How to do MFA for RDP to Windows Servers joined to Entra Domain Services

Question

Hi there,

I have a cloud only setup in my infrastructure with 25 Windows VMs. I use Entra Domain Services to manage policies on all Windows Server VMs using GPOs. Authentication to RDP is through Entra IDs that flow down to the domain from Azure.

I have a need to have MFA on Production servers. Is there a way to do this?

Have tried many articles however nothing worked so far. I do not use any RD Gateway for RDP to these VMs.

Thanks

Answer 1

Entra Domain Services do not support native Multi-Factor Authentication (MFA) for RDP logins on domain-joined VMs because it follows traditional Windows authentication protocols. However, there are a few workarounds to enforce MFA on your production servers:

Workarounds for MFA on RDP Sessions

1. Use Conditional Access with Azure Bastion:
   • Deploy Azure Bastion as a secure gateway to access your VMs via RDP/SSH.
   • Enforce Conditional Access policies to require MFA whenever users connect to Bastion. Benefit: You get MFA-protected RDP without modifying the VMs directly.
2. Azure AD Authentication with Windows Hello for Business:
   • Configure Windows Hello for Business with certificate-based authentication on VMs.
   • This setup allows MFA through PIN, biometrics, or trusted devices. Note: This requires additional configuration to enable WHfB in your environment.
3. Enable MFA for RDP Using Duo or Third-Party Tools:
   • Integrate a third-party MFA solution, such as Duo Security, on your VMs.
   • These solutions add MFA layers during the RDP login process by prompting for verification after credentials are entered.

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin