Conditional Access ignored with Azure MFA NPS Extension

Bosland, Stefan 25 Reputation points
2023-04-04T08:23:32.2733333+00:00
  1. It seems like the Condtional Access policy is ignored when a user is authenticated by the Azure NPS extension with RD Gateway, the user is getting always a MFA prompt also when a policy is set bypass to some users.
  2. With the on premise MFA server it was possible to set "Caching rules" which can bypass multiple authentication requests in set time, how to do this with Azure MFA?

Thanks in advance for support

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,767 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 34,546 Reputation points Microsoft Employee
    2023-04-05T01:04:08.9266667+00:00

    Hi @Bosland, Stefan ,

    Thanks for your post! The NPS Extension doesn't look at or interact with Conditional Access policies. All the NPS Extension does is look to make sure the User has strong Authentication methods configured (Registered) and prompt the user. It doesn't check to see if you have a Conditional Access policy setup.

    The purpose of the NPS extension is to give the NPS server the ability to perform 2FA. Conditional Access policies will be triggered for authorization and if the user falls into a policy that requires MFA and has already logged into their vpn and performed MFA through the NPS extension, then MFA will be skipped in the Conditional Access policy and be marked as satisfied by the token (assuming MFA was passed). NPS is simply stating whether or not MFA was passed. Conditional Access policies trigger based on companies' setups and only then will the results of the 2FA from the NPS extension (if performed) be applicable.

    Because of this, Conditional Access does not apply in a traditional way for connections made through NPS, as NPS extension just checks to make sure the user is registered for MFA and then sends the prompt.

    There have been some feature requests raised to change this behavior, but this is how the NPS Extension is designed. It is not a cloud app but is an on-prem application that uses our APIs to use Azure MFA.

    If you want to bypass MFA for non-admins and those users are using VPNs, then this change will happen in the NPS network policy settings and if this is a requirement for admins, then this will also be determined by the network policies in place within the NPS.

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful