CONFIRMED that NPS and Azure AD Domain Service can work with the Azure MFA NPS extension to enable MFA for RDP to virtual machines. That said, Azure Bastion Host (https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) provides the same value without the additional infrastructure of NPS. We have a doc bug created to add the nuance to our documentation, which is to 1) Skip registering the NPS server and 2) ensure your network policy has “Ignore user account dial-in properties” selected.
Leaving the topic open as we continue to investigate/validate other NPS use cases (e.g. VPN and 802.x scenarios).
Senior Program Manager
IAM Core | Domain Services
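The two configuration points in the reply above (do not register the NPS server against AD DS, and set "Ignore user account dial-in properties" on the network policy) are easy to forget on a RADIUS server that was built for on-premises AD. The following PowerShell is an added example written for this thread, not Microsoft's code nor part of any AADDS or NPS documentation. It assumes it runs on the NPS VM, that `netsh nps show np` prints every network policy with its attributes (a real netsh command, but the exact attribute label in its output is an assumption, so the match is a loose case-insensitive pattern), and that the policy name passed in matches the one used for the RDP-to-VM scenario. It parses a small constructed sample when no live output is available so the parsing logic can be read and tried offline.

```powershell
# Added example: check whether an NPS network policy has
# "Ignore user account dial-in properties" enabled. Not from the thread.

function Test-NpsIgnoreDialinProperties {
    param(
        [Parameter(Mandatory)] [string]$PolicyName,
        # Text of `netsh nps show np`; if omitted the command is run locally.
        [string[]]$NetshOutput
    )

    if (-not $NetshOutput) {
        # Assumption: netsh nps show np is available on this host (NPS role installed).
        $NetshOutput = & netsh nps show np 2>&1
    }

    $inPolicy = $false
    $found    = $false
    foreach ($line in $NetshOutput) {
        # A policy block starts with a "Name" line; stop scanning at the next block.
        if ($line -match '^\s*Name\s*=\s*"?(.+?)"?\s*$') {
            if ($inPolicy) { break }
            $inPolicy = ($Matches[1] -eq $PolicyName)
            continue
        }
        # Assumed attribute label; adjust the pattern to match your netsh output.
        if ($inPolicy -and $line -match 'ignore.*dial.?in' -and $line -match 'true|yes|enabled') {
            $found = $true
        }
    }

    [pscustomobject]@{
        Policy                     = $PolicyName
        IgnoreDialinPropertiesSet  = $found
    }
}

# Constructed sample output (not captured from a real server) to exercise the parser offline.
$sample = @(
    'Network policies:',
    '  Name = "Allow RDP via AADDS"',
    '  State = Enabled',
    '  Ignore-User-Dialin-Properties = TRUE',
    '  Name = "Connections to other access servers"',
    '  State = Enabled',
    '  Ignore-User-Dialin-Properties = FALSE'
)

Test-NpsIgnoreDialinProperties -PolicyName 'Allow RDP via AADDS' -NetshOutput $sample
Test-NpsIgnoreDialinProperties -PolicyName 'Connections to other access servers' -NetshOutput $sample
```

Because AADDS does not expose the per-user dial-in attribute the way writable AD does, a policy that still honours it can reject every user even though RADIUS itself is reachable; running the check on the live server (omit `-NetshOutput`) confirms the setting before you start troubleshooting the MFA extension.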
@Mark Lawton. Yes, without any on-prem AD. It was about 18 months ago this was set up, but it's still working. I'm trying to remember if there was an issue with the NPS registration, but it still worked regardless. In any case, we have NPS running on a Windows Azure VM authenticating against AADDS using RADIUS.
We have this working. Currently have a VM running NPS acting as a RADIUS server authenticating users against AADDS.
Also looking for this functionality. We have the same setup as Antonio Soares. This solution works; however, there is a catch-22 with password changes because AADDS is not a writeable directory. Also, as Azure portal users do not get any notifications from Azure AD that the password is going to expire, it makes things even worse.
We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.