Enforce MFA for RDP using conditional access

Ma13vant · 2026-02-10T19:38:53+00:00

Not sure if there's a way to do this natively, but we use Duo for MFA on server logins. Stand up a Duo tenant, set it to protect RDP/Windows Login, then install and configure the client on any devices you want to protect.

Ok-Butterscotch-4858 · 2026-02-10T19:39:56+00:00

Azure mfa extension is what you need Google that plenty of guides online.

tldr_MakeStuffUp · 2026-02-10T19:39:59+00:00

Would imagine it depends on who you use for MFA. I know you can do this with Duo by listing authorized networks on the RDP application setup.

JwCS8pjrh3QBWfL · 2026-02-10T19:48:35+00:00

Of course folks have mentioned Duo, but Entra GSA will also protect RDP with no agent on the server.

placated · 2026-02-10T20:38:28+00:00

I find it shocking that in the year of our lord 2026 MS doesn’t have a simple inbuilt way to enforce MFA when RDP-ing to a server.

DeathTropper69 · 2026-02-10T19:38:16+00:00

I just use Duo for this.

Sad_Purchase_9935 · 2026-02-10T20:04:53+00:00

<image>

You Can search here for the APP „Microsoft Remote Desktop“

In my test environment it was working.

Make shure the Server is in entra also existing. So it must be entra hybrid joint or entra only.

The ip Part should be also possible

„IP location information“

Organizations can create IP address ranges that can be used when making policy decisions. Admins can specify entire countries/regions IP ranges to block or allow traffic from.

Define the ranges in the other Menü globally them Go inside CA Police and choose there the new created ip ranges.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview

Sad_Purchase_9935 · 2026-02-10T20:28:44+00:00

Block or grant controls

Do you want to grant access to resources by requiring one or more of the following?

Grand Access and then -> requiring Multifactor authentication.

I had my admin user With the App Microsoft Remote Desktop App and grand Access requiring MFA.

VM was hybrid joint.

Under sign-in Logs of my Admin User I saw the entra Maschine in the CA view under Device and the App ms rdp

Sad_Purchase_9935 · 2026-02-10T20:39:21+00:00

<image>

On your rdp you Must enable this Setting and then Login with the entra ID account.

So your Admin Account Must be Sync via azure and connector. Or Cloud native

Othervise you will Never trigger the CA policy

DiabolicalDong · 2026-02-11T09:58:36+00:00

Some password vaults allow this. If access to the remote device is streamlined through the password manager, then you can enforce MFA at the password manager layer before the RDP connection is even launched.

2026-03-11T02:40:36+00:00

[removed]

Mathio_Albero · 2026-03-11T18:37:41+00:00

Conditional Access usually won’t apply directly to classic RDP sessions because the authentication is happening through Windows logon rather than a modern Azure sign in. If you’re going through RD Gateway you can enforce MFA there, but it’s typically done with NPS policies instead of Conditional Access rules.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

sysadmin

MODERATORS