Help on adding Azure MFA Push

Alexander Noack alex at netpbx.de
Fri Mar 14 15:12:24 UTC 2025


For quite some time we are using Microsoft's Network Protection Services 
(aka Radius Server) with the Azure MFA extension 
(https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension).

Recently we had the requirement to run the same with FreeRadius. I 
therefore replicated the MFA push behavior in a shell script.
After reading that the rlm_exec module is a very bad place to run long 
running shell code, I re-implemented the code in perl for use with 
rlm_perl.

You can find my code here: 
https://github.com/adn77/freeradius-azuremfapush-perl

According to this 
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy#freeradius-configuration_virtual-server-configuration 
I was hoping to add a conditional in the authenticate section. That's 
why I only implemented that function in my main.pm. I also looked at 
this https://github.com/jimdigriz/freeradius-oauth2-perl for 
inspiration.

I am only starting with FreeRadius and was hoping to get some guidance 
on how to properly integrate this as an MFA option.
Hopefully I have already done 90% of the work and somebody here finds 
this useful as well.
Please reply here or on Github Issues of my project.

Looking forward to making this work :)

Alex


More information about the Freeradius-Devel mailing list