an MFA authentication request is sent to the user's phone or email to verify the connection.