Improve Azure MFA NPS extension logging
We had an issue deploying the Azure MFA NPS extension recently as per this thread - https://social.msdn.microsoft.com/Forums/en-US/6fd88b14-8353-4eac-be42-501ce1986c11/troubleshooting-azure-mfa-extension-for-nps-issue?forum=windowsazureactiveauthentication.
After a number of weeks trying to solve it, we ultimately had to move NPS to new servers as we could not find a solution. This was mainly because the logging from the extension is great when it is functioning relatively normally (successful logons, simple failures like missing certificates, ACCESS-REJECT messages received, etc.), but for less well-defined failure modes there seems to be a complete lack of useful logging.
In the case of the above issue, we had verbose logging turned on, but MFA attempts would create nothing in the NPS log file, and the only entry in the extension logs to hint that it was alive was the usual warning about the IP-whitelist registry entry not being populated.
So it would be great if, when verbose logging is enabled, the extension would log events like 'Got an ACCESS-ACCEPT message from NPS, going to AzureAD for MFA', 'Timed out trying to connect to AzureAD', etc.
Once it's up and going, though, the extension is very handy and seems to be quite reliable!