Azure MFA Cloud with on premise RDS 2016 not for all users. RRS feed

  • Question

  • Hi

    I have deployed Azure MFA Cloud on my on premise 2016 domain. Without MFA server on premise.

    It all works fine but users that don't have MFA enabled cant login anymore.

    Not every user requires on premise a MFA.

    How do I solve this?

    • Edited by SWLABS Tuesday, September 25, 2018 11:19 AM
    Monday, September 24, 2018 11:47 AM

All replies

  • If this is AD FS Adapter, then you could use AD FS policy to only require MFA for users in a particular security group.
    If this is NPS Extension, then you could set up 2 groups of NPS servers, one with NPS Extension and the other without. You could then use realms to point users that require MFA to the correct NPS group and those that don't to the other.

    Refer to this documentation part on Prepare for users that aren't enrolled for MFA. You can choose to create this key and set it to FALSE while your users are onboarding, and may not all be enrolled for Azure MFA yet. However, since setting the key permits users that aren't enrolled for MFA to sign in, you should remove this key before going to production.


    If this answer was helpful, click “Mark as Answer” or “Up-Vote”. To provide additional feedback on your forum experience, click here

    • Proposed as answer by vijisankar Monday, September 24, 2018 8:23 PM
    Monday, September 24, 2018 8:23 PM
  • Thanks for this. Now I have set REQUIRE_USER_MATCH FALSE in registry on the server where the NPS extension is installed both type of users can login. Thing now is that MFA users can skip MFA enrollment when set to FALSE.

    Now I have NPS Extension installed on server1 and and server2 is the RDS GW with NPS also but without NPS extension. Can I work with this setup that counts as 2 NPS servers? If yes how do I route the non-mfa users to server2 thats the NPS server without the extension.

    How does the process know to send the auth user to NPS1 or NPS2?


    • Edited by SWLABS Tuesday, September 25, 2018 12:28 PM
    Tuesday, September 25, 2018 9:26 AM
  • Vijsankar you have time to lookin to my question?

    Thank you

    Thursday, September 27, 2018 12:37 PM
  •  Yes, having separate NPS servers (one with the NPS extension and the other without) is the way to go. Many RADIUS clients should allow configuration to send requests to different RADIUS servers, so that RDS GW would provide for this.
    Thursday, September 27, 2018 8:23 PM
  • Hope you don't mind me hijaking your thread, but I am really struggling getting the MFA plugin to work with RDS 2016.  I've build a new NPS server with the MFA plugin, but getting errors on the event logs when users try and connect

    NPS Extension for Azure MFA:  CID: 8bacef42-b3ac-49be-872b-99b3eca79302 :Exception in Authentication Ext for User DOMAIN\username :: ErrorCode:: CID :******** ESTS_TOKEN_ERROR Msg:: Verify the client certificate is property enrolled in Azure against your tenant and the server can access URL in Registry STS_URL.Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps. Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps.

    Monday, October 1, 2018 9:12 AM