Jump to content
Welcome to our new Citrix community!

Azure MFA Number Matching

Recommended Posts

I cannot find any information if ADC/Gateway (nFactor I guess) could support Azure MFA with Number Matching.

Could someone point me in some direction regarding this?


Microsoft will change default behaviour on February 27 to Number Matching.



Link to comment
Share on other sites

I'm a bit surprised, but it looks like its also supported for the NPS extensions.


"Make sure you run the latest version of the NPS extension. Until February 27, 2023, users are asked to enter a One-Time Passcode (OTP) for push notifications beginning with NPS extension 1.2.2131.2 only if number matching is enabled. After February 27, 2023, number matching will be enabled by default and all users with push notifications beginning with NPS extension 1.2.2131.2 will be asked to enter an OTP."

Source is https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match 


So I think you have to try and NetScaler should show the required Number after the LDAPS Authentication instead of the spinning wheel. Let me know if it's working. I just can recommend SAML for the best User-Experience and also all latest MFA features, but I know it's raising up the requirements (FAS, PKI,...)

Link to comment
Share on other sites

  • 3 weeks later...
On 12/27/2022 at 3:58 PM, Tonny Andersson1709158460 said:

Thanks for your quick reply!

Currently it's authentication is setup with  Radius to MS NPS server with Azure MFA Extension.

Is SAML a requirement for this to work? Is there any documentation outlining this setup? 

Hi @Tonny Andersson1709158460 - did you manage to test this with ADC gateway?
I have a customer using a very old version of the Azure NPS Extension (pre so i'm interested to know how this will materialise at the end of Feb

Link to comment
Share on other sites

  • 3 weeks later...

Thanx for the information.

I have update the NPS extension version to 1.2.2131.2 and seems to work with webmail,
but doesn’t seem to work when logging on through the Citrix StoreFront connector.
Logging on through the Citrix StoreFront connector with MFA push notification still works fine.

Our ADC is currently on version Build 13.1-21.50, so I checked the release notes until Citrix ADC 13.1-37.38 but could not find anything regarding MFA number matching.

Tried the registry key provided in the documentation (https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match) , settings it to TRUE of FALSE had no effect.

Or do I have to make any changes on the ADC or the NPS server so it know Number Matching is available ?

Any suggestions, documentation, etc where look.

Many thanx.

Link to comment
Share on other sites

Just by chance that I tested this as well, and made a blog for this: https://www.technicalfellow.com/2023/02/notes-from-the-field-microsoft-azure-mfa-number-matching-and-the-one-with-nps-extension


In summary the NPS extension will not give a number it can't do that. It can approve/deny and with the force OTP registry it will show a OTP input screen if you have an OTP registration active otherwise it will fallback to approve/deny again.


Options are enable OTP for the users and let them register that for a consistent look/feel or leave it as it is with approve/deny or lastly flip it over to a SAML/OAUTH like mentioned before.


Hope it helps.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...