Azure MFA Request using authenticator app

  • Question

  • Each application (Teams, Skype, OneNote, etc.) is prompting for MFA instead of one prompt, with the other apps using the same token.
    Friday, July 13, 2018 4:22 PM

Answers

  • Answers to MFA questions in general, if it will help someone

    Questions:
    1.        Why will a user not in the conditional access group be prompted for MFA?
     
    Answer: When they are using VPN? Because they are different products. The NPS extension is designed to protect your VPN solution.
    It does second-factor auth by just checking the user's available auth methods.


    2.        Why is a user not in conditional access not allowed to log into VPN until they configure/reconfigure the MFA app, even though they are not getting prompted?

    Answer: See question 1.

    3.        Why will a user get multiple triggers for MFA? (Very random)
            i.e. if using the app, a request comes in, the user accepts the request, and another request comes in again.
            The first request shows in the log as accepted but the second request shows as failed.
           
            NPS Extension for Azure MFA:  CID: 3cd7bc72-1fb6-4d7d-a8ce-d2db8d462f29 : Access Accepted for user username@domain.com with Azure MFA response Success message  session 66e3ccff-25e3-4292-b07f-2f6860d92afa
           
            NPS Extension for Azure MFA: CID: 79b446bc-f56f-44ad-882e-233108fc1803 : Access Rejected for user username@domain.com with Azure MFA response PhoneAppNoResponse and message 畁桴湥楴慣楴湯洠瑥潨⁤慦汩摥㰮䴯獥慳敧㰾敒牴㹹慦獬㱥刯瑥祲,,,ca351a25-cc8b-4e2c-a080-37cbcf2d5a34
           
            NPS Extension for Azure MFA:  CID: 899fa30d-20a2-4404-b841-92c22fff1337 : Request Discard for user username@domain.com with Azure MFA response UserAuthFailedDuplicateRequest and message 畁桴湥楴慣楴湯洠瑥潨⁤慦汩摥㰮䴯獥慳敧㰾敒牴㹹慦獬㱥刯瑥祲,,,2f61e49b-3040-4099-a447-279514eec689
     
    Answer: It is almost always connected with timeouts. The VPN server should handle requests and duplicate requests and have at least a 60 sec timeout to allow the user to finish their MFA and the NPS server to send the result to the VPN server.
     

           
    4.        What does this mean in the log?
            NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request.
           
    Answer: It means that the NPS extension was unable to perform primary auth for the user. Usually it happens when service or computer accounts send requests to the NPS server.
    You can restrict network connection methods in the NPS server policies and use the IP whitelist for your internal servers:
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced#ip-exceptions

    5.        What does this mean in the log?
            NPS Extension for Azure MFA: NPS AuthN extension bypassed for User username@domain.com with response state AccessReject
           
    Answer: It means that this user does not exist in Azure AD.

    6.        How to query the log? (For user or error message)
     
    Answer:
    You can use the Find feature in the event log to quickly find the event.
    For deeper troubleshooting you should follow the steps described here:
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors#next-steps
     


    7.        When a user logs into the computer, before getting on VPN/internal network, Skype/Teams/OneDrive try to connect and prompt multiple MFAs since the user is not on an IP added to the location. How can we stop this?
     
    Answer: That happens because of your conditional access policy in Azure for all cloud apps. It has nothing to do with the NPS extension.


    8.        We have users that connect to VPN using a hotspot, and they disconnect/connect often, which triggers MFA each time. What is the best practice for these types of users?

    Answer: That question is for your networking team. They should check the VPN server/client settings to see if they support some timeout so the session does not get disconnected.

    9.        What other best practices should we be following? Is this the right setup, or how can we maximize MFA?

    Answer: It depends on what you're trying to achieve. Just to be clear: the NPS extension helps you do second-factor auth for your VPN/RADIUS solution.

    10.        What permission is needed to clear the MFA method?
            # MSOnline module (run Connect-MsolService first); clears every registered strong-auth method for the user
            Set-MsolUser -UserPrincipalName "username@domain.com" -StrongAuthenticationMethods @()

    Answer: Unfortunately, right now only Global Admin rights. I checked UserVoice on the O365 and Azure topics; that question is among the top 5.

    • Marked as answer by Omo'ba Wednesday, September 5, 2018 4:20 PM
    Wednesday, September 5, 2018 4:19 PM
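As an added example, not part of the original thread or of Microsoft's tooling, the script below parses the three NPS extension log lines quoted in the answer above (copied here as constructed sample input) and does what questions 3 and 6 ask for: query the entries by user or response code, and flag a user whose accepted request was followed by a PhoneAppNoResponse / UserAuthFailedDuplicateRequest entry, the duplicate-request pattern the answer attributes to VPN server timeouts. It also decodes the CJK-looking message text: the backend's ASCII message (for example "Authentication method failed.</Message><Retry>false</Retry>") has been written to the log with each pair of bytes read as one UTF-16 code unit, so re-encoding the string as UTF-16LE recovers the original bytes. The field names, the regular expression and the duplicate-request heuristic are this example's own assumptions about the log format, not a documented schema.

```python
import re

# Constructed sample input: the three log lines quoted in the answer above. The message
# text is the mojibake exactly as the extension logged it (U+2064 is invisible, so it is
# written as an escape); it is the ASCII message with byte pairs read as UTF-16 code units.
GARBLED = "畁桴湥楴慣楴湯洠瑥潨\u2064慦汩摥㰮䴯獥慳敧㰾敒牴㹹慦獬㱥刯瑥祲"
SAMPLE_LOG = [
    "NPS Extension for Azure MFA:  CID: 3cd7bc72-1fb6-4d7d-a8ce-d2db8d462f29 : Access Accepted "
    "for user username@domain.com with Azure MFA response Success message  session "
    "66e3ccff-25e3-4292-b07f-2f6860d92afa",
    "NPS Extension for Azure MFA: CID: 79b446bc-f56f-44ad-882e-233108fc1803 : Access Rejected "
    "for user username@domain.com with Azure MFA response PhoneAppNoResponse and message "
    + GARBLED + ",,,ca351a25-cc8b-4e2c-a080-37cbcf2d5a34",
    "NPS Extension for Azure MFA:  CID: 899fa30d-20a2-4404-b841-92c22fff1337 : Request Discard "
    "for user username@domain.com with Azure MFA response UserAuthFailedDuplicateRequest and message "
    + GARBLED + ",,,2f61e49b-3040-4099-a447-279514eec689",
]

# Assumed layout of the lines (derived from the samples, not from a documented schema):
# "... CID: <guid> : <outcome> for user <upn> with Azure MFA response <code>
#  [and] message <text> ,,,<guid>"  or  "... response Success message  session <guid>"
GUID = r"[0-9a-f-]{36}"
LINE_RE = re.compile(
    r"NPS Extension for Azure MFA:\s*CID:\s*(?P<cid>" + GUID + r")\s*:\s*"
    r"(?P<outcome>Access Accepted|Access Rejected|Request Discard)\s+for user\s+(?P<user>\S+)"
    r"\s+with Azure MFA response\s+(?P<response>\w+)"
    r"(?:\s+(?:and\s+)?message\s+(?P<message>.*?))?"
    r"(?:\s*(?:,,,|session)\s*(?P<ref>" + GUID + r"))?\s*$"
)


def decode_swapped_utf16(text: str) -> str:
    """Recover the ASCII message that was logged as UTF-16 code units.

    Encoding the string as UTF-16LE emits the original byte pairs; if the result is not
    printable ASCII the text was not mojibake and is returned unchanged.
    """
    try:
        decoded = text.encode("utf-16-le").decode("ascii")
    except UnicodeDecodeError:
        return text
    return decoded if decoded.isprintable() else text


def parse_line(line: str):
    """Return a dict of the line's fields, or None if it is not an NPS extension result line."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["message"] = decode_swapped_utf16(rec["message"]) if rec["message"] else None
    return rec


def query(records, user=None, response=None):
    """Filter parsed records by UPN (case-insensitive) and/or Azure MFA response code."""
    return [
        r for r in records
        if (user is None or r["user"].lower() == user.lower())
        and (response is None or r["response"] == response)
    ]


def duplicate_request_users(records):
    """Users whose accepted request is followed (in log order) by a no-response or
    duplicate-request entry: the VPN server re-sent the RADIUS request before the
    first MFA round trip completed, which is the timeout pattern described in answer 3."""
    seen_success, flagged = set(), set()
    for r in records:
        u = r["user"].lower()
        if r["response"] == "Success":
            seen_success.add(u)
        elif r["response"] in {"PhoneAppNoResponse", "UserAuthFailedDuplicateRequest"} and u in seen_success:
            flagged.add(u)
    return sorted(flagged)


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG) if r]
    for r in recs:
        print(r["cid"][:8], r["outcome"], r["user"], r["response"], r["message"])
    print("possible duplicate-request timeouts:", duplicate_request_users(recs))
```

To apply the same decode while searching the log from PowerShell, the equivalent expression is `[Text.Encoding]::ASCII.GetString([Text.Encoding]::Unicode.GetBytes($msg))`, since .NET's `Unicode` encoding is UTF-16LE.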

All replies

  • Have you enabled the "remember Multi-Factor Authentication" option? If so, you will get a pop-up to remember your authentication for "X" number of days. If you click on that checkbox, you will not be prompted for MFA the next time. See the image below.




    Friday, July 13, 2018 8:14 PM
  • Yes, we have it set for 1 day. The problem I am seeing is multiple apps trying to trigger MFA instead of using the token from the previously authenticated app.

    Example: I launch Skype and sign in successfully using MFA; now I launch the Teams/OneDrive desktop client app and still have to validate using MFA.

    Monday, July 16, 2018 1:40 PM
  • Did it ever work as expected?

    When you say "we have it set for 1 day", how did you configure this for 1 day? Could you share a screenshot if possible?

    Wednesday, July 18, 2018 8:41 PM
  • @Omo'ba, were you able to locate an answer to your question? If so, we would be glad if you could share the answer with the community. If you need further assistance regarding this issue, reply with the information asked for in the previous post.
    Saturday, July 21, 2018 3:37 PM
  • Working with Microsoft on this; will post the answer when we are able to resolve it. It is a weird case because it works for the majority of users, and it doesn't work for some randomly (at least we think so for now). It might work this week for me and next week give issues. A user might not be in the MFA security group and still get prompted.
    Monday, August 6, 2018 2:02 PM
  • Thanks for the update. Could you share the support request # with us?
    Tuesday, August 7, 2018 2:48 PM
  • 118073118691545

    Can you tell me what the two log entries below mean, and a good way to search the MFA log for a specific error message?


    Tuesday, August 7, 2018 3:09 PM
  • It is not an easy task to tell what those errors are based on the IDs mentioned in the error log, because it requires deep investigation using different tools to find the root cause of the error, and the forum is not the right place to discuss these issues.

    Regarding NPS extension errors, you can refer to this link - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors - and there is a specific section on collecting logs that would help support professionals.


    Tuesday, August 7, 2018 5:30 PM
  • @Omo'ba:

    Just checking in if you have had a chance to see the previous response

    Thursday, August 9, 2018 9:22 PM
  • I found the answers to my MFA questions. I opened a case and all the questions got answered. Seems like there is no way to stop applications from auto-connecting when outside the network before the VPN connection.
    Wednesday, September 5, 2018 4:13 PM
  • Thanks for sharing the answers.
    Thursday, September 6, 2018 4:10 PM