Azure AD NPS Extension - License Confusion

Jake Bloomfield 31 Reputation points


I'm trying to implement the Azure MFA NPS extension to allow our on-prem VPN to use Azure AD MFA - using this guide:

I am confused as to what license(s) I need for this to work. Our tenant currently uses Office 365 E3 subsciptions, and I can see in the Azure Portal that the license is "Azure AD Premium P1".

When going through the PowerShell portion of the setup, I was getting the following error: "New-MsolServicePrincipal -AppPrincipalId..."

Can I get some clarification?


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,442 questions
{count} vote

Accepted answer
  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee

    @Jake Bloomfield , Apologies for the delay on this. I checked on this and found that this can occur if you do not have "Azure Multi-Factor Auth Client" application registered within your tenant . This is a first party application provided from Microsoft but sometime due to transient issues it may not be present in a tenant . In order to check the same , you can use the following powershell cmdlet .
    Get-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720

    Or you can check the same from the portal as shown in the picture.


    Go to > "Enterprise Applications" > Search for "Azure Multi-Factor Auth Client" > Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app > If the option "Enabled for users to sign-in? is set to No in Properties of this app , please set it to Yes.


    If this app is not present , Please try to run the following cmdlet using a global admin credentials on the Azure AD powershell prompt .

    New-msolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -DisplayName "Azure Multi-Factor Auth Client"

    Now run \AzureMfaNpsExtnConfigSetup.ps1 .

    This should work.


    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful