So I was keen to move away from a dedicated MFA server and the new NPS Extension for Azure MFA looked like the perfect solution. However this was a journey that had many dragons and bad lands that I had to navigate to get it to work. The good news is if you’ve found this post because you’re getting the same error as me (below) then here is the solution.
First off, this Microsoft document is a good place to start for building out the NPS/MFA environment. There are some other blogs out there but by comparison this is a simple and clean solution. I’ve tested this with both RRAS VPN and RDP Gateway and it works perfectly.
So you built the environment and you are getting this error
NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User email@example.com with response state AccessChallenge, ignoring request.
Another error you might be seeing is the:
“NPS Extension for Azure MFA: Unknown Exception”
The issue that was causing my problem was that I was using an account that was also a member of another AAD, this other AAD also had MFA enabled on this account. What I mean by this is I had created a new AAD and Subscription to handle the users that would be consuming this service, the reason to do this was to separate this off from the corporate AAD. When I created the AAD I added my account from the corporate AAD as a “Guest” account. I then used this same account for setting up the NPS Extension for MFA.
I removed the current AAD MFA certificate from the NPS server, from Cert manager: “Local Machine” -> “Personal” -> “Certificates” and delete the certificate that has your tenant ID as the “Issued to” column.
So I created a new dedicated account within the AAD that I wanted to MFA extension to consume from, made that account a GA of the AAD and didn’t enable MFA on it. When configuring the MFA extension (via the NPA/MFA PowerShell script) I specified this new dedicated account, and it all just worked.