When using Network Policy Server (NPS) as your RADIUS server, authenticating Entra ID/Intune cloud-only devices does not work out of the box. NPS looks up the authenticating device in Active Directory, and because Intune does not write device objects back to AD, a cloud-only device has no corresponding AD object for NPS to find, so authentication fails. This article guides you through how to fix this issue and enable RADIUS authentication for cloud-only devices.
Note: If you’re not married to NPS and are open to modernizing your RADIUS infrastructure, at the bottom of the article we show how a cloud RADIUS service for Azure and Microsoft 365 simplifies your RADIUS setup and lets you turn off NPS for good.
One common workaround is creating “ghost” accounts in Active Directory that mirror your cloud-only devices. Here’s how this method works:
Since AD write-back for cloud-only devices has been an issue for years, the community has developed automated scripts for Intune device write-back. These scripts automatically create ghost accounts based on devices enrolled in Intune, ensuring NPS can locate corresponding AD objects during authentication.
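Below is an added illustration of what such a write-back script does, written for this article and not taken from any particular community script. It assumes the Microsoft Graph PowerShell SDK and the ActiveDirectory module are installed, that the account running it can read Intune managed devices and create computer objects in the OU named in `$GhostOU` (a placeholder), and that the device certificate presented to NPS carries the Entra device ID so the `host/<deviceId>` SPN written here is what NPS matches against (an assumption to verify against your certificate profile).

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.DeviceManagement
# Added example: mirror Intune-managed cloud-only devices as "ghost" AD computer objects
# so NPS finds a matching object during EAP-TLS authentication.
param(
    [string]$GhostOU = "OU=IntuneGhostDevices,DC=contoso,DC=local",  # placeholder OU, adjust
    [switch]$WhatIf                                                    # dry run when set
)

Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Windows devices with an Entra device ID. Hybrid-joined devices already have real AD
# objects, so exclude them in your own environment before creating ghosts for them.
$devices = Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.OperatingSystem -eq 'Windows' -and $_.AzureAdDeviceId }

# Index the ghosts that already exist; the Description attribute stores the Entra device ID.
$existing = @{}
Get-ADComputer -SearchBase $GhostOU -Filter * -Properties Description |
    ForEach-Object { if ($_.Description) { $existing[$_.Description] = $_ } }

$created = 0
foreach ($d in $devices) {
    $deviceId = $d.AzureAdDeviceId
    if ($existing.ContainsKey($deviceId)) { continue }   # already mirrored

    # sAMAccountName allows 15 characters plus '$'; derive a deterministic name from the GUID
    # (naming convention is an assumption, not a requirement of NPS).
    $sam = ('INT-' + $deviceId.Replace('-', '').Substring(0, 11)).ToUpper()

    $params = @{
        Name                  = $sam
        SamAccountName        = "$sam$"
        Path                  = $GhostOU
        Description           = $deviceId
        # SPN NPS uses to match the certificate identity to this object (assumption, see lead-in)
        ServicePrincipalNames = @("host/$deviceId")
        Enabled               = $true
        # Random, never-recorded password: the object exists only to be matched, never to log on
        AccountPassword       = (ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force)
    }
    New-ADComputer @params -WhatIf:$WhatIf
    Write-Verbose "Created ghost $sam for $($d.DeviceName) ($deviceId)"
    $created++
}

# Report ghosts whose Intune device is gone so they can be reviewed and removed.
$live = $devices.AzureAdDeviceId
$stale = $existing.Keys | Where-Object { $_ -notin $live }
"Ghosts created: $created; stale ghosts to review: $($stale.Count)"
```

Run it on a schedule from a host that can reach both Graph and a domain controller, and keep the ghost OU out of any group policy or group membership that grants logon or network rights.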
If you are tired of managing NPS and don’t want to add more hacks just to get Microsoft products to work together, you can use a cloud-based RADIUS solution and forget about running your own RADIUS service in NPS. These services integrate directly with Entra ID, eliminating the complexity of ghost account management.
One of the best things about EZRADIUS is that, unlike many cyber security tools, you don’t have to sit through 300 calls just to get a demo. You can get started without ever talking to a human: register for a free trial on the Keytos website and follow the steps to set up your RADIUS clients and policies.
The video below walks through the steps to set up EZRADIUS and Intune for authenticating Entra ID cloud-only devices in less than 30 minutes: