If your current RDS deployment is reachable from the internet with just a username and password, it relies on single-factor authentication. That makes the RD Gateway an easy target for brute-force and password-spray attacks: an attacker can try passwords against any account that is a member of the authorized RDS group, and a spray that tries one common password across many accounts stays below per-account lockout thresholds. Placing the gateway behind an Azure Firewall or an on-premises firewall mitigates only part of this. Threat-intelligence filtering blocks traffic from IP addresses already known to be malicious; an attacker coming from fresh infrastructure with a valid stolen password looks exactly like a legitimate user.
Azure MFA for Remote Desktop Services enhances security, reduces the risk of unauthorized access, and helps organizations meet compliance requirements while providing users with a flexible and user-friendly authentication experience.
Azure Multi-Factor Authentication (MFA) offers several benefits when used with Remote Desktop Services (RDS). Some of the key benefits include:
- Enhanced Security: Azure MFA adds an extra layer of security by requiring users to provide additional authentication factors beyond just a username and password. This helps protect RDS resources from unauthorized access, especially in cases where usernames and passwords may be compromised.
- Protection Against Credential Theft: By requiring a second factor, such as a mobile app notification, phone call, or text message, Azure MFA mitigates the impact of credential theft. Even if an attacker obtains a user's password, they still need the second factor to authenticate. Prefer the Microsoft Authenticator app (push with number matching, or a time-based one-time code) over SMS and voice calls, which are exposed to SIM-swap and interception attacks.
- Flexibility: Azure MFA supports multiple authentication methods, including phone calls, text messages, mobile app notifications, and hardware OATH tokens. Users can choose the method that fits them, and hardware tokens keep MFA available for users without smartphones or mobile data. Restrict the weaker methods by policy rather than leaving every method enabled by default.
- Conditional Access Policies: Azure MFA integrates with Microsoft Entra ID (formerly Azure AD) Conditional Access policies to enforce additional requirements based on conditions such as user location, device compliance, or application sensitivity, so access controls can be tailored to the organization's risk. For example, a policy can skip the MFA prompt when the user connects from a named office location identified by its public IP address. When MFA is enforced through the NPS extension, the RADIUS request is evaluated by NPS network policies first; verify in current Microsoft documentation which Conditional Access controls apply to that path before relying on a Conditional Access exemption.
- Compliance Requirements: Many regulatory standards and compliance frameworks, such as PCI DSS and HIPAA, require the use of multi-factor authentication to protect sensitive data and systems. Implementing Azure MFA for RDS helps organizations meet these compliance requirements.
- Centralized Management: MFA methods and policies are managed centrally in the Azure portal or Microsoft Entra admin center, while RDS access itself is governed by the Remote Desktop Connection Authorization Policies (RD CAPs) held on the central NPS server. Together these give administrators visibility and control over authentication policies, the Active Directory groups that grant RDS access, and security settings across the organization's RDS environment.
The NPS extension for Microsoft Entra multifactor authentication lets you protect the authentication of Remote Authentication Dial-In User Service (RADIUS) clients, such as an RD Gateway, with Azure's cloud-based MFA. The RD Gateway forwards the logon as a RADIUS request to the central NPS server; NPS first validates the user's credentials against on-premises Active Directory and evaluates its network policies, and only then does the extension trigger the second factor against Microsoft Entra. This adds a second verification step to every user sign-in made over RDP (Remote Desktop Protocol) through the gateway. Note that the user must already be registered for MFA in Entra; the extension does not enrol users at logon time.
The following prerequisites must be in place to integrate Microsoft Entra ID (formerly Azure AD) with the RD Gateway logon process:
- Remote Desktop Services (RDS) infrastructure - if you have a working environment today you already have this. The deployment creates the required groups and several of the role services below.
- Remote Desktop Gateway role service - you should already have this.
- Remote Desktop Web Access - usually optional, but you will need it here.
- Microsoft Entra multifactor authentication licence - included in Microsoft Entra ID P1/P2 and in the Microsoft 365 plans that bundle them; verify that your subscription covers the users who will sign in through the gateway.
- Network Policy and Access Services (NPS) role - install this on a separate server, not on the RD Gateway itself, because the gateway uses its local NPS to forward requests to this central server. A domain controller or the Microsoft Entra Connect server will work, but putting NPS on a domain controller widens the attack surface of your most sensitive host; a dedicated member server is the safer choice.
- Microsoft Entra Connect synced with on-premises Active Directory - this must be working without errors, and some additional attributes must be synced to Entra ID.
- Microsoft Entra tenant ID - a GUID shown in the Entra admin center or Azure portal; the extension's setup script prompts for it.
- NPS extension for Microsoft Entra multifactor authentication - downloaded from Microsoft.
- RDS licences (RDS CALs).
- Central RD CAP store - in RD Gateway Manager, point the Connection Authorization Policy store at the central server running NPS; you will need to configure this.
Need help setting up Azure AD / Entra ID for RDS? We can help you!
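Before running Microsoft's setup script, it is worth confirming the prerequisites above on the server that will host NPS and the extension. The PowerShell below is an added example written for this page, not Microsoft's own code. It is read-only and must run as an administrator. Assumptions are marked in the comments: the tenant ID you paste in, the extension's registry key `HKLM:\SOFTWARE\Microsoft\AzureMfa` and certificate subject as described in Microsoft's troubleshooting guidance, the uninstall display name containing "NPS Extension", and the two outbound endpoints listed in Microsoft's firewall requirements at the time of writing.

```powershell
# Added example: read-only prerequisite check for the NPS + Entra MFA extension host.
# Run elevated on the server that will hold the central RD CAP store.
$tenantId = 'REPLACE-WITH-YOUR-TENANT-ID'   # assumption: your Entra tenant ID (a GUID)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Roles on this host. NPAS = Network Policy and Access Services.
$npas = Get-WindowsFeature -Name NPAS
Add-Check 'NPS role installed' $npas.Installed $npas.InstallState.ToString()

# The extension must not sit on the RD Gateway itself: the gateway's local NPS
# forwards RADIUS requests to this central server.
$rdg = Get-WindowsFeature -Name RDS-Gateway
Add-Check 'Not co-located with RD Gateway' (-not $rdg.Installed) ("RDS-Gateway installed: {0}" -f $rdg.Installed)

# 2. NPS service running (the service name is IAS for historical reasons).
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
Add-Check 'NPS service running' ([bool]$svc -and $svc.Status -eq 'Running') ("Status: {0}" -f $svc.Status)

# 3. Extension installed (assumption: uninstall DisplayName contains 'NPS Extension').
$ext = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*NPS Extension*' }
Add-Check 'MFA NPS extension installed' ([bool]$ext) ($ext.DisplayName -join '; ')

# 4. Tenant ID is a well-formed GUID; the setup script prompts for exactly this value.
$parsed = [guid]::Empty
$isGuid = [guid]::TryParse($tenantId, [ref]$parsed)
Add-Check 'Tenant ID is a GUID' $isGuid $tenantId

# 5. Extension configuration key (assumption: HKLM\SOFTWARE\Microsoft\AzureMfa).
$cfg = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -ErrorAction SilentlyContinue
$cfgText = ($cfg.PSObject.Properties | Where-Object Name -notlike 'PS*' |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
Add-Check 'Extension registry config present' ([bool]$cfg) $cfgText

# 6. Client certificate created by the setup script in LocalMachine\My
#    (assumption: subject contains the tenant ID and 'NPS Extension'). Warn early on expiry.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$tenantId*" -and $_.Subject -like '*NPS Extension*' }
$certOk = [bool]($cert | Where-Object { $_.NotAfter -gt (Get-Date).AddDays(30) })
$certText = ($cert | ForEach-Object { "$($_.Thumbprint) expires $($_.NotAfter.ToShortDateString())" }) -join '; '
Add-Check 'Extension cert present, >30 days to expiry' $certOk $certText

# 7. Outbound HTTPS to the endpoints the extension calls
#    (assumption: list taken from Microsoft's firewall requirements; re-check current docs).
foreach ($h in 'login.microsoftonline.com', 'adnotifications.windowsazure.com') {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Check "TCP 443 to $h" $t.TcpTestSucceeded ("RemoteAddress: {0}" -f $t.RemoteAddress)
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it once before installing the extension (checks 3, 5 and 6 are expected to fail at that point) and again afterwards, when every row should pass. A failing "Not co-located with RD Gateway" row means you are on the wrong server; fix that before anything else, because an extension installed on the gateway will break the gateway's own RD CAP evaluation.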