Secure VPN Connections with Azure Multi-Factor Authentication

Recommended Solution for Azure MFA in VPN Connections

Question

You have an Active Directory domain that syncs to an Azure Active Directory (Azure AD) tenant.

The on-premises network contains a VPN server that authenticates to the on-premises Active Directory domain.

The VPN server does NOT support Azure Multi-Factor Authentication (MFA).

You need to recommend a solution to provide Azure MFA for VPN connections.

What should you include in the recommendation?

Answer

C.

Explanation

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

To provide Azure Multi-Factor Authentication (MFA) for VPN connections, the recommended solution is to use Network Policy Server (NPS).

Network Policy Server (NPS) is a Microsoft Windows Server role that enables network access control through policies and connection request authentication. NPS can be used to provide a centralized authentication and authorization service for remote VPN connections, allowing you to require additional authentication factors such as Azure MFA.

To enable Azure MFA for VPN connections using NPS, you can integrate NPS with Azure AD using the Azure Multi-Factor Authentication Server. The Azure Multi-Factor Authentication Server acts as a RADIUS server that NPS can use to authenticate remote VPN connections. When a user attempts to connect to the VPN, NPS sends a request to the Azure Multi-Factor Authentication Server to perform an Azure MFA challenge. The user must then provide a valid authentication factor, such as a code from the Azure Authenticator mobile app, to complete the authentication process.

Azure AD Application Proxy, Azure AD Password Protection proxy, and pass-through authentication proxy are not suitable solutions for providing Azure MFA for VPN connections.

Azure AD Application Proxy is used to provide secure remote access to on-premises web applications that are published through Azure AD. It is not designed to provide Azure MFA for VPN connections.

Azure AD Password Protection proxy is used to enforce password policies for cloud-only user accounts in Azure AD. It is not designed to provide Azure MFA for VPN connections.

Pass-through authentication proxy is used to authenticate on-premises users against Azure AD without the need for a password hash sync or Active Directory Federation Services (AD FS) infrastructure. It is not designed to provide Azure MFA for VPN connections.