MFA
MFA on RDP (with AD, RDG, NPS)
Hi, everyone. In the company where I work we have an AD domain and RDP servers (MP) that some employees access from outside via RDG. We have already installed ADFS and NPS but I am still not clear which products and which license levels are necessary to enable 2FA on RDP via RDG. Does anyone have a clearer idea than me? Thanks

Report on MFA Status with Conditional Access
Is there any effective way to get a report of the actual MFA state of your users? I mean, the individual MFA state as well as MFA enabled via Conditional Access. It's easy to report on the individual MFA state. You get nice results: Enabled, Disabled, Enforced... However, if MFA is enabled via Conditional Access I can't seem to find an effective way to report on them. The PowerShell snippet below is the closest I can get. It will check if MFA is enabled individually. If not, it will check the "StrongAuthenticationMethods.IsDefault" attribute and report on that. But this is not always accurate, because if the "Phone" or "Alternate Phone" are configured in the Azure user object, it will still report it here even if the user is not a member of a Conditional Access policy. There is a built-in Azure report for this, but it is completely incorrect. It says that, for instance, I'm not enabled for MFA even though I've been enabled for the last 6 years. Report: https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthMethodsOverviewBlade Has anyone figured this out yet?
```powershell
# Requires the MSOnline module; run Connect-MsolService before this snippet
$user = Get-MsolUser -UserPrincipalName yourUserName@contoso.com
$StrongAuthenticationMethodsresult = $user.StrongAuthenticationMethods | Select-Object MethodType, IsDefault

[PSCustomObject]@{
    UserPrincipalName = $user.UserPrincipalName
    ObjectID          = $user.ObjectId
    DisplayName       = $user.DisplayName
    AuthEmail         = $user.StrongAuthenticationUserDetails.Email
    AuthPhoneNumber   = $user.StrongAuthenticationUserDetails.PhoneNumber
    PhoneDeviceName   = $user.StrongAuthenticationPhoneAppDetails.DeviceName
    AuthAltPhone      = $user.StrongAuthenticationUserDetails.AlternativePhoneNumber
    # Per-user MFA state if one is set; otherwise infer from a default registered method
    State = if ($null -ne $user.StrongAuthenticationRequirements.State) {
                $user.StrongAuthenticationRequirements.State
            } elseif ($user.StrongAuthenticationMethods.IsDefault -eq $true) {
                "ConditionalAccess ($(($user.StrongAuthenticationMethods | Where-Object IsDefault -eq $true).MethodType))"
            } else {
                "Disabled"
            }
    # For each method: is it registered, and is it the default?
    PhoneAppNotification          = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" })
    PhoneAppNotificationIsDefault = [bool](($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppNotification" }).IsDefault -eq $true)
    PhoneAppOTP                   = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" })
    PhoneAppOTPIsDefault          = [bool](($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "PhoneAppOTP" }).IsDefault -eq $true)
    TwoWayVoiceMobile             = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" })
    TwoWayVoiceMobileIsDefault    = [bool](($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "TwoWayVoiceMobile" }).IsDefault -eq $true)
    OneWaySMS                     = [bool]($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" })
    OneWaySMSIsDefault            = [bool](($StrongAuthenticationMethodsresult | Where-Object { $_.MethodType -eq "OneWaySMS" }).IsDefault -eq $true)
}
```

Users asked for 2nd MFA method
Hi there, starting today a couple of users reported that, seemingly out of the blue, they're being asked to configure a second method for their MFA setup. For example, if a user has configured to use the MSFT Authenticator app, he will be asked to provide an additional method. This doesn't seem to be widespread yet and we couldn't reproduce thus far. Perhaps someone of you knows what could be causing this. Thanks.

Remote Desktop Connection using Azure MFA
Hello Everyone, I am facing a little problem now. We are thinking to implement MFA to log in to our servers on-prem from the internal network. Obviously we can use some third party tools such as DUO or AD Professional Plus. However from what I can see there is a possibility to use RD Gateway with NPS that will have the MFA plugin on it. I just need to understand something correctly - am I right saying that I can handle all RDP traffic to all the servers through RD Gateway that will be redirecting authentication through NPS to Azure MFA, or is it a no go? Regards, Wojciech

Guidance on using WVD with MFA user accounts and Azure AD DS?
Is there any guidance out there on using WVD with MFA accounts? I have a total cloud environment. No on prem ever. Implemented AZ AD DS. Set up WVD. Working for users without MFA. But unable to log in on desktop or web for users with MFA enabled. Guidance? Articles? I seem to have missed something??

Windows Virtual Desktop Sign-in prompt
Hello all, We are getting ready to deploy Windows Virtual Desktops into our prod environment, but I have a few concerns with the authentication process. As of now I have a conditional access policy that will require a user to use MFA when subscribing to our host pool using the Remote Desktop client app. This is great, but the sign-in prompts one time, then seems to cache the auth token. I am looking for a way to prompt for sign-in every time, or require the sign-in to be available only on a certain IP via conditional access. We are a hybrid AD configuration with well established policies to protect our resources, requiring all external access to have an MFA requirement. This bypasses this requirement. This seems like a potential issue if someone were to gain access to a computer and just click right through into the hosted app that is readily available in the RD app. Is there something I might be missing to set this as an option that requires a user to auth every time? Thanks! -SammyF

Azure VPN Gateway and MFA Timeout Issue for Point to Site Connections
Hi, I'm having trouble getting MFA working with an Azure P2S IKEv2 VPN using RADIUS auth. It seems that the auth response timeout on the gateway is set so low (looks like 5 sec) that I don't have enough time to authenticate using MFA. I've verified this both with DUO Auth and Azure MFA; both have the same result. I initiate the VPN connection, enter credentials, and before I can answer the phone call to verify MFA, another request is initiated and a second call comes through. If I successfully verify either or both calls, the connection fails. However, if I use a push notification to the cell phone for verification and I can verify in under 5 sec, the connection is completed. I've also pointed my Palo Alto VPN device (where I have a specified timeout of 60 sec) at my MFA server and was able to log in successfully to that VPN - this determines the issue is not with my MFA server setup. I've created a bug request with Microsoft on this as there doesn't seem to be a way to change the timeout. Has anyone else encountered this issue or found a workaround??

MFA and privacy protection
Hello, I am interested in specific information about MFA, but unfortunately I have not found answers to some of my questions. If a user has MFA active on the domain, can the domain administrator change the user's domain access credentials or deactivate MFA on their account? If the administrator has this authority, is the user informed of this change? Can the domain administrator add or change another user's MFA? Can Microsoft (of its own accord or on someone's orders) browse and read my e-mails or files without my knowledge? Thank you in advance for your reply.

MFA and privacy protection
Hello, I am interested in specific information about MFA, but unfortunately I have not found answers to some of my questions. If a domain user has MFA active, can the domain administrator change the domain user's access credentials or deactivate MFA on their account? If the administrator has this authority, is the domain user informed of this change? Can the domain administrator add or change another user's MFA? Can Microsoft (of its own accord or on someone's orders) browse and read my e-mails or files without my knowledge? Thank you in advance for your reply.

MFA and Azure IKEv2 P2S VPN Failing - Timeout Issue?
Hi, I'm having trouble getting MFA working with an Azure P2S IKEv2 VPN using RADIUS auth. It seems that the auth response timeout on the gateway is set so low (looks like 5 sec) that I don't have enough time to authenticate using MFA. I've verified this both with DUO Auth and Azure MFA; both have the same result. I initiate the VPN connection, enter credentials, and before I can answer the phone call to verify MFA, another request is initiated and a second call comes through. If I successfully verify either or both calls, the connection fails. However, if I use a push notification to the cell phone for verification and I can verify in under 5 sec, the connection is completed. I've also pointed my Palo Alto VPN device (where I have a specified timeout of 60 sec) at my MFA server and was able to log in successfully to that VPN - this determines the issue is not with my MFA server setup. I've created a bug request with Microsoft on this as there doesn't seem to be a way to change the timeout. Has anyone else encountered this issue or found a workaround??