Azure MFA One-time Bypass

JBeaven 31 Reputation points
2020-01-16T14:17:49.197+00:00

I have a question which I haven't been able to find an answer for. Hopefully someone can point me in the right direction…

We use the Microsoft Remote Desktop Gateway to provide remote workers with RDP access to our servers. The Remote Desktop Gateway is configured to use the Azure NPS Extension which forces users to provide a second factor of authentication. Users are enrolled in Azure MFA which is used to provide the second factor of authentication.

I’m interested to know if there exists a one-time bypass option for Azure MFA? On first look, in Azure I can see there appears to be exactly this: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass … but I believe this is limited to Azure MFA Server and not Azure cloud.

This link is to an old article but reinforces what I’ve found: https://social.msdn.microsoft.com/Forums/azure/en-US/c26d093b-8260-4219-83b6-2d986857f286/onetime-bypass-feature-mfa-on-cloud?forum=windowsazureactiveauthentication

My user story is…

A remote worker is enrolled in Azure MFA and uses the Microsoft authenticator app to authenticate RDP connections to the Remote Desktop Gateway.
The remote worker misplaces their mobile device, and therefore cannot provide the second factor to authenticate.
The remote worker cannot connect.
The remote worker requires immediate access.

On other remote access solutions that I have used there has been the option to provide a one-time logon method which bypasses the second factor. Can this be done?

Thanks in advance!

3 additional answers

  1. Dan Rocky Aigens 1 Reputation point
    2020-02-11T09:19:50.617+00:00

    This link describes how to activate one-time bypass specifically from Azure MFA:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings


  2. Russell 1 Reputation point
    2020-04-26T22:10:08.003+00:00

    Just to make this extra clear, the correct answer is no, there is not: you cannot do this with Azure MFA and the Azure NPS Extension, as bypass is only for MFA Server.

    There does need to be some way of setting up the NPS extension to have a local AD group with Bypass users or something for this scenario as Cisco Duo makes this much easier...


  3. Demetri 1 Reputation point Microsoft Employee
    2021-08-23T20:31:18.647+00:00

    There is a newer feature called Temporary Access Pass (TAP) which is available as well: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass.

    While it is not an exact 1-to-1 equivalent of one-time bypass, it offers similar functionality but is more secure, as it requires that the user utilize a temporary passcode to get past MFA.

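An added example, not from this thread, of how an administrator would issue such a pass with the Microsoft Graph PowerShell SDK (assumed installed, signed in with an account that holds a role allowed to manage users' authentication methods, and with the Temporary Access Pass method enabled in the tenant's authentication method policy); the user principal name is a placeholder, and the example covers issuing the pass only, not how the Remote Desktop Gateway sign-in path would consume it.

```powershell
# Added example (not from the thread): issue a Temporary Access Pass (TAP)
# for a locked-out user via Microsoft Graph, constrained to a single use and
# a short lifetime so the break-glass credential cannot linger.
# Assumes the Microsoft.Graph PowerShell SDK and a suitably privileged account.

param(
    # Placeholder; replace with the real UPN of the user who lost their device.
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LifetimeMinutes = 60
)

# Delegated scope needed to create authentication methods for other users.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

$body = @{
    lifetimeInMinutes = $LifetimeMinutes   # keep short: the pass is a password-equivalent secret while valid
    isUsableOnce      = $true              # single use: consumed on the first successful sign-in
    startDateTime     = (Get-Date).ToUniversalTime().ToString('o')   # valid from now
}

$uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName/authentication/temporaryAccessPassMethods"
$tap = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body

# The secret is returned only in this response. Hand it to the user out of band
# over a channel where you have verified their identity, never via the device they lost.
Write-Host "TAP for $UserPrincipalName (starts $($tap.startDateTime), $($tap.lifetimeInMinutes) min, single use):"
Write-Host $tap.temporaryAccessPass

# Issuance is recorded in the Entra audit logs. To revoke the pass early:
# Invoke-MgGraphRequest -Method DELETE -Uri "$uri/$($tap.id)"
```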