Windows Remote Dial-in VPN with RADIUS to Azure AD

Question

Hi,

We are fully 365 with devices connected to AAD. We have some hosted Server 2019 servers that are not currently AAD joined but I am looking to stand up a remote dial in VPN on them, as the firewall in the hosted environment has many site-to-site VPNs to our customer sites.

So the process would be: staff connect to this VPN, and from there they can get directly to customer devices.

If I AAD join these hosted servers, can I install NPS for RADIUS on one, and then Remote Access on another, and have the VPN use the RADIUS server, which is backed by AAD? Do I need a special subscription for AAD to be used like this?

I've done some googling but this specific setup doesn't yield many examples.

Thanks

Answer 1

There is an NPS extension for Azure AD, you must install it on a domain joined server and the server must have access to a few Microsoft endpoints, but those are the only requirements.
Some references for you:

1. RADIUS authentication with Azure AD
2. VPN reference setup guide with RADIUS and Azure AD MFA

One thing to note: Microsoft recommend you upgrade your VPN’s to SAML and directly federate your VPN with Azure AD. This gives your VPN the full breadth of Azure AD protection, including Conditional Access, Multi-Factor Authentication, device compliance, and Identity Protection..