Bypass MFA for specific users or groups - NPS Extension for Azure MFA

Mohit Pathak 25 Reputation points
2024-06-02T12:48:46.94+00:00

We're utilizing NPS Extension for Azure MFA in our Highly available RDS Environment (Two RDGW Machines, Two NPS Machines (with extension installed), and Two connection broker machines))

We have a requirement to exclude service accounts from getting MFA prompts when they're utilized while establishing an RDP connection. Already Tried the conditional access policy approach, But that doesn't work with the RDP connection

Please suggest a solution that we can implement

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,341 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,187 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Raja Pothuraju 795 Reputation points Microsoft Vendor
    2024-06-04T06:14:33.1633333+00:00

    Hello @Mohit Pathak,

    Thank you for posting your query on Microsoft Q&A.

    To exclude service accounts from getting MFA prompts when they're utilized while establishing an RDP connection, you can add the following registry setting under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa:

    Value Name: REQUIRE_USER_MATCH Value Type: REG_SZ Value Data: FALSE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa | REQUIRE_USER_MATCH | REG_SZ | FALSE

    Adding this value and setting it to FALSE allows the NPS extension to bypass secondary authentication failures for Non-MFA Enrolled users. Setting REQUIRE_USER_MATCH=FALSE skips the enrollment check which allows non-MFA Enrolled users to authenticate using Primary authentication only. This should allow service accounts to bypass MFA prompts when establishing an RDP connection.

    Please refer below article for more information.
    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#prepare-for-users-that-arent-enrolled-for-mfa

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,
    Raja Pothuraju.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.