Hi Scullone -
Not related to your original question, just out of curiosity on your overall setup, are you using the NPS extension to use Azure MFA?
Thanks,
I'm also curious about how you set this up, not just the SMS, but MFA for WorkSpace. I would appreciate any time you could put into a summary and tools used.
Thanks!
-Dave
Hello!
We use an architecture with on-premises Active Directory servers (AD Connect).
I installed "Azure MFA Server" (this application is provided with the Azure subscription) on a domain-joined server. There are no limitations on installing it on a DC.
Users can be imported into Azure MFA Server directly from Active Directory. I think it can be used with Azure without on-premises servers by enabling the LDAP(S) service in Azure, but I am not 100% sure.
Azure MFA Server can provide the RADIUS service itself; you don't need to deploy NPS servers.
But there is a trick. When you turn on MFA on the AWS side, it generates two fake RADIUS Access-Request messages and waits for an Access-Reject response to each of these requests. I don't know why, but Azure MFA Server sends only one Access-Reject message, to the first Access-Request; the second Access-Request stays unanswered and AWS thinks that it is a failure.
So the workaround is to set up the NPS service and turn it on while AWS performs its check, then turn NPS off and turn on the RADIUS service in the Azure MFA Server application.
After turning on MFA on the AWS side, you will see an additional field, "MFA", in the AWS WorkSpaces client application. In this field you need to enter the password (see my first post). After this, AWS will send a RADIUS request to Azure MFA Server.
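The exchange described in the post above, as an added example that is not part of the original thread and not code from AWS or Azure MFA Server: it builds RFC 2865 Access-Request and Access-Reject packets, verifies the Response Authenticator the way a RADIUS client should, and models the enable-time check as the post describes it (two probe requests, each of which must get a valid Access-Reject). The shared secret, user name, password and the two "server" behaviours are constructed for illustration; the probe content AWS actually sends is not known from the thread.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for the example (not from the original thread).
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _hide_password(password, authenticator):
    """RFC 2865 section 5.2 User-Password hiding, one 16-byte block at a time."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(SHARED_SECRET + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def build_access_request(identifier, username, password, authenticator=None):
    """Access-Request: Code 1, Identifier, Length, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, _hide_password(password, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_response(code, request, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + SHARED_SECRET).digest()
    return header + resp_auth + attrs


def verify_response(response, request):
    """Client side: the reply must carry the request's Identifier and a valid authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + SHARED_SECRET).digest()
    return hmac.compare_digest(resp_auth, expected)


def reply_to_first_only(requests):
    """Models the behaviour the post describes: only the first probe gets an Access-Reject."""
    return [build_response(ACCESS_REJECT, requests[0])] + [None] * (len(requests) - 1)


def reply_to_all(requests):
    """Models a server that answers every probe with an Access-Reject."""
    return [build_response(ACCESS_REJECT, r) for r in requests]


def probe_check(server):
    """Simulates the enable-time check as described: two probes, each needing a valid
    Access-Reject. Returns (overall result, per-probe results)."""
    # Constructed probe credentials; the real probe content is not known from the thread.
    requests = [build_access_request(i, b"mfa-probe", b"not-a-real-password") for i in (1, 2)]
    responses = server(requests)
    per_probe = [
        r is not None and r[0] == ACCESS_REJECT and verify_response(r, q)
        for q, r in zip(requests, responses)
    ]
    return all(per_probe), per_probe


if __name__ == "__main__":
    print("answers both probes:", probe_check(reply_to_all))          # (True, [True, True])
    print("answers first only: ", probe_check(reply_to_first_only))   # (False, [True, False])
```

Running it shows why the check fails against a server that drops the second probe: the first reply verifies, the second never arrives, and the check requires both. The authenticator verification is the part worth keeping in any real client, since an unauthenticated Access-Reject or Access-Accept from the wrong host should never be trusted.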
Thanks for taking the time and providing insight Scullone! I'll try setting it up in my environment and see how it goes. Cheers!