When running through the different pieces of Enterprise Mobility + Security with those who are focused on the cloud only components, it usually comes as a surprise to see how many different on-premises services can be extended with the different EMS components. The one that people know about is AADConnect, but Intune has connectors for Configuration Manager, Exchange and Simple Enrolment Protocol, AIP/RMS has the Azure RMS connector, and of course Advanced Threat Analytics is deployed by the customer. The MFA server is also available, and today’s announcement highlights some changes that are in the pipeline.
First of all it’s worth mentioning that the announcement focuses solely on potentially reducing or eliminating the requirement for MFA Server for some VPN scenarios, it doesn’t target the other scenarios that MFA Server addresses such as extending ADFS authentication methods, IIS app integration, RDS broker support and general purpose RADIUS and LDAP authentication. Remember that you need AAD Premium P1 or P2 licensing for Azure MFA server, so you can buy those standalone or as part of EMS E3 or E5.
So what does it do? Well, as the article suggests, this focuses on providing a cloud based MFA server for VPN without the on-premises MFA Server requirement. Instead it requires the installation of the NPS extension for Azure MFA, which supports the following operating systems. The list looks like it might need to be cleaned up a little, it references some previews and release candidates for versions of Windows Server that are no longer supported, but I think the final one listed sums it up.
Windows Server 2008 R2 SP1, Windows Server 2008 Service Pack 2, Windows Server 2012, Windows Server 2012 Beta Essentials, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials , Windows Server 2012 R2 Preview, Windows Server 2012 R2 Standard , Windows Server 2012 Release Candidate, Windows Server 2012 Standard, Windows Server 2016, Windows Server 2008 R2 SP1 or above with the NPS component enabled
The installation instructions provided, for those wanting to give it a try…
1. Run Setup.exe on your existing NPS Server
2. Run the PowerShell script from C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive)
For full details on the preview, head on over to Augment your existing authentication infrastructure with the NPS extension for Azure Multi-Factor Authentication – Public preview for more information, and keep an eye on the questions that are getting asked there in case anything relevant pops up.