How can we improve Azure Active Directory?

Support NPS/RADIUS for Azure AD Domain Services

Add support for Microsoft NPS/RADIUS in Azure AD Domain Services

205 votes

Peter Selch Dahl shared this idea

34 comments

  • Anonymous commented

    I was about to make the jump to Azure AD, but with no NPS/RADIUS I cannot, and I have no interest in running a dedicated AD server on-prem or on a cloud VM.

  • Gerry commented

    @Mark Lawton: Yes, without any on-prem AD. It was about 18 months ago that this was set up, but it's still working. I'm trying to remember if there was an issue with the NPS registration, but it still worked regardless. In any case, we have NPS running on a Windows Azure VM authenticating against AADDS using RADIUS.

  • Ramoo commented

    As per Mark's post, I specifically asked MS if we could install NPS on a VM in Azure so it would integrate directly with AAD, and they told me it is not possible.

    The concept is to have no on-prem AD domain controllers. Users and clients (Win10) all in AAD only. Then for wireless we need RADIUS authentication against AAD so a WLC can send RADIUS requests to NPS on VM in Azure (via ER or IPsec VPN connection). NPS will perform password checks & group membership lookup from AAD to be used for authentication & authorisation.

    Installing NPS on a VM in Azure then pointing back to an on-prem domain which is syncing with AAD does not meet the objective.

    Most of my RADIUS experience is with ISE, but I had expected/hoped MS would have an NPS solution for AAD ready on their side. Probably wishful thinking that at some stage soon we will have a vWLC appliance and a virtual ISE appliance supported in Azure, and ISE being able to integrate into an AAD domain!
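The flow Ramoo describes (a WLC acting as the RADIUS client sends an Access-Request; the RADIUS server checks the password against the directory, then the group membership, and answers Accept or Reject) can be made concrete with a small RFC 2865 PAP exchange. The following is an added example written for this thread, not code from NPS, Azure AD Domain Services, or any commenter. The shared secret, the user accounts, the `WiFi-Users` policy group and the `DIRECTORY` dict (standing in for the AADDS/LDAP lookup) are all constructed so the example runs offline.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

SHARED_SECRET = b"constructed-shared-secret"  # constructed; NAS and server both hold it
REQUIRED_GROUP = "WiFi-Users"                 # hypothetical network-policy condition

# Constructed stand-in for the directory the server would query (AADDS via LDAP
# in the scenario discussed); a dict is used so the example runs offline.
DIRECTORY = {
    "alice@example.test": {"password": b"correct horse", "groups": {"WiFi-Users"}},
    "bob@example.test": {"password": b"hunter2", "groups": {"Guests"}},
}


def _hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def _reveal_password(hidden, secret, authenticator):
    """Inverse of _hide_password; the chain uses the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(ident, username, password, secret):
    """NAS side: random Request Authenticator, User-Name and hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, _hide_password(password.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def _build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def handle_access_request(packet, secret):
    """Server side: authenticate (password), then authorise (group), as NPS would."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    if code != ACCESS_REQUEST:
        return _build_response(ACCESS_REJECT, ident, req_auth,
                               _attr(ATTR_REPLY_MESSAGE, b"bad code"), secret)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = _reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        reply, msg = ACCESS_REJECT, b"bad credentials"
    elif REQUIRED_GROUP not in entry["groups"]:
        reply, msg = ACCESS_REJECT, b"not a member of " + REQUIRED_GROUP.encode()
    else:
        reply, msg = ACCESS_ACCEPT, b"welcome"
    return _build_response(reply, ident, req_auth, _attr(ATTR_REPLY_MESSAGE, msg), secret)


def verify_response(request, response, secret):
    """NAS side: the ID must echo back and the Response Authenticator must recompute."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, resp_auth)


def authenticate(username, password, secret=SHARED_SECRET):
    """Full round trip; returns (code, Reply-Message) or None if the reply fails verification."""
    request = build_access_request(42, username, password, secret)
    response = handle_access_request(request, secret)
    if not verify_response(request, response, secret):
        return None
    return response[0], _parse_attrs(response[20:])[ATTR_REPLY_MESSAGE].decode()
```

Two things the code makes visible that the thread only implies. First, the authentication and authorisation decisions are separate: a correct password for `bob` still yields Access-Reject because the policy group check fails, which is exactly the "password checks & group membership lookup" split Ramoo describes. Second, the only integrity protection in plain RADIUS is the shared-secret MD5 over the reply, and User-Password is merely obfuscated, which is why wireless 802.1X carries an EAP method (such as the EAP-TLS mentioned later in the thread) inside RADIUS rather than PAP.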

  • Mark Lawton commented

    Gerry - without any on prem AD?
    If so, how? When trying to register NPS to the domain it fails to register.

    Microsoft told me the following:
    There are restrictions in Azure AD Domain Services which won't allow the NPS extension to function correctly, and the setup won't complete. In any case, Azure AD Domain Services was not designed to be exactly the same as on-prem Active Directory, hence it lacks many controls and capabilities compared to on-prem AD.

  • Gerry commented

    We have this working. We currently have a VM running NPS acting as a RADIUS server, authenticating users against AADDS.

  • JJ commented

    Ramoo, could you please be more specific about what is not compatible? Why can't you have a RADIUS server installed on a VM and connected to Azure AD Domain Services?

  • Ramoo commented

    Spoke with MS chat on this today and confirmed it is still not possible/supported (NPS integration directly with AAD, with NPS installed on a VM in Azure).

    This is a common enterprise requirement: RADIUS integration with AD for wireless and other service authentication. To be able to remove on-prem AD this would be very useful. Is this on the MS roadmap?

    A possible alternative would be EAP-TLS with no policies referencing AD, but the preference would be to have the ability/option to integrate directly with AAD too.

  • TroyH commented

    Yesterday, I recreated our Azure AD Domain Services and NPS in a new subscription. NPS was previously registered and working for nearly a year in the old subscription. Creating AADDS in the new subscription required me to delete the old AADDS resource as you can only have one. After I created AADDS again in the new one I wasn't able to register the new NPS server.

    Come on Microsoft, it was literally working in the old one yesterday! Get this working please!!!

    Now I'll try the FreeRADIUS mentioned by Hamish.

  • Daniel Buehlmann commented

    Hi Mark,

    I'm not sure about the workaround from Antonio Soares? I don't see the step where I can connect (register) the NPS with Azure Active Directory Domain Services to authenticate users against the AADDS (AAD users are synced automatically to AADDS).
    Am I missing something? Is anybody running this configuration successfully? Or a similar configuration together with a 3rd-party RADIUS server (like ClearBox Enterprise)?

    Daniel

    @Microsoft: Any news?

  • Mark Lawton commented

    Am I correct in saying that a few people have managed to register NPS in AADDS, which syncs with AAD? (Antonio Soares's description)
    If so... I'm guessing that used to work but no longer does, as I get a permissions issue when attempting to register NPS to AADDS?

  • Mauricio Valerio commented

    Incorporate RADIUS authentication into your Azure ADDS offering. We are a SaaS-only shop with no on-prem AD and in dire need of a RADIUS feature.

  • Daniel Buehlmann commented

    If I understand right:
    - The workaround from Antonio Soares is based on a local AD, right?
    - Azure AD only (no local AD), AADDS and NPS on an Azure VM is not working (supported) currently, right?
    - Azure AD only (no local AD), AADDS and a 3rd-party RADIUS on an Azure VM is working (supported), right? If yes, which 3rd-party RADIUS is the best choice?
    - We would like to authenticate WiFi users (802.1X) with their Azure AD account. Is this possible with the last scenario (3rd-party RADIUS)?

    Thanks,
    Daniel
