Migrated Tenancy and MFA NPS Extension intermittently fails

Jonathan / Spud 56 Reputation points
2022-10-10T20:59:42.92+00:00

Hi All,

I've migrated a tenant, like for like.

As part of the tenant migration, we have MFA setup for NPS on our VPN client.

So I followed the following process:

  1. Ran the script, AzureMfaNpsExtnConfigSetup.ps1 as followed in this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#run-the-powershell-script
  2. Logged in with the new tenant global admin
  3. Entered the new Tenant ID
  4. Restarted NPS service

I then attempted to connect to the VPN with MFA and was let in.

However, there is an intermittent issue that occurs on some occasions for random users. A user attempts to connect to the VPN and isn't prompted for MFA, or the VPN times out.

When this happens, I've noticed the following in the event logs (I've obscured the tenant and CID guids):

NPS Extension for Azure MFA: CID: cid-guid-here : Access Rejected for user ******@domain.co.uk with Azure MFA response: AccessDenied and message: Caller tenant:'old-tenant-id-goes-here' does not have access permissions to do authentication for the user in tenant:'new-tenant-id-goes-here',,,  

As you can see, the connection is still attempting to authenticate with the old tenancy, which has now been decommissioned and Azure AD Connect uninstalled.

In an attempt to resolve I have:

  1. Upgraded/reinstalled the NPS extension
  2. Removed the old certificates from the server and Azure (Remove-MsolServicePrincipalCredential)
  3. Ensured the latest Windows updates are installed
  4. Ran the NPS health checker PowerShell script
  5. Temporarily disabled MFA
  6. Ensured the user has the correct license
  7. Ensured the user account is set up correctly with the correct password, MFA settings and UPN
  8. Checked sign-in logs in the old tenancy - none

The error I encounter is AccessDenied and the following MFA NPS Extension error suggests the UPN is incorrect - which it isn't. (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors#errors-your-users-may-encounter)

Has anyone come across this issue, and how did you resolve it?

Thanks,

Jonathan


Accepted answer
  1. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2022-10-11T10:31:06.953+00:00

    Hello @Jonathan / Spud ,

    Thanks for posting your query on the Microsoft Q&A platform. From the description I could understand that the issue is happening intermittently. Since the NPS extension connects to both your on-premises and cloud directories, you might encounter an issue where your on-premises user principal names (UPNs) don't match the names in the cloud. To solve this problem, use alternate login IDs.

    To configure alternate login IDs, go to HKLM\SOFTWARE\Microsoft\AzureMfa and edit the registry values as per: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced#alternate-login-id

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
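As an added diagnostic (not code from this thread or from Microsoft), the PowerShell below compares the tenant the extension is configured for with the caller tenant named in recent rejection events like the one quoted in the question, and prints the alternate login ID settings the answer points to. It assumes the registry value names TENANT_ID, LDAP_ALTERNATE_LOGINID_ATTRIBUTE, LDAP_FORCE_GLOBAL_CATALOG and LDAP_LOOKUP_FORESTS under HKLM\SOFTWARE\Microsoft\AzureMfa (documented in the linked advanced-configuration article) and the event channel name Microsoft-AzureMfa-AuthZ/AuthZAdminCh; adjust the channel if your rejections are logged elsewhere.

```powershell
# Added diagnostic, not from this thread or the NPS extension. Assumes the registry
# value names listed below (see the linked advanced-configuration article) and the
# channel name Microsoft-AzureMfa-AuthZ/AuthZAdminCh for the extension's AuthZ log.
param(
    [Parameter(Mandatory)][string]$ExpectedTenantId   # GUID of the NEW tenant
)

$key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$cfg = Get-ItemProperty -Path $key -ErrorAction Stop

# 1. Is the extension configured for the tenant we expect?
if ($cfg.TENANT_ID -ne $ExpectedTenantId) {
    Write-Warning "TENANT_ID is '$($cfg.TENANT_ID)', expected '$ExpectedTenantId'"
} else {
    Write-Host "TENANT_ID matches the expected tenant."
}

# 2. Alternate login ID settings from the accepted answer (unset = plain UPN lookup)
foreach ($name in 'LDAP_ALTERNATE_LOGINID_ATTRIBUTE','LDAP_FORCE_GLOBAL_CATALOG','LDAP_LOOKUP_FORESTS') {
    $prop  = $cfg.PSObject.Properties[$name]
    $value = if ($prop) { $prop.Value } else { '<not set>' }
    Write-Host ('{0,-34} = {1}' -f $name, $value)
}

# 3. Which tenant did recent rejections actually present as the caller?
$pattern = "Caller tenant:'(?<caller>[^']+)' does not have access permissions " +
           "to do authentication for the user in tenant:'(?<user>[^']+)'"
$events  = Get-WinEvent -LogName 'Microsoft-AzureMfa-AuthZ/AuthZAdminCh' -MaxEvents 1000 `
           -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $pattern)
    if ($m.Success) {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            CallerTenant = $m.Groups['caller'].Value
            UserTenant   = $m.Groups['user'].Value
        }
    }
}

if (-not $hits) { Write-Host 'No "Caller tenant" rejections found in the log.'; return }
# A caller tenant other than the expected one means some request path is still
# using the old tenant's credentials (e.g. a stale certificate or registry value).
$hits | Group-Object CallerTenant | ForEach-Object {
    $state = if ($_.Name -eq $ExpectedTenantId) { 'ok' } else { 'STALE TENANT' }
    '{0,5} rejection(s) with caller tenant {1} [{2}], latest {3}' -f `
        $_.Count, $_.Name, $state, ($_.Group | Sort-Object Time -Descending)[0].Time
}
```

Run it in an elevated PowerShell on the NPS server with the new tenant's GUID; a STALE TENANT line alongside a correct TENANT_ID points at leftover old-tenant credentials rather than a UPN mismatch.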
