The Network Policy Server (NPS) extension for Azure MFA adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.

This extension was created for organizations that want to protect VPN connections without deploying the Azure MFA Server. The NPS extension acts as an adapter between RADIUS and cloud-based Azure MFA to provide a second factor of authentication for federated or synced users.

The instructions for setting up this extension are well documented in this article: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Microsoft provides a script that creates a self-signed certificate and registers it for you, but security-conscious organizations may want the certificate issued by their own PKI instead. Unfortunately, that path is not documented very well.

Solution:

  1. Get the tenant ID (the ObjectId of the tenant; it becomes the Common Name of the certificate):

Connect-MsolService
Get-MsolCompanyInformation | Select-Object ObjectId

    1. On the NPS, open Certificate Manager for the local computer (certlm.msc)
    2. Right-click on Personal | Certificates and choose All Tasks | Advanced Operations | Create Custom Request…
    3. Click Next on the ‘Before You Begin’ screen
    4. Select the ‘Proceed without enrollment policy’ option and choose Next
    5. Leave the default options and choose Next
    6. Click the Details chevron, then click Properties
    7. Provide a Friendly Name as well as a Description
    8. Click the Subject tab
    9. Under Subject Name, select Common Name for the Type and enter the Tenant ID gathered earlier as the Value; the entry should appear as CN=<TenantID>
    10. Click the Add button
    11. Under Subject Name, select Organizational Unit for the Type and enter Microsoft NPS Extension as the Value; the entry should appear as OU=Microsoft NPS Extension
    12. Click Add
    13. Click Apply
    14. Select the Private Key tab
    15. Select the Key Options chevron
    16. Change the Key Size to ‘2048’. Select the Make Private Key Exportable checkbox only if you intend to copy this same certificate to other NPS servers; an exportable key can be pulled out of the machine store by any local administrator, and each NPS server can instead register its own certificate against the same service principal
    17. Click the OK button
    18. Click the Next button
    20. Provide a path and a file name for the .REQ file and click Finish
    21. Navigate to your certificate authority's web enrollment page and select Request a Certificate
    22. Choose Advanced Certificate Request
    23. Open the certificate request file that was created earlier using Notepad
    24. Copy to the clipboard (Ctrl+C) all of the text between ‘-----BEGIN NEW CERTIFICATE REQUEST-----’ and ‘-----END NEW CERTIFICATE REQUEST-----’ (not including those lines themselves)
    25. Switch back to the Request a Certificate page in IE
    26. Paste that text into the Saved Request text box
    27. Choose the appropriate template and click Submit
      a. NOTE:

      • On this particular certificate authority, an NPS template was published after being created by duplicating the built-in ‘RAS and IAS Server’ template with the following settings modified:
        1. Validity Period: 3 years
        2. Publish Certificate in AD: checked
        3. Allow private key to be exported: checked
        4. ‘RAS and IAS Servers’ permissions: Allow Enroll and Autoenroll only
        5. ‘NETWORK SERVICE’ permissions: Allow Read
        6. Subject Name: Supply in the request.

      28. Click the Base 64 Encoded option and then click the Download Certificate link

      29. Provide a name and location to save the new certificate.
      30. Copy the new cert to the NPS.
      31. On the NPS, right-click the new cert and choose Install Certificate.

      32. Change the option to Local Machine and click Next.

      33. Leave the default options and click Next.

      34. Click the Finish button

      35. On the NPS, open PowerShell.
      36. Connect to the tenant and list the credentials already registered on the Azure MFA client service principal:
      Import-Module MSOnline
      Connect-MsolService
      Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1

      37. This should return nothing.

      38. If a credential is returned (left behind by Microsoft's self-signed certificate script or by an earlier cert), it will need to be removed. Remove only the key you are replacing: every NPS server in the tenant registers its certificate on this same service principal, so deleting a key that belongs to another NPS server breaks MFA for that server.

a. First, get the Object ID of the service principal:
Get-MsolServicePrincipal | Where-Object {$_.AppPrincipalId -eq "981f26a1-7f43-403b-a875-f8b09b8cd720"} | Select-Object ObjectId

b. Next, remove the service principal credential (the KeyId and ObjectId below are the values returned in this environment; substitute the KeyId and ObjectId returned by the two commands above):
Remove-MsolServicePrincipalCredential -KeyIds c1030b02-2c12-4ec9-b69d-f5f04baf9362 -ObjectId '92ffe6aa-7d42-43d3-b228-1071700e8265'


c. Running the same command from earlier should, this time, yield no results:
Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1


d. If so, proceed to the next steps.

39. Get the Base64 value of the new certificate in PowerShell (the path is the .cer file copied to the NPS in step 30):

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("path to new cert file")
$bin = $cer.GetRawCertData()
$base64Value = [System.Convert]::ToBase64String($bin)

40. Add the cert to the tenant by entering the following (the cmdlet prints nothing on success):

New-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -Type asymmetric -Usage verify -Value $base64value -Verbose

41. Confirm that the cert is there by running the following:
Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1

42. Ensure this is the same cert: the Base64 .cer file opened in Notepad on the NPS should contain exactly the string shown in the Value field of the previous command (the same comparison can be done in PowerShell by testing $base64Value against that Value)

43. Next, modify the following registry entries using PowerShell ($cer is the certificate object loaded in step 39). The original version of this snippet assigned $tennantId and then wrote $tenantId, which would have stored an empty TENANT_ID; it also assumed CN was the first component of the subject, so the tenant ID is now pulled from the CN directly:
$subject = $cer.Subject
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AzureMfa\" -Name "CLIENT_CERT_IDENTIFIER" -Value $subject
# Extract the 36-character tenant ID from the CN, wherever CN sits in the subject string
$tenantId = [regex]::Match($subject, 'CN=([0-9a-fA-F-]{36})').Groups[1].Value
if (-not $tenantId) { throw "Subject '$subject' does not contain CN=<TenantID>" }
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AzureMfa\" -Name "TENANT_ID" -Value $tenantId

44. Finally, restart the NPS service (service name ias) on the NPS so the extension picks up the new certificate:
Restart-Service -Force ias
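The whole procedure above can be scripted so that it is repeatable on every NPS server and so that the verification is done by comparing bytes rather than by reading Base64 in Notepad. The script below is an added example written for this page; it is neither Microsoft's configuration script nor the author's code. It uses certreq in place of the Certificate Manager wizard and the CA web enrollment page, and otherwise mirrors the numbered steps. The CA configuration string, template name, and working directory are placeholders to be replaced for your environment; the script assumes it runs elevated on the NPS after the NPS extension is installed (so the AzureMfa registry key exists), that the MSOnline module is present, and that the template is issued immediately rather than held for CA manager approval. Note that Microsoft has deprecated the MSOnline module, so check the linked Microsoft article for the currently supported cmdlets before relying on the registration part in production.

```powershell
# Added example, not Microsoft's script and not the page author's code.
# Assumed placeholders: $CaConfig ("CAHost\CA name"), $TemplateName, $WorkDir.
param(
    [string]   $CaConfig     = 'ca01.corp.example\Corp-Issuing-CA',  # assumed CA config string
    [string]   $TemplateName = 'NPSExtension',                        # assumed template name
    [string]   $WorkDir      = 'C:\Temp\NpsMfaCert',                  # assumed scratch directory
    [bool]     $Exportable   = $false,   # only needed if this cert will be copied to other NPS servers
    [string[]] $RemoveKeyIds = @()       # KeyIds of credentials you are deliberately replacing
)
$ErrorActionPreference = 'Stop'
$MfaClientAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure MFA client app ID used in the steps above
$RegPath        = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Take the tenant ID from the tenant itself so it cannot be mistyped into the CN.
Import-Module MSOnline
Connect-MsolService
$tenantId = (Get-MsolCompanyInformation).ObjectId.ToString()
$subject  = "CN=$tenantId, OU=Microsoft NPS Extension"

# 2. Request the certificate with the same subject and key options as the wizard steps.
$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = $(if ($Exportable) { 'TRUE' } else { 'FALSE' })
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
"@
$infPath = Join-Path $WorkDir 'nps.inf'
$reqPath = Join-Path $WorkDir 'nps.req'
$cerPath = Join-Path $WorkDir 'nps.cer'
Set-Content -Path $infPath -Value $inf -Encoding Ascii
certreq -new $infPath $reqPath | Out-Null
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $reqPath $cerPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cerPath)) {
    throw "The CA did not issue the certificate (request pending or denied?)"
}
certreq -accept -machine $cerPath | Out-Null   # pairs the issued cert with its private key in LocalMachine\My

# 3. Register the public certificate on the MFA client service principal.
$cer         = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$base64Value = [Convert]::ToBase64String($cer.GetRawCertData())
$existing = @(Get-MsolServicePrincipalCredential -AppPrincipalId $MfaClientAppId -ReturnKeyValues 1)
if ($existing.Count -gt 0) {
    # Other NPS servers register their certs on this same service principal; do not blindly delete them.
    Write-Warning "Service principal already has $($existing.Count) credential(s):"
    $existing | Select-Object KeyId, Type, Usage, StartDate, EndDate | Format-Table -AutoSize | Out-String | Write-Host
}
if ($RemoveKeyIds.Count -gt 0) {
    $spObjectId = (Get-MsolServicePrincipal -AppPrincipalId $MfaClientAppId).ObjectId
    Remove-MsolServicePrincipalCredential -ObjectId $spObjectId -KeyIds $RemoveKeyIds
}
New-MsolServicePrincipalCredential -AppPrincipalId $MfaClientAppId -Type asymmetric -Usage verify -Value $base64Value

# 4. Verify by comparing the registered key bytes with the local certificate, not by eye.
$registered = Get-MsolServicePrincipalCredential -AppPrincipalId $MfaClientAppId -ReturnKeyValues 1 |
              Where-Object { $_.Value -eq $base64Value }
if (-not $registered) { throw "Certificate $($cer.Thumbprint) is not registered on the service principal" }

# 5. Point the extension at the certificate and restart NPS.
Set-ItemProperty -Path $RegPath -Name 'CLIENT_CERT_IDENTIFIER' -Value $cer.Subject
Set-ItemProperty -Path $RegPath -Name 'TENANT_ID'              -Value $tenantId
Restart-Service -Name ias -Force
Write-Host "Registered $($cer.Thumbprint) ($($cer.Subject)) for tenant $tenantId"
```

Run it once per NPS server; each run issues that server its own certificate and adds one more verify key to the service principal, so nothing needs to be exported. Pass -RemoveKeyIds only with the KeyId of the certificate that this server previously used, after confirming it with the listing the script prints.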