Network Policy Server: the "Ignore user account dial-in properties" setting is not working
We have Azure AD Domain Services (cloud) in Azure. Our subscription includes Azure AD Premium P1 and Enterprise Mobility + Security. I want to integrate our VPN infrastructure with Azure AD MFA by using the Network Policy Server extension for Azure: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
I have configured a new VM (Windows Server 2019 Datacenter) in Azure and joined it to the Azure AD domain. The NPS server is registered in Active Directory.
I configured Network Policy Server using the guide. All users are members of the necessary VPN group.
But users are not able to log in to the NPS server; all users get the same error:
The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Screenshots of the NPS and user Dial-in properties settings are below. Any ideas or recommendations on what to check? I have asked Google and ChatGPT, with no results.
Sergei Golov 0 Reputation points
2023-07-06T13:07:25.5666667+00:00
I have found a solution. I changed the NPS Network Policies setting "Type of network access server" from Remote Access Server to Unspecified.
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
2023-07-10T05:36:00.35+00:00
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue: users are not able to log in to the NPS server; all users get the same error:
The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Solution: you changed the NPS Network Policies setting "Type of network access server" from Remote Access Server to Unspecified.
If you have any other questions or are still running into more issues, please let me know.
Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution. Thanks,
Akshay Kaushik