Azure MFA integration using RADIUS NPS

In this example a local Active Directory server is used to manage the office network. This AD server will be used as a target system of the Bravura Security Fabric instance so that users can log into the Bravura Security Fabric instance using their AD credentials.

You will also need to sync users from the AD server to the Azure AD tenant, so that those users can be authenticated by Azure AD when performing MFA through RADIUS.

In the sample setup, an AD server running on a Windows 2016 environment (named "CorpAD") is used.

This example includes a Bravura Security Fabric instance for users to log on using Azure MFA through RADIUS.

In the sample setup, the Bravura Security Fabric instance runs on a Windows 2016 server (named "Corp1").

Once the Bravura Security Fabric instance is installed and ready, users are loaded from the local Active Directory server by adding the server as an Active Directory DN target system.

Azure MFA is a feature provided through Azure Active Directory. An Azure AD tenant is needed in order to use the Azure MFA.

If you don't have an Azure AD tenant with premium P1/P2 license to use, you can acquire a 30-day P2 trial license by creating a new free Azure account (credit card info required to register.) If you have an existing Azure account to use, then create an Azure AD tenant using the Azure account. See this link for details:

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant .

The Azure AD tenant can be accessed and managed through Azure AD portal: https://portal.azure.com .

Create a cloud-only global administrator account on the Azure AD tenant (see "Prerequisites" section in https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-forest ). Using an account that does not exist on our local AD target system ensures that you won't get locked out of the tenant. For details on how to create an account, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory .

In addition to managing and configuring the Azure AD, this global administrator account can also be used as a work or school account upon installation of the NPS extension for Azure MFA. You can see and verify the assigned roles of the user .

You should now be able to log into the Azure portal with the global administrator account, to manage and configure the Azure Active Directory.

Enabling MFA for Azure portal login allows users to register using the Microsoft Authenticator app on their mobile devices. Registered users can use the Microsoft Authenticator app to receive and approve push notifications sent during Azure portal login.

Azure MFA must be configured to send these push-mode notifications before users can authenticate using the Microsoft Authenticator app. To do this:

Log onto the Azure portal with the global administrator account to manage the Azure Active Directory.

After completion of MFA configuration, at the next Azure portal login, each user will be instructed to register on Microsoft Authenticator app using their mobile phone. The Microsoft Authenticator app can then receive push notifications from Azure AD for users to approve user authentication requests.

Enabling Azure AD Multi-Factor Authentication using Conditional Access policies is the recommended approach. Conditional Access is an Azure AD Premium P1 or P2 feature that lets you apply rules to require MFA as needed in certain scenarios. An activated Premium P1/P2 license may be needed for Conditional Access to work.

For details about using security defaults see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults .

If needed, you can manually enable each account for per-user Azure AD Multi-Factor Authentication. When users are enabled individually, they perform multi-factor authentication each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remember MFA on trusted devices feature is turned on). To do this:

Both per-user MFA and conditional access can enable/disable MFA for users, and the per-user MFA may take precedence over conditional access.

To learn about using per-user MFA and how to convert users from per-user MFA to Conditional Access based MFA, see:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

If a user wants to retry the Azure MFA registration process, or wants to switch to a new mobile phone, an admin can use the Require re-register multifactor authentication link to force a user to re-register MFA at the next Azure portal login.

Next, you need to sync user accounts on the local Active Directory server to the Azure AD tenant.

In this sample setup, a single domain is synced to the Azure AD tenant, so there is no need for the local domain to have a public domain name, and there is no need to create any custom domain name on the Azure Active Directory.

For details about syncing a single domain to the Azure AD see:

https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-fores .

Syncing your directory to Azure requires that the "Azure AD Connect" application be locally installed on a machine in your domain. It is recommended to install it on the server hosting your RADIUS NPS extension. There should not be any password change requirements on the domain administrator account used to sync the directory. If the domain administrator password expires or changes, you will need to re-configure the Azure AD connect sync agent with the new credential To download the Azure AD Connect application, navigate to: Azure portal > Directory Overview > Azure AD Connect > Download Azure AD Connect.

Once Azure AD connect sync has been successfully configured on the local AD server, and all users on the local AD server have been synced successfully to the Azure AD tenant, you will see those synced accounts added to the Azure ADThe "Directory Synced" column indicates which accounts originated from the local AD server.

Because the local AD server has no public domain name, a custom domain is not used when user accounts are synced to the Azure AD. All user accounts are synced to the Azure AD under the default domain name "workexample.onmicrosoft.com" of the Azure . For example, user1 on the local AD server will be synced to the Azure AD as user1@workexample.onmicrosoft.com. Users that were synced to the Azure AD can also log on the Azure AD portal. Once MFA is enabled for them, those users will be instructed to register MFA on the Microsoft Authenticator app at the next Azure portal login in order to receive MFA push notifications.

Once the Azure AD connect sync has been successfully configured, it should normally show "Healthy" status on the Azure AD connect cloud sync page. Sometimes it might show an error status like "Quarantined may appear" when the network connection is broken or has some other err. It should go back to "Healthy" automatically at the next sync. Error status can also be cleared manually by an admin.

Once Azure AD connect cloud sync is working well, any change to user accounts on the local AD server will be automatically synced to the Azure AD.

The Network Policy Server acts as a RADIUS bridge between the Bravura Security Fabric instance and the Azure AD, passing authentication requests from the Bravura Security Fabric instance to the Azure MFA for approval.

NPS is available to Windows servers with the "Network Policy and Access Services" role enabled. The NPS role can be added to the AD server, but it's better to add it to a different windows server computer.

Before adding the Network Policy and Access Services server role to a machine that is not your local AD host, ensure the Windows server has joined to the domain of the local AD server.

To add NPS server role, see "Install Network Policy Server" in this link for details:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-nps .

After the NPS server role has been added, confirm that the NPS server is registered with the local AD server:

The installation of NPS extension for Azure MFA onto the NPS server asks for the following information:

Each Azure AD tenant has a tenant ID, so you can find and copy its tenant ID at Azure portal.

If you created a cloud-only global administrator account on the Azure AD tenant, that account can be used as a work/school account. If you created a new Azure account for a free trial license, that account is not a work or school account.

To Install the NPS extension, see the "Install the NPS extension" section here:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

After the NPS extension for Azure MFA has been installed, and before running the config script for NPS Extension in the folder "C:\Program Files\Microsoft\AzureMfa\Config", you may need to run the following powershell command to set security protocol first, otherwise the config script may not run successfully.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

To allow the NPS server to accept RADIUS requests from the Bravura Security Fabric instance, you also need to add a new RADIUS client to the NPS server:

To allow the new registry value to take effect, you can either restart the computer, or the NPS service by itself.

Next:

You can integrate Azure MFA with Bravura Security Fabric by adding a RADIUS target system and a custom authentication chain.

If you have Active Directory connect sync issues, see:

https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-troubleshoot#repairing-the-the-cloud-sync-service-account .

If you have NPS extension issues, you can download Azure MFA NPS extension health check script:

https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-nps-extension-health-check/azure-mfa-nps-extension-health-check/

The report of test errors on Azure URLs (i.e. https://login.microsoftonline.com or https://adnotifications.windowsazure.com) is inaccurate. It may still report those errors even when Azure MFA is actually working without issue.

The most useful application for troubleshooting of RADIUS request errors is the Event Viewer on the NPS server.

By looking into the events recorded in Event Viewer, you may be able to find the cause of common errors like request not received, incorrect attribute in the request, request timed out and , request rejected among others.