Azure MFA NPS extension - Check that it is using MFA

Kenneth Dalbjerg 1 Reputation point

Hi, we have an issue where the extension registry settings have been deleted (AuthorizationDLLs/ExtensionDLLs under HKLM\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters), and therefore users could log on without using MFA.

We would like NPS to be set up so that if it is not using MFA it will deny a request.
We have tried to set up a condition in NPS to check if the Authentication Type is "Extension".
But then MFA requests will be denied as well.

Does anyone know a solution where we can deny requests if NPS is not using the MFA extension?

Regards, Kenneth Dalbjerg
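An added check for the failure described in the question (this script is not from the question or the answer): it reads the AuthSrv Parameters key and exits non-zero when AuthorizationDLLs or ExtensionDLLs no longer reference the extension DLL, so a scheduled task or monitoring agent can alert on the tampering. The DLL name fragment `AzureMfa` is an assumption; replace it with the DLL path recorded by your own installation.

```powershell
# Added example (not from the original question or answer): verify that the Azure MFA
# NPS extension is still registered with NPS. The question describes the case where the
# AuthorizationDLLs/ExtensionDLLs values were deleted and RADIUS requests passed without MFA.
param(
    # Assumed fragment of the extension DLL path; adjust to your installation.
    [string]$ExpectedDllPattern = 'AzureMfa'
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'

function Test-NpsMfaExtensionRegistered {
    param([string]$KeyPath, [string]$Pattern)

    $problems = @()
    foreach ($valueName in 'AuthorizationDLLs', 'ExtensionDLLs') {
        # Returns nothing (non-terminating error suppressed) if the key or value is absent.
        $item = Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $problems += "$valueName is missing under $KeyPath"
            continue
        }
        # Both values are REG_MULTI_SZ; PowerShell exposes them as string arrays.
        $dlls = @($item.$valueName) | Where-Object { $_ -and $_.Trim() }
        if (-not ($dlls | Where-Object { $_ -like "*$Pattern*" })) {
            $problems += "$valueName does not reference '$Pattern' (current: $($dlls -join '; '))"
        }
    }
    return $problems
}

$findings = @(Test-NpsMfaExtensionRegistered -KeyPath $key -Pattern $ExpectedDllPattern)
if ($findings.Count -eq 0) {
    Write-Output 'OK: NPS extension DLL is registered in AuthorizationDLLs and ExtensionDLLs.'
    exit 0
}
foreach ($f in $findings) { Write-Warning $f }
# Non-zero exit so a scheduled task or monitoring agent can raise an alert: with the
# extension unregistered, NPS answers RADIUS requests without the MFA step.
exit 2
```

Run it under a scheduled task on each NPS server (the Parameters key is readable by an ordinary account) and alert on exit code 2.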


1 answer

  1. Limitless Technology 43,216 Reputation points

    Hello there,

    You can't possibly deny the request.

    Everyone using the NPS extension must be synced to Azure AD using Azure AD Connect, and must be registered for MFA. When you install the extension, you need the Tenant ID and admin credentials for your Azure AD tenant.

    When a request comes in from an IP address that exists in the IP_WHITELIST, two-step verification is skipped. The IP list is compared to the IP address that is provided in the ratNASIPAddress attribute of the RADIUS request. If a RADIUS request comes in without the ratNASIPAddress attribute, a warning is logged: "IP_WHITE_LIST_WARNING::IP Whitelist is being ignored as the source IP is missing in the RADIUS request NasIpAddress attribute"

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
