How to enable multi-factor authentication for RDP connections

RsysMartem 41 Reputation points
2022-04-12T09:04:12.953+00:00

Hi, I need to set up a multi-factor authentication system for RDP connections to my Windows Server 2016. I have been looking at all the guides out there on this. I have it configured with Microsoft Authenticator for a group of users accessing the Azure portal, but I do not know how to move this to the RDP connections, as all the guides tell me that it is done either with a Multi-Factor Authentication Server that can no longer be downloaded or with NPS. It would be nice to do it with NPS, but while configuring it I see that it only has two methods, password or smart card; I want it to ask for authentication by SMS or Microsoft Authenticator.
Any solution for this?
Greetings and thanks in advance


Accepted answer
  1. AmanpreetSingh-MSFT 56,481 Reputation points
    2022-04-12T09:54:55.137+00:00

    Hi @RsysMartem • Thank you for reaching out.

    You can achieve these requirements by using the Azure AD MFA Service, which is different from Azure MFA Server. Now you don't need to install the MFA Server software on any of your servers and can directly use the Azure MFA Service to trigger MFA when RDPing to your Windows machines, with the help of the NPS Extension. The purpose of the NPS extension is to translate the NPS RADIUS calls to REST (HTTPS) calls that Azure AD supports and directly leverage Azure AD MFA, without needing an on-prem MFA server.

    Below are the prerequisites:

    • Remote Desktop Gateway
    • Azure AD MFA License
    • NPS Server with NPS Extension installed
    • Azure Active Directory synced with on-premises Active Directory

    Once the above prerequisites are checked, you can follow "Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD" for step-by-step instructions.

    Note: The MFA method that you choose must not require users to input any type of code/OTP for the 2nd factor of authentication, as the Remote Desktop Connection doesn't provide you with an option to enter a code. So, you must choose Phone Call or Authenticator App notification (not Authenticator App with Code), and the SMS method won't work in this case.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

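    An added PowerShell check, not part of the accepted answer and not Microsoft's own tooling, that audits an NPS host for the pieces this answer describes (the two roles, the extension install, and the setting that decides what happens to users who have no MFA method). It assumes the extension's default folder C:\Program Files\Microsoft\AzureMfa, the registry key HKLM:\SOFTWARE\Microsoft\AzureMfa with its REQUIRE_USER_MATCH value, and the Microsoft-AzureMfa-AuthZ/AuthZAdminCh event channel; verify those names against your own install.

```powershell
# Added example, not from the original answer: audits an NPS host for what
# the accepted answer requires. Assumed (verify on your install): the extension's
# default folder, its registry key/values and its event channel named below.
$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Roles: the answer needs an RD Gateway and an NPS server (can be one box).
foreach ($feature in 'NPAS', 'RDS-Gateway') {
    $f = Get-WindowsFeature -Name $feature
    $state = if ($f.Installed) { 'installed' } else { 'MISSING' }
    $findings.Add("Role ${feature}: $state")
}

# 2. NPS extension binaries and its configuration script (assumed default path).
$extRoot   = 'C:\Program Files\Microsoft\AzureMfa'
$cfgScript = Join-Path $extRoot 'Config\AzureMfaNpsExtnConfigSetup.ps1'
$findings.Add("Extension folder present: $(Test-Path $extRoot)")
$findings.Add("Extension config script present: $(Test-Path $cfgScript)")

# 3. REQUIRE_USER_MATCH=FALSE lets users with no MFA method in Azure AD through on
#    password alone, which quietly defeats the goal of this thread (assumed key).
$regKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
if (Test-Path $regKey) {
    $match = (Get-ItemProperty -Path $regKey).REQUIRE_USER_MATCH
    if ($match -eq 'TRUE') {
        $findings.Add('REQUIRE_USER_MATCH=TRUE: unenrolled users are denied (good)')
    } else {
        $findings.Add("REQUIRE_USER_MATCH=$match: unenrolled users bypass MFA, review")
    }
} else {
    $findings.Add("Registry key $regKey not found: extension not configured yet")
}

# 4. Recent extension decisions; errors here usually mean the user's default MFA
#    method needs a typed code (see the Note above) or the Azure AD lookup failed.
$log = 'Microsoft-AzureMfa-AuthZ/AuthZAdminCh'
try {
    $events = Get-WinEvent -LogName $log -MaxEvents 20
    $errors = @($events | Where-Object { $_.LevelDisplayName -eq 'Error' })
    $findings.Add("Last $($events.Count) events in ${log}: $($errors.Count) error(s)")
    foreach ($e in ($errors | Select-Object -First 3)) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings.Add("  $($e.TimeCreated): $firstLine")
    }
} catch {
    $findings.Add("Event log $log unavailable: $($_.Exception.Message)")
}

$findings | ForEach-Object { Write-Output $_ }
```

    Run it in an elevated PowerShell session on the NPS host after the extension's own configuration script has been executed; a MISSING role or a REQUIRE_USER_MATCH line flagged for review is the first thing to fix before testing an RDP logon.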

6 additional answers

  1. Carlos Solís Salazar 17,536 Reputation points MVP
    2022-04-12T10:06:52.423+00:00

    Hi @RsysMartem

    Thank you for asking this question on the Microsoft Q&A Platform.

    There is no direct way to activate MFA for RDP Connection.

    You should make some huge changes to your infrastructure to achieve that.

    Sharing two links that can help with that:

    - Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS

    However,

    If what you are looking for is more security for your RDP Connections, you can implement the following solutions:

    - Remote Desktop Service

    As you can see, you have some substitutive security controls that can help you secure your RDP connection.

    Hope this helps, Carlos Solís Salazar

    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.


  2. RsysMartem 41 Reputation points
    2022-04-12T10:18:51.227+00:00

    Hi, thanks for your quick reply.

    I suppose that Remote Desktop Gateway is installed with the Remote Desktop Services deployment resource. I have a problem with this: when assigning VM sizes, it tells me that there is none available and therefore does not let me create it.
    Is this because of the type of subscription? Mine is level 1; should I upgrade to 2?


  3. RsysMartem 41 Reputation points
    2022-04-12T10:27:52.583+00:00

    Thanks @AmanpreetSingh-MSFT and @Carlos Solís Salazar, I'll have a look at these links to see if they give me a solution.


  4. Carlos Solís Salazar 17,536 Reputation points MVP
    2022-04-12T10:36:28.38+00:00

    @RsysMartem

    The availability of VM Size will depend on the region where you are deploying the VMs.

    Hope this helps,
    Carlos Solís Salazar

    ----------

    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.

    NOTE: To answer you as quickly as possible, please mention me in your reply.