New Number matching Azure MFA feature impact Microsoft RDGW & NPS extension
Background
Are you using Microsoft Native Remote Desktop Gateway (RDGW) in combination with the NPS extension to secure your RDGW with MFA? Prepare for this change which will be enforced tenant-wide for all users starting February 27, 2023!
Number matching is a security upgrade to traditional second factor notifications in Microsoft Authenticator. Microsoft will remove the admin controls and enforce the number match experience.
This is what Microsoft recommends
“We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don’t. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.”
While this adds and unlocks security capabilities and options, there is a downside if you currently use RD Gateway with the NPS Extension for Azure MFA. If you need more background information on how this works, check out this article I published back in 2017, which is still relevant: The Microsoft Platform: Securing RD Gateway with MFA using the new NPS Extension for Azure MFA!
The impact on RD Gateway + NPS Extension
The reason of the impact is that NPS does not support number matching. However, the latest NPS extension does work with One-Time Password (OTP) methods like e.g. the OTP available in Microsoft Authenticator. Generally, you need to make sure that you run the latest version of the NPS extension. For more information on supported versions and what (registry) workaround you can use and other requirements that apply, follow this guide
If your organization uses Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won’t be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail.
Release notes on this change
Below is a snippet of the release notes of the NPS extension version 1.2.2131.2 that address the change that Microsoft made.
“…Changed the default value of OVERRIDE_NUMBER_MATCHING_WITH_OTP from False to a Microsoft managed value. There is no change to the current authentication experience for users. Microsoft will begin enabling number matching for all users of the Microsoft Authenticator app starting 27th of February 2023.
After this date, if your organization has not set the OVERRIDE_NUMBER_MATCHING_WITH_OTP value to False, your Microsoft Authenticator users will be required to enter an OTP code instead of the Approve/Deny push notification experience…”
Solution (more of a workaround)
What you can do to prevent failed sign-ins after February 27, 2023 is the following. Set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE.
To create the registry key that overrides push notifications on your NPS Server:
1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
2. Key: OVERRIDE_NUMBER_MATCHING_WITH_OTP, Value = TRUE
4. Restart the NPS Service.
What this does is fall back to Approve/Deny push notifications when using Microsoft Authenticator.