I’m new to using NPS servers.
I’m trying to secure our RDS deployment with Azure MFA. It appears this requires a minimum of 2 NPS servers; the initial proxy NPS server is installed on the RD Gateway and is configured to point to a central store NPS which is where the NPS extension for Azure AD is installed.
I’ve got this part working now in a test environment, but I’d like to avoid forcing MFA on all users at once, and roll this out more gradually.
Per the documentation, it looks like all the RDS authentication that goes through the NPS server where the extension is installed must be MFA. I thought I could then use the proxy NPS server to direct some users to another backend NPS server for normal AD authentication. I haven’t been able to figure out how to point some users toward a different NPS server based on AD group membership.
How can I configure NPS/RD Gateway to direct users to different NPS servers based on AD group membership?
Or is this only solvable using conditional access policies?