03-15-2018 01:18 PM - edited 03-12-2019 05:07 AM
I can find a bunch of documentation on how to install an on-premise Azure MFA server; however, we are already set up for the cloud version of MFA and don't want to migrate on premise with that. I would like to integrate our Cisco ASA VPNs using the Cisco AnyConnect Secure Mobility client to use the cloud-based Azure MFA and Microsoft Authenticator. Is this possible? Has anyone tried this, or can anyone point me in the right direction on the minimum amount of work to configure this setup?
04-26-2018 01:53 PM
Are you married to using Azure MFA?
I'd look at a solution that can do what you're looking for via hybrid, one of which is DigitalPersona Authentication if you've heard of them.
04-27-2018 12:37 PM
I was actually able to get cloud Azure MFA working perfectly with Cisco ASA VPN. It took a little bit, but it's an awesome combination and works in conjunction with our Office 365.
05-03-2018 05:32 AM
Hi there. Can you share how you did that? Very useful...
05-09-2018 05:28 AM
@skerkmann wrote:
Hi there. Can you share how you did that? Very useful...
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
05-24-2018 09:01 AM
We are in the same boat looking for MFA for our Cisco AnyConnect VPN. We use Office 365 so Azure makes sense.
Did you install an MFA server on-prem or were you able to get it to work with the Azure MFA service?
The documentation was written in 2015 and says the minimum requirement is a Windows 2003 server. Makes me wonder how legit this is.
05-24-2018 09:04 AM
@k.dixon wrote:
We are in the same boat looking for MFA for our Cisco AnyConnect VPN. We use Office 365 so Azure makes sense.
Did you install an MFA server on-prem or were you able to get it to work with the Azure MFA service?
The documentation was written in 2015 and says the minimum requirement is a Windows 2003 server. Makes me wonder how legit this is.
We are using the cloud version of Azure MFA, NOT on premise. It was literally 15 minutes to set up and get working.
These two documents were all I needed to configure a Windows NPS (RADIUS) server to support Azure MFA. Then you point your VPN profile to the Windows RADIUS server. We used Windows Server 2016 for the NPS server.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
05-24-2018 09:06 AM
Also, as a bonus, I've included the scripts I wrote to automatically enable and configure MFA for users using the SMS text option instead of making the users go through the annoying enrollment process. Hope this helps.
THIS SCRIPT SHOULD BE RUN ON ALL NEW USER ACCOUNTS THAT ARE ABLE TO AUTHENTICATE WITH OFFICE365/AZURE RESOURCES
# CONNECT TO MSOLSERVICE
# MSOnline is the legacy Azure AD module (since superseded by Microsoft Graph PowerShell).
Import-Module MSOnline
Connect-MsolService
# DEFINE VARIABLES
# One-way SMS to the user's registered phone is the only method we register, so it is also the default.
$strongAuthMethod = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$strongAuthMethod.MethodType = "OneWaySMS"
$strongAuthMethod.IsDefault = $true
# Per-user MFA requirement. "*" applies it to every relying party.
# As originally posted this object was built but never passed to Set-MsolUser; it is applied below
# (-StrongAuthenticationRequirements) so the user is actually enabled for MFA, not just given a method.
$auth = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$auth.RelyingParty = "*"
$auth.State = "Enabled"
# SET SINGLE USER FOR MFA
Set-MsolUser -UserPrincipalName username@domain.com -StrongAuthenticationMethods @($strongAuthMethod) -StrongAuthenticationRequirements @($auth)
----ADDITIONAL SCRIPT THAT WOULD ALLOW TARGETING A GROUP OF USERS----
# SET MFA FOR GROUP - DOES NOT AFFECT USERS IN GROUP THAT ALREADY HAVE MFA CONFIGURED
# Pick the group interactively from the grid view; -All avoids the default page-size limit.
$group = Get-MsolGroup -All | Out-GridView -PassThru
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All
$users = $members | Where-Object { $_.GroupMemberType -eq "User" }
foreach ($user in $users) {
    # Skip anyone who already has at least one MFA method registered.
    if ((Get-MsolUser -UserPrincipalName $user.EmailAddress).StrongAuthenticationMethods.Count -eq 0) {
        Set-MsolUser -UserPrincipalName $user.EmailAddress -StrongAuthenticationMethods @($strongAuthMethod) -StrongAuthenticationRequirements @($auth)
    }
}
----ADDITIONAL SCRIPT THAT WOULD ALLOW TARGETING A LIST OF USERS----
# SET MFA FOR LIST OF USERS (one UPN per line in the text file)
Get-Content "C:\support\list.txt" | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_ -StrongAuthenticationMethods @($strongAuthMethod) -StrongAuthenticationRequirements @($auth)
}
03-20-2020 11:30 AM
Where does this script run and when? What type of file is it? Thanks.
@davidbnbf wrote:
Also as a bonus I've included the scripts I wrote to automatically enable and configure MFA for users using SMS TXT option instead of making the users go through the annoying enrollment process. Hope this helps.
06-19-2018 01:57 PM
So with this setup, all users that are MFA enabled can authenticate on a VPN session? Is there a way to filter MFA-enabled users via AD group? As we noticed, as soon as MFA is enabled, users can connect to VPN. Or am I missing something?
Thanks,
06-19-2018 03:03 PM
Hi -
I guess my question is, is there a way to configure group-lock for VPN users on the Microsoft RADIUS server when MFA is enabled? I need to assign users to a group policy in ASA depending on their AD group.
06-20-2018 04:32 AM
@k.dixon wrote:
Hi -
I guess my question is, is there a way to configure group-lock for VPN users on the Microsoft RADIUS server when MFA is enabled? I need to assign users to a group policy in ASA depending on their AD group.
Of course you can filter by AD group using the RADIUS server. However, if you want your RADIUS server to use Azure MFA, it must be dedicated to Azure MFA, so you will need 2 RADIUS servers if you need some people to not use Azure MFA. Once you enable the NPS extension on the RADIUS server, it is enabled for all requests. Not that big of a deal, but important to know.
We have AD groups specifying different VPN filters for access to different things, as well as who has access.
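The ASA side of what this thread describes (pointing the AnyConnect tunnel-group at the NPS/RADIUS server that carries the Azure MFA extension, and mapping an AD group to an ASA group-policy with its own vpn-filter and group-lock, as asked about above), as an added example that is not from any post in this thread. The server address, group/policy names and the inside subnet are assumptions; <SHARED_SECRET> is a placeholder for the NPS RADIUS client secret.

```text
! Added example (not from the thread). Assumed: NPS server 10.0.0.10 reachable on
! "inside", server group NPS-MFA, tunnel-group TG-ANYCONNECT, group-policies
! GP-VPN-ADMINS / GP-VPN-NOACCESS, inside subnet 10.10.0.0/24.
!
! 1. RADIUS server group pointing at the NPS server that runs the Azure MFA extension.
aaa-server NPS-MFA protocol radius
aaa-server NPS-MFA (inside) host 10.0.0.10
 key <SHARED_SECRET>
 authentication-port 1812
 accounting-port 1813
 ! The ASA default is 10 seconds. The NPS extension holds the RADIUS request
 ! open until the user answers the SMS/app prompt, so keep this well above that.
 timeout 60
!
! 2. Default policy for anyone NPS authenticates but does not map to a group:
!    zero simultaneous logins = no session, even though RADIUS returned Access-Accept.
group-policy GP-VPN-NOACCESS internal
group-policy GP-VPN-NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 3. Policy for one AD group. The ACL is the vpn-filter (source = VPN client,
!    destination = inside resources); group-lock stops this policy from being
!    used through any other tunnel-group.
access-list ACL-VPN-ADMINS extended permit ip any 10.10.0.0 255.255.255.0
group-policy GP-VPN-ADMINS internal
group-policy GP-VPN-ADMINS attributes
 vpn-filter value ACL-VPN-ADMINS
 group-lock value TG-ANYCONNECT
!
! 4. AnyConnect tunnel-group: authenticate against NPS-MFA, deny by default.
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 authentication-server-group NPS-MFA
 default-group-policy GP-VPN-NOACCESS
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-alias AnyConnect enable
!
! 5. On the NPS side (not CLI): one Network Policy per AD group with the
!    condition "Windows Groups" = that AD group and the standard RADIUS attribute
!    Class = "OU=GP-VPN-ADMINS;". The ASA reads "OU=<name>;" from Class and
!    selects that group-policy, so only members of a mapped group get a session.
```

Because the NPS extension applies to every request the server handles, the deny-by-default group-policy is what keeps "MFA enabled" from silently meaning "VPN allowed" for every account.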