Azure MFA NPS Extension Service Principal Name (SPN) – How to deal with it.

Hello Azure MFA customers,

Recently, we see some cases where Azure MFA stopped working suddenly, checking Azure side we found that the Service Principal Name (SPN) for the MFA got disabled or removed which mainly cause the MFA to failed,  we figured out two main reasons for that:

1- There is no any active license covering MFA in the tenant, in this scenario the MFA SPN will got disabled Automatically.

2- Admin remove the SPN by mistake.

3- For some other reasons, the SPN got also Disabled.


In order to figure out what’s going on, start by checking if the SPN is exist or not, easiest way to do this from Azure portal following below steps:


1- Open Azure Active Directory, then Enterprise Applications, Choose All APplications from Application type drop down list, finally in the search box type this ID: 981f26a1-7f43-403b-a875-f8b09b8cd720


if you found the APP like appearing in above snapshot, then the SPN is exist( Display name may be different specially if it was created manually before, so always look to the ID), since SPN is exist we need to check if it’s enabled or not, to do that click on the APP now, then properties



if “Enabled for users to sign in” option set to Yes, then the SPN is enabled and this is what we need, if the it’s set to NO, this means that the SPN is disabled, you need to enable it to allow MFA to work.


Always make sure before enable the SPN or re-create it (will described later in this article) to have a valid license cover MFA, even you can always enable it without license but from legal perspective you always should have a valid license cover your users.


Now, if you didn’t find the SPN at all, you still can create it per below steps:

In order to complete this step you need to connect to your instance of Azure AD with PowerShell using Connect-MsolService. These steps assume you have already connected via PowerShell. For information see Connect-MsolService.

once you connected to your Azure AD through PowerShell, run below command:

New-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -DisplayName “MFA SPN”


AppPrincipalId value is always the same since this is the ID for the MFA client SPN, you can change the display name to anything you want


Now, go back to your Azure tenant, follow above steps to check if the SPN now is exist and enabled.


Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)


Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.



  1. I’m trying to get this to work for OWA on an Exchange 2019 on-prem. server.

    I followed the steps here:

    And got stopped when I needed to set the MFA tenant & found this blog, did this action & got past it, but now when I try to log in I get a SAS error:

    Relying party: Mail – OWA
    Error details: Exception calling SAS.

    Any idea why? I gave the user access to the app.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.