Can I Use Azure with NPS?

Sam Metzler Education

Many organizations are looking to implement RADIUS servers because RADIUS gives them one central place to authenticate users to Wi-Fi, VPN, and other network access. RADIUS is considered an essential part of IT infrastructure for protecting sensitive data on the network.

Azure Active Directory (Azure AD) was positioned as the cloud successor to on-premises Active Directory (AD). It was designed as an identity platform for web applications rather than as a drop-in replacement for a domain, however, so several things AD provides simply do not exist in Azure AD, including any built-in way to authenticate 802.1X or other RADIUS clients.

This has led to a lot of confusion for IT admins when rolling out Azure AD. Let us help clear it up for you:

Azure AD is a flat directory: no Organizational Units, no Group Policy, no LDAP or Kerberos endpoint, no device management through policy. It manages users, groups, and device identities and exposes them only over web protocols (SAML, OAuth 2.0/OpenID Connect, Microsoft Graph).

Implementing RADIUS with NPS in Azure

Network Policy Server (NPS) is Microsoft's RADIUS server. NPS can be configured to perform authentication, authorization, and accounting. It is a Windows Server role that runs on a domain-joined server and validates users and computers against Active Directory, so historically it has lived on-premises next to the domain controllers.

To state the obvious: Azure AD doesn't natively support RADIUS, so admins will have to find their own solutions for implementing RADIUS. Admins can't simply point their existing NPS configuration at Azure AD, because NPS authenticates against a domain controller using Windows domain protocols (and LDAP for group and dial-in attribute lookups), while Azure AD only speaks web federation protocols such as SAML and OAuth 2.0/OpenID Connect. Customers either need to move to certificate-based EAP-TLS, where the RADIUS server validates a client certificate instead of checking a password against the directory, or find a RADIUS server that can look users up in Azure AD directly.

While keeping an on-premises AD and NPS works, and many admins have enabled RADIUS this way, building and running on-premises NPS servers is a time-consuming and expensive process. Plus, organizations looking to completely migrate to the cloud will still be stuck with on-prem hardware, and management and upkeep of those servers are dumped on the admins.

Implementing an on-prem NPS server requires an immense amount of time and resources. On-prem servers are so expensive because a RADIUS deployment has many components, and in this case each comes with its own price tag. Services that organizations need to pay for include, but are not limited to:

  • Software acquisition
  • Licensing fees
  • Scalability for user growth
  • Hardware infrastructure
  • Creation and management of group policies
  • Certificate Revocation Lists management
  • Certificate lifecycle management
  • Personnel training

When it’s all said and done, organizations will end up paying hundreds of thousands of dollars for an on-prem NPS server.

Along with the massive price tag for organizations, all this setup and maintenance is left to the IT department. IT admins will end up spending countless hours reading through forums and posts for implementation and maintenance issues. The implementation could take weeks or even months to set up, and that doesn’t include all the potential instances where the IT department is pulled away for other tasks.

Not to mention that on-prem NPS servers make it harder for organizations to transition their networks to the cloud, leaving them with legacy servers from the very start.

Can I Use NPS in Azure?

Yes, you can use NPS with and within Azure. There are two ways to bring Azure into an 802.1X deployment:

  1. You can host NPS on a Windows Server VM in Azure, which may save you some money over an on-premises server.
    • With this option, NPS still cannot authenticate users against Azure AD, so the VM needs a domain controller it can reach: your on-premises AD over a VPN or ExpressRoute connection, or a domain controller running in Azure.
  2. You can keep on-premises AD as the authentication source and synchronize it to Azure AD with Azure AD Connect, then register users for Azure MFA. Azure AD sits on top of on-prem AD in this model, so the same accounts can sign in to SAML-based applications and complete MFA in the cloud.

NPS is frequently used in Microsoft environments that want to add Azure Multi-Factor Authentication (MFA) to VPN and Wi-Fi logins, alongside the web applications Azure AD already covers.

Admins who want to roll out MFA on RADIUS logins can do so with the NPS extension for Azure MFA. This option suits organizations that want secure VPN access for users but don't want to deploy the on-premises Azure MFA Server. The extension does not replace primary authentication: NPS still validates the user's password against AD first, and the extension then triggers the Azure MFA challenge (push notification, phone call, or one-time code, depending on the RADIUS authentication protocol the client uses). Users therefore have to exist in both directories, synced by Azure AD Connect, and must already be registered for MFA.
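Putting option 1 and the MFA extension together, the following PowerShell is an added example, not configuration from this article or from Microsoft's documentation. It assumes a Windows Server VM in Azure that is already joined to the on-premises domain, run from an elevated session by an account with domain admin rights (needed to register NPS in AD). The client name, the 10.10.0.5 controller address, and the tenant ID the setup script prompts for are placeholders.

```powershell
# Added example: NPS on a domain-joined Windows Server VM in Azure, with Azure
# MFA layered on through the NPS extension. All names and addresses are
# placeholders. Run in an elevated PowerShell session on the VM.

# 1. Install the Network Policy and Access Services role (feature name NPAS) and
#    register the server in AD so it can read users' dial-in properties.
Install-WindowsFeature -Name NPAS -IncludeManagementTools
netsh nps add registeredserver

# 2. Generate a 32-byte random shared secret. The secret is the only thing
#    protecting User-Password attributes and packet authenticators on the wire,
#    so never reuse a short, human-typed one across clients.
$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes  = New-Object byte[] 32
$rng.GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# 3. Register the NAS (placeholder: a Wi-Fi controller at 10.10.0.5). Configure
#    the same secret on the controller and keep it in a vault, not in this script.
New-NpsRadiusClient -Name "wifi-controller" -Address "10.10.0.5" -SharedSecret $secret

# 4. Only accept RADIUS from that NAS. NPS listens on UDP 1812/1813 and the
#    legacy 1645/1646; scoping the rule to the NAS address stops anything else
#    on the network from probing the shared secret.
New-NetFirewallRule -DisplayName "RADIUS from wifi-controller" -Direction Inbound `
    -Protocol UDP -LocalPort 1812,1813,1645,1646 -RemoteAddress "10.10.0.5" -Action Allow

# 5. Install the Azure MFA NPS extension (download NpsExtnForAzureMfaInstaller.exe
#    from Microsoft first), then run its setup script. The script creates the
#    certificate the extension uses to call Azure AD and prompts for the tenant ID.
#    The users it will challenge must already be synced by Azure AD Connect and
#    registered for MFA.
Start-Process -FilePath ".\NpsExtnForAzureMfaInstaller.exe" -Wait
Set-Location "C:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

# 6. Verify the fail-closed setting. With REQUIRE_USER_MATCH = TRUE (the default)
#    a user who has not registered for MFA is rejected; FALSE lets such users in
#    with password only, which silently downgrades the whole VPN/Wi-Fi policy.
$mfa = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\AzureMfa"
if ($mfa.REQUIRE_USER_MATCH -ne "TRUE") {
    Write-Warning "REQUIRE_USER_MATCH is not TRUE: unregistered users will bypass MFA"
}

# 7. Restart NPS (service name IAS) so the extension is loaded, and confirm the
#    RADIUS client was created.
Restart-Service -Name IAS
Get-NpsRadiusClient | Where-Object { $_.Name -eq "wifi-controller" }
```

The connection request and network policies (which EAP type is allowed, which AD group may connect) are not shown; create them in the NPS console or import an exported XML with Import-NpsConfiguration. Note that none of this touches Azure AD for the password check itself: if the VM loses its path to a domain controller, every RADIUS login fails regardless of how the extension is configured.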

Since Azure AD has no Group Policy (GPO), admins who need it must deploy Azure Active Directory Domain Services (Azure AD DS), a managed domain that provides domain join for machines, LDAP, Kerberos/NTLM, Group Policy, and Organizational Units (OUs): containers for users, devices, and groups in AD to which policies can be linked, so admins can apply group policies to specific OUs.

However, implementing and managing on-prem hardware is expensive for organizations and a major configuration project for admins. It requires a lot of technical know-how and the right extensions to get AD and Azure AD to communicate with each other efficiently. Plus, if your organization is not purely Windows, you will have difficulty setting up Azure MFA for tools that aren't from Microsoft.

Integrating Azure with Cloud RADIUS

Instead of going the route of an on-prem NPS server, Azure admins can integrate SecureW2's Cloud RADIUS into their environment with no forklift upgrades. In a matter of hours, organizations will be able to securely authenticate users with Cloud RADIUS, which uses certificate-based EAP-TLS, the strongest commonly deployed 802.1X authentication method.

Cloud RADIUS comes with SecureW2's Managed Cloud PKI, a turnkey PKI solution that integrates with Azure environments to deploy WPA2-Enterprise wireless security and certificate-based authentication. Because no password is sent during authentication, a rogue access point has nothing to harvest, which eliminates over-the-air credential theft along with the password reset cycle. Plus, Cloud RADIUS fits right in with Azure since it runs in the cloud and is not shackled to on-prem servers.

For a more in-depth look, see our guide on configuring Azure AD with Cloud RADIUS.

Cloud-based RADIUS Authentication in Azure

Azure clients don't need to spend days or even weeks building their own RADIUS server with on-prem NPS. The process is expensive for the organization and time-consuming for admins, even when they know what they're doing.

Instead, Azure clients can easily integrate their networks with SecureW2’s Cloud RADIUS and Managed PKI, turnkey solutions that secure user authentication for Wi-Fi, VPN, web apps, and much more, all at an affordable price.


Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a Copywriter for SecureW2's marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas and his previous experience involved mortgage marketing and obituary writing.