Intune Always On VPN (AOVPN) deployment with MFA

I’m looking for some advice, please. I asked Microsoft guys and, depending on who you get, I get different answers. I have AOVPN with EAP-TLS user cert authentication (user tunnel only); this will be used on Entra AD joined devices that are configured to use Windows Hello for Business with Cloud Trust. The question I have is whether to implement the NPS extension for Azure MFA or not. Is this necessary considering WHfB is a form of MFA? Is this going to work considering no username and password is being used? Considering that the token will already be satisfied, MFA auth might not even kick in.

The argument is that the user can use either biometrics or a 6 digit PIN to log in to those devices, and the 6 digit PIN is the weak point, as once that is revealed anyone will be on our network, because AOVPN automatically connects after the user logs in to the device.

Hi, to my knowledge Microsoft considers every authentication with Windows Hello as a form of strong authentication. So yes, I would expect that the PIN would generate the required MFA token.

One option is to create a CA specifically for the VPN enterprise app and set a session sign-in frequency of “every time”. Though, this will be hated by your end users, and it’s not 100% perfect.

You absolutely need MFA on your VPN enterprise app, but this is to avoid the scenario of an unknown device which got hold of a user’s credentials and the connection details of the VPN. A malicious actor getting access to a corporate device is the actual issue you’re describing. The VPN is just part of the scope of what they get. So, you should build protections around the scenario of risky sign-ins. And that’s something available via Azure :)! Also, a good policy for stolen devices is vital so the device can be disabled. There are other things that you can do, like correct segmentation of the network, but that goes outside of the Azure scope.
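
As an added example (not part of this thread), the two controls described in the reply above expressed as Conditional Access policies via Microsoft Graph PowerShell: one policy requiring MFA on the VPN enterprise app with a sign-in frequency of “every time”, and a second blocking medium/high risk sign-ins to that app. The VPN app ID and the break-glass account ID are placeholders; both policies are created in report-only mode so their effect can be reviewed before enforcement.

```powershell
# Added example: Conditional Access for the AOVPN enterprise app via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and you know the VPN app's application (client) ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$vpnAppId    = "<VPN-SERVER-APP-ID>"        # placeholder: the VPN enterprise app in your tenant
$breakGlass  = "<BREAK-GLASS-ACCOUNT-ID>"   # placeholder: emergency account excluded from both policies

# Policy 1: require MFA for the VPN app, re-evaluated on every connection ("every time").
$mfaPolicy = @{
    displayName = "AOVPN - require MFA every time"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @($vpnAppId) }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            frequencyInterval  = "everyTime"   # no value/type when interval is everyTime
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

# Policy 2: block the VPN app when Identity Protection rates the sign-in as medium or high risk
# (sign-in risk conditions require an Entra ID P2 licence).
$riskPolicy = @{
    displayName = "AOVPN - block risky sign-ins"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications     = @{ includeApplications = @($vpnAppId) }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($mfaPolicy, $riskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Review the sign-in logs for the report-only results before switching either policy to "enabled", since the every-time frequency will prompt on each VPN connection.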

Thanks for that… I was just talking to a Microsoft Identity expert and he said the NPS extension for Azure MFA will not work with user cert auth. He recommended implementing what you mentioned: https://learn.microsoft.com/en-us/windows-server/remote/remote-access/how-to-aovpn-conditional-access

Does anyone have experience with this implementation? Is it straightforward? I only have our internal CA with the Intune connector (NDES/OCSP) and SCEP. Is there anything else I should get deployed prior to this?