News

Azure Active Directory Policy Server Extension Previewed

• By Kurt Mackie
• 02/07/2017

A new Azure Active Directory aimed at identifying access networking issues became available in preview mode on Monday.

The new preview, called "Network Policy Server (NPS) Extension for Azure multifactor authentication (MFA)," adds Remote Authentication Dial-In User Service (RADIUS) authentication support for clients when using the Azure MFA service. The extension offers organizations an alternative to running an Azure Multi-Factor Authentication Server in their datacenters in order to tap the Azure MFA service.

Azure AD is Microsoft's "cloud"-based identity and access management service. It's hosted from Microsoft's datacenters, but the service has lacked support for the RADIUS protocol that's typical used to authenticate clients for organizations using virtual private networks (VPNs). However, the new NPS Extension for Azure MFA preview has "closed this gap," according to Microsoft's announcement.

"With today's release of the NPS Extension for Azure MFA, I'm excited to announce that we have closed this gap, and added the ability to secure RADIUS clients using cloud-based MFA!" Microsoft's announcement stated.

MFA is an authentication scheme that adds secondary verification of a user's identity when they try to access network resources. Typically, end users will get a pushed-out message (via SMS) or an automated phone call to their smartphone to confirm their identities. However, organizations with VPNs that have wanted to use MFA with the Azure AD service typically have needed to set up Azure Multifactor Authentication Server in their datacenters because that was the only way to get RADIUS support, Microsoft's announcement explained. The NPS Extension for Azure MFA possibly simplifies those matters. However, it has some licensing requirements, and organizations still need a Network Policy Server.

The extension can be used if an organization is licensed to use Azure MFA, which comes with Azure AD Premium subscriptions and Enterprise Mobility + Security (EMS) licensing. Organizations also need to be using Windows Server 2008 R2 Service Pack 1 or greater to use the NPS Extension for Azure MFA. Another requirement is to use the Azure AD Connect synchronization service.

The extension gets installed via a PowerShell script. IT pros next will have to "configure your RADIUS client to authenticate through your NPS Server," according to Microsoft's description.

The new extension apparently is just for "greenfield" or new deployments. There aren't any "tools to migrate users and settings from MFA Server to the cloud," Microsoft's announcement warned. In addition, it's an all-or-nothing kind of service. Organizations wanting MFA for just some users, rather than all users, have to set up two Network Policy Servers and put the extension on just one of them.

The preview can be accessed through the Azure portal, according to a Microsoft spokesperson. Of course, organizations need the requisite access and licensing privileges to use it.