I'm working with an Entra-joined Windows server that has RDP configured for Entra ID web authentication with MFA. However, I want to completely eliminate the option for normal RDP logins using Entra accounts so that MFA is always mandatory. I've enabled the 'Enable MS Entra ID Authentication Enforcement' setting in Group Policy, yet I'm still able to log in using my Entra ID account without being prompted for MFA. Can anyone guide me on how to fully disable single-factor login for RDP?
4 Answers
Have you considered making the password for the Entra ID account really complex? Like, a random 127-character password? This way, the user account could essentially function as a passwordless login. If it’s a hybrid AD account, enabling SCRIL on the account might also help.
You might want to set up a Conditional Access policy targeted at the RDP application to enforce MFA. This could help ensure that MFA is required for those sessions.
If you're logging in with Entra and not getting an MFA prompt, it's likely because your Entra policies aren’t configured to require it. Can you check your Conditional Access policies? If you're just using security defaults, they might not be strict enough. You'll need to create a policy that mandates MFA for every login to this specific resource.
Yeah, this kind of issue pops up a lot. Even with 'Enable MS Entra ID Authentication Enforcement' on, legacy RDP authentication might still let you log in without MFA if the client doesn’t support the web/MFA flow. A common solution is to disable 'Network Level Authentication' for traditional AD logins, or you could apply Conditional Access policies to ensure MFA for RDP sessions.
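A worked version of the Conditional Access approach the answers above recommend, added here as an example that is not part of the original thread. It uses the Microsoft Graph PowerShell SDK to create a policy that requires MFA for the two first-party apps that Entra ID RDP sign-in (the web / WebAuthn flow) authenticates against. The policy display name, the `$breakGlassGroupId` placeholder and the report-only initial state are my assumptions; the app IDs are resolved from the tenant's service principals by display name rather than hardcoded, so nothing here relies on a remembered GUID.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module,
# an Entra ID P1 licence for Conditional Access, and a signed-in admin with the
# Policy.ReadWrite.ConditionalAccess and Application.Read.All delegated scopes.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Assumption: object ID of a group holding break-glass accounts that must never be
# locked out by this policy. Replace with a real group ID before running.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Entra ID RDP sign-in authenticates against these first-party apps. Look them up
# in the tenant instead of hardcoding IDs; warn if one is missing rather than fail,
# since 'Windows Cloud Login' may not appear until it has been used once.
$targetApps = foreach ($name in 'Microsoft Remote Desktop', 'Windows Cloud Login') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -ErrorAction Stop
    if ($sp) { $sp.AppId } else { Write-Warning "Service principal '$name' not found" }
}
if (-not $targetApps) { throw 'No target service principals found; nothing to protect' }

# Policy body in the Graph conditionalAccessPolicy schema. Start in report-only mode,
# review the sign-in log for what it would have blocked, then flip state to 'enabled'.
$policy = @{
    displayName   = 'Require MFA for Entra ID RDP sign-in'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($targetApps) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verify what was stored: the included app IDs should match the ones resolved above.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Apps'; e = { $_.Conditions.Applications.IncludeApplications -join ',' } }
```

Two caveats apply regardless of the policy. Conditional Access only governs sign-ins that go through Entra ID, so a policy like this cannot touch a local administrator account on the server itself; those accounts still need their own controls. Second, leave the policy in report-only mode for a cycle and inspect the sign-in logs before enforcing, and always exclude a break-glass group, because a mistake in the app or user scoping can lock every admin out of RDP at once.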