NPS Extension for Azure MFA (IP Whitelist)
Can you also add in a feature whereby it allow us to add in a range of subnet instead of a single IP address in the IP Whitelist (NPS Extension for Azure MFA)?
Elliott Leighton-Woodruff commented
Agreed that this is definetly a requiment for Azure MFA on RDS to be a viable option in multisite enviroments.
I am using NPS extension for AzureMFA with Netscaler as RADIUS , Local AD (.local) , AzureAD (*.onmicrosoft.com).
Problem : User is getting authenticated with LDAP with local AD, but second factor is not served. I see an error on my Netscaler as "External server have denied access" . Any hint to troubleshoot it further ?
Does the NPS Extention for Azure MFA lack this feature or only the RDS Gateway (not passing Radius Attribute 66)?
We use Citrix Netscaler which is able to pass the attributes. It works great against on-premise MFA server but we are now trying to migrate to NPS server and ran into the issue that the trusted IP's are not working anymore
Agree with this too. Stuff like this is so frustrating when our spend with Microsoft continues to double almost every year and we rely on the Microsoft Azure security stack to provide the solutions we need to make our environment secure and efficient. Why wouldn't we have the ability to whitelist internal IPs for known internal subnets with MFA NPS Extension for RD Gateway? Unbelievable! Typical Microsoft these days...impractical, unreliable and inefficient. Microsoft's why is getting really hard to continue to justify.
Agreed with the comments here. NPS with MFA add-in needs greater flexibility.
Arsalan Moqeet commented
Need Trusted IP option in Azure portal to work with NPS Extension, rather creating IP exception in registry is kind old school plus only single IPs rather than a range.
Definitely need this feature as well. Using the NPS Extension for Azure MFA without having the ability to add internal trusted IPs severely limits the usefulness of this service and will probably cause us to drop back to deploying an MFA Server on-premises.
Desperately need this function so we can whitelist a few external facilities IP ranges when using the RADIUS/NPS extension. All or nothing approach is not very flexible thanks much