I hope someone can help guide me here!
We have an RDS environment and introduced Azure MFA and built it successfully using the following guide: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
The issue I have, is we need to be able to have the chance to bypass users from having to supply MFA in the event of them not having their mobile device. My understanding is that any sort of request that hits the NPS server with the MFA extension installed is prompted for MFA regardless.
I did come across this page at Microsoft (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#control-radius-clients-that-require-mfa) where it states, “If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.”
Unfortunately, I’ve not seen any guide on how to achieve this.
Since then I have created another NPS server (without the extension, called Server A) and I have Server B (NPS with the MFA extension). I have managed to get our Remote Desktop Gateway to send its authentication request to Server A. There’s a network policy that allows a user to log in if they’re part of a ‘Bypass MFA’ AD security group. What I would like to happen is that if someone is part of a different AD security group (e.g. MFA), Server A then forwards the request to Server B for it to handle the authentication with MFA.
When creating a new Connection Request Policy on Server A, I just cannot see a condition in the list available that would allow me to direct the request to Server B to handle MFA, and this is where I am stuck.
Is it possible for an NPS server to effectively relay the authentication request to another NPS server based on a user’s security group membership? Or am I going the wrong way to achieve this?
Any help would be greatly appreciated! Happy to provide any screenshots if required. Thanks for reading :)