Azure MFA NPS extension - Check that is using MFA

Kenneth Dalbjerg 1 Reputation point
2023-04-26T09:20:51.8+00:00

Hi We have an issue, where the extension registry settings have been deleted (AuthorizationDLLs/ExtensionDLLs, under HKLM\SYSTEN\CurrentControSet\Services\AuthSrv\Parameters), and therefor users could logon without using MFA.

We will like NPS to be setup, so that if it not using MFA it will deny a request.
We have try to setup a Conditions in NPS, to check if Authentication Type is extension.
But then MFA request, will be denied aswell.

Do anyone knows a solution, where we can deny request, if NPS is not using MFA Extension ?

Regards Kenneh Dalbjerg

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,939 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,414 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 44,221 Reputation points
    2023-04-27T14:58:53.83+00:00

    Hello there,

    You can't possible deny the request.

    Everyone using the NPS extension must be synced to Azure AD using Azure AD Connect, and must be registered for MFA. When you install the extension, you need the Tenant ID and admin credentials for your Azure AD tenant.

    When a request comes in from an IP address that exists in the IP_WHITELIST, two-step verification is skipped. The IP list is compared to the IP address that is provided in the ratNASIPAddress attribute of the RADIUS request. If a RADIUS request comes in without the ratNASIPAddress attribute, a warning is logged: "IP_WHITE_LIST_WARNING::IP Whitelist is being ignored as the source IP is missing in the RADIUS request NasIpAddress attribute

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.