NPS extension request specific authentication method from Azure MFA service RRS feed

  • Question

  • Hello,

    I have implemented successfully MFA solution for GlobalProtect VPN client users. Simplified workflow is following:

    1. Remote/HomeOffice users initiate VPN connection via GlobalProtect VPN client application and provide their AD credentials

    2. VPN gateway (Palo Alto firewall acting as RADIUS client) pass authentication request to local RADIUS server (Windows Server running NPS service with NPS extension installed) for each VPN user connection request.

    3. Local RADIUS server performs primary authentication with local AD server (synchronized to Azure AD via Azure AD Connect service) and upon successful primary authentication performs secondary authentication check by sending request Azure MFA)

    4. Azure MFA sends default authentication method challenge to user (authenticator app, SMS, phone call etc) and communicate RADIUS server about it which in turn communicate VPN gateway about it which in turn communicate VPN client application GlobalProtect about it. Thus if user have SMS configured as default MFA method, GlobalProtect app will prompt user to enter SMS OTP.

    5. After user confirm authenticator app push notification authentication process completes successfully as well as in case with SMS OTP.

    However, if user have trouble with authenticator app, which is mostly used as primary authentication method in my organisation, there is no prompt to user to try with alternative MFA authentication methods (such as provided in O365 MFA authentication). It seems that such alternative workflow is not supported in GlobalProtect VPN client application.

    Furthermore, Palo Alto firewall VPN gateway and GlobalProtect VPN client application can offer VPN users possibility to connect to multiple gateways (user can select connection point) and each VPN gateway point can be configured to use different RADIUS server i.e. each VPN gateway would have dedicated RADIUS server.

    Now, my question is: Is it possible to configure NPS extension to request specific authentication method from MFA Azure service? My idea is to have three RADIUS servers each running NPS extension but fist one would request specifically authenticator app MFA method, second one would specifically request SMS MFA method while third one would request phone call MFA method.

    Thanks in advance for people trying to help me.

    Haris Alatović

    Wednesday, April 1, 2020 10:09 AM


All replies

  • Hi ,

    Since your question is more related with Azure Multi-Factor Authentication, which our forum doesn't focus on. I would suggest you have this asked in Azure Multi-Factor Authentication forum for better answers.

    Here is the link:

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    Best Regards,


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact   

    Thursday, April 2, 2020 8:11 AM
  • OK thank you Candy
    Friday, April 3, 2020 10:53 AM
  • Hi ,

    Thanks for your understanding.

    You could mark the useful reply as answer to end this thread up.

    Best regards,


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact   

    Monday, April 6, 2020 1:38 AM
  • Thank you Candy, I have posted question in Azure MFA forum as you have advised. Here is link so one can follow up:

    Wednesday, April 8, 2020 9:39 AM