This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 6%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I've set up our Remote Desktop server to allow access by using Multi Factor Authentication through the Microsoft Authenticator app by using this guide.
This works for all new connections through the rd web access site, users must authenticate with the app before it allows them remote into the server. But for people who have created their own RDP shortcuts, with the "Automatically detect RD Gateway server settings" option selected, can bypass MFA and connect with just their username and password.
Is there a way to restrict connection so that users must use MFA to connect?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
I would think that even if they have that setting enabled, you could use a conditional access policy to enforce the MFA anyway. I've reached out to the product team to confirm though.
I'm not aware that a setting in the RDP file will keep MFA from happening. I am wondering if there is already a MFA token and that is why they are not getting prompted? It is difficult to say since we don't have any diagnostic logging available to us.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 60%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
If a user creates a new remote desktop connection and specifies to automatically detect gateway settings, it will still let them connection without MFA. If they specify the gateway address, it prompts for MFA.
So far I've been working around the issue by blocking the non-MFA connection at the firewall level, but I figure there must be a setting to accomplish this as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 60%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPV%3C/text%3E%3C/svg%3E)
Are you sure? I think MFA does not work when you login to an existing (disconnected) session, it only works when you login to a computer where the user previously logged out. Can you try that?
How do you block the non-MFA connection at the firewall level?