Conditional access for NPS extension for Azure

  • Question

  • We have configured NetScaler to use RADIUS authentication against an NPS server, which acts as the RADIUS server. We installed the NPS extension for Azure for MFA with the Azure cloud.

    Now, we intend to configure conditional access for requests coming from the NPS extension for Azure. How do we implement this? Does the NPS extension for Azure get registered as an application with Azure AD?

    Any pointers here are greatly appreciated.

    Sunday, July 16, 2017 9:53 AM


All replies

  • You may refer to the articles below.
    https://blogs.technet.microsoft.com/enterprisemobility/2017/02/06/azure-ad-news-azure-mfa-cloud-based-protection-for-on-premises-vpns-is-now-in-public-preview/

    http://microsoftplatform.blogspot.in/2017/02/securing-rd-gateway-with-mfa-using-new.html


    Monday, July 17, 2017 4:47 AM
    Moderator
  • I have gone through those links. I need specific help in configuring conditional access and that too for NPS extension for Azure.
    Monday, July 17, 2017 11:55 AM
  • It isn't currently possible to use conditional access with the NPS extension. All RADIUS requests sent to the NPS server will result in MFA being performed. The best alternative would be to configure Netscaler to federate to Azure AD via SAML. Then you could use conditional access for your Netscaler application. This also has the advantage of a better user experience since the UX will redirect them to Azure AD and they can choose other MFA methods if their default method isn't available. When using RADIUS, we don't have any control over the UX that Netscaler displays, other than returning a RADIUS Challenge response to prompt the user for their OTP when using SMS or the mobile app verification code, so it limits the options the user has.
    Monday, July 17, 2017 5:39 PM
    Moderator
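The challenge round trip that the reply above describes, as an added illustration that is not code from this thread, from NetScaler or from the NPS extension: a simulated MFA-enforcing RADIUS server that answers every Access-Request with an Access-Challenge carrying a Reply-Message prompt and a State attribute, and a NAS-side client that returns the State together with the OTP and verifies each reply's Response Authenticator. Packet layout follows RFC 2865; the shared secret, the accepted OTP value and the in-memory session store are constructed for the example, and User-Password hiding (RFC 2865 section 5.2) is omitted to keep the focus on the challenge flow.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                 # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"  # constructed sample value for the example
VALID_OTP = b"123456"                   # constructed; a real server verifies against the MFA backend

def encode(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by type/length/value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, pos = pkt[4:20], [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, auth, attrs

def response_auth(code, ident, req_auth, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    pkt = encode(code, ident, req_auth, attrs)
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + SECRET).digest()

def server_respond(req, sessions):
    """Simulated MFA-enforcing server: no session is accepted before it has answered a challenge."""
    code, ident, req_auth, attrs = decode(req)
    a = dict(attrs)
    if STATE not in a:                          # first leg: issue a challenge bound to this user
        state = os.urandom(8)
        sessions[state] = a[USER_NAME]
        rcode, out = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter your verification code"), (STATE, state)]
    elif sessions.pop(a[STATE], None) == a[USER_NAME] and a.get(USER_PASSWORD) == VALID_OTP:
        rcode, out = ACCESS_ACCEPT, []          # second leg: State matches and OTP is correct
    else:
        rcode, out = ACCESS_REJECT, []          # unknown/replayed State or wrong OTP
    return encode(rcode, ident, response_auth(rcode, ident, req_auth, out), out)

def client_login(user, otp, sessions):
    """NAS side: send credentials, answer the challenge with the OTP, verify each reply's authenticator."""
    req_auth = os.urandom(16)
    reply = server_respond(encode(ACCESS_REQUEST, 1, req_auth, [(USER_NAME, user), (USER_PASSWORD, b"pw")]), sessions)
    code, ident, auth, attrs = decode(reply)
    if auth != response_auth(code, ident, req_auth, attrs) or code != ACCESS_CHALLENGE:
        return "unexpected"
    req_auth, state = os.urandom(16), dict(attrs)[STATE]
    reply = server_respond(encode(ACCESS_REQUEST, 2, req_auth, [(USER_NAME, user), (USER_PASSWORD, otp), (STATE, state)]), sessions)
    code, ident, auth, attrs = decode(reply)
    if auth != response_auth(code, ident, req_auth, attrs):
        return "bad-authenticator"              # reply not produced by a holder of the shared secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected")
```

Because the server only ever issues an Accept on the second leg, every login through it performs the second factor, which is the behaviour the reply attributes to the NPS extension and the reason a policy layer such as conditional access cannot be inserted in front of it.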
  • Thanks for the reply. We also need all RADIUS requests sent to the NPS server to result in MFA; however, when the same user accesses other applications such as O365, MFA shouldn't get triggered. Is there any way to set this?
    Tuesday, July 18, 2017 2:07 PM
  • Yes there is. You can achieve this by keeping the users' MFA state 'Disabled', and registering the users for MFA by one of the following methods:

    • Setting up CA policy to require MFA - configuring a CA policy to require MFA for one or more cloud apps, and applying the policy to a user or a group of users, which will prompt the user to register when the user attempts to access a cloud app, and prevent the user from accessing the cloud app without performing MFA. Note that this option requires an Azure AD Premium license. For more about Conditional Access policies, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal 
    • MFA registration policy - using Identity Protection’s MFA Registration policy, which will prompt the user to register when the user attempts to access a cloud app, while still allowing the user to access the cloud-app without performing MFA (skip registration) until the grace period elapses. Completing the registration does not result in MFA enforcement unless another method was used to enforce MFA. Note that this option requires an Azure AD Premium 2 license. For more about Identity Protection MFA Registration policy, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#multi-factor-authentication-registration-policy. 
    • Direct registration - sending the user to register for MFA directly through the user portal (for MFA Server), or https://aka.ms/mfasetup (for cloud-based MFA). Completing the registration does not result in MFA enforcement unless another method was used to enforce MFA.

    Once the users are registered for MFA, they can successfully meet the MFA challenge using the NPS extension, and will not be required to perform MFA for other cloud apps including O365. 

    Finally, note that if you have enabled MFA per-user, and change their MFA state from 'Enforced' to 'Disabled', they may need to re-register for MFA as described above. 

    Tuesday, July 18, 2017 9:48 PM
  • Thanks a lot Yossi for the reply. Tried option 3 (Direct registration):

    1. Accessed https://aka.ms/mfasetup and completed the registration.
    2. Accessed the NetScaler URL (which uses the NPS extension). MFA was applied (my phone rang).
    3. Accessed step 1 again. Even here, MFA got applied and my phone rang. Is this OK?

    Wednesday, July 19, 2017 10:50 AM
  • Yes, this is expected, and is not related to the NPS extension. Once you set a second factor, you must use it to make any changes to your security info. 
    Wednesday, July 19, 2017 5:15 PM
  • Thanks a lot Yossi for your clarification.

    Actually, I wanted to achieve the conditional access as per option#1 which you mentioned in your previous reply.

    We are unable to see any application for "NPS extension for Azure". We intend to configure conditional access for that application (NPS extension for Azure), BUT we couldn't find that application at all when searching.

    We have Azure AD premium license. Am I missing anything obvious?

    >>>

    • Setting up CA policy to require MFA - configuring a CA policy to require MFA for one or more cloud apps, and applying the policy to a user or a group of users, which will prompt the user to register when the user attempts to access a cloud app, and prevent the user from accessing the cloud app without performing MFA. Note that this option requires an Azure AD Premium license. For more about Conditional Access policies, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal 

    -Sajid

    Thursday, July 20, 2017 10:48 AM
  • Option 1 is talking about one way to get users *registered* for MFA, by using Conditional Access for another application that has a "Require MFA" policy on it. That way, when the user attempts to access the application, they'll have to go through MFA registration. As I mentioned in a previous reply above, it is not possible to use Conditional Access for the NPS extension itself. All RADIUS requests sent to the NPS server will require MFA to be performed.
    Monday, July 24, 2017 4:29 PM
    Moderator
  • Hi, Shawnb. You're accepting two different opinions as correct? Which is it: yes you can, or no you cannot?

    I have the same issue and the only way I can get it to work is by manually selecting 'Enforce MFA' for the user account. If I go through a CA policy that is attached to an enterprise app, the requesting client fails to authenticate altogether.

    Wednesday, July 4, 2018 4:03 AM