Azure AD NPS Extension - License Confusion

Jake Bloomfield 31 Reputation points
2022-01-23T15:50:44.54+00:00

Hi,

I'm trying to implement the Azure MFA NPS extension to allow our on-prem VPN to use Azure AD MFA - using this guide: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

I am confused as to what license(s) I need for this to work. Our tenant currently uses Office 365 E3 subscriptions, and I can see in the Azure Portal that the license is "Azure AD Premium P1".

When going through the PowerShell portion of the setup, I was getting the following error: "New-MsolServicePrincipal -AppPrincipalId..."

Can I get some clarification?

Thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

Accepted answer
  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2022-02-02T18:35:34.34+00:00

    @Jake Bloomfield, apologies for the delay on this. I checked on this and found that this can occur if you do not have the "Azure Multi-Factor Auth Client" application registered within your tenant. This is a first-party application provided by Microsoft, but sometimes due to transient issues it may not be present in a tenant. To check this, you can use the following PowerShell cmdlet.
    Connect-MsolService
    Get-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720

    Or you can check the same from the portal as shown in the picture.

    170637-image.png

    Go to https://aad.portal.azure.com > "Enterprise Applications" > Search for "Azure Multi-Factor Auth Client" > Check properties for this app > Confirm if the service principal is enabled or disabled > Click on the application entry > Go to Properties of the app > If the option "Enabled for users to sign-in?" is set to No in Properties of this app, please set it to Yes.

    170615-image.png

    If this app is not present, please try to run the following cmdlet using global admin credentials at the Azure AD PowerShell prompt.

    Connect-MsolService
    New-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -DisplayName "Azure Multi-Factor Auth Client"

    Now run .\AzureMfaNpsExtnConfigSetup.ps1.

    This should work.

    Regards,
    Shashi

    1 person found this answer helpful.
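
The check, enable, and create steps from the accepted answer can be combined into one idempotent function. This is an added example, not part of the original answer or Microsoft's setup script; the function name `Repair-MfaClientServicePrincipal` and its output object are hypothetical, and it assumes the MSOnline module is installed and that you sign in as a Global Administrator.

```powershell
#Requires -Modules MSOnline
# Added example: function name and output shape are hypothetical.
function Repair-MfaClientServicePrincipal {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # App ID and display name exactly as given in the answer above.
        [guid]$AppPrincipalId = '981f26a1-7f43-403b-a875-f8b09b8cd720',
        [string]$DisplayName = 'Azure Multi-Factor Auth Client'
    )

    # A missing service principal surfaces as an error; treat that as "not found".
    $sp = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -ErrorAction SilentlyContinue
    $action = 'None'

    if (-not $sp) {
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Create service principal')) {
            New-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -DisplayName $DisplayName | Out-Null
            $action = 'Created'
        }
    }
    elseif (-not $sp.AccountEnabled) {
        # AccountEnabled is the portal's "Enabled for users to sign-in?" switch.
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Enable service principal')) {
            Set-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -AccountEnabled $true
            $action = 'Enabled'
        }
    }

    # Re-read the state only if something was changed.
    if ($action -ne 'None') {
        $sp = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        AppPrincipalId = $AppPrincipalId
        Exists         = [bool]$sp
        AccountEnabled = $sp.AccountEnabled
        Action         = $action
    }
}

Connect-MsolService
# -WhatIf reports what would change without modifying the tenant.
Repair-MfaClientServicePrincipal -WhatIf
```

Drop `-WhatIf` to apply the change, then rerun `.\AzureMfaNpsExtnConfigSetup.ps1` as the answer describes.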
