Using Azure Multi-Factor Authentication (MFA) to Secure Remote Connections to Azure Infrastructure


Welcome back to another exciting installment of Exigo Insights!

Recently, I was working in a secure environment that called for Secured Remote Access to the Azure Vnet from internet without the need for assigning public IPs to the Azure VMs and have Multi factor Authentication on top of AD Authentication only for authorized users and desktops. So with that in mind, we’re going to talk about it right now.

Let’s talk about the details of integrating your Remote Desktop Gateway infrastructure with Azure Multi-Factor Authentication (MFA) using the Network Policy Server (NPS) extension for Microsoft Azure. This of course assumes that you have an RDS Deployment in your environment. If you do not, then this article is not for you. If you are planning on it, then this article may be something you want to consider.

The Network Policy Server (NPS) extension for Azure allows customers to safeguard Remote Authentication using Azure’s cloud-based Multi-Factor Authentication (MFA). Organizations can integrate NPS with Azure MFA to enhance security and provide a high level of compliance. This helps ensure that users establish two-step verification to log on to the Remote Desktop Gateway. For users to be granted access, they must provide their username/password combination along with information that the user has in their control. This information must be trusted and not easily duplicated, such as a cell phone number, landline number, application on a mobile device, and so on.

Previously, this kind of setup would have called for the configuration of the on-premises version of Azure MFA, which is where you would would have sent your RADIUS client requests from the Remote Desktop Gateway to in order to perform the MFA functions. Details on how this used to work can be found here. I’m still partial to this setup as it can server more than just securing RDP, but can handle ADFS, IIS, and other services as well. However, with the availability of the NPS extension for Azure, this now gives organizations the choice to deploy either an on-premises based MFA solution or a cloud-based MFA solution to secure RADIUS client authentication.

Visual Overview of Architecture

Authentication Flow

For users to be granted access to network resources through a Remote Desktop (RD) Gateway, they must meet the conditions specified in one Remote Desktop Connection Authorization Policy (RD CAP) and one Remote Desktop Resource Authorization Policy (RD RAP). RD CAPs specify who is authorized to connect to RD Gateways. RD RAPs specify the network resources, such as remote desktops or remote apps, that the user is allowed to connect to through the RD Gateway.

An RD Gateway can be configured to use a central policy store for RD CAPs. RD RAPs cannot use a central policy, as they are processed on the RD Gateway. When the NPS extension for Azure is integrated with the NPS and Remote Desktop Gateway, the successful authentication flow is as follows:

  1. The Remote Desktop Gateway server receives an authentication request from a remote desktop user to connect to a resource, such as a Remote Desktop session. Acting as a RADIUS client, the Remote Desktop Gateway server converts the request to a RADIUS Access-Request message and sends the message to the RADIUS (NPS) server where the NPS extension is installed.
  2. The username and password combination is verified in Active Directory and the user is authenticated.
  3. If all the conditions as specified in the NPS Connection Request and the Network Policies are met (for example, time of day or group membership restrictions), the NPS extension triggers a request for secondary authentication with Azure MFA.
  4. Azure MFA communicates with Azure AD, retrieves the user’s details, and performs the secondary authentication using the method configured by the user (text message, mobile app, and so on).
  5. Upon success of the MFA challenge, Azure MFA communicates the result to the NPS extension.
  6. The NPS server, where the extension is installed, sends a RADIUS Access-Accept message for the RD CAP policy to the Remote Desktop Gateway server.
  7. The user is granted access to the requested network resource through the RD Gateway.


This section details the prerequisites necessary before integrating Azure MFA with the Remote Desktop Gateway. Before you begin, you must have the following prerequisites in place:

  • Remote Desktop Services (RDS) infrastructure – (Session Host, Licensing, Server, Connection Broker and RD Gateway)
  • Azure MFA License
  • Windows Server software
  • Network Policy and Access Services (NPS) role
  • Azure Active Directory synced with on-premises Active Directory
  • Azure Active Directory GUID ID

Well, that wraps it up for this session of Exigo Insights. Stayed tuned as  we will continue to explore the various Microsoft Solutions that can be done on-premises, in hybrid cloud, and fully public cloud.