ARKlab / freeradius-azuread

MIT License

Azure MFA enforcement appears to have limited the usability of this #3

Closed peter-dolkens closed 1 week ago

peter-dolkens commented 1 week ago

More an FYI than anything else, as I realize this complicates things considerably.

Azure has started enforcing MFA for certain types of accounts:

Received Access-Reject Id 214 from 127.0.0.1:1812 to 127.0.0.1:60067 length 297
        Reply-Message = "Error: invalid_grant"
        Reply-Message = "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '12345678-1234-1234-1234-123445677890'. Trace ID: 92226870-f8d5-444d-8d6d-3dcba0ef1600 Corr"
(0) -: Expected Access-Accept got Access-Reject
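As an added example (not code from this repository or from the upstream freeradius-oauth2-perl project), a small parser that picks the OAuth error, AADSTS code and trace ID out of a FreeRADIUS Access-Reject like the one above, so that an operator can tell rejects caused by MFA/Conditional Access enforcement apart from ordinary bad-password rejects when reviewing logs. The sample output embedded below is constructed to mirror the log in this issue; the ids in it are not real.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the FreeRADIUS debug output shape shown in this issue
# (tenant/app id and trace id are placeholders, not real values).
SAMPLE_REJECT = """\
Received Access-Reject Id 214 from 127.0.0.1:1812 to 127.0.0.1:60067 length 297
        Reply-Message = "Error: invalid_grant"
        Reply-Message = "AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '12345678-1234-1234-1234-123445677890'. Trace ID: 92226870-f8d5-444d-8d6d-3dcba0ef1600 Corr"
(0) -: Expected Access-Accept got Access-Reject
"""

# AADSTS codes that mean the password-only flow was blocked by an MFA
# requirement rather than by wrong credentials; only the code seen on this
# page is listed, extend the set as your tenant produces others.
MFA_REQUIRED_CODES = {"AADSTS50076"}

@dataclass
class RejectInfo:
    packet_id: Optional[int]      # RADIUS packet Id from the "Received" line
    oauth_error: Optional[str]    # e.g. "invalid_grant"
    aadsts_code: Optional[str]    # e.g. "AADSTS50076"
    trace_id: Optional[str]       # Azure AD trace id, useful when opening a ticket
    mfa_required: bool            # True when the reject is due to MFA enforcement

_ID_RE = re.compile(r"^Received Access-Reject Id (\d+)")
_REPLY_RE = re.compile(r'^\s*Reply-Message\s*=\s*"(.*)"\s*$')
_AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
_TRACE_RE = re.compile(r"Trace ID:\s*([0-9a-fA-F-]{36})")

def parse_reject(text: str) -> RejectInfo:
    """Extract the Azure AD error details from one FreeRADIUS Access-Reject dump."""
    packet_id = oauth_error = aadsts = trace = None
    for line in text.splitlines():
        if (m := _ID_RE.match(line)):
            packet_id = int(m.group(1))
            continue
        if not (m := _REPLY_RE.match(line)):
            continue
        msg = m.group(1)
        if msg.startswith("Error: "):
            oauth_error = msg[len("Error: "):]
        if (c := _AADSTS_RE.search(msg)):
            aadsts = c.group(1)
        if (t := _TRACE_RE.search(msg)):
            trace = t.group(1)
    return RejectInfo(packet_id, oauth_error, aadsts, trace, aadsts in MFA_REQUIRED_CODES)
```

Feeding each Access-Reject block from `radiusd -X` output through `parse_reject` and alerting on `mfa_required` separates accounts that need a Conditional Access exclusion from genuine authentication failures.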
AndreaCuneo commented 1 week ago

@peter-dolkens yes, that's an important limitation. Please refer to the upstream project for details.

The suggested approach is to use Conditional Access Policies. See https://github.com/jimdigriz/freeradius-oauth2-perl/issues/12

This project only packages the upstream to be used in an Azure Container Instance or similar environments.

The alternatives are the 'official' Azure VPN with Azure VPN Gateway, but with no outgoing access to the Internet. Outgoing Internet access would require using Azure Virtual WAN P2S with Secure Hub Firewall, which is ~1000$/month, at least in Azure-based networking.

In the end it is a matter of risk assessment as part of the Enterprise/Company networking security :)