The InfoSec Maven

Vaibhav’s learnings from the field, for the field! Tweet @vaibhavdgupta

Securing remote connection to Azure infrastructure using Azure Multi-Factor Authentication (MFA)

Howdy Folks! I was working on a proposed Architecture for Secured Remote Access to the Azure Vnet from internet without the need for assigning public IPs to the Azure VMs and have Multi factor Authentication on top of AD Authentication only for authorized users and desktops. Hence, thought of writing a quick blog about it.

Let’s discuss the details of integrating your Remote Desktop Gateway infrastructure with Azure Multi-Factor Authentication (MFA) using the Network Policy Server (NPS) extension for Microsoft Azure. The Network Policy Server (NPS) extension for Azure allows customers to safeguard Remote Authentication using Azure’s cloud-based Multi-Factor Authentication (MFA). Organizations can integrate NPS with Azure MFA to enhance security and provide a high level of compliance. This helps ensure that users establish two-step verification to log on to the Remote Desktop Gateway. For users to be granted access, they must provide their username/password combination along with information that the user has in their control. This information must be trusted and not easily duplicated, such as a cell phone number, landline number, application on a mobile device, and so on.

The availability of the NPS extension for Azure now gives organizations the choice to deploy either an on-premises based MFA solution or a cloud-based MFA solution to secure RADIUS client authentication.

Architecture Diagram:

Authentication Flow:
For users to be granted access to network resources through a Remote Desktop (RD) Gateway, they must meet the conditions specified in one Remote Desktop Connection Authorization Policy (RD CAP) and one Remote Desktop Resource Authorization Policy (RD RAP). RD CAPs specify who is authorized to connect to RD Gateways. RD RAPs specify the network resources, such as remote desktops or remote apps, that the user is allowed to connect to through the RD Gateway.

An RD Gateway can be configured to use a central policy store for RD CAPs. RD RAPs cannot use a central policy, as they are processed on the RD Gateway. When the NPS extension for Azure is integrated with the NPS and Remote Desktop Gateway, the successful authentication flow is as follows:
1. The Remote Desktop Gateway server receives an authentication request from a remote desktop user to connect to a resource, such as a Remote Desktop session. Acting as a RADIUS client, the Remote Desktop Gateway server converts the request to a RADIUS Access-Request message and sends the message to the RADIUS (NPS) server where the NPS extension is installed.
2. The username and password combination is verified in Active Directory and the user is authenticated.
3. If all the conditions as specified in the NPS Connection Request and the Network Policies are met (for example, time of day or group membership restrictions), the NPS extension triggers a request for secondary authentication with Azure MFA.
4. Azure MFA communicates with Azure AD, retrieves the user’s details, and performs the secondary authentication using the method configured by the user (text message, mobile app, and so on).
5. Upon success of the MFA challenge, Azure MFA communicates the result to the NPS extension.
6. The NPS server, where the extension is installed, sends a RADIUS Access-Accept message for the RD CAP policy to the Remote Desktop Gateway server.
7. The user is granted access to the requested network resource through the RD Gateway.

This section details the prerequisites necessary before integrating Azure MFA with the Remote Desktop Gateway. Before you begin, you must have the following prerequisites in place.
• Remote Desktop Services (RDS) infrastructure – (Session Host, Licensing Server, Connection Broker and RD Gateway)
• Azure MFA License
• Windows Server software
• Network Policy and Access Services (NPS) role
• Azure Active Directory synched with on-premises Active Directory
• Azure Active Directory GUID ID

Further Reading:
• Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD

• Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication