Question

jbeaven asked · 1 Vote

Azure MFA One-time Bypass

I have a question which I haven't been able to find an answer for. Hopefully someone can point me in the right direction…

We use the Microsoft Remote Desktop Gateway to provide remote workers with RDP access to our servers. The Remote Desktop Gateway is configured to use the Azure NPS Extension which forces users to provide a second factor of authentication. Users are enrolled in Azure MFA which is used to provide the second factor of authentication.

I'm interested to know if there exists a one-time bypass option for Azure MFA? On first look, in Azure I can see there appears to be exactly this: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#one-time-bypass ...but I believe this is limited to Azure MFA Server and not Azure cloud.

This link is to an old article but reinforces what I've found: https://social.msdn.microsoft.com/Forums/azure/en-US/c26d093b-8260-4219-83b6-2d986857f286/onetime-bypass-feature-mfa-on-cloud?forum=windowsazureactiveauthentication

My user story is:

A remote worker is enrolled in Azure MFA and uses the Microsoft authenticator app to authenticate RDP connections to the Remote Desktop Gateway.
The remote worker misplaces their mobile device, and therefore cannot provide the second factor to authenticate.
The remote worker cannot connect.
The remote worker requires immediate access.

On other remote access solutions that I have used there has been the option to provide a one-time logon method which bypasses the second factor. Can this be done?

Thanks in advance!

Tags: azure-active-directory, azure-ad-connect, azure-ad-multi-factor-authentication

Comment:

Hi there,
Would it be possible to make a group that does not require MFA?
Also... is it only possible to use the auth app, and not phone call or text, in this solution?
Sorry for bumping into your question..

0 Votes

michev answered · 0 Votes

One-time bypass only applies to MFA server installs, not Azure MFA. You can configure it here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/OneTimeBypass/fromProviders/


DanRockyAigens-8597 answered · 0 Votes

This link describes how to activate one-time bypass specifically from Azure MFA:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings


Russell-4042 answered · 0 Votes

Just to make this extra clear: the correct answer is no, there is not. You cannot do this with Azure MFA and the Azure NPS Extension, as bypass is only for MFA Server.

There does need to be some way of setting up the NPS extension to have a local AD group with bypass users, or something similar, for this scenario, as Cisco Duo makes this much easier...

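Since the thread concludes that the NPS extension offers no per-user one-time bypass, the setting a defender should audit instead is the extension's `REQUIRE_USER_MATCH` registry value, which governs the only "let them through without MFA" behaviour the extension has: with the default of TRUE, a user who is not enrolled in Azure MFA is rejected; with FALSE, such a user is allowed in on password alone. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes it runs on the NPS server that hosts the Azure MFA NPS Extension; the registry path `HKLM:\SOFTWARE\Microsoft\AzureMfa` and the value name `REQUIRE_USER_MATCH` are taken from Microsoft's NPS extension documentation, and treating an absent value as TRUE is an assumption based on the documented default.

```powershell
# Added example: audit whether the Azure MFA NPS Extension is configured to let
# unenrolled users through on password only (REQUIRE_USER_MATCH = FALSE).
# Assumes it runs on the NPS server with the extension installed.

function Get-NpsMfaUserMatchSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'   # documented extension key

    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{
            Present = $false
            Value   = $null
            Finding = 'NPS extension registry key not found; is the extension installed here?'
        }
    }

    $raw = (Get-ItemProperty -Path $key).REQUIRE_USER_MATCH

    # Assumption: a missing value behaves like the documented default of TRUE.
    $effective = if ([string]::IsNullOrEmpty($raw)) { 'TRUE' } else { "$raw".ToUpperInvariant() }

    $finding = if ($effective -eq 'FALSE') {
        'Users not enrolled in Azure MFA are accepted with password only; set to TRUE unless this is an intentional, documented exception'
    } else {
        'OK: unenrolled users are rejected, no standing bypass'
    }

    [pscustomobject]@{
        Present = $true
        Value   = $effective
        Finding = $finding
    }
}

# Usage: run elevated on the NPS server and review the Finding field.
Get-NpsMfaUserMatchSetting | Format-List
```

The point for the scenario in the question is that flipping this value to FALSE as an emergency workaround for a user who lost their phone would also silently remove MFA for every unenrolled account, so it is worth checking periodically that it still reads TRUE.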