Exclude users Azure MFA NPS integration


A client of ours has an RD environment configured with an RD Gateway that authenticates via an NPS server with the Azure MFA NPS extension configured.

It all works perfectly for users with the authenticator app configured, but for various reasons they want the option to exclude users from having to use MFA when starting apps from RD. 

I have not found a way to achieve this. Is it not possible?

4 Replies

@Nerenther

Hey, did you ever get a solution to this?


@Adam Weldon-Ming 

I'm afraid not. Still an open question.


@Nerenther

I have it working if using the Azure MFA Portal, i.e. if a user is Disabled for MFA on the Azure MFA portal, then it does not ask them for MFA when connecting to the RDS to the Session or opening a remote app.

However, on another client we've just got this set up in Conditional Access, and I cannot stop the user (who doesn't require MFA) from getting MFA prompts.

Will update if I make progress.


@Adam Weldon-Ming - when we disable the user in MFA, consider that there are other applications that should be enabled for MFA. I think we need to think about excluding users from the RDS/NPS perspective. In my case I have to exclude MFA for whoever is using RDS. Can you help with this too?