Azure MFA NPS Extension Health Check Script

You can use this script to run it over MFA NPS Extension servers to perform some basic checks, it will help sometimes to detect some issues. The output will be in HTML format.

5 Star
5,153 times
Add to favorites
Windows Azure
E-mail Twitter Digg Facebook
  • MFA NPS healtch errors
    2 Posts | Last post March 06, 2020
    • Hi Ahmad,
      We just implemented MFA NPS and it worked for a week and we just realized that it's not actually sending the MFA authentication to users now when they connect to RD gateway. Got a couple of errors when running the script.  One of them is from "checking if auth/extension registries have the correct values" and the recommended solution is to re-register MFA extension again.  How do we actually re-register it?  I've checked all the configuration that my Boss made and it's still there.
    • This should be resolved. All along I though there was only one registry key for MFA which is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa until I read from another forum to try disabling the MFA for testing by removing the values under the reg key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\parameters.  When I looked at the key, surprisingly the values were all empty so I had re-enter the values and restart the NPS service and it worked.  We just do not know how it just got deleted somehow and it wasn't doing secondary authentication for a couple of weeks until we noticed it.  Has anyone experienced it where those values got deleted?  
  • Licence check should be a match not eq.
    2 Posts | Last post October 22, 2019
    • The licences are returned with the tenantname:licence ie COMPANY1:AAD_Premium, therefore the -eq lines do not detect a valid licence.
      Replace if ($Global:UserAssignedLicense -eq 'AAD_PREMIUM' -or $Global:UserAssignedLicense -eq 'MFA_PREMIUM' -or $Global:UserAssignedLicense -eq 'AAD_PREMIUM_P2' -or $Global:UserAssignedLicense -eq 'EMSPREMIUM' -or $Global:UserAssignedLicense -eq 'EMS') {
      if ($Global:UserAssignedLicense -match 'AAD_PREMIUM' -or $Global:UserAssignedLicense -match 'MFA_PREMIUM' -or $Global:UserAssignedLicense -match 'EMSPREMIUM' -or $Global:UserAssignedLicense -match 'EMS') {
      The Time check website has also been removed and access to the site generates a 404 or access denied with do not use this webpage anymore.
    • Thanks for the feedback, great Notes, I am uploading now new version including these fixes.
  • Check Server time Sync
    3 Posts | Last post October 06, 2019
    • interestingly the time is correct, unsure why this showed up.  We are trying something maybe unique and the issue, all tests pass, except time which is reporting incorrectly wrong.  I checked time zone and time, it is on point.
      We are trying to use this NPS server which is a Azure AD Domain Services endpoint and replicating from Azure active directory.  the AADDS is whereas the Azure Active Directory is sync for other functions.  
      Do you know if implementing MFA against AADDS syncd to a AAD based (non on-premise real DC or domain) will work?
    • I think the time issue may be to do with the URL used to pull the source time; in the script it calls 
      $request = Invoke-WebRequest -Uri '' -UseBasicParsing;
      However the URL issues a redirect to HTTPS which I suspect is our issue try the same URL but with HTTPS directly (shown below) it seems to fix this issue for me
      $request = Invoke-WebRequest -Uri '' -UseBasicParsing;
    • Thanks for the feedback, I will look to the Time side, maybe incorrect commands leads to the issue.
      answering your question, it's  will not work with ADDS
  • Why are you using a tcp443 connection at step 2 (and not a webrequest as step 1?)
    2 Posts | Last post April 26, 2019
    • Is it because you are doing exactly what the application is doing ?
      I'm asking because we are behind a proxy and this step is not working behind that proxy as you are opening a tcp connection to port 443 ...
      Thank you Ahmad !
    • thanks Carl, sorry for late reply, I didn't get your point, can you explain more? 
      btw we are working in newer version that will include more accurate tests for connectivity.