Authenticate to RADIUS with Azure AD

Organizations can enable RADIUS access using Azure AD as the identity provider, which provides the advantage of an organization getting secure RADIUS access through JumpCloud without having to manage users and passwords outside of Azure AD.

This KB will provide a high level view of  what a new organization needs to do to get authentication with Azure AD working.


  • Organizations authenticating with Azure AD must use EAP-TTLS/PAP only.
  • Azure AD may flag the RADIUS authentication request from JumpCloud RADIUS servers as risky, due to Microsoft Identify Protection being turned on for the Azure AD account or a conditional policy based on the IP address. To suppress the false flag, add JumpCloud RADIUS servers IP server address to the trusted IP list, either by enhancing an existing Azure AD policy or adding a new policy.
  • OpenVPN is only supported with PAP and MSCHAPv2. It is not supported with EAP-PAP/TTLS, so authentication with Azure AD cannot be done with OpenVPN.

Import Users:


In order for RADIUS login with Azure AD credentials to be successful, Azure needs to be authoritative for the user's password. An Azure AD account which is federated with a third party Identity Provider, Microsoft Office, or AD will cause the RADIUS authentication to fail with a sign-in error code of 50126 even if the user or admin enters their username and password correctly. A workaround for this issue is to create an alias user in Azure AD.

  • For organizations planning to authenticate with the IdP of Azure AD, those users need to be imported into JumpCloud.
  • When authenticating with Azure AD, the UPN in Azure AD should match the company email address in JumpCloud and the user should be using this attribute for their Radius login.
  • Azure AD doesn’t pass the user’s password to JumpCloud, so the user remains in a Password Pending status. If an Azure AD organization is using JumpCloud exclusively for RADIUS, admins do not require users to create a password in JumpCloud, so the Password Pending status can be ignored.
  • Users come in as a staged state and need to be moved to an active state.

Create a User Group: 

  • After importing, your users need to be assigned to a User Group that will be granted access to the RADIUS server.

Set up a RADIUS server:

Configure a Wireless Access Point (WAP):

Set up Client Devices:

Troubleshooting RADIUS Connections:

  • Once the setup is tested, admins can leverage their existing MDM/UEM to deploy the certificates or profile to their managed devices.
  • The transactions will show as interrupted in the Azure AD sign-in log. If Azure AD MFA is enabled, the transaction may show as failed but the RADIUS connection will be successful if the user provides email and password correctly. Azure AD ignores the MFA requirement.

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case