Implement on premise sign in to computers and servers to use MFA with Azure AD License

Cochran, Adam 1 Reputation point
2021-12-29T19:32:52.08+00:00

We have several clients all using DUO for on-premise MFA. Now many are buying Microsoft 365 Business Premium, which includes the license for MFA with Office 365, and asking if they can get rid of DUO. So I'm looking for related documentation or a how-to on setting up all on-premise computers and servers to require MFA at sign on to Azure AD with conditional access. I believe this is possible with a NPS\Radius server but I'm not seeing any good reference articles.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2021-12-30T07:58:55.613+00:00

    Hi @Cochran, Adam • Thank you for reaching out.

    As of now, MFA is not supported at the time of login to Windows locally.

    You can however require MFA when you are RDP'ing to a Windows device. For this purpose, you need to have a Remote Desktop Gateway server, NPS Server, Users synced from local AD to Azure AD, and NPS Extension installed. You can require users to perform MFA when they establish an RDP connection via RD Gateway.

    Read more: Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD

    If you want MFA at the time of login to Windows locally, I would suggest you keep using DUO as of now.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.