Configure Radius/NPS/VPN server with Azure MFA

See my blog post on Configure Radius/VPN server with NPS. There are some differences you need to make.

The blogpost was about Radius and RAS and NPS all on the same server. Well, the MFA extension for NPS which you have to install will cause your RAS service to crash. You have to install RAS on another server. Make sure that you set the secret and that you declare this new RAS server as a Radius client on the NPS server.

If your organization is going to use a VPN client that does not have an interface to enter text then you should select Phone Call as your default MFA authentication method rather than Text. Go back to the MFA setup and change it. Admins should take note of this. For this blog we will use the Windows 10 VPN client so we will use phone call.

Setup VPN

On a separate server from your NPS/Radius server install RAS/VPN. This Msft doc has steps for the RAS/VPN server setup.

Implement the Azure MFA NPS Extension

To implement the Azure MFA NPS Extension –

  1. Download the NPS Extension from the Microsoft Download Center
  2. Copy the binary to the Network Policy Server you want to configure
  3. Run setup.exe and follow the installation instructions

    If you encounter errors, double-check that the following two libraries are installed –

    Visual C++ Redistributable Packages for Visual Studio 2013 (X64)

    Microsoft Azure Active Directory Module for Windows PowerShell version

The installer creates a PowerShell script in this location: C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive)

  1. Open an elevated PowerShell prompt
  2. Execute

    cd “C:\Program Files\Microsoft\AzureMfa\Config”

  3. Execute


  4. When prompted, sign in as your Azure Active Directory tenant, global administrator
  5. When prompted, provide the tenant ID (Directory ID)
  6. Restart the NPS server


Go to your Windows 10 Client and Add a VPN connection to the Server using the credentials of the user that is the VPN group. You will get a call and once you verify, you will be connected.