Workspaces MFA by SMS


I set up Azure MFA for AWS Workspaces. I tested authentication process with Microsoft Authenticator App and it works fine:

  1. Open Workspaces client
  2. Enter credentials:
    2.a UserName -> my Azure account
    2.b Password -> my Azure pass
    2.c MFA Code -> my Azure pass
  3. Push is received on my Microsoft Authenticator App - I click "Approve"
  4. Logging into Workspace.

Now we need to move from Microsoft Authenticator App to One-way SMS.
And I cannot understand where I need to enter SMS code. If I enter code in "MFA Code" field - nothing happens.
All instructions on Internet say that first I enter login/password then MFA Code. But Workspaces client don't allow me to start login without "MFA code".

Does any bode set up mfa with one-way sms?


I think I figure it out.
In Application model, no "Challenge / Response" is used. AWS (I am using AD Connector) send Access-request RADIUS message. Then MFA server send push notification to App, receive it and answer to AWS with Accept\Denied RADIUS Message.

In one-way sms. AWS send Access-request RADIUS message. Then MFA server send sms AND Challenge RADIUS message back to AWS. But AWS Ignores it, because:
"AWS Directory Service does not support RADIUS Challenge/Response authentication"*

"That's all folks"

Edited by: Scullone on Feb 19, 2019 10:22 AM

asked 5 years ago237 views
4 Answers

Hi Scullone -

Not related to your original question, just out of curiosity on your overall setup, are you using the NPS extension to use Azure MFA?


answered 5 years ago

I'm also curious about how you set this up, not just the SMS, but MFA for WorkSpace. I would appreciate any time you could put into a summary and tools used.


answered 5 years ago


We use architecture with on-premise active directory servers (AD connect).
I installed "Azure mfa server" (This application provided by Azure Subscription) on domain-joined server. No limitations on installation on DC.

User can be imported in Azure mfa server directly from Active Directory. I think, it can be used with Azure without on-premise servers by enabling in Azure LDAP(S)-service, but I am not sure for 100%.

Azure mfa server can provide RADIUS service itself - You don't need to deploy NPS servers.

But there is some trick. When you are turning on MFA on AWS side - it generates two fake RADIUS Access-request messages, and it is waiting for Access-Reject response for each of these request. I don't know why, but Azure mfa server send only one Access-Reject message to the first Access-request message, second Access-request stays without answer and AWS thinks that it is a failure.
So workaround is set up NPS service and turn it on while AWS check, then turn NPS off and turn on RADIUS service in Azure mfa server application.

After turning on MFA on AWS side - in the AWS Workspace client application You will see additional field "MFA". In this field You need enter password (see my first post). After this AWs will send RADIUS request to Azure mfa server.

answered 5 years ago

Thanks for taking the time and providing insight Scullone! I'll try setting it up in my environment and see how it goes. Cheers!

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions