Issue when attempting to set up MFA for RDS
Hi
I'm attempting to set up MFA for our RDS farm using the Azure MFA extension for NPS. After installing the extension I run the PowerShell script AzureMfaNpsExtnconfigsetup.ps1 as per the instructions - https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-rdg
It creates the certificate but then crashes with the following error message:
VERBOSE: Performing the operation "Update-MgServicePrincipal_UpdateExpanded" on target "Call remote 'PATCH
/servicePrincipals/{servicePrincipal-id}' operation".
Update-MgServicePrincipal : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-02-24T14:10:23
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 1a6e386a-f3e1-4ece-af65-82bb76096c03
client-request-id : 9aab4c7c-18df-4b2f-858f-615b57547851
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"UK
South","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"LN2PEPF000114B9"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Mon, 24 Feb 2025 14:10:22 GMT
At C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1:80 char:1
+ Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -Ke ...
+ CategoryInfo : InvalidOperation: ({ ServicePrinci...vicePrincipal }:<>f__AnonymousType2`3) [Update-MgServicePrincipal_UpdateExpanded], Exception
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgServicePrincipal_UpdateExpanded
cleanUpAndErrorOut : Configuration Script exiting with error:
At C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1:81 char:1
+ cleanUpAndErrorOut $errorMsg $certX509[0].Thumbprint
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,cleanUpAndErrorOut
The NPS extension for Azure MFA is available to customers with licenses for Azure Multi-Factor Authentication which are included in Azure AD Premium, Enterprise Management Suite (EMS), or an MFA subscription. The consumption-based licenses for Azure MFA, such as Per User or Per Authentication licenses, are not compatible with the NPS Extension.
It seems to suggest I don't have the relevant permissions to the Azure tenancy, but I do, and I have set this up elsewhere previously without any issue, so I'm wondering if something in Azure has been deprecated. Can anyone help?
Thanks
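The 403 in the post comes from the PATCH on /servicePrincipals/{id} that the setup script issues through the Microsoft Graph PowerShell SDK, so the useful pre-check is to confirm, before running the script again, which account and Graph scopes the session actually holds and whether the service principal the script patches is visible. The following diagnostic is an added example, not code from the original post or from Microsoft's setup script. It assumes the Microsoft.Graph PowerShell SDK is installed, that Application.ReadWrite.All is the delegated scope needed for the service principal update (verify against the Connect-MgGraph call in the script), and it locates the service principal by display name, which is an assumption to be checked against the AppId the script uses.

```powershell
# Added diagnostic (not from the original post or from Microsoft's script).
# Assumptions: Microsoft.Graph SDK installed; Application.ReadWrite.All is the
# scope the PATCH needs; the display name filter below matches the script's target.
Import-Module Microsoft.Graph.Applications

# Ask for the scope up front so a consent or role problem surfaces here,
# rather than midway through the setup script after the certificate was created.
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

$ctx = Get-MgContext
"Account : $($ctx.Account)"
"Tenant  : $($ctx.TenantId)"
"Scopes  : $($ctx.Scopes -join ', ')"

if ($ctx.Scopes -notcontains "Application.ReadWrite.All") {
    Write-Warning "Token lacks Application.ReadWrite.All; Update-MgServicePrincipal will return 403 Authorization_RequestDenied."
}

# Locate the service principal the script attaches the certificate to
# (display name is an assumption; compare with the AppId used in the script).
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Multi-Factor Auth Client'"
if (-not $sp) {
    Write-Warning "Service principal not found in this tenant; the setup script has nothing to patch."
} else {
    "ServicePrincipalId : $($sp.Id)"
    "AppId              : $($sp.AppId)"
    # Certificates already attached: stale or expired ones are visible before adding another.
    $sp.KeyCredentials |
        Select-Object DisplayName, StartDateTime, EndDateTime, KeyId |
        Format-Table -AutoSize
}
```

With delegated permissions the scope alone is not sufficient: if the scope is present in the context and the PATCH still returns 403, the signed-in user's directory role is what is refusing the write, so the next thing to compare between the working tenant and this one is the role assigned to the account running the script, not the extension version.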