Azure MFA Server (RADIUS) Configuration

  • Parallels Remote Application Server 16.5

To configure Azure MFA server (RADIUS) properties:

  1. In the Parallels RAS Console, navigate to Connection / Second Level Authentication.
  2. In the Provider drop-down list, select Azure MFA server (RADIUS).
  3. Click the Settings button. In the dialog that opens, select the Connections tab page and specify the following options:
     • Type Name: Specify the name of the OTP connection type that will be displayed on the Logon screen on the client side. Choose a name that your users will clearly understand.
     • Server: Enter the hostname or IP address of your RADIUS server.
     • Port: Enter the port number for the RADIUS server. Click the Default button to use the default value.
     • Timeout: Specify the packet timeout in seconds.
     • Retries: Specify the number of retries when attempting to establish a connection.
     • Secret Key: Type the secret key.
     • Password Encoding: Choose PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol), according to the setting specified in your RADIUS server.
  4. Click the Check connection button to validate the connection. If the connection is configured correctly, you will see a confirmation message.
  5. Select the Forward username only to RADIUS server option as required.
  6. Select the Forward the first password to Windows authentication provider option to avoid a prompt to enter the password twice (RADIUS and Windows AD). Note that for Azure MFA server, this option is always enabled and cannot be changed.
  7. Also read the note at the bottom of the dialog (if available), which suggests specific settings for your RADIUS solution.
  8. If your RADIUS solution requires configuring attributes, click the Attribute tab and then click Add. In the dialog that opens, specify the following:
     • In the Vendor drop-down list, select a vendor.
     • In the Attribute list, select a vendor attribute.
     • In the Value field, enter a value for the selected attribute type (numeric, string, IP address, date, etc.).
  9. Click OK and then click OK again to close all dialogs.
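
What the Secret Key and Password Encoding options control on the wire, shown as an added example (not Parallels or Microsoft code) that follows RFC 2865 sections 5.2 (PAP) and 5.3 (CHAP). The function names, secret and password below are constructed for illustration.

```python
import hashlib
import os


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: hide User-Password with MD5 keyed by the shared secret."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1-128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev  # each ciphertext block keys the mask for the next block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same secret and authenticator undo the masking."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident + MD5(ident + password + challenge)."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


if __name__ == "__main__":
    secret = b"constructed-shared-secret"             # constructed sample value
    password = b"constructed-otp-or-password-123456"  # constructed, spans 3 blocks
    ra = os.urandom(16)                               # Request Authenticator
    hidden = pap_encode(password, secret, ra)
    print("PAP User-Password length:", len(hidden))
    print("right secret recovers it:", pap_decode(hidden, secret, ra) == password)
    print("wrong secret recovers it:", pap_decode(hidden, b"other", ra) == password)
    print("CHAP-Password length:", len(chap_response(1, password, ra)))
```

With PAP the password is protected only by the shared secret, so the Secret Key should be long and random and must match on both the RAS and RADIUS sides. With CHAP the password itself is never sent, only a digest over it and the challenge.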


Configuring Azure MFA

User Location

MFA in the cloud

MFA Server

Azure Active Directory



Azure AD and on-premises AD using federation with AD FS (is required for SSO)



Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - no password sync



Azure AD and on-premises AD using DirSync, Azure AD Sync, Azure AD Connect - with password sync



On-premises Active Directory



Depending on the user location there are four scenarios for the cloud MFA service:

  • Users need to be imported into MFA Server and be configured for MFA authentication. An Azure account with the Global Administrator role is required to download and activate MFA Server. Syncing with Azure AD (via AD Connect) or a custom DNS domain are not required to set up an MFA Server that runs exclusively on-premises.
  • Parallels RAS authenticates users with MFA Server using the RADIUS second level authentication provider. MFA Server thus needs to be configured to allow RADIUS client connections from the RAS server.

