Workspace ONE Access with Azure MFA using the NPS Extension.

In an earlier blog post I walked through various options for using Microsoft Authenticator with Workspace ONE Access (formerly known as VMware Identity Manager). The final option covered the Microsoft Azure MFA Server. However, as of July 1st, 2019, Microsoft is no longer offering the MFA Server for new deployments.

Microsoft does, however, provide another way to leverage Azure MFA: the NPS Extension for Azure MFA, which plugs into a Windows Network Policy Server (NPS) and adds an Azure MFA challenge to RADIUS authentications.

In this post I will walk through configuring a Network Policy Server with the NPS Extension and pointing Workspace ONE Access at it as a RADIUS server.

Install and Configure the Network Policy Server

  1. Using the Server Manager -> Add Roles and Features
  2. Click Next
  3. Select Role-based or feature-based installation
  4. Select the server from the server pool and click Next
  5. Add the Network Policy and Access Services role
  6. Add the dependency features
  7. Add the Network Policy Server role service
  8. Complete the rest of the wizard to install the Network Policy Server

Download and Install the NPS Extension

  1. Go to "Download NPS Extension for Azure MFA" on the official Microsoft Download Center
  2. Download the NPS Extension for Azure MFA installer
  3. Run the installer
  4. Click Install

Configure the NPS Extension

  1. Run Windows PowerShell as an Administrator
  2. At the PowerShell prompt, cd to “c:\Program Files\Microsoft\AzureMfa\Config”
  3. Run “.\AzureMfaNpsExtnConfigSetup.ps1”
  4. You will be prompted to authenticate with Azure
  5. After successful authentication, you will be prompted to enter your tenant ID. This is your Directory ID, which can be copied from the Azure portal
  6. The script will create a self-signed certificate for you (this is the certificate the extension uses to authenticate to Azure MFA)

Configure your NPS Server

  1. Open the NPS console (via Administrative Tools)
  2. Under Standard Configuration, select “RADIUS server for Dial-Up or VPN Connections”
  3. Click Configure VPN or Dial-Up
  4. Select “Virtual Private Network (VPN) Connections”
  5. Provide a friendly name, e.g. Workspace ONE
  6. Click Next
  7. Under RADIUS Clients, click Add
  8. Provide a friendly name, the IP address of the Workspace ONE connector and a shared secret
  9. Click OK and then Next
  10. Select Microsoft Encrypted Authentication version 2 (MS-CHAPv2)
  11. Click Next
  12. Under Groups, select a group that includes your MFA users
  13. Click Next for IP Filters
  14. Click Next for Encryption Settings
  15. Click Next for Realm Name (leave blank)
  16. Click Finish
  17. Click on Policies -> Connection Request Policies
  18. Double-click the new “Workspace ONE Policy”
  19. Change the type to Unspecified
  20. Click on the Conditions tab
  21. Delete the NAS Port Type condition and click Add
  22. Select “Access Client IPv4 Address”
  23. Enter the IP address of the connector server
  24. Click OK
  25. Click on Policies -> Network Policies
  26. Double-click the new “Workspace ONE Policy”
  27. Change the type to Unspecified
  28. Under Conditions, you should have only the group condition
  29. Under Constraints, select “Microsoft Encrypted Authentication version 2 (MS-CHAPv2)”
  30. Click OK
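The RADIUS client step above (friendly name, connector IP address, shared secret) can also be scripted and verified from the same elevated PowerShell session. This is an added example, not code from the original post or from VMware or Microsoft; it assumes the NPS PowerShell module that ships with the role, and the connector address 10.0.0.25 is a placeholder.

```powershell
# Added example: register the Workspace ONE Access connector as an NPS RADIUS client
# with a CSPRNG-generated shared secret, scope the firewall to that connector, and
# verify the pieces the walkthrough depends on. Run elevated on the NPS server.
Import-Module NPS

$ClientName  = 'Workspace ONE'   # friendly name, as used in the wizard above
$ConnectorIp = '10.0.0.25'       # placeholder: the connector's IPv4 address

# 32-character secret from a 64-symbol alphabet: 256 % 64 == 0, so mapping raw
# bytes with modulo introduces no bias. The shared secret is the only thing that
# authenticates the connector to NPS, so do not type one by hand.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Secret = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

# Refuse to overwrite a client that already exists; its secret may be in use.
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName }) {
    throw "RADIUS client '$ClientName' already exists; change it in the NPS console instead."
}
New-NpsRadiusClient -Name $ClientName -Address $ConnectorIp -SharedSecret $Secret | Out-Null

# Only the connector should reach UDP/1812 (authentication); no accounting port is
# opened because the Workspace ONE adapter is configured without one above.
New-NetFirewallRule -DisplayName "NPS RADIUS from $ClientName" -Direction Inbound `
    -Protocol UDP -LocalPort 1812 -RemoteAddress $ConnectorIp -Action Allow | Out-Null

# Post-install checks: extension config script present, NPS service (IAS) running,
# RADIUS port bound, client registered.
$checks = [ordered]@{
    'NPS extension config script present' = Test-Path 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1'
    'NPS service (IAS) running'           = (Get-Service -Name IAS).Status -eq 'Running'
    'UDP/1812 bound'                      = [bool](Get-NetUDPEndpoint -LocalPort 1812 -ErrorAction SilentlyContinue)
    'RADIUS client registered'            = [bool](Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName })
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

# Shown once so it can be pasted into the Workspace ONE RADIUS adapter; nothing is saved to disk.
Write-Output "Shared secret for '$ClientName' (enter in Workspace ONE Access, then discard): $Secret"
```

If “UDP/1812 bound” reports FAIL, the NPS service is not listening yet; restart it with `Restart-Service IAS` after the extension configuration script has completed.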

Configure Workspace ONE Access

  1. Log into your Workspace ONE Access Admin Console
  2. Go to Identity & Access Manager -> Setup
  3. Click on your Connector Worker -> Auth Adapters
  4. Click on RadiusAuthAdapter
  5. Enter your RADIUS host, ports and shared secret

     Note: Do not enter an accounting port. I was not able to get this to work with the NPS Server.

  6. Select MSChapv2 as the encryption type
  7. Click Save
  8. In the Workspace ONE Access Console, go to Identity Providers and edit the Built-in provider
  9. Enable the Cloud Based RADIUS adapter
  10. Click Save
  11. You can now use the Cloud RADIUS adapter in your access policies

3 thoughts on “Workspace ONE Access with Azure MFA using the NPS Extension.”

  1. Thanks for the article. How can I increase the Azure MFA timeout? Users are only given about 15 seconds to approve on the MS Authenticator. Are there any settings to increase this timeout value?

  2. We used this tutorial to migrate from VMware Verify to MS Authenticator. After implementing this we are confronted with a second login for the VDI desktops. First login is email/password/MS Authenticator, second login is for the desktop with username (already filled in) and password. How can we return to a single sign-on to our desktops?