Conditional Access

  • Question

  • Hi,

    We are trying to set up cloud-based Azure MFA using NPS infrastructure as described in the link https://blog.infrashare.net/2017/02/17/how-to-configure-azure-mfa-for-citrix-netscaler-gateway-radius-by-using-the-new-nps-extension/

    As mentioned in Steps 12 to 18, we have installed the NPS extension for Azure on the on-premises NPS servers, and we also configured NetScaler to issue RADIUS requests.
    The NPS servers perform the primary authentication with AD, and for secondary authentication they connect to Azure cloud AD via the NPS extension for Azure.

    This WORKS well.

    However, we have enabled the users to use MFA at the Azure AD level, which means whenever a user accesses any application, he/she is required to perform secondary authentication (applicable to all applications).
    My requirement is that the user (say jsmith) should be prompted for MFA only when going through the NPS extension for Azure (RADIUS authentication in this case); if the same user (jsmith) accesses other applications such as O365 apps, then MFA should not be prompted.

    The license is an Azure AD Premium license.
    Tuesday, July 18, 2017 2:14 PM

Answers

  • You can achieve this by keeping the users' MFA state 'Disabled', and registering the users for MFA by one of the following methods:
    • Setting up a CA policy to require MFA - configuring a CA policy to require MFA for one or more cloud apps, and applying the policy to a user or a group of users, which will prompt the user to register when the user attempts to access a cloud app, and prevent the user from accessing the cloud app without performing MFA. Note that this option requires an Azure AD Premium license. For more about Conditional Access policies, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
    • MFA registration policy - using Identity Protection's MFA Registration policy, which will prompt the user to register when the user attempts to access a cloud app, while still allowing the user to access the cloud app without performing MFA (skip registration) until the grace period elapses. Completing the registration does not result in MFA enforcement unless another method was used to enforce MFA. Note that this option requires an Azure AD Premium P2 license. For more about the Identity Protection MFA Registration policy, see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection#multi-factor-authentication-registration-policy
    • Direct registration - sending the user to register for MFA directly through the user portal (for MFA Server), or https://aka.ms/mfasetup (for cloud-based MFA). Completing the registration does not result in MFA enforcement unless another method was used to enforce MFA.

    Once the users are registered for MFA, they can successfully meet the MFA challenge using the NPS extension, and will not be required to perform MFA for other cloud apps including O365.

    Finally, note that if you have enabled MFA per user and change their MFA state from 'Enforced' to 'Disabled', they may need to re-register for MFA as described above.

    Tuesday, July 18, 2017 9:50 PM
  • When you send users to https://aka.ms/mfasetup, they will go through the MFA registration process. They will then have a default MFA method configured and will be ready to perform MFA whenever required. However, since MFA isn't enabled/enforced on the user's account in Azure AD, they don't have to perform MFA for all apps they access that are federated with Azure AD (e.g. O365, Salesforce, Concur, ServiceNow, etc.). When they sign in to NetScaler, which is configured to authenticate via RADIUS to an NPS server with the NPS extension installed, they will have to perform MFA as you have seen. If there are other apps such as Exchange Online, SharePoint Online or SaaS applications that you determine should also require MFA when accessed, you can use Conditional Access policies to require MFA when those apps are accessed without impacting the other apps that don't require MFA.
    Wednesday, August 2, 2017 5:32 PM
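    As an added illustration of the approach in the answers above (not code from the thread or from Microsoft's own documentation), this creates the kind of Conditional Access policy described: per-user MFA stays 'Disabled', and MFA is required only for the named cloud apps and the named group. It uses the Microsoft Graph PowerShell SDK, which postdates this 2017 thread; the group GUIDs are placeholders, and the two first-party app IDs are the well-known Exchange Online and SharePoint Online service principal IDs that should be confirmed in your tenant.

    ```powershell
    # Added example, not from the original thread: scope MFA to specific cloud apps
    # with a Conditional Access policy, leaving the users' per-user MFA state 'Disabled'.
    # Requires the Microsoft.Graph PowerShell module and a Conditional Access admin role.
    Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

    $mfaUsersGroup   = "00000000-0000-0000-0000-000000000001"  # placeholder: group that must do MFA for these apps
    $breakGlassGroup = "00000000-0000-0000-0000-000000000002"  # placeholder: emergency-access accounts, excluded

    $policy = @{
        displayName = "Require MFA for Exchange Online and SharePoint Online"
        # Report-only first: sign-in logs show what the policy would have done without blocking anyone.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users = @{
                includeGroups = @($mfaUsersGroup)
                excludeGroups = @($breakGlassGroup)
            }
            applications = @{
                # Well-known first-party app IDs for Exchange Online and SharePoint Online;
                # confirm them with Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'" etc.
                includeApplications = @(
                    "00000002-0000-0ff1-ce00-000000000000",
                    "00000003-0000-0ff1-ce00-000000000000"
                )
            }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa")
        }
    }

    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created policy $($created.Id) in state $($created.State)"

    # Once the report-only results look right, switch the policy to enforcement:
    # Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
    ```

    Apps not listed in includeApplications, and users outside the included group, are unaffected, which is the behaviour the answers describe; the RADIUS path through the NPS extension still challenges every registered user regardless of this policy.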

All replies

  • We are planning to get the users to register with the below method.
    • Direct registration - sending the user to register for MFA directly through the user portal (for MFA Server), or https://aka.ms/mfasetup (for cloud-based MFA). Completing the registration does not result in MFA enforcement unless another method was used to enforce MFA.

    Can you please expand on the following note: "Completing the registration does not result in MFA enforcement unless another method was used to enforce MFA." Once the user is synced to Azure AD we'll ask the user to register via https://aka.ms/mfasetup. How do we enforce another method once registration is completed?

    Wednesday, July 19, 2017 7:20 AM
  • Hi Shawn,

    Where is this MFA status stored in Azure AD if it's not referenced on the user object? Can we track users who have registered via this mechanism (http://aka.ms/mfasetup)?

    http://blog.auth360.net

    • Edited by Mylo Wednesday, August 16, 2017 8:48 PM
    Wednesday, August 16, 2017 8:44 PM