Hi All,
I've migrated a tenant, like for like.
As part of the tenant migration, we have MFA setup for NPS on our VPN client.
So I followed the following process:
- Ran the script AzureMfaNpsExtnConfigSetup.ps1 as described in this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#run-the-powershell-script
- Logged in with the new tenant global admin
- Entered the new Tenant ID
- Restarted NPS service
I then attempted to connect to the VPN with MFA and was let in.
However, there is an intermittent issue that occurs on some occasions for random users. A user attempts to connect to the VPN and isn't prompted for MFA, or the VPN times out.
When this happens, I've noticed the following in the event logs (I've obscured the tenant and CID guids):
NPS Extension for Azure MFA: CID: cid-guid-here : Access Rejected for user ******@domain.co.uk with Azure MFA response: AccessDenied and message: Caller tenant:'old-tenant-id-goes-here' does not have access permissions to do authentication for the user in tenant:'new-tenant-id-goes-here',,,
As you can see, the connection is still attempting to authenticate with the old tenancy, which has now been decommissioned and Azure AD Connect uninstalled.
In an attempt to resolve this I have:
- Upgraded/reinstalled the NPS extension
- Removed the old certificates from the server and Azure (Remove-MsolServicePrincipalCredential)
- Ensured the latest Windows updates are installed
- Ran the NPS health checker PowerShell script
- Temporarily disabled MFA
- Ensured the user has the correct license
- Ensured the user account is set up correctly with the correct password, MFA settings and UPN
- Checked sign-in logs in the old tenancy - none
The error I encounter is AccessDenied, and the following MFA NPS Extension error documentation suggests the UPN is incorrect - which it isn't. (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors#errors-your-users-may-encounter)
Has anyone come across this issue, and how did you resolve it?
Thanks,
Jonathan
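An added example, not part of the original post or of Microsoft's NPS extension tooling: a small PowerShell script that parses "Access Rejected" messages in the format quoted above, extracts the caller tenant and the user's tenant, and flags every event where the caller tenant is not the tenant you expect the server to use after migration. It also compares the configured tenant on the server with the expected one; the registry location HKLM:\SOFTWARE\Microsoft\AzureMfa and its TENANT_ID value are an assumption about where the setup script stores the tenant, so verify them on your own server. All GUIDs, user names and sample messages are constructed placeholders, and the function names are my own.

```powershell
# Parse one NPS Extension "Access Rejected" message into its parts.
function ConvertFrom-NpsMfaRejection {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $pattern = "Access Rejected for user (?<User>\S+) with Azure MFA response: (?<Response>\w+) and message: (?<Detail>.*)$"
        if ($Message -notmatch $pattern) { return }   # not a rejection event, skip it
        $result = [pscustomobject]@{
            User         = $Matches.User
            Response     = $Matches.Response
            CallerTenant = $null
            UserTenant   = $null
        }
        $detail = $Matches.Detail
        # The tenant-mismatch message names both the caller (server-side) tenant and the user's tenant.
        if ($detail -match "Caller tenant:'(?<Caller>[^']+)' .* in tenant:'(?<UserT>[^']+)'") {
            $result.CallerTenant = $Matches.Caller
            $result.UserTenant   = $Matches.UserT
        }
        $result
    }
}

# Report every rejection whose caller tenant differs from the tenant the server should be using.
function Find-NpsMfaTenantMismatch {
    param(
        [Parameter(Mandatory)][string[]]$Messages,
        [Parameter(Mandatory)][string]$ExpectedTenantId   # the NEW tenant ID
    )
    $Messages | ConvertFrom-NpsMfaRejection |
        Where-Object { $_.CallerTenant -and $_.CallerTenant -ne $ExpectedTenantId } |
        ForEach-Object {
            [pscustomobject]@{
                User        = $_.User
                StaleCaller = $_.CallerTenant   # tenant the server actually authenticated with
                UserTenant  = $_.UserTenant
                Expected    = $ExpectedTenantId
            }
        }
}

# Assumption: the setup script stores the tenant as TENANT_ID under HKLM:\SOFTWARE\Microsoft\AzureMfa.
# This only reads the value and compares it; it changes nothing.
function Test-NpsMfaTenantRegistry {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)
    $key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
    if (-not (Test-Path $key)) { return "Registry key $key not found (check the assumed location)" }
    $configured = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).TENANT_ID
    if ($configured -eq $ExpectedTenantId) { return "TENANT_ID matches the expected tenant" }
    return "TENANT_ID is '$configured', expected '$ExpectedTenantId'"
}

# Constructed sample events mirroring the quoted message format (placeholder GUIDs).
$oldTenant = '00000000-0000-0000-0000-00000000000a'
$newTenant = '00000000-0000-0000-0000-00000000000b'
$sample = @(
    "NPS Extension for Azure MFA: CID: 11111111-1111-1111-1111-111111111111 : Access Rejected for user alice@domain.co.uk with Azure MFA response: AccessDenied and message: Caller tenant:'$oldTenant' does not have access permissions to do authentication for the user in tenant:'$newTenant',,,",
    "NPS Extension for Azure MFA: CID: 22222222-2222-2222-2222-222222222222 : Access Rejected for user bob@domain.co.uk with Azure MFA response: AccessDenied and message: some other failure,,,"
)

# Only alice is reported: her event shows the server calling with the old tenant.
Find-NpsMfaTenantMismatch -Messages $sample -ExpectedTenantId $newTenant | Format-Table -AutoSize
Test-NpsMfaTenantRegistry -ExpectedTenantId $newTenant

# To run this over real events, replace $sample with the Message property of the events
# returned by Get-WinEvent from the log where your server records NPS extension entries.
```

The mismatch report tells you which users hit the stale tenant and when, which makes the intermittent cases easier to correlate with the server's configuration and with any cached state from the old tenancy; if the registry check reports the old tenant ID while the events show the new one, or the reverse, that points at the component still carrying the old value.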