Connecting to Azure Windows Server 2019 via Remote Desktop with MFA for AAD registered Windows 10 clients

Cache Moneyz 1 Reputation point
2022-10-28T20:08:38.52+00:00

Hello, I am having trouble determining the best route for this, or if it is possible at this time.

I have a Windows Server 2019 Data Center VM in Azure and a local WORKGROUP lab of 2 Windows 10 PCs. Both PCs are Registered to Azure AD with AAD users assigned AAD MFA licenses. The 2019 Server VM is Azure AD joined to the same Azure tenant as the AAD users.

In this lab I am looking to configure the AAD Users to connect to the Windows Server 2019 VM via Remote Desktop from the PCs. The requirements would be that the AAD user utilize their AAD/Azure credentials to authenticate to the Azure server. Sign-on should also require MFA/2FA via Azure AD, MS Authenticator, PIN, or text message verification.

The basic flow would be:
User logs into AAD Registered PC -> RDP Connect to 2019 Server -> Enter AAD User credential -> Complete MFA/2FA -> Log onto Server

Additional info:
PCs are workgroup machines - no Active Directory (besides AAD Registration)
No local accounts will be allowed RDP login on the server - only granted AAD users via IAM membership.

Is this possible today with Microsoft's offerings? If so, is there a clear path for deploying this? I'm happy to keep on digging to figure this out, but I don't want to be reinventing the wheel if this is already a documented practice.

Thank you in advance!!!


2 answers

  1. Cristian SPIRIDON 4,486 Reputation points Volunteer Moderator
    2022-10-29T05:42:00.827+00:00

    Hi ChrisEstrada-0817,

    Windows login or RDP can't be done with Azure MFA.
    There are options like Windows Hello for Business or the NPS extension for RDP, but they require you to have an on-prem infrastructure.
    One solution to protect the Windows Server would be to have it behind a VPN that requires MFA.

    Hope this helps!


  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2022-11-02T06:04:03.037+00:00

    Hello @Cache Moneyz

    You can achieve these requirements by using the Azure AD MFA Service. You can directly use the Azure MFA Service to trigger MFA when doing RDP to your Windows machines, with the help of the NPS Extension. The purpose of the NPS extension is to translate the NPS RADIUS calls to REST (HTTPS) calls that Azure AD supports and directly leverage Azure AD MFA, without needing to have an on-prem MFA server.

    Below are the prerequisites:

    • Remote Desktop Gateway
    • Azure AD MFA License
    • NPS Server with NPS Extension installed
    • Azure Active Directory synced with on-premises Active Directory

    Once the above prerequisites are checked, you can follow *Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD* for step-by-step instructions.

    Note: The MFA method that you choose must not require users to input any type of code/OTP for the 2nd factor of authentication, as the Remote Desktop Connection doesn't provide you with an option to enter a code. So, you must choose Phone Call or Authenticator App notification (not Authenticator App with Code), and the SMS method won't work in this case.

    Please do let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well
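As an added pre-flight check (not part of the answer above), the PowerShell below verifies the two points that most often break this design: that the NPS and RD Gateway roles are present on the host, and that each RDP user has a push- or call-capable method registered, since the NPS extension fires the user's default MFA method and cannot collect a typed code. It assumes the Microsoft.Graph PowerShell module is installed and the caller can consent to UserAuthenticationMethod.Read.All; the UPNs are constructed placeholders.

```powershell
# Added example, not code from the answer or from Microsoft.
# Part 1 runs on the NPS / RD Gateway host; part 2 needs the Microsoft.Graph module.

# 1. Roles listed as prerequisites: NPS (NPAS) and Remote Desktop Gateway.
$roles   = Get-WindowsFeature -Name NPAS, RDS-Gateway
$roles | Select-Object Name, Installed | Format-Table -AutoSize
$missing = $roles | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Roles still missing on this host: " + ($missing.Name -join ', '))
}

# 2. Per-user method check. The extension cannot prompt for an OTP, so a user
#    whose only registered methods are SMS/OTP will be denied at the gateway.
#    The type strings below are the Microsoft Graph OData types returned by
#    Get-MgUserAuthenticationMethod (assumption: Microsoft.Graph SDK v2 objects).
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All'

function Test-RdpMfaReady {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    $push  = $types -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
    $phone = $types -contains '#microsoft.graph.phoneAuthenticationMethod'

    [pscustomobject]@{
        User             = $UserPrincipalName
        AuthenticatorApp = $push          # push notification works with RDP
        PhoneRegistered  = $phone         # voice call works; SMS on same number does not
        RdpMfaCapable    = ($push -or $phone)
    }
}

# Constructed sample UPNs; replace with the users granted RDP through IAM.
'user1@contoso.example', 'user2@contoso.example' |
    ForEach-Object { Test-RdpMfaReady -UserPrincipalName $_ } |
    Format-Table -AutoSize
```

A registered phone number only passes if the user's default method is voice call rather than SMS, so confirm the default in the user's security info as well.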

