We've been trying to implement MFA on our VPN (currently using RRAS and the integrated Windows VPN client). Using the registry key to disable TOTP and force out-of-band MFA (Approve/Deny via MS Authenticator push notification, or phone call for those without MS Authenticator) works fine, but Microsoft's own documentation indicates that TOTP is more secure, and we wanted the flexibility of being able to use TOTP codes and SMS auth, so we set up authentication via PAP to allow for TOTP.
This article gives detailed instructions on setting up NPS/MFA with an RRAS VPN server and Windows client, but doesn't seem to have been updated to reflect the fact that the NPS/MFA combination now supports TOTP when using PAP authentication... but the Windows VPN client doesn't.
Given that the page specifically discusses setting up RRAS to use NPS and Entra ID MFA, and how to configure the Windows 10 VPN client with it, can Microsoft please add something on this page to simply indicate that their own VPN client doesn't support the TOTP feature?
My ticket with Azure (the only way to get this actual answer) pointed me towards using OpenVPN, because apparently an open-source product can get updated to support Microsoft's RADIUS-based TOTP MFA implementation, but Microsoft makes it almost impossible to know that their own Windows VPN client does not support it.
It's OK to not support something, I suppose, but this one really should be mentioned explicitly by Microsoft, as one would expect their products to be at least a bit intercompatible.
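Added example (not part of the original issue and not Microsoft's code): a PowerShell helper for checking and changing, on the NPS server, the NPS extension setting the issue refers to as "the registry key". It assumes the documented NPS extension value `OVERRIDE_NUMBER_MATCHING_WITH_OTP` under `HKLM:\SOFTWARE\Microsoft\AzureMfa` (absent or TRUE means TOTP is offered when the RADIUS client uses PAP; FALSE forces push/phone-call MFA), and that the NPS service is named `IAS`. Run it elevated; restarting NPS drops in-flight RADIUS requests, so do it in a maintenance window.

```powershell
# Added example: inspect and toggle TOTP support in the Entra ID NPS extension.
# Assumptions (labelled, not taken from the issue text):
#   - registry path HKLM:\SOFTWARE\Microsoft\AzureMfa
#   - value name     OVERRIDE_NUMBER_MATCHING_WITH_OTP (REG_SZ, "TRUE"/"FALSE")
#   - NPS Windows service name "IAS"
$NpsExtKey   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$OtpValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

function Get-NpsExtensionTotpState {
    # Returns $true when TOTP is enabled (value missing or TRUE), $false when forced off.
    if (-not (Test-Path $NpsExtKey)) {
        throw "NPS extension registry key '$NpsExtKey' not found; is the extension installed?"
    }
    $prop = Get-ItemProperty -Path $NpsExtKey -Name $OtpValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Verbose "$OtpValueName not set; extension default applies (TOTP enabled)."
        return $true
    }
    return ($prop.$OtpValueName -ne 'FALSE')
}

function Set-NpsExtensionTotpState {
    param(
        [Parameter(Mandatory)] [bool] $Enabled,
        [switch] $RestartNps   # the extension reads the value at service start
    )
    if (-not (Test-Path $NpsExtKey)) { New-Item -Path $NpsExtKey -Force | Out-Null }
    $value = if ($Enabled) { 'TRUE' } else { 'FALSE' }
    New-ItemProperty -Path $NpsExtKey -Name $OtpValueName -Value $value `
        -PropertyType String -Force | Out-Null
    if ($RestartNps) { Restart-Service -Name IAS }
}

# Usage: report the current state, then force out-of-band MFA only
# (what the issue describes as the working configuration for the Windows client).
if (Get-NpsExtensionTotpState) {
    Write-Host 'TOTP is enabled: PAP clients may be prompted for a code.'
} else {
    Write-Host 'TOTP is disabled: users get push/phone-call MFA only.'
}
# Set-NpsExtensionTotpState -Enabled $false -RestartNps
```

Note that enabling TOTP only matters for RADIUS clients that send PAP; MS-CHAPv2 and EAP requests still get the out-of-band flow, and PAP should be confined to a tunnel (SSTP, IKEv2) that protects the inner credential.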