Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

NPS with Azure MFA - Unable to sign in with code, only push works

I know this is not a Fortigate issue, but I'm posting here in hopes that someone has experienced the same problem.


I already made a post about this on the Technet forum over here:


Since it's not possible to describe my issue with multiple screenshots here, I'm just going to refer you to my Technet post.

Can anyone tell me why this is happening? Why would the NPS not send the group attribute (and apparently other attributes as well) when using code from authenticator?

New Contributor

looking at your other post, does your setup have any full radius appliance involved or is it only NPS?

Are you getting the code input notification? it may well worth be trying to disable/enable the policy post changing the method from push to code in MFA before getting the user to test again.


[One of the client implementations had issues with NPS limitations being detected on how attributes could/were used for connection checks. Personally, i do not consider NPS as a proper radius but just a low-cost add on with usual MS package.Post issues/limitations with NPS, the client finally agreed to using a proper radius appliance which is now helping a lot.Troubleshooting with NPS was a nightmare.]


I am not contributing much to your issue, but just thought of sharing my experience.


Hi, it's only NPS I'm afraid. It works fine with code and app notification. The problem I have is when the user in Office/Azure is configured for code from app or SMS. Then the group attribute is not sent to the Fortigate and the authentication fails as the Fortigate doesn't know which group the user belongs to.


This may, as you say, be caused by RADIUS being poorly implemented. It could also be that the problem is how the Azure MFA plugin handles groups when using code authentication. 

Esteemed Contributor III

NPS can be challenging but have you looked at the logs and ran the   "diag test authserver radius"  from cli?


Ken Felix





PCNSE NSE StrongSwan
Top Kudoed Authors