Network Policy Server (NPS) infrastructure with Microsoft Entra multifactor authentication Script is failing on me

John Emanuel 0 Reputation points
2025-03-24T20:16:43.53+00:00

We use an RDP gateway that uses MFA. It stopped working this morning and I've been trying to track down the cause of it. Looks to be an expired certificate between our NPS server and an Azure Enterprise app.

I've been through a rabbit hole of this, https://baswijdenes.com/fix-the-request-was-discarded-by-a-third-party-extension-dll-file/ I couldn't get connect-msolservice to work, I'm guessing because that got deprecated, and I realized the updated version of the script below uses msgraph and not msol.

So I was looking at Microsoft's doc on this, https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#run-the-powershell-script and it says to just run the script. And I ran that, but I'm erroring out after the certificate gets created:

Update-MgServicePrincipal : The request is currently not supported on the targeted entity set
Status: 400 (BadRequest)
ErrorCode: BadRequest
Date: 2025-03-24T18:15:06
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
client-request-id : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"East US 2","Slice":"E","Ring":"5","ScaleUnit":"005","RoleInstance":"BN2PEPF00003681"}}
Date : Mon, 24 Mar 2025 18:15:05 GMT
At C:\Program Files\Microsoft\AzureMfa\config\AzureMfaNpsExtnConfigSetup.ps1:80 char:1
+ Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -Ke ...
    + CategoryInfo          : InvalidOperation: ({ ServicePrinci...vicePrincipal }:<>f__AnonymousType2`3) [Update-MgServicePrincipal_UpdateExpanded], Exception
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgServicePrincipal_UpdateExpanded

cleanUpAndErrorOut : Configuration Script exiting with error:
At C:\Program Files\Microsoft\AzureMfa\config\AzureMfaNpsExtnConfigSetup.ps1:81 char:1
+ cleanUpAndErrorOut $errorMsg $certX509[0].Thumbprint
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,cleanUpAndErrorOut


Looking through the doc more, there's this troubleshooting step:

How to fix the error "Service principal was not found" while running AzureMfaNpsExtnConfigSetup.ps1 script?

   If for any reason the "Azure Multi-factor Auth Client" service principal was not created in the tenant, it can be manually created by running PowerShell.  

Connect-MgGraph -Scopes 'Application.ReadWrite.All'
New-MgServicePrincipal -AppId 00001111-aaaa-2222-bbbb-3333cccc4444 -DisplayName "Azure Multi-Factor Auth Client"

but when I run that it errors out telling me

New-MgServicePrincipal : The appId '00001111-aaaa-2222-bbbb-3333cccc4444' of the service principal does not reference a valid application object.

Status: 400 (BadRequest)

I looked in my Azure Enterprise Applications and I do have an Azure Multi-Factor Auth Client, but the Application ID is "981f26a1-7f43-403b-a875-f8b09b8cd720" and I can't modify/remove/recreate it because it says it's a Microsoft first party application. I'm kind of stuck as to how to get this script to work correctly; any ideas?

1 answer

  1. Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
    2025-03-26T06:07:10.0766667+00:00

    Hello John Emanuel

    From your description, I understand that you’re experiencing issues while renewing the certificate between the NPS server and an Azure Enterprise app using PowerShell.

    Below are the steps to renew the certificate between the NPS server and an Azure Enterprise app using PowerShell:
    1. Correctly encode the certificate.
    2. Properly convert it into a KeyCredential object.
    3. Pass it correctly to the Update-MgServicePrincipal command.

    Step 1: Read the Certificate as a Byte Array
    Since you’ve already exported the certificate as a .cer file, let's make sure it's correctly encoded and converted to a Byte[].

    Run the following commands:

    First, define the certificate path:
    $certPath = "C:\Program Files\Microsoft\AzureMfa\Config\AzureMFACert.cer"

    Read the certificate bytes:
    $certBytes = [System.IO.File]::ReadAllBytes($certPath)

    This converts the certificate to a byte array, which is required for the KeyCredential object.

    Step 2: Convert the Certificate into a KeyCredential Object
    You need to create a KeyCredential object using the Microsoft.Graph.PowerShell.Models.MicrosoftGraphKeyCredential class.

    Create the key credential object:

    $keyCredential = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphKeyCredential
    $keyCredential.Type = "AsymmetricX509Cert"
    $keyCredential.Usage = "Verify"
    $keyCredential.Key = $certBytes
    $keyCredential.DisplayName = "Azure MFA Cert"

    This ensures that the certificate is being processed as an object and not a string or hashtable.

    Step 3: Add the Certificate to the Existing Service Principal
    Now update the existing service principal with the correct Object ID:

    Use the Id from your earlier Get-MgServicePrincipal output (8c5b878b-e177-4645-ba14-f2a3809275da) as <ObjectId>:

    Update-MgServicePrincipal -ServicePrincipalId "<ObjectId>" -KeyCredentials @($keyCredential)

    If successful, the command will complete without any output; this is normal behavior for the Update-MgServicePrincipal command.

    Step 4: Verify the Certificate Binding
    Confirm that the certificate is correctly attached to the service principal:

    Get-MgServicePrincipal -ServicePrincipalId "<ObjectId>" | Select-Object DisplayName, KeyCredentials

    You should see the new key listed under KeyCredentials.

    Step 5: Restart NPS to Apply the Changes
    Finally, restart the NPS service (its service name is IAS; "Network Policy Server" is only the display name):

    Restart-Service -Name "IAS"

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-rdg

    After performing the above steps, you are able to see the certificate shown as Current, with its expiry date, in the Azure portal.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment"
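As an added example (not the answer's steps verbatim and not Microsoft's AzureMfaNpsExtnConfigSetup.ps1), the following PowerShell carries the renewal through end to end: it resolves the service principal by the AppId the asker saw in the portal rather than a pasted Object ID, fills in the key's thumbprint and validity window so the portal shows a real expiry, keeps still-valid credentials instead of overwriting the whole keyCredentials collection, and verifies the binding by thumbprint before restarting NPS. Assumed: the Microsoft.Graph.Applications module is installed and $certPath is the .cer the setup script exported (DER or Base64 both load via X509Certificate2).

```powershell
# Added example, not the answer's or the official script's code.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

$appId    = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure Multi-Factor Auth Client, as listed in the portal
$certPath = 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMFACert.cer'   # assumed export path

# Look the service principal up by AppId so no Object ID has to be copied by hand.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal for appId $appId in this tenant." }

# Load the certificate object: gives DER bytes, thumbprint and validity regardless of file encoding.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $($cert.Thumbprint) is already expired." }

$newKey = New-Object Microsoft.Graph.PowerShell.Models.MicrosoftGraphKeyCredential
$newKey.Type                = 'AsymmetricX509Cert'
$newKey.Usage               = 'Verify'
$newKey.Key                 = $cert.GetRawCertData()   # DER bytes (ReadAllBytes only matches this for a DER .cer)
$newKey.CustomKeyIdentifier = $cert.GetCertHash()      # SHA-1 thumbprint bytes, what the portal displays
$newKey.DisplayName         = "NPS MFA $env:COMPUTERNAME"
$newKey.StartDateTime       = $cert.NotBefore.ToUniversalTime()
$newKey.EndDateTime         = $cert.NotAfter.ToUniversalTime()

# PATCHing keyCredentials replaces the collection, so carry over entries that are still
# valid (they are sent back with their KeyId) and drop the expired one that broke the gateway.
$now  = (Get-Date).ToUniversalTime()
$keep = @($sp.KeyCredentials | Where-Object { $_.EndDateTime -gt $now })
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials ($keep + $newKey)

# Verify by thumbprint, not display name, before touching the NPS service.
$after = Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property KeyCredentials
$bound = $after.KeyCredentials | Where-Object {
    $_.CustomKeyIdentifier -and
    (([BitConverter]::ToString($_.CustomKeyIdentifier)) -replace '-', '') -eq $cert.Thumbprint
}
if (-not $bound) { throw 'New certificate is not on the service principal; do not restart NPS yet.' }
"Bound thumbprint $($cert.Thumbprint), valid until $($bound.EndDateTime)"

# The extension reads its client certificate from the local machine store, so the restart
# only helps once the tenant side above succeeded. The NPS service name is IAS.
Restart-Service -Name IAS
```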

