Bypass MFA for specific users or groups - NPS Extension for Azure MFA

Question

We're utilizing NPS Extension for Azure MFA in our Highly available RDS Environment (Two RDGW Machines, Two NPS Machines (with extension installed), and Two connection broker machines))

We have a requirement to exclude service accounts from getting MFA prompts when they're utilized while establishing an RDP connection. Already Tried the conditional access policy approach, But that doesn't work with the RDP connection

Please suggest a solution that we can implement

Answer 1

Hello @Mohit Pathak,

Thank you for posting your query on Microsoft Q&A.

To exclude service accounts from getting MFA prompts when they're utilized while establishing an RDP connection, you can add the following registry setting under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa:

Value Name: REQUIRE_USER_MATCH Value Type: REG_SZ Value Data: FALSE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa | REQUIRE_USER_MATCH | REG_SZ | FALSE

Adding this value and setting it to FALSE allows the NPS extension to bypass secondary authentication failures for Non-MFA Enrolled users. Setting REQUIRE_USER_MATCH=FALSE skips the enrollment check which allows non-MFA Enrolled users to authenticate using Primary authentication only. This should allow service accounts to bypass MFA prompts when establishing an RDP connection.

Please refer below article for more information.
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#prepare-for-users-that-arent-enrolled-for-mfa

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Thanks,
Raja Pothuraju.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.