Support NPS/RADIUS for Azure AD Domain Services
Add support for Microsoft NPS/RADIUS in Azure AD Domain Services
Microsoft, is this on any roadmap. I feel as if these comments are going out into the wind!
I was about to make the jump to Azure AD, but with no NPS/RADIUS I cannot, and I have no interest in running a dedicated AD server on-prem or on a cloud VM.
Nathan Zaetta commented
+1. NPS/RADIUS auth for AADDS/ADDS is a must.
Certificates are not manageable at scale.
@Mark Lawton. Yes, without any on-prem AD. It was about 18 months ago that this was set up, but it's still working. I'm trying to remember if there was an issue with the NPS registration, but it still worked regardless. In any case, we have NPS running on a Windows Azure VM authenticating against AADDS using RADIUS.
As per Mark's post, I specifically asked MS if we could install NPS on a VM in Azure so it would integrate directly with AAD, and they told me it is not possible.
The concept is to have no on-prem AD domain controllers. Users and clients (Win10) are all in AAD only. Then for wireless we need RADIUS authentication against AAD, so a WLC can send RADIUS requests to NPS on a VM in Azure (via ER or IPsec VPN connection). NPS will perform password checks and group membership lookups from AAD to be used for authentication and authorisation.
Installing NPS on a VM in Azure and then pointing it back to an on-prem domain which is syncing with AAD does not meet the objective.
Most of my RADIUS experience is with ISE, but I had expected/hoped MS would have an NPS solution for AAD ready on their side. Probably wishful thinking that at some stage soon we will have a vWLC appliance and a virtual ISE appliance supported in Azure, and ISE able to integrate into an AAD domain!
Mark Lawton commented
Gerry - without any on prem AD?
If so, how? When trying to register NPS to the domain it fails to register.
Microsoft told me the following:
There are restrictions in Azure AD Domain Services which won't allow the NPS extension to function correctly, and the setup won't complete. In any case, Azure AD Domain Services was not designed to be exactly the same as on-prem Active Directory, hence it lacks many controls and capabilities compared to on-prem AD.
We have this working. We currently have a VM running NPS acting as a RADIUS server, authenticating users against AADDS.
Please, Ramoo, could you be more specific about what is not compatible? Why can you not have a RADIUS server installed on a VM and connected to Azure AD Domain Services?
Spoke with MS chat on this today and confirmed it is still not possible/supported (NPS integration directly with AAD, with NPS installed on a VM in Azure).
This is a common enterprise requirement: RADIUS integration with AD for wireless and other service authentication. To be able to remove on-prem AD this would be very useful. Is this on the MS roadmap?
A possible alternative would be EAP-TLS with no policies referencing AD, but the preference would be to have the ability/option to integrate directly with AAD too.
Really surprised that this is not supported yet!
I need this as well. I have Azure VPN for clients via Azure Gateway and need RADIUS for AAD auth.
Yesterday, I recreated our Azure AD Domain Services and NPS in a new subscription. NPS was previously registered and working for nearly a year in the old subscription. Creating AADDS in the new subscription required me to delete the old AADDS resource as you can only have one. After I created AADDS again in the new one I wasn't able to register the new NPS server.
Come on Microsoft, it was literally working in the old one yesterday! Get this working please!!!
Now I'll try the FreeRadius mentioned by Hamish.
Hello Microsoft? NPS with AADDS still does not work.
Hamish Anderson commented
I could not wait so I did a work-around of using freeRadius authenticating against AAD via LDAP. The details are here:
Daniel Buehlmann commented
I'm not sure about the workaround from Antonio Soares!? I don't see the step where I can connect (register) NPS with Azure Active Directory Domain Services to authenticate users against AADDS (AAD users are synced automatically to AADDS).
Am I missing something? Is anybody running this configuration successfully? Or a similar configuration together with a 3rd-party RADIUS server (like ClearBox Enterprise)?
@Microsoft: Any news?
Mark Lawton commented
Am I correct in saying that a few people have managed to register NPS in AADDS, which syncs with AAD? (Antonio Soares' description)
If so... I'm guessing that used to work but no longer does, as I get a permissions issue when attempting to register NPS to AADDS?
Mauricio Valerio commented
Incorporate RADIUS authentication into your Azure ADDS offering. We are a SaaS-only shop with no on-prem AD and in dire need of a RADIUS feature.
Joseph Owen commented
Need this badly. No on-prem AD.
Daniel Buehlmann commented
If I understand right:
- The workaround from Antonio Soares is based on a local AD, right?
- Azure AD only (no local AD), AADDS and NPS on an Azure VM is not working (supported) currently, right?
- Azure AD only (no local AD), AADDS and a 3rd-party RADIUS server on an Azure VM is working (supported), right? If yes, which 3rd-party RADIUS server is the best choice?
- We would like to authenticate Wi-Fi users (802.1X) with their Azure AD account. Is this possible with the last scenario (3rd-party RADIUS)?
Mike Stephens commented
FYI, still investigating...
Senior Program Manager
Azure Fabric | Domain Services