Share via

How to enable MFA when using RDP to VM in Azure

Zuuber 145 Reputation points
2024-11-14T09:43:39.37+00:00

Hi

We have an Azure environment and we use multiple Azure services such as AVD, SQL Managed Instance, storage accounts, VPN Gateway and Entra Domain Services which all work fine.

We also have a VM which is connected to the domain hosted by Entra Domain Services, the VM does not have a public IP and is only accessible from within the VNET via the VPN.

Our question is how do we enable MFA login into the VM when using RDP? There doesn’t seem to be a simple or straight forward way of achieving this because the VM is connected to our domain via Entra Domain Services, or am i wrong? What are the options to enable MFA via RDP login?

At the moment we're leaning towards a 3rd party solution like Duo, which we have used elsewhere, as the setup and config is straight forward and will achieve what we need.

Would appreciate any ideas thanks.

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
8,056 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Srinud 2,720 Reputation points Microsoft Vendor
    2024-11-14T12:55:48.1366667+00:00

    Hello @Zuuber,

    Thank you for reaching out to us on the Microsoft Q&A forum.

    Based on your description, I understand that you are looking to enable MFA for RDP sign-ins to a VM. To enable MFA for RDP sessions, you can create a conditional access policy targeting "All cloud apps" or, alternatively, include only "Azure Windows VM Sign-In (AppID: 372140e0-b3b7-4226-8ef9-d57986796201)." Under the Grant control, you can require Multi-Factor Authentication. This will enforce MFA for RDP logins.

    However, there is a limitation: if a user attempts to connect to RDP while the conditional access policy is in place, they will need to complete the second-factor authentication using a strong authentication method, such as Windows Hello for Business. You can refer to the following document for more details:

    How to enable MFA for Azure AD-based VM sign-ins

    User's image

    Important Notes:

    • Users with per-user enabled/enforced Azure AD Multi-Factor Authentication are not supported for VM sign-ins.
    • If a user is subject to a conditional access policy that requires MFA and the Windows Hello for Business certificate trust model has not been deployed, the sign-in will be blocked until the "Azure Windows VM Sign-In" application is excluded from the list of cloud apps that require MFA.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks, Srinu.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.