Securing external access to Horizon with MFA is the de facto standard today. There are a lot of MFA solutions out there, but some are more popular than others. I see a lot of traction for Azure MFA, which is why I decided to show you how to integrate this technology with VMware Horizon.
It’s important to note that we will do it without Workspace ONE Access. We will use the RADIUS protocol, which is available in both Unified Access Gateways and Connection Servers.
Since 2019, Microsoft no longer allows new deployments of the on-premises Azure MFA Server.
This means we will use the cloud Azure MFA service and integrate with it through a Microsoft NPS (Network Policy Server), which serves as an adapter between the RADIUS-speaking Horizon components and cloud Azure MFA.
Prepare your Azure environment
In my lab environment, I had to configure everything from scratch. In your production environment, some of this may already be configured and working.
#1 Get your tenant ID
Nothing too hard: just log in to your Azure portal and grab the Tenant ID from the homepage.
#2 Disable the security defaults
To use Conditional Access, you first need to disable Security defaults.
#3 Set up Conditional Access and enforce MFA for a user
Create a policy for a test user or group of users that enforces Azure MFA for authentication.
#4 Set up the Microsoft Authenticator app on a mobile device
Again, nothing too complicated: download it from the app store and add a Work or School account.
Prepare the NPS server
For the first part of the setup, follow the official Microsoft documentation here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Once you are finished with that, we need to configure it for Horizon.
#1 Register NPS server with Active Directory domain
Right-click “NPS (Local)” and click “Register server in Active Directory”.
#2 Create a RADIUS client
Right-click “RADIUS Clients” and click “New”.
Use the following configuration. The IP address/DNS name is that of the Connection Server or UAG. Make a note of the Shared secret, as we will need it later.
#3 Create a network policy
Right-click “Network policies” and click “New”.
With the following configuration:
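The NPS steps above (registering the server in Active Directory and creating the RADIUS client for the Connection Server or UAG) can also be scripted, which is handy when you deploy a second NPS server for the secondary authenticator. The following is an added example and not from the original post; it assumes the NPS role and the Azure MFA NPS extension from the linked Microsoft document are already installed, and the client name and address are hypothetical placeholders for your own Connection Server or UAG. The network policy from step #3 is still created in the console as shown.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Hypothetical values:
# client name "horizon-cs01", address 10.0.0.21 (replace with your Connection Server / UAG).
Import-Module NPS   # the NPS PowerShell module ships with the Network Policy Server role

# Step 1: register NPS in Active Directory so it can read user dial-in properties.
netsh ras add registeredserver

# Step 2: create the RADIUS client with a long random shared secret instead of a
# hand-typed one. The secret is the only thing authenticating Horizon to NPS,
# so generate it with a cryptographic RNG and keep it out of scripts and tickets.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

New-NpsRadiusClient -Name 'horizon-cs01' `
                    -Address '10.0.0.21' `
                    -SharedSecret $sharedSecret `
                    -Enabled $true

# Show the secret once so it can be pasted into the Horizon authenticator,
# then drop the variable so it does not linger in the session.
Write-Host "Shared secret for the Horizon authenticator: $sharedSecret"
Remove-Variable sharedSecret, bytes

# Step 3 (check): confirm the client exists and is enabled before moving to Horizon.
Get-NpsRadiusClient -Name 'horizon-cs01' | Format-List Name, Address, Enabled
```

One caveat when you later fill in the Horizon authenticator details: the RADIUS request now waits for the user to approve the push notification on the phone, so give the authenticator a timeout long enough for that approval, otherwise Horizon gives up on the request before Azure MFA has answered and the login fails even though the approval succeeded.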
On the Horizon side, we need to configure RADIUS advanced authentication on the Connection Server or UAG. In my lab, I will do it on the Connection Server.
Go to the Horizon administration console, Server > Connection server, and edit the configuration of your Connection Server. Go to the Authentication tab and scroll down.
Create a new authenticator that points to the NPS server:
With the following details:
A secondary server can point to the same machine, or you can deploy another NPS server and point to that.
Let’s test it. Open the Horizon Client and try to connect:
Type in the AD password and click Login.
And sure enough, on the phone:
And I am in with Azure MFA.