Azure MFA NPS Extension not working

Phil Webb 6 Reputation points
2024-09-20T10:37:17.73+00:00

I've recently installed the Azure MFA NPS Extension on Server 2022 with the NPS role installed. I've tried sending test RADIUS authentication requests to the server, but they are failing.

In the AuthZ log I'm seeing Event ID 1 saying (domain obfuscated for privacy):

NPS Extension for Azure MFA: CID: 32e83cbf-484d-49aa-9adb-71528f5eb94d : Challenge requested in Authentication Ext for User ******@domain.com with state 300c9d6c-7734-4165-83d3-212e73aee286

But nothing further to say it's succeeded or failed. There is an NPS event for the extension DLL having denied the request.

In the Azure sign in logs for the user I'm seeing sign in events that are very confusing as they initially seem to indicate success, but also say Succeeded False.


No authentication prompt is ever received on the Authenticator app on Android for this test user.

Can anyone shed any light on what might be wrong here please?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Raja Pothuraju 23,790 Reputation points Microsoft External Staff Moderator
    2024-09-26T00:05:14.3666667+00:00

    Hello @Phil Webb,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems that after completing the RADIUS request on the NPS server, the user is failing the second factor authentication. As you mentioned, the user is not receiving any MFA prompt on their Microsoft Authenticator app. Upon reviewing the AuthZOptCh event log on the NPS Extension server, you found the following event: "NPS Extension for Azure MFA: CID: 32e83cbf-484d-49aa-9adb-71528f5eb94d : Challenge requested in Authentication Ext for User ******@domain.com with state 300c9d6c-7734-4165-83d3-212e73aee286."

    To resolve this issue, we need to determine which RADIUS protocol your organization is using.

    Please check the registry key on your NPS server at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa. Look for the string value "OVERRIDE_NUMBER_MATCHING_WITH_OTP" and verify if it’s set to TRUE or FALSE. If it’s set to TRUE, it indicates that TOTP (Time-Based One-Time Password) is enabled. If it’s set to FALSE, the legacy push notifications (Approve/Deny) are being used.

    To adjust this setting:

    1. On the NPS server, open the Registry Editor.
    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
    3. Add a String Value called "OVERRIDE_NUMBER_MATCHING_WITH_OTP".
    4. Set the value to either:
      • TRUE (to enable OTP) or
      • FALSE (to revert to legacy notifications like Approve/Deny).
    5. Restart the NPS service.

    Note: The NPS service must be restarted for the changes to take effect.

    If the string value is set to TRUE but the user is not registered for TOTP authentication, this can cause the issue you're experiencing. Ensure that the user is registered with the OTP authentication method. Additionally, check which RADIUS protocol is being used. OTP only works with the PAP protocol, as CHAPv2 and EAP do not support the OTP method. If PAP is not an option, you can set OVERRIDE_NUMBER_MATCHING_WITH_OTP to FALSE to revert to the Approve/Deny push notification method.

    Please refer the below documents for more information:

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-errors#troubleshooting-steps-for-common-errors

    https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match#nps-extension

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#determine-which-authentication-methods-your-users-can-use

    If you're still stuck on this, feel free to send me an email at AzCommunity@microsoft.com referencing this issue with the subject line "ATTN:pothurajur" and include a link to the current thread.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

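The registry check, value change and service restart described in the answer above can be done from an elevated PowerShell session on the NPS Extension server. The following is an added example written for this page, not code from the thread or from Microsoft; it assumes the NPS service name is IAS (the service behind "Network Policy Server") and that the extension's AuthZOptCh events are in the Microsoft-AzureMfa-AuthZ/AuthZOptCh channel, so adjust those names if your server differs. The function and variable names are the author's own.

```powershell
# Added example, not from the original thread. Run as Administrator on the
# NPS server that has the Azure MFA NPS Extension installed.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

function Get-NpsOtpOverride {
    # Returns 'TRUE', 'FALSE' or $null when the value has not been created.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ($item.$ValueName).ToString().Trim().ToUpper()
}

function Set-NpsOtpOverride {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TRUE', 'FALSE')]
        [string]$Mode
    )
    if (-not (Test-Path $KeyPath)) {
        throw "$KeyPath not found. Is the NPS Extension installed on this server?"
    }
    # The extension reads a REG_SZ (String) value, so create it as one.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Mode `
        -PropertyType String -Force | Out-Null

    # NPS must be restarted before the extension picks up the change.
    # Assumption: the NPS service name is IAS.
    Restart-Service -Name IAS
    Get-Service -Name IAS | Select-Object Name, Status
}

function Get-NpsExtensionRecentEvents {
    param([int]$Count = 20)
    # Assumption: this is the channel name behind
    # Applications and Services Logs > Microsoft > AzureMfa > AuthZ > AuthZOptCh.
    Get-WinEvent -LogName 'Microsoft-AzureMfa-AuthZ/AuthZOptCh' -MaxEvents $Count |
        Select-Object TimeCreated, Id, Message
}

# 1. Report which second-factor mode the extension is configured for.
$current = Get-NpsOtpOverride
switch ($current) {
    'TRUE'  { 'OTP (TOTP) mode: the RADIUS client must use PAP and the user needs a registered TOTP method.' }
    'FALSE' { 'Legacy Approve/Deny push notifications.' }
    default { "Value not set; the extension's default behaviour applies." }
}

# 2. Show the latest extension events so a "Challenge requested" with no
#    follow-up can be spotted.
Get-NpsExtensionRecentEvents -Count 10

# 3. If PAP is not an option for the RADIUS client, revert to push:
# Set-NpsOtpOverride -Mode FALSE
```

Leave step 3 commented out until you have confirmed which RADIUS protocol the client sends; switching to push notifications changes the second factor for every user authenticating through this NPS server, not just the test account.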
