Need Clarification on Nps Extension

  • Question

  • Hello Experts,

    Recently I was deploying the Nps Extension. After deployment, where users are having issues getting MFA by using the Nps Extension, Microsoft said the issue is that the cloud domain is not added under Domains and Trusts. I don't know whether that is a prerequisite, as I could not find any doc which says that is a requirement. The doc says just to have ADConnect sync the users to the cloud. Our users are synced, but we see the BecAccessDenied error, which basically means it could not map the AAD user to the AD user (correct me if I am wrong).

    If I don't want to add the cloud domain to my AD trusts, is there any workaround to use the Nps Extension (maybe by using the AlternateLoginId attribute in the Nps Extension registry)? Or maybe doing some configuration in ADConnect?

    Looking forward to clarification.

    Thank you,

    Best Regards

    "Clarity=Success"


    CreedHameed

    Wednesday, August 15, 2018 4:29 PM

All replies

  • Check the link to resolve error messages from the NPS extension for Azure Multi-Factor Authentication

    https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory/authentication/howto-mfa-nps-extension-errors.md#resolve-error-messages-from-the-nps-extension-for-azure-multi-factor-authentication

    • Proposed as answer by samyyysam Wednesday, August 15, 2018 6:53 PM
    • Marked as answer by CreedHameed Thursday, August 16, 2018 4:04 AM
    • Unmarked as answer by CreedHameed Thursday, August 16, 2018 4:05 AM
    • Unproposed as answer by CreedHameed Tuesday, August 28, 2018 9:42 PM
    Wednesday, August 15, 2018 6:53 PM
  • Hello Samyyysam,

    That didn't answer my question. I have read that doc already and I know what that error means. I just wanted to know if there is any workaround to use the Nps Extension without adding the cloud domain under Domains and Trusts in AD.

    Looking forward to hearing from you.

    Thank you,

    Best Regards, 


    CreedHameed

    Thursday, August 16, 2018 4:07 AM

    The NPS extension uses the UPN from the on-premises Active Directory to identify the user in Azure MFA for performing the secondary auth. The extension can be configured to use a different identifier, like an alternate login ID or a custom Active Directory field other than UPN. Check out the article "Advanced configuration options for the NPS extension for Multi-Factor Authentication":

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced

    Check the doc and see the prerequisites for configuring the NPS extension to use Azure MFA for the two-factor authentication challenge for the users in your organization. On the NPS extension server you need to register the Active Directory server.

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#plan-your-deployment



    • Proposed as answer by samyyysam Tuesday, August 21, 2018 7:23 PM
    • Edited by samyyysam Tuesday, August 21, 2018 7:24 PM
    • Unproposed as answer by CreedHameed Tuesday, August 28, 2018 9:42 PM
    Tuesday, August 21, 2018 7:23 PM
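    As an added worked example (not code from this thread, nor from Microsoft's documentation): a PowerShell snippet, run on the NPS extension server, that applies the alternate login ID setting the reply above refers to, so the extension matches users on an attribute other than userPrincipalName, and then verifies that a sample account's attribute value equals its Azure AD UPN before rollout. The registry path and value names are the ones documented in the linked advanced-configuration article (confirm them against that article for your extension version); the attribute `mail`, the account `jdoe` and the UPN `jdoe@contoso.com` are constructed placeholders.

```powershell
# Added example: configure the Azure MFA NPS extension to identify users by an
# alternate AD attribute instead of userPrincipalName, then verify the mapping.
# Registry path/value names as documented in the advanced-configuration article;
# 'mail', 'jdoe' and 'jdoe@contoso.com' are constructed placeholders.

$npsKey             = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$alternateAttribute = 'mail'              # constructed: on-prem attribute whose value is the cloud UPN
$sampleUser         = 'jdoe'              # constructed sAMAccountName used only for the check below
$cloudUpn           = 'jdoe@contoso.com'  # constructed: the UPN this account has in Azure AD

# 1. Tell the extension which attribute to send to Azure MFA instead of UPN (string value).
New-ItemProperty -Path $npsKey -Name 'LDAP_ALTERNATE_LOGINID_ATTRIBUTE' `
    -Value $alternateAttribute -PropertyType String -Force | Out-Null

# 2. 'mail' is replicated to the global catalog; querying the GC lets the extension
#    resolve accounts from any domain in the forest.
New-ItemProperty -Path $npsKey -Name 'LDAP_FORCE_GLOBAL_CATALOG' `
    -Value 'TRUE' -PropertyType String -Force | Out-Null

# 3. The extension reads its settings when NPS starts; restart the
#    Network Policy Server service (service name IAS).
Restart-Service -Name IAS

# 4. Read the configuration back.
$cfg = Get-ItemProperty -Path $npsKey
"Alternate login ID attribute: $($cfg.LDAP_ALTERNATE_LOGINID_ATTRIBUTE)"
"Force global catalog:         $($cfg.LDAP_FORCE_GLOBAL_CATALOG)"

# 5. The chosen attribute must hold exactly the user's Azure AD UPN; otherwise the
#    extension cannot map the on-prem account to the cloud account and the
#    secondary authentication fails (the access-denied symptom described in the thread).
$adUser = Get-ADUser -Identity $sampleUser -Properties $alternateAttribute
if ($adUser.$alternateAttribute -eq $cloudUpn) {
    "OK: $sampleUser will be matched on $alternateAttribute = $cloudUpn"
} else {
    "MISMATCH: $alternateAttribute is '$($adUser.$alternateAttribute)', Azure AD UPN is '$cloudUpn'"
}
```

    Run the verification step (5) against a handful of accounts from each domain before changing the registry on a production NPS server; a value that differs only by domain suffix from the cloud UPN will still fail the lookup.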
  • Hello Samyyysam,

    I appreciate your input, but none of your replies on my post answers any of the questions I actually asked. You just provide vague and already known answers. If you are not confident about your input, please do not post and waste the whole point of this forum. And also you have proposed those vague replies as answers.

    If you just want to gain some real points, then please post the definite answer.

    Thank you,



    CreedHameed

    Tuesday, August 28, 2018 9:53 PM