Do you need to have single sign-on to set up MFA on Azure RADIUS VPN?

Mital Lakhani 0 Reputation points
2024-05-02T11:05:33.2166667+00:00

Do you need to have single sign-on to set up MFA on Azure RADIUS VPN? If not, how can you enable MFA for Azure VPN?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. Deepanshukatara-6769 8,060 Reputation points
    2024-05-02T11:23:27.6+00:00

    Hi Mital,

    Ans to first question-->

    No, you don't necessarily need single sign-on (SSO) to set up Multi-Factor Authentication (MFA) for Azure VPN using RADIUS authentication. SSO and MFA serve different purposes, although they can complement each other in enhancing security.

    MFA adds an extra layer of security to the authentication process by requiring users to provide additional verification beyond just a username and password. This additional verification could be in the form of a code sent to a mobile device, a biometric scan, or another factor.

    Single sign-on, on the other hand, allows users to authenticate once and gain access to multiple resources without being prompted to log in again. While SSO can simplify the user experience and reduce the number of login prompts, it's not a requirement for implementing MFA with Azure VPN using RADIUS authentication.

    Ans to second question-->

    Here are the steps:

    1. Open the Azure VPN - Properties page and configure sign-in settings.
    2. Set “Enabled for users to sign-in?” to “Yes”.
    3. Set “User assignment required?” to “Yes” if you want to limit sign-in to only users that have permissions to the Azure VPN.
    4. Save your changes.

    Please check this MS doc for details and snapshots: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa

    Once you have enabled two-step verification, you will receive a security code to your email, phone, or authenticator app every time you sign in on a device that isn’t trusted.

    This will help increase the security of your VPN login.

    I hope this helps! Let me know if you have any other questions.

    Kindly accept if it helps

    Thanks

    Deepanshu


  2. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2024-05-06T15:24:37.0333333+00:00

    Hello @Mital Lakhani ,

    I understand that you would like to know if you need to have SSO to set up MFA on Azure RADIUS VPN and if not, how to enable MFA for Azure VPN.

    As mentioned in the below document,

    To enable MFA, the users must be in Microsoft Entra ID, which must be synced from either the on-premises or cloud environment. Also, the user must have already completed the auto-enrollment process for MFA. For more information, see Set up my account for two-step verification

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-radius-mfa-nsp#prerequisite

    And you need to configure the RADIUS server for Microsoft Entra multifactor authentication (MFA).

    NPS (Network Policy Server) is the Microsoft implementation of the RADIUS standard specified by the Internet Engineering Task Force (IETF) in RFCs 2865 and 2866.

    So, if you are using NPS as your RADIUS server, then you need to install the NPS extension for Microsoft Entra multifactor authentication on the NPS server.

    Before you deploy and use the NPS extension, users that are required to perform Microsoft Entra multifactor authentication need to be registered for MFA. To test the extension as you deploy it, you also need at least one test account that is fully registered for Microsoft Entra multifactor authentication.

    NOTE: The NPS Extension for Microsoft Entra multifactor authentication is available to customers with licenses for Microsoft Entra multifactor authentication (included with Microsoft Entra ID P1 and Premium P2 or Enterprise Mobility + Security). Consumption-based licenses for Microsoft Entra multifactor authentication, such as per user or per authentication licenses, aren't compatible with the NPS extension.

    You can refer to the below document for the complete process:

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension

    Configuration limitations that you may need to consider:

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#configuration-limitations

    Additional documentation that you may refer to for more information:

    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

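A pre-deployment check for the prerequisite in the second answer (users must already be registered for MFA before the NPS extension is enabled), as an added example that is not part of the thread or of Microsoft's documentation. It uses Microsoft Graph PowerShell cmdlets; the `GroupId` parameter, the list of method types treated as usable, and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: list VPN users who have no usable MFA method registered.
# Assumption: these method types count as usable for a RADIUS second factor.
# Confirm against the NPS extension configuration limitations for your protocol.
$UsableTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'
)

function Test-MfaRegistered {
    # Pure check: $true when at least one registered method type is usable.
    param([string[]]$MethodTypes)
    return [bool]($MethodTypes | Where-Object { $UsableTypes -contains $_ })
}

function Get-UnregisteredVpnUser {
    # Live path. Needs the Microsoft.Graph module and a prior:
    #   Connect-MgGraph -Scopes 'GroupMember.Read.All','UserAuthenticationMethod.Read.All'
    param([Parameter(Mandatory)][string]$GroupId)   # hypothetical VPN users group
    $users = Get-MgGroupMember -GroupId $GroupId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
    foreach ($user in $users) {   # nested groups and devices were filtered out above
        $types = Get-MgUserAuthenticationMethod -UserId $user.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        if (-not (Test-MfaRegistered -MethodTypes $types)) {
            [pscustomobject]@{
                UserPrincipalName = $user.AdditionalProperties['userPrincipalName']
                Methods           = $types -join ', '
            }
        }
    }
}

# Offline demonstration on constructed data (no tenant required).
$sample = @{
    'alice@contoso.example' = @('#microsoft.graph.passwordAuthenticationMethod',
                                '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
    'bob@contoso.example'   = @('#microsoft.graph.passwordAuthenticationMethod')
    'carol@contoso.example' = @('#microsoft.graph.passwordAuthenticationMethod',
                                '#microsoft.graph.emailAuthenticationMethod')
}
foreach ($upn in ($sample.Keys | Sort-Object)) {
    '{0,-24} registered={1}' -f $upn, (Test-MfaRegistered -MethodTypes $sample[$upn])
}
```

Accounts returned by `Get-UnregisteredVpnUser` would fail the second factor once the extension is active, so register them first or keep them out of the NPS policy scope until they are.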