Configure Microsoft Push Notification


Integrating miniOrange with Microsoft Azure Active Directory (AD) allows organizations to enhance security by enabling Microsoft Authenticator Push Notifications as a Multi-Factor Authentication (MFA) method. This integration provides users with an additional layer of security during authentication processes.


Explore the areas that can be enhanced with the Windows 2FA login solution:

  • Self-service password reset (SSPR) and account unlock for Active Directory users.
  • Secure endpoint logins on Windows, macOS, and Linux, as well as Outlook Web App (OWA) logins.
  • Enterprise application access using Single Sign-On (SSO) for seamless authentication.
  • Seamless login for VPN and Secure Network Devices.

Get Free Installation Help - Book a Slot


miniOrange offers free help through a consultation call with our System Engineers to install or set up Two-Factor Authentication (2FA) for the Windows Logon and RDP solution in your environment, with a 30-day trial.

To book a slot, send us an email at idpsupport@xecurify.com and we'll help you set it up in no time.



How does Azure AD MFA work with miniOrange?


Microsoft Push Notification flow

  • The user attempts to log in or perform a self-service password reset or account unlock.
  • The multi-factor authentication page is loaded, and the user initiates Azure AD MFA.
  • The miniOrange server sends a RADIUS request to the Network Policy Server (NPS).
  • The NPS extension for Azure MFA contacts the Azure cloud and triggers an MFA request.
  • If Microsoft Authenticator push notification or phone call-based verification methods are enabled for Azure AD MFA, the verification request is triggered directly.
  • If Microsoft Authenticator verification code, hardware token-based, or SMS-based verification code methods are enabled for Azure AD MFA, the NPS extension returns a RADIUS challenge response to the miniOrange server, and the user is prompted for the verification code.
  • Once Azure AD MFA is successful, the NPS extension returns a RADIUS accept response to the miniOrange server, and the user is granted access.


Prerequisites

  • Windows Server 2012 or later.
  • .NET Framework 4.7.2 or later.
  • PowerShell version 5.1 or later.
  • Permanent outbound TCP 443 from the NPS server to Azure for the following URLs:
    • https://login.microsoftonline.com
    • https://credentials.azure.com
    • https://strongauthenticationservice.auth.microsoft.com
    • https://adnotifications.windowsazure.com
  • Temporary outbound TCP 443 from the NPS server to Azure for the following URLs. These are needed only during setup; the firewall rules can be removed afterwards.
    • https://onegetcdn.azureedge.net
    • https://login.microsoftonline.com
    • https://graph.microsoft.com
    • https://provisioningapi.microsoftonline.com
    • https://aadcdn.msauth.net
    • https://www.powershellgallery.com
    • https://go.microsoft.com
    • https://aadcdn.msftauthimages.net
  • Permanent UDP 1812 from the miniOrange IDP server to the NPS server for RADIUS communication. (This is used to send the push notification request from miniOrange to NPS.)
  • The NPS Extension for Azure MFA installer downloaded and ready on the NPS server.
  • An Azure account with Global Administrator permissions.
  • The Tenant ID from the Microsoft Entra admin center.
    [Screenshot: Tenant ID]
  • Administrator access on the NPS server to install the NPS extension.
  • By default the NPS extension uses the userPrincipalName from the on-premises AD DS environment to identify the user in Azure AD. The on-premises UPN must therefore match the Azure AD UPN, or another AD attribute whose value does match must be configured (see the FAQ section).
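The following pre-flight script is an added example and not part of the miniOrange guide. It checks the PowerShell and .NET Framework versions required above and tests outbound TCP 443 from the NPS server to the permanent Azure endpoints. The .NET Framework "Release" threshold (461808 for 4.7.2) is Microsoft's documented mapping; the UDP 1812 path from the miniOrange IDP must be checked from the IDP side and is not covered here.

```powershell
# Added example (not part of the miniOrange guide): pre-flight check for the NPS server.
# Verifies the PowerShell and .NET Framework versions required by the guide and tests
# outbound TCP 443 to the permanent Azure endpoints listed above.
# Run in an elevated PowerShell session on the NPS server.

$MinPsVersion  = [Version]'5.1'
$MinNetRelease = 461808   # .NET Framework 4.7.2 'Release' registry value (Microsoft's documented minimum)

$PermanentHosts = @(
    'login.microsoftonline.com',
    'credentials.azure.com',
    'strongauthenticationservice.auth.microsoft.com',
    'adnotifications.windowsazure.com'
)

function Test-PsVersion {
    $ok = $PSVersionTable.PSVersion -ge $MinPsVersion
    [pscustomobject]@{ Check = 'PowerShell >= 5.1'; Result = $ok; Detail = $PSVersionTable.PSVersion.ToString() }
}

function Test-NetFramework {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $regPath -Name Release -ErrorAction SilentlyContinue).Release
    $ok = ($null -ne $release) -and ($release -ge $MinNetRelease)
    [pscustomobject]@{ Check = '.NET Framework >= 4.7.2'; Result = $ok; Detail = "Release=$release" }
}

function Test-AzureEndpoint {
    param([string]$HostName)
    # Test-NetConnection only confirms the TCP handshake; it does not validate TLS or
    # proxy behaviour, so an intercepting proxy on 443 would still pass this check.
    $r = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP 443 -> $HostName"; Result = $r.TcpTestSucceeded; Detail = $r.RemoteAddress }
}

$results = @(Test-PsVersion; Test-NetFramework) +
           ($PermanentHosts | ForEach-Object { Test-AzureEndpoint -HostName $_ })
$results | Format-Table -AutoSize

if ($results.Result -contains $false) {
    Write-Warning 'One or more prerequisite checks failed; fix them before installing the NPS extension.'
}
```

Run it once before installing the extension and again after removing the temporary firewall rules, so that only the permanent endpoints remain reachable.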

Step by step guide to configure Microsoft Push Notification


1. Install the NPS service on the Windows Server


Installation via Server Manager

  • Open Server Manager via Windows search.
    [Screenshot: Server Manager]
  • In Server Manager, click Manage, and then click Add Roles and Features. The Add Roles and Features Wizard opens.
    [Screenshot: Add Roles and Features]
  • Click Next if the Before You Begin page appears.
  • In Select Installation Type, ensure that Role-based or feature-based installation is selected, and then click Next.
    [Screenshot: Select Installation Type]
  • In Select destination server, ensure that Select a server from the server pool is selected. In Server Pool, ensure that the local computer is selected. Click Next.
    [Screenshot: Server Selection]
  • In Select Server Roles, under Roles, select Network Policy and Access Services. A dialog box opens asking whether to add the features that are required for Network Policy and Access Services. Click Add Features, and then click Next.
    [Screenshot: Network Policy and Access Services]
    [Screenshot: Add Features]
  • Review the information and click Next.
    [Screenshot: Review Information]
  • Click Install. The Installation progress page displays status during the installation process. When the process completes, the message "Installation succeeded on ComputerName" is displayed, where ComputerName is the name of the computer on which you installed Network Policy Server.
    [Screenshot: Installation Progress]
  • Wait until the installation is completed, then click Close.
    [Screenshot: Installation Completed]


Installation via Windows PowerShell

  • Run Windows PowerShell as Administrator, type the following command, and then press ENTER.
    Install-WindowsFeature NPAS -IncludeManagementTools
  • Now we have successfully installed NPS on Windows Server.

2. Installing the NPS extension for Microsoft Entra multifactor authentication

Prerequisites:

  • Microsoft Entra ID: To enable MFA, the users must exist in Microsoft Entra ID, either synced from the on-premises environment or created in the cloud.
  • Ensure that the user account in Entra ID is not locked or disabled, as this will prevent successful authentication.
  • To receive the Microsoft push notification, the user needs to sign in to the Microsoft Authenticator app with the credentials created above; follow this guide if you face any issues.
  • Licenses: The NPS Extension for Microsoft Entra multifactor authentication is available to customers with licenses for Microsoft Entra multifactor authentication (included with Microsoft Entra ID P1 and Premium P2 or Enterprise Mobility + Security). Consumption-based licenses for Microsoft Entra multifactor authentication, such as per-user or per-authentication licenses, aren't compatible with the NPS extension.

Important Note: The NPS server connects to Microsoft Entra ID and authenticates the MFA requests. Choose one server for this role. We recommend choosing a server that doesn't handle requests from other services, because the NPS extension throws errors for any requests that aren't RADIUS. The NPS server must be set up as the primary and secondary authentication server for your environment. It can't proxy RADIUS requests to another server.


Installing the NPS Extension:

  • On the Windows Server where NPS is installed, open a browser and download the NPS extension installer from here.
    [Screenshot: Download Executables]
  • If you have already installed the NPS extension, uninstall it first and install it again to update the libraries.
  • Run setup.exe and follow the installation instructions.
  • Restart the Network Policy Server (IAS) service from Windows Services.
  • Open Windows PowerShell with administrative privileges and run the commands below:
    cd "C:\Program Files\Microsoft\AzureMfa\Config"
    ls
    [Screenshot: Configuration]
  • Run the PowerShell script created by the installer:
    .\AzureMfaNpsExtnConfigSetup.ps1
    Note: This might take quite some time because some binaries are installed here, so be patient.
  • Once the necessary binaries are installed, you will be prompted to sign in to a Microsoft account. Note that you need Global Administrator credentials for Entra ID to sign in.
  • Once the sign-in is successful, the PowerShell script prompts you to enter the Tenant ID from the Microsoft Entra admin center. Enter the Tenant ID and press Enter.
    [Screenshot: Enter Tenant ID]
  • Once done, you will see the NPS service being restarted and you will be asked to press Enter to close PowerShell.
  • MFA via Microsoft push notification is now enabled.

3. How to integrate the miniOrange IDP server with NPS

  • Log in to the miniOrange IDP with an Administrator account. Go to the External Directories section in the left panel and click the Add Directory button.
    [Screenshot: Add external directory]
  • Search for RADIUS in the list of directories and click the RADIUS Directory.
    [Screenshot: Add RADIUS Directory]
  • Fill in the details:
    • Server Host is the IP address of the NPS (Network Policy Server).
    • If you are using the miniOrange On-Premise Identity Provider (IDP) server, and both the NPS server and the miniOrange IDP server are in the same network, set Server Host to the private IP address of the NPS server.
    • If you are using the miniOrange Cloud Identity Provider (IDP) server, set Server Host to the public IP address of the NPS server.
    • Enter a shared secret, which secures the RADIUS communication between the NPS server and the miniOrange IDP.
    • Note: The same secret must also be configured on the NPS server, as described in the steps below.
    • Click Save to add the NPS server as a RADIUS Directory.
    [Screenshot: Add NPS server]
  • Open the Network Policy Server (NPS) console on the Windows Server.
    [Screenshot: Open NPS on the Windows Server]
  • Right-click RADIUS Clients, then select New to add the IP address of the miniOrange IDP as a new RADIUS client.
    [Screenshot: Add the IP address of the miniOrange IDP]
  • Fill in the required details:
    • In New RADIUS Client, enter the Friendly Name, the IP address of the miniOrange IDP, and the Shared Secret configured previously. Ensure all fields are completed accurately before proceeding.
    • Note: Ensure that the "Enable this RADIUS client" checkbox is selected to activate the client configuration.
    • If you are using the miniOrange On-Premise IDP server, enter the private IP address of the IDP server in the IP Address field.
    • If you are using the miniOrange Cloud IDP server, enter the miniOrange Cloud IDP address 52.55.147.107 in the IP Address field.
    [Screenshot: miniOrange Cloud IDP]
  • Next, add a Connection Request Policy by right-clicking Connection Request Policies under the Policies section in the NPS console and selecting New.
  • Fill in the policy details:
    • Enter the policy name and click Next.
    [Screenshot: Enter policy name]
    • Click Add, search for the Client IPv4 Address condition and click Add.
    [Screenshot: Client IPv4 address]
    • You will be prompted to enter an IP address. Provide the same IP address of the miniOrange IDP that you specified earlier when adding the RADIUS client. Click OK and then click Next.
    • You should see the following prompt. Ensure that you select "Authenticate requests on this server" so that the NPS server handles authentication locally.
    [Screenshot: Authenticate requests on this server]
  • Continue clicking Next through the remaining steps until the Finish button becomes available, then click Finish to complete the setup.
    [Screenshot: Finish Configuration]
  • Now add a new Network Policy by right-clicking Network Policies under the Policies section and selecting New.
  • Fill in the details to create the network policy:
    • Enter the policy name.
    [Screenshot: Enter the policy name]
    • Click Add, search for the Client IPv4 Address condition and click Add.
    [Screenshot: Client IPv4 address]
    • You will be prompted to enter an IP address. Provide the same IP address of the miniOrange IDP that you specified when adding the RADIUS client and creating the Connection Request Policy. Click OK and then click Next.
    [Screenshot: Provide the IP address of the miniOrange IDP]
  • Select Access granted to specify the access permission, then click Next to continue.
    [Screenshot: Grant Access]
  • In the Configure Authentication Methods section, uncheck all previously selected options. Then check the option labeled Allow clients to authenticate without negotiating an authentication method.
    [Screenshot: Allow clients to authenticate without negotiating an authentication method]
  • Continue clicking Next through the remaining steps until the Finish button becomes available, then click Finish to complete the setup.
    [Screenshot: Finish to complete the setup]
  • To receive Microsoft push notifications instead of being prompted for a Microsoft Authenticator code, you must add a specific registry value on the NPS server:
    • Search for Registry Editor in Windows search on the server where the NPS service is running.
    • Go to HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > AzureMFA.
    [Screenshot: AzureMFA]
    • Right-click the empty space on the right where the registry values are listed and add a new String Value.
    [Screenshot: add new String Value]
    • Name it OVERRIDE_NUMBER_MATCHING_WITH_OTP. After it has been added, right-click it, click Modify and set the value data to FALSE.
    [Screenshot: Modify]
    [Screenshot: Add the FALSE as value]
    • Restart the NPS service; after testing, you should now receive Microsoft push notifications.
    • The miniOrange IDP server is now integrated with NPS.
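The script below is an added example, not part of the miniOrange guide, that performs the NPS-side steps above from PowerShell: it registers the miniOrange IDP as a RADIUS client, writes the OVERRIDE_NUMBER_MATCHING_WITH_OTP value and restarts the service. It assumes the NPS role and the Azure MFA NPS extension are already installed and uses the NPS PowerShell module cmdlets (New-NpsRadiusClient, Get-NpsRadiusClient, Remove-NpsRadiusClient) that ship with the role; the Connection Request Policy and Network Policy are still created in the NPS console as described above.

```powershell
# Added example (not part of the miniOrange guide): scripted equivalent of the NPS-side
# steps above. Creates the miniOrange IDP as a RADIUS client, sets the
# OVERRIDE_NUMBER_MATCHING_WITH_OTP value used by the NPS extension, and restarts NPS.
# Assumptions: the NPS role and the Azure MFA NPS extension are already installed and
# the 'NPS' PowerShell module (installed with the role) is available.

param(
    # IP of the miniOrange IDP as seen by the NPS server (private IP for an on-premise IDP,
    # 52.55.147.107 for the miniOrange Cloud IDP, per the guide).
    [Parameter(Mandatory)][string]$IdpAddress,
    [string]$ClientName = 'miniOrange-IDP'
)

Import-Module NPS -ErrorAction Stop

$AzureMfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

# The extension's registry key is created by AzureMfaNpsExtnConfigSetup.ps1 (step 2);
# stop here if it is missing so a half-configured server is not mistaken for a working one.
if (-not (Test-Path $AzureMfaKey)) {
    throw "Registry key $AzureMfaKey not found - run the NPS extension setup script first."
}

# Prompt for the RADIUS shared secret instead of hard-coding it in the script.
# It must be the same secret entered in the miniOrange RADIUS Directory.
$secure = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $sharedSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Add (or replace) the RADIUS client entry for the miniOrange IDP.
if (Get-NpsRadiusClient | Where-Object Name -eq $ClientName) {
    Remove-NpsRadiusClient -Name $ClientName
}
New-NpsRadiusClient -Name $ClientName -Address $IdpAddress -SharedSecret $sharedSecret | Out-Null
$sharedSecret = $null

# Switch the extension from OTP / number-matching prompts to push notifications.
New-ItemProperty -Path $AzureMfaKey -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
    -Value 'FALSE' -PropertyType String -Force | Out-Null

# Restart the Network Policy Server service (service name IAS) so both changes take effect.
Restart-Service -Name IAS -Force

# Show the result for verification.
Get-NpsRadiusClient | Where-Object Name -eq $ClientName | Format-List Name, Address
Get-ItemProperty -Path $AzureMfaKey -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'
```

Usage: `.\Configure-MiniOrangeNps.ps1 -IdpAddress 10.0.0.25` from an elevated prompt on the NPS server (script name is a placeholder). The secret is read interactively so it does not end up in the script file or in PowerShell history.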

Troubleshooting

If push notifications are not working:

  • Verify connectivity to the NPS server.
  • Confirm the RADIUS Directory settings (Server Host and shared secret) in the miniOrange IDP.
  • Ensure the service is enabled for the user group.

Frequently Asked Questions (FAQs)

My userPrincipalName does not match the userPrincipalName in Microsoft Entra ID

  • Search for Registry Editor in Windows search on the server where the NPS service is running.
  • Go to HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > AzureMFA.
    [Screenshot: AzureMFA registry key]
  • Right-click the LDAP_ALTERNATE_LOGINID_ATTRIBUTE value and set it to the name of the Active Directory attribute whose value matches the userPrincipalName in Microsoft Entra ID, e.g. displayName.
  • Restart the NPS service; you should now be able to test Microsoft push notifications.
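The script below is an added example, not part of the miniOrange guide. It sets LDAP_ALTERNATE_LOGINID_ATTRIBUTE from PowerShell but first spot-checks that the chosen AD attribute is populated and UPN-shaped for a few users, since the extension sends that value to Entra ID as the login identifier and an empty or malformed value fails MFA for that user. It assumes the ActiveDirectory RSAT module is available on the NPS server; the sample usernames are constructed placeholders.

```powershell
# Added example (not part of the miniOrange guide): set LDAP_ALTERNATE_LOGINID_ATTRIBUTE and,
# before restarting NPS, confirm that the chosen AD attribute is populated for the users who
# will authenticate. Assumes the ActiveDirectory RSAT module is installed on the NPS server
# and that the NPS extension is installed (registry key present).

param(
    # AD attribute whose value equals the user's Entra ID userPrincipalName (guide example: displayName)
    [Parameter(Mandatory)][string]$AttributeName,
    # sAMAccountNames to spot-check; constructed placeholder values, replace with real users
    [string[]]$SampleUsers = @('jdoe', 'asmith')
)

Import-Module ActiveDirectory -ErrorAction Stop
$AzureMfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

function Test-AlternateLoginAttribute {
    param([string]$Attribute, [string[]]$Users)
    foreach ($u in $Users) {
        $adUser = Get-ADUser -Identity $u -Properties $Attribute -ErrorAction SilentlyContinue
        $value  = if ($adUser) { $adUser.$Attribute } else { $null }
        # The extension sends this value to Entra ID as the login id, so it must be non-empty
        # and look like a UPN (user@domain); anything else will fail MFA for that user.
        $looksLikeUpn = ($value -is [string]) -and ($value -match '^[^@\s]+@[^@\s]+$')
        [pscustomobject]@{ User = $u; $Attribute = $value; LooksLikeUpn = $looksLikeUpn }
    }
}

if (-not (Test-Path $AzureMfaKey)) {
    throw "Registry key $AzureMfaKey not found - install the NPS extension first."
}

$report = Test-AlternateLoginAttribute -Attribute $AttributeName -Users $SampleUsers
$report | Format-Table -AutoSize

if ($report.LooksLikeUpn -contains $false) {
    throw "Attribute '$AttributeName' is empty or not UPN-shaped for at least one sample user; fix AD first."
}

# Write the override and restart NPS (service name IAS) so the extension picks it up.
New-ItemProperty -Path $AzureMfaKey -Name 'LDAP_ALTERNATE_LOGINID_ATTRIBUTE' `
    -Value $AttributeName -PropertyType String -Force | Out-Null
Restart-Service -Name IAS -Force
```

Usage: `.\Set-AlternateLoginId.ps1 -AttributeName displayName -SampleUsers jdoe,asmith` (script name is a placeholder). Widen the sample to the whole MFA user group before relying on the attribute in production.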

Debug NPS Logs

  • Go to Windows search, type Event Viewer and open it.
  • In the left panel under Custom Views, go to Server Roles, and under Server Roles go to Network Policy and Access Services.
  • Here you should see the events generated for each RADIUS authentication.
  • Click any event to see all the information about the selected entry.
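The script below is an added example, not part of the miniOrange guide, that reads the same RADIUS authentication events from PowerShell instead of Event Viewer. NPS audits RADIUS requests to the Security log as event IDs 6272 (access granted), 6273 (access denied) and 6274 (request discarded); the event data field names used here (ClientIPAddress, ClientName, SubjectUserName, Reason) are those Windows logs for these events and should be verified against one raw event on your server. It assumes the Network Policy Server audit subcategory is enabled, which is the default when the role is installed.

```powershell
# Added example (not part of the miniOrange guide): pull the RADIUS authentication events
# that the "Network Policy and Access Services" custom view shows, from PowerShell.
# NPS audits RADIUS requests to the Security log; event IDs 6272 (granted), 6273 (denied)
# and 6274 (discarded) are read here. Assumption: the Network Policy Server audit
# subcategory is enabled (default with the NPS role). Run elevated on the NPS server.

param(
    [int]$Hours = 1,
    # Optional: only show requests from this RADIUS client (e.g. the miniOrange IDP address)
    [string]$ClientAddress
)

$NpsEventIds = @{ 6272 = 'Access granted'; 6273 = 'Access denied'; 6274 = 'Request discarded' }

function Get-NpsRadiusEvents {
    param([int]$Hours, [string]$ClientAddress)
    $filter = @{
        LogName   = 'Security'
        Id        = @($NpsEventIds.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        # Event data names as Windows logs them for 6272/6273/6274; verify against one raw event.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Result        = $NpsEventIds[$_.Id]
            User          = $data['SubjectUserName']
            ClientAddress = $data['ClientIPAddress']
            ClientName    = $data['ClientName']
            Reason        = $data['Reason']
        }
    } | Where-Object { -not $ClientAddress -or $_.ClientAddress -eq $ClientAddress }
}

$events = Get-NpsRadiusEvents -Hours $Hours -ClientAddress $ClientAddress
$events | Sort-Object Time | Format-Table -AutoSize

# Quick summary: a burst of denials from one client in a short window is worth a closer look,
# both for troubleshooting and as a sign of someone probing the RADIUS endpoint.
$events | Group-Object Result | Select-Object Name, Count
```

Usage: `.\Get-NpsRadiusEvents.ps1 -Hours 2 -ClientAddress 10.0.0.25` (script name is a placeholder). The Reason column on 6273 events usually states why NPS rejected the request, for example a policy that did not match or a shared-secret mismatch; the NPS extension's own diagnostics are written under Applications and Services Logs > Microsoft > AzureMfa in Event Viewer.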

NPS extension health check script

  • Download the script from here.
  • Open PowerShell in the directory where the script is located and run it: .\MFA_NPS_Troubleshooter.ps1

