Nov 06 2019 01:43 AM
A client of ours have a RD environment configured with a RD Gateway that authenticates via a NPS server with the Azure MFA NPS extension configured.
It all works perfectly for users with the authenticator app configured, but for various reasons they want the option to exclude users from having to use MFA when starting apps from RD.
I have not found a way to achieve this, is it not possible?
Jan 26 2020 04:10 PM
Jan 26 2020 11:03 PM
I'm afraid not. Still an open question
Jan 27 2020 03:09 AM
@PetterTech
I have it working if using the Azure MFA Portal. i.e. If a user is Disabled for MFA on the Azure MFA portal, then it does not ask them for MFA when connecting to the RDS to the Session or opening a remote app.
However, on another client we've just got this setup in Conditional Access - and I cannot stop it from prompting the user (who doesn't require MFA) from getting MFA prompts.
Will update if I make progress
Feb 10 2020 07:12 AM
@Adam Weldon-Ming - when we disable the user in MFA, consider there are other application should enabled for MFA, I think we need to think about RDS/NPS perspective to exclude users. In my case i have to exclude MFA who ever using RDS. Is that can you help on this too..
Feb 11 2021 11:46 PM
Hi! I've found solution to exclude specific users, but not a group. On your rdgw, make CRP policy with username condition, which will authenticate request locally. Be sure to put this policy before forwarding one.
Jul 28 2021 08:20 AM
the way i used to exempt accounts from MFA was to sync the account to Azure and remove the MFA login methods; so when the user account was authenticated against the RDG MFA checked the login methods because they were absent it did not use them and authenticated with NPS radius only. The accounts were 3rd party accounts for supporting internal applications so MFA was difficult to implement with shared accounts 3rd party accounts but we still needed MFA for normal AD accounts