Exclude users Azure MFA NPS integration

Copper Contributor

A client of ours have a RD environment configured with a RD Gateway that authenticates via a NPS server with the Azure MFA NPS extension configured. 

It all works perfectly for users with the authenticator app configured, but for various reasons they want the option to exclude users from having to use MFA when starting apps from RD. 

I have not found a way to achieve this, is it not possible?

6 Replies



Hey, did you ever get a solution to this?

@Adam Weldon-Ming 

I'm afraid not. Still an open question


I have it working if using the Azure MFA Portal. i.e. If a user is Disabled for MFA on the Azure MFA portal, then it does not ask them for MFA when connecting to the RDS to the Session or opening a remote app. 


However, on another client we've just got this setup in Conditional Access - and I cannot stop it from prompting the user (who doesn't require MFA) from getting MFA prompts. 

Will update if I make progress

@Adam Weldon-Ming - when we disable the user in MFA, consider there are other application should enabled for MFA, I think we need to think about RDS/NPS perspective to exclude users. In my case i have to exclude MFA who ever using RDS. Is that can you help on this too..


Hi! I've found solution to exclude specific users, but not a group. On your rdgw, make CRP policy with username condition, which will authenticate request locally. Be sure to put this policy before forwarding one.


the way i used to exempt accounts from MFA was to sync the account to Azure and remove the MFA login methods; so when the user account was authenticated against the RDG MFA checked the login methods because they were absent it did not use them and authenticated with NPS radius only. The accounts were 3rd party accounts for supporting internal applications so MFA was difficult to implement with shared accounts 3rd party accounts but we still needed MFA for normal AD accounts