Support NPS/RADIUS for Azure AD Domain Services
Add support for Microsoft NPS/RADIUS in Azure AD Domain Services
Multiple scenarios are still being investigated.
(We changed the status to because Started implied we were working on the feature and we did not want to represent it inaccurately. We are investigating and, therefore, we are marking it under review.)
Kai Girke commented
This would really help us to create MFA VPN scenarios.
@sam @Robert Russell
For the NPS/AADDS Radius authentication on wireless network, do we have to build a P2S VPN between the NPS and the on-prem?
Any update? We need this because we have only AAD computers now, and need an NPS capable of working with AAD computer certificates.
Has there been any progress on NPS server support with Azure ADDS?
Hannes Lagler-Gruener commented
Hi Mike Stephens.
The implementation of ADDS in combination with NPS is supported when you ensure that:
1) Skip registering the NPS server and
2) ensure your network policy has “Ignore user account dial-in properties” selected.
The reason I ask is that I want to implement ADDS with RADIUS for P2S VPN.
I know, the Azure AD auth for P2S is also in preview but only for windows clients...
Alex Cher commented
Hi all, this sounds very promising. Can anyone provide additional info or a quick how-to on what's required to set up Azure Bastion to do RADIUS with 802.1x for wireless AP connections? I saw someone on this thread got it to work successfully. Did you have to also set up any kind of Certificate Authority service in Azure? This is specifically for Meraki WAPs.
We have a client with a single Windows Server 2016 DC on-prem, but have some infrastructure in Azure (no VMs). Users in Azure have EMS E3, so full Azure AD Premium P1. Originally, we considered rolling out a full VM just to do CA and RADIUS in Azure for 802.1x Meraki WiFi auth, but this sounds like it might be a better option?
Thanks in advance!
Daniel Wiser commented
Previously I was told that it is impossible to use RADIUS to authenticate with the Azure VPN when Azure AD:DS is in use. Has this changed?
Other use cases are 802.11X via Radius
Thanks for the update Steve! We are really looking for a PaaS service for Radius (VPN). We currently use NPS server in Azure with MFA extension joined to Domain Services. It works.
Has anyone successfully set this up (is it possible) for VPN access authenticating against AAD? We have an NPS server hosted in Azure and a VPN endpoint hosted in Azure. Is it possible to have VPN authentication handled via AAD:DS passing through the NPS server?
Please ignore my earlier comment. I now have dot1x functional as well.
Have seen everything work including Azure MFA server/NPS on the same machine joined to AADDS.
dot1x wired/wireless does not work. It seems to stop at EAPOL.
@Mike Stephens. First off, it's great that you are actively commenting on and reviewing the UserVoice forums.
The setup you have confirmed below we have had working for about 18 months. The main issue we have with this configuration relates to password changes.
i.e. a user changes their password in Azure AD. There is then a period where the synchronisation process runs to update the password in AADDS. This 'sync lag', which seems to vary in time and which we have very little visibility over (as per the UserVoice I raised below), means that users cannot use WiFi through the NPS\AADDS solution until this process completes (it's particularly bad with new users).
If Radius authentication could be done directly against Azure AD it would remove these challenges.
Mike Stephens commented
CONFIRMED that NPS and Azure AD Domain Service can work with the Azure MFA NPS extension to enable MFA for RDP to virtual machines. That said, Azure Bastion Host (https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) provides the same value without the additional infrastructure of NPS. We have a doc bug created to add the nuance to our documentation, which is to 1) Skip registering the NPS server and 2) ensure your network policy has "Ignore user account dial-in properties" selected.
Leaving the topic open as we continue to investigate/validate other NPS use cases (e.g. VPN and 802.x scenarios).
Senior Program Manager
IAM Core | Domain Services
@Hamish Anderson does Azure MFA work with your AADDS+FreeRADIUS setup? I have no NPS server, but rather a pfSense box with freeradius that I'd like to use for VPN and WPA2 Enterprise authentication.
@Daniel Buehlmann, @Chris Chambers:
Just a quick update, I have this working now with AADDS and an NPS server as an Azure VM.
The solution is NOT to try and register the NPS server in the directory (which is impossible with AADDS at the moment). But instead just to join the NPS server to AADDS and start using the NPS server as normal. As long as it is joined to AADDS, it will work. I tested with RADIUS authentication and it is working.
Robert Russell commented
This is possible if you're using AADDS in Azure. Make an NPS server, join it to AADDS, send your RADIUS requests to it and set the network policy to allow Domain Users from your domain. It will work. You do not need to register the server.
For anyone else out there who's doing this - I achieved an "SSO" VPN with MFA using these pieces:
Azure Active Directory Domain Services domain
NPS Server, Windows 2016
Meraki Security Appliance (which forwards requests to a RADIUS server)
Intune (Pushes the VPN profile)
MFA Extension for NPS servers (You must use push notification or phone call for MFA if you do this)
If you want to load balance this as well, I was able to, but you need to put both an external and an internal load balancer between the two NPS servers. This allows the MFA extension to make outbound connections to the web. You only allow RADIUS requests on the internal.
I'm going to be testing to see if this works with our Wi-Fi APs but I honestly don't see why it wouldn't.
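The comment above describes pointing a RADIUS client (here a Meraki appliance) at an NPS server joined to AADDS. As an added illustration, not code from the original thread or from any of the products named, the following Python script builds an RFC 2865 Access-Request with the User-Password attribute hidden under the shared secret, then validates a reply the way a careful client should: by checking the Identifier, the Length field and the Response Authenticator, which is keyed with the same shared secret. It runs entirely offline by simulating the server side; the username, password, secret and NAS-Identifier values are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeding with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # chaining uses the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are Type (1 byte), Length (1 byte, includes header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_id: bytes):
    """Return (packet, request_authenticator); the client keeps the
    authenticator so it can check the reply."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IDENTIFIER, nas_id),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Simulated server reply (Access-Accept or Access-Reject)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes, expected_id: int):
    """Return the reply code only if the packet is well formed, matches the
    outstanding request's Identifier and carries a valid Response Authenticator.
    Otherwise return None; a client must treat such a reply as no reply at all."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != expected_id:
        return None
    attrs = packet[20:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    return code


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = b"example-shared-secret"
    req, ra = build_access_request(7, b"alice@example.com", b"Pa55w0rd!", secret, b"meraki-mx")
    reply = build_response(ACCESS_ACCEPT, 7, b"", ra, secret)
    print("reply code:", verify_response(reply, ra, secret, 7))          # 2 (Access-Accept)
    forged = build_response(ACCESS_ACCEPT, 7, b"", ra, b"wrong-secret")
    print("forged reply:", verify_response(forged, ra, secret, 7))       # None
```

The point for a defender is that the shared secret is the only thing standing between a NAS and a forged Access-Accept: a reply computed with the wrong secret, or one replayed with a stale Identifier, is rejected by verify_response, which is why the secret between the Meraki appliance and the NPS server needs to be long and random rather than a short word.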
Jerry Chow commented
I can confirm the following configuration works, there are some non-documented or poorly documented requirements that gave us some problems initially:
AADDS (no on-prem or in-VM AD DS)
NPS Server with NPS Extension for Azure MFA
Azure VPN Gateway (Point-to-Site)
The *MOST* important takeaway that gave us trouble is that CHAPv2 does not support PIN-based MFA, so you *MUST* use either phone call or PUSH notification (notification from the mobile app).
The second issue that was not well-documented was that you MUST enable the following enterprise app services in Azure AD and add the corresponding users or groups to them:
Azure Multi-Factor Auth Client
Azure Multi-Factor Auth Connector
I found reference to these two app services on some guy's blog and it was the missing link and last piece to get Azure MFA/NPS/VPN working with AADDS.
Microsoft, is this on any roadmap? I feel as if these comments are going out into the wind!