Securing the RDP connection using Azure MFA for Windows 2012/2012 R2/2016 with RD Gateway and NPS server

Hello All,

Ahmad Yasin

In my previous articles we explained step by step how to secure remote access (RDP connections) using Azure Multi-Factor Authentication (MFA). At that time we mentioned that the same procedure could only be applied to Windows 2012 and earlier, and that it is not supported on Windows 2012 R2 and above.

You can review the previous articles using below links:

Part 1:

Part 2:

Part 3:

Today in this article we will walk through the steps to secure the RDP connection to Windows 2012 R2 and above. I found many articles on the internet that describe the procedure and followed a lot of them with no luck.

We found multiple public articles which described this deployment. Unfortunately, we followed these articles and it never worked, so I collaborated with my colleague “Lucian Busoi” to find the missing steps in these articles. Finally we found them, and I will summarize all the required steps in this article. Thanks Lucian for this help.

“Other public articles may have assumed that the missing steps are something the reader should know by default.”

To simplify the scenario, let’s summarize the components required for this deployment:

1- A Windows 2012 R2/2016 machine which will be used to set up the stand-alone MFA server, which performs the MFA authentication with the Microsoft back-end service.

2- A Windows 2012 R2/2016 machine which will be used to install and deploy the RD Gateway and NPS roles. To simplify the concept, think of this server as an intermediary between the target server and the MFA server: when the user tries to connect to the target server using RDP, the traffic actually reaches the gateway server first; after the gateway server verifies the domain credentials it forwards the request to the MFA server to perform the second-factor authentication, and if the MFA challenge passes the user is allowed to access the target server.

3- The target server(s) which you need to access through RDP, for example Windows 2012 R2 or 2016 machines.

Before starting the implementation, let’s first explain the concept. For the MFA server, as we already know, we need this machine in order to deploy the MFA server. Deploying the MFA server is an easy process, but in order to download the MFA setup package from the Azure portal you need a license that allows you to deploy the stand-alone MFA server. You need one of the following licenses:

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

One important thing I noticed is that many customers tried to follow the MS article to deploy the stand-alone MFA server, as described in the article below:

Some customers got stuck in the above article at the “Create a Multi-Factor Auth Provider” step, as they don’t have this option in their Azure tenant even though they have a valid license for MFA. At this point they stop deploying MFA and start complaining about this. HEADACHE !!

If you don’t see the option to create the MFA provider, then a default MFA provider is already set up for your tenant, assuming that you have a valid license.

To access the MFA provider, you need to follow below steps:

Log in to the portal with a global administrator user, then from the left pane select “Azure Active Directory” as below:

Then click on the “Users and Groups” option as below:

Now, make sure to select the “All Users” option, then click on the “Multi-Factor Authentication” option as below:

The MFA page will appear as below. Make sure to click on the “Service Settings” option, then at the bottom of the page click on the “Go to Portal” option as below:

Note: if the “Go to the portal” option doesn’t appear, this usually means that you don’t have a valid license for the stand-alone MFA deployment, or that you didn’t assign an MFA license to any user.

Finally, you will find the option to download the stand-alone MFA server as below:

In this article we will assume that the MFA server is already deployed, as we discussed this in detail in my previous article:

For now, we have a stand-alone MFA server already deployed but not configured yet.

Let’s move to the second component, which is the Gateway/NPS server, and go a little deeper from a technical perspective. The most important question is why this component is required in this deployment. To answer it, let’s try to understand the flow in GW/NPS with MFA:

I drew the above diagram (not professional in drawing 🙂 ) to demonstrate the concept and functionality of the GW/NPS server. Let’s summarize the flow using the numbers in the diagram:

1- The user tries to access an on-premises resource through the gateway; at this stage the user credentials are sent to the gateway server.

2- The gateway forwards the request to the MFA server; at this stage the credentials provided by the user are not validated yet.

3- Since the credentials are still not validated, the MFA server forwards the request to the NPS server, asking it to verify the credentials before moving forward and starting the MFA process.

Note: in our demo, the Gateway and NPS are the same server.

4- Now NPS verifies the user credentials against the local Active Directory. Depending on the response from local AD, NPS responds to the MFA server: if the user credentials are correct, NPS receives an accept response from local AD; otherwise NPS receives a reject response from local AD, which denies the user access to the resource. Note that if NPS gets a reject message from local AD then MFA will not be processed, which makes sense, as there is no need to apply the second-factor authentication if the credentials (first-factor authentication) are wrong.

Note: when we say an “Accept” or “Reject” message, this does not mean that AD literally sends an Accept or Reject message; we are only simplifying the process.

5- In case of an Accept response from AD, NPS sends the request back to the MFA server with an Accept message.

6- The MFA server performs the second-factor authentication by challenging the user with an MFA challenge; for example, it may call the user’s phone or send a notification to the Microsoft Authenticator app.

7- The MFA server sends the result of the MFA challenge back to the RD Gateway.

8- If the MFA challenge passed, the RD Gateway evaluates the request against the Resource Authorization Policies (RAP) and checks whether the user is allowed to access the resource or not.

9- If the user is allowed to access the target resource, the RD Gateway allows the connection; otherwise the user is rejected.


To summarize the above, for a user to successfully access the resource, three major conditions should be met:

1- The user’s credentials should be correct and accepted by the local Active Directory.

2- The user should pass the MFA challenge.

3- The user should be allowed to access the resource based on the RAP policies.

Now that we understand the purpose of each component, let’s start the implementation. To do that I have the servers below:

1- Windows 2016 machine for MFA deployment, IP:

2- Windows 2016 for gateway and NPS deployment, IP:

3- Target resource; it may be Windows 2016, 2012 R2 or 2012.

Theoretically, earlier versions of the target resource such as Windows 2008 R2 should work using the procedure in this article, but I didn’t test this, so no guarantee.

As mentioned before, the installation of the MFA server is an easy process, and I already discussed it in my previous posts. If you are not familiar with how to install the MFA server, please follow my previous article:

Now, let’s go to the implementation of the gateway/NPS server. First of all, the RD Gateway is a Windows role, which means you can deploy it without the need for any external package. You can deploy it using Server Manager: open the “Add Roles and Features Wizard” from Server Manager, then click Next on the first page as below:

Now, choose the “Role-based or feature-based installation” option and click Next:

Choose the right server and click Next:

Choose the “Remote Desktop Services” option only and click Next. Don’t choose NPS from here, as it will be added automatically by the wizard later on:

Now, once you reach the Role Services tab, choose the “Remote Desktop Gateway” option. A new dialog box will appear asking you to install other related roles/features, including NPS, as below:

Click Add Features to add all the required features, including NPS:

Now, keep clicking Next till you reach the Role Services tab again. Make sure that the “Network Policy Server” option is selected, then click Next:

Finish the wizard by clicking Install and wait till the installation finishes:

The installation of the Gateway and NPS services is finished as below:

At this step we have two servers: the first one is the MFA server and the second one is the Gateway/NPS server. Now let’s go through the configuration part.

First of all, let’s configure the GW/NPS server. To do that, from Server Manager launch the Remote Desktop Gateway Manager as below:

From the RD Gateway console, right-click on the server name and choose Properties as below:

Now, click on the “RD CAP Store” tab, then select the “Central server running NPS” option, enter the IP (or the name) of the MFA server, then click the Add button as below:

A new window will appear asking you to enter a shared secret key. Enter any key you want and click OK:

Note: this shared secret key will be used later on in the MFA configuration; let’s call it the GATEWAY SECRET KEY.

After adding the MFA server successfully, click OK:

Now, open the NPS console from Server Manager as below:

Choose “Remote RADIUS Server Groups”, then right-click on “TS GATEWAY SERVER GROUP” and choose Properties, or double-click it, as below:

Make sure that the IP of the MFA server appears under the General tab, select it and click on the Edit button as below:

Click on the Load Balancing tab and increase the highlighted values to avoid any timeout issues; I prefer to set these values to 60 seconds or more:

Now, let’s create a RADIUS client. To do that, from the NPS console right-click on the RADIUS Clients option and choose New as below:

Make sure to check “Enable this RADIUS client” and enter any friendly name you want. Keep in mind that this name must be used exactly in a later step, so choose a name and write it down. You also need to fill in the IP (or name) of the MFA server and finally choose a new shared secret. Remember that this secret key will also be used in the MFA configuration later on, so let’s call it the NPS SECRET KEY. Once finished, click the OK button as below:

Now let’s create two policies which will be used to forward requests to and receive requests from the MFA server. The easiest way to do that is to duplicate the default policy “TS GATEWAY AUTHORIZATION POLICY” as below:

Now, rename both policies exactly as they appear below and make sure that both policies are enabled; the “Processing Order” is very important here:

Right-click on the first policy, which is called “From MFA”, go to the Conditions tab and click the Add button as below:

Choose the Client Friendly Name option, then click the Add button as below:

This will ask you for the name of the RADIUS client. You SHOULD use the same name you used when you created the RADIUS client in one of the previous steps; if you remember, we used MFA as the name of the RADIUS client, so we should use the same name here, as this specifies from which RADIUS client NPS will receive the requests:

Now in the same policy, go to the Settings tab, and under Authentication make sure to select the “Authenticate requests on this server” option as below:

Under the Accounting tab, make sure to remove the check from the “Forward accounting requests ….” option as below:

Now, in the other policy, which is called “To MFA”, under the Settings tab verify that Authentication has the option to forward the request to the TS GATEWAY SERVER GROUP as below:

Under Accounting, make sure that “Forward accounting requests ….” is selected as below:

Under the Conditions tab, you should have only “NAS Port Type” as a condition as below:

Just to verify the above settings, both policies SHOULD have the configurations below. Click on the first one and check the configuration:

Now click on the second policy and check the configuration:

Now, we still have three steps to do before finalizing the configuration of the Gateway/NPS. As far as my search goes, I didn’t find these steps in any public article related to this topic, so make sure to do the steps below.

The first one: as we mentioned in step 8 of the flow diagram of GW, NPS, AD and the MFA server, if the user responds to the MFA challenge successfully, the MFA server sends the request back to the Gateway, and the Gateway then validates whether the user is allowed to access the target resource based on the RAP policies. DO YOU REMEMBER THAT 🙂

If we open the RD Gateway console, under the Resource Authorization Policies (RAP) tab we will not see any policy. This is by default, as installing the gateway role alone will not create any default RAP, so if you miss this step no user will be allowed to access any internal resource, even if the user responds to the MFA challenge successfully:

So we need to create a new policy which defines who is allowed to access and what they can access. To do that, right-click and choose “Create New Policy” using the wizard for simplicity as below:

Choose “Create only a RD RAP” then click Next as below:

Give the policy a friendly name and click Next:

Here you need to decide which group will have access. I created a group in my AD called “Home Users”; add the groups you need to grant access to, then click Next:

Here you have the option to decide which resource(s) can be accessed by the groups you selected in the previous step. For simplicity I will allow the group to acc

You can also decide to allow the connection on specific ports only; in this demo I will allow any port for simplicity as below:

Note: in production environments you need to select these options based on your company requirements. Choosing the options the way I did may be a security concern for others. BE CAREFUL !

Finally, click Finish as below:

The policy should complete successfully as below:

The new policy will appear in the Gateway console:

The second important thing: by default NPS has a network policy that denies all requests, as below, and this policy is enabled by default:

Double-click on the policy; you can see that the policy denies all connections and ignores the user account dial-in properties:

Each user in AD has a dial-in property on the user account. By default this option leaves it to NPS to decide whether to allow the user access or not, as in the snapshot below from my AD:

Even if you try to change the option in AD to Allow Access, this will have no effect, as the default NPS policy is to ignore this value from AD.

Now we need to change the option to Grant Access as below. Again, if you miss this step no users will be able to access any resource through the gateway:

Now you should see that the policy has Grant Access as the access type as below:

The third important step is that we need to configure the RD Gateway certificate. I am using a public certificate; I think you can use a private certificate from your internal CA, but you need to make sure that the client machine trusts the CA certificate. Based on my testing, if you don’t configure the gateway certificate the external connection to the gateway will not work; also, if you decide to use the IP of the GW instead of the name it will not work either, as we will see in the testing part.

To configure the certificate, open the gateway console and choose the properties of the server name as below:

Under the Certificate tab, select the option to import the certificate and continue the process. From the snapshot below you can notice that I am using a public certificate issued by DigiCert; you can also see that my certificate is a wildcard, so I can access the Gateway using any name ending with my domain name in the format of: . If you don’t use a wildcard certificate, then make sure that the name which will be used to publish the Gateway externally is included in the certificate SAN:
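The same Gateway/NPS-side settings (the RADIUS client for the MFA server, the missing RAP, and the gateway certificate binding) can be scripted. The block below is an added example written for this article, not the author’s own or Microsoft’s code; the IP, group, certificate subject and policy names are assumed placeholders, and the RD CAP store entry and the NPS policy changes are still done in the consoles as the screenshots show.

```powershell
# Added example (not from the original article): PowerShell equivalents of the
# RD Gateway / NPS steps above. Run on the Gateway/NPS server as administrator.
# Every name, address and secret below is an assumption; replace with your own.

$MfaServerIp  = '10.0.0.5'             # stand-alone MFA server (assumed address)
$RadiusClient = 'MFA'                  # must equal the Client Friendly Name in the "From MFA" policy
$NpsSecretKey = Read-Host 'NPS SECRET KEY (same value entered on the MFA server RADIUS target)'
$RapUserGroup = 'Home Users@contoso'   # RDS: drive uses "<group>@<domain>" (assumed domain)
$CertSubject  = 'CN=*.contoso.com'     # gateway certificate already in LocalMachine\My (assumed)

# 1. Roles: RDS-Gateway pulls in NPS (NPAS) as a dependency, exactly like the wizard.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools | Out-Null

# 2. RADIUS client for the MFA server in NPS (the "RADIUS Clients > New" step).
New-NpsRadiusClient -Name $RadiusClient -Address $MfaServerIp -SharedSecret $NpsSecretKey

# 3. RAP: the gateway role creates none, so without this nobody gets through
#    even after a successful MFA challenge.
Import-Module RemoteDesktopServices
# ComputerGroupType 2 = "allow users to connect to any network resource", which is
# the demo choice in the article; in production point it at a gateway-managed
# computer group (type 0) or an AD computer group (type 1) instead.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'MFA-Users-RAP' `
    -UserGroups $RapUserGroup -ComputerGroupType 2 | Out-Null

# 4. Bind the gateway SSL certificate by thumbprint (the "Certificate" tab).
#    The subject/SAN must be the name clients will use for the gateway; the
#    public IP will fail the certificate check, as the article's test shows.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with subject $CertSubject in LocalMachine\My" }
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 5. Read back what was configured so it can be checked against the screenshots.
Get-NpsRadiusClient | Where-Object Name -eq $RadiusClient | Format-Table Name, Address
Get-ChildItem 'RDS:\GatewayServer\RAP' | Select-Object Name
Get-Item 'RDS:\GatewayServer\SSLCertificate\Thumbprint' | Select-Object CurrentValue
```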

Now the last thing we need to do is to configure the MFA server. To do that, launch the MFA console and go to the “RADIUS Authentication” tab as below, make sure that “Enable RADIUS Authentication” is checked, then click the Add button:

As you can see from the snapshot below, authentication and accounting use specific ports; if there is any network device blocking these ports you need to allow them.

Add the IP of the Gateway server, give any friendly name in the Application Name field, then enter the shared secret key. The key used here SHOULD match the one we configured in the gateway console (we called it the GATEWAY SECRET KEY, if you remember). Finally click OK:

Now, from the Target tab, choose the RADIUS Server(s) option and click Add as below:

You can see that there is a Server Timeout option; I recommend increasing it to 45 seconds to avoid any timeout in the MFA process. I forgot to do this in my lab.

Again, add the IP of the NPS server (in our case the same IP as the GW) and enter the shared secret key; again, this should match the secret key we used in the NPS configuration, which, if you remember, we called the NPS SECRET KEY:

Now, to test this, we need to configure a test user. To do that we need to add the user to the MFA console. There are multiple ways to do that; I prefer the easiest one: just go to the Users tab, then click Import from Active Directory:

Find the user and add it as below. In my example I will add a user called “Mohamad”, then click Import as below:

Now, choose the user from the MFA console and click Edit. Make sure that the user has a valid phone number; if the value is incorrect or empty you can fill it in from MFA directly, as usually it is supposed to import this info from local AD. Fill in the country code, phone number and MFA method, and finally make sure to enable the user, then click Apply as below:

From the MFA console, under the Users tab, verify that the user exists and is configured as below:

Now the final part is testing. To test this I will access a target server using an RDP connection; the private IP of the target server is , and from my machine, which is located outside the servers’ network, I will launch MSTSC /Admin. In the Computer field I will enter the private IP of the destination server as below:

Now, from the Advanced tab, click on the Settings button as below:

Choose the “Use these RD Gateway server settings” option, enter the name of the RD Gateway server that is accessible externally as below, then click OK:

Here there is a very important note: based on my testing, you cannot enter the public IP of the gateway, because the connection will fail with a certificate error, as we discussed earlier in this article and as appears below. Maybe there is another way to configure it, but at least this is what I found in my lab:

You can see that in my connection I used , which points to the public IP of my Gateway server; as we mentioned before, since I have a wildcard certificate this name is covered by my certificate.

Now enter the credentials, then click OK as below:

Based on the policy that we created in the previous steps, only users who are members of the Home Users group will be allowed to access the gateway. The user Mohamad is already a member of this group as below:

Now the connection starts:

Finally, I got the MFA challenge on my mobile as in the snapshot below; it asks me to press the # key to continue:

Once I responded to the MFA challenge successfully, the connection was allowed as below:

For example, if I don’t respond to the MFA challenge, the connection is denied as below:

As a conclusion, in this article we covered the implementation of securing the RDP connection with Azure MFA using a gateway/NPS server. In the next article we will discuss some very common issues, and we will also discuss how to troubleshoot the issues related to this deployment, starting with reading the gateway and NPS logs and ending with understanding the MFA logs.
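The MSTSC test above (target private IP plus “Use these RD Gateway server settings”) can be saved as a connection file so the check is repeatable from any external client. This is an added example, not part of the original article; the gateway FQDN and target address are assumed placeholders, and the gateway name must be one covered by the gateway certificate, never its public IP.

```powershell
# Added example (not from the original article): write the same test connection
# as an .rdp file and launch it, instead of filling the MSTSC dialogs by hand.
# 'rdgw.contoso.com' and '10.0.0.20' are assumed placeholders.

function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $GatewayFqdn,    # name in the certificate SAN
        [Parameter(Mandatory)] [string] $TargetAddress,  # private IP or name of the target server
        [Parameter(Mandatory)] [string] $Path
    )
    $lines = @(
        "full address:s:$TargetAddress"
        'administrative session:i:1'     # same as running mstsc /admin
        "gatewayhostname:s:$GatewayFqdn"
        'gatewayusagemethod:i:1'         # 1 = always use these RD Gateway settings, no local bypass
        'gatewaycredentialssource:i:0'   # 0 = prompt for password (NTLM) at the gateway
        'gatewayprofileusagemethod:i:1'  # 1 = use the explicit gateway settings above
        'authentication level:i:2'       # 2 = warn if the target server certificate cannot be verified
        'prompt for credentials:i:1'
    )
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

$rdp = New-GatewayRdpFile -GatewayFqdn 'rdgw.contoso.com' -TargetAddress '10.0.0.20' `
                          -Path (Join-Path $env:TEMP 'mfa-gateway-test.rdp')

# Expected sequence, matching the article: credential prompt, then the MFA call or
# app notification, and only after a successful challenge the target desktop.
# A gateway name that is not covered by the certificate fails here with the
# certificate error described above.
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdp`""
```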

Stay Tuned 🙂

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the owner & publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.



  1. hi Ahmad,

    thanks for your amazing article and steps, but i have multiple questions if you can help

    1. when you configure RDG with MFA Server, SMS Verification not work- you receive the message on the phone but there are no pop up appear to enter the Code
    if you use Mobile verification its work

    2. there are a delay when you are connection to Server using RDG and this delay very strange, i see some links so please Check the below

    3. if you have experience on NPS Role- as you know if any customer has MFA Server he will try to use with all his applications – as example having VPN and RDG together
    VPN need to use windows domain in primary authentication and RDG need RADIUS target as MFA will work as Radius Proxy
    do you know how i use NPS for VPN as well. without changing VPN to LDAP

    Appreciate your feedback

    • Hello Alaa,

      Thanks dude for ur feedback, for sms yes its not supported, only phone call and notifications by app.

      Regarding point 2 and 3, will check it tomorrow as i am replying from my mobile now 😉

  2. Hello, can you elaborate more on (example i am trying to connect to machine A)
    how A is configured to get rdp requests through rdp gateway?
    how the users allowed to rdp A are managed?
    i don’t want to add all the users to home users OU and import it. i would like to set up as below

    user 1&2 have rdp access to server A and user 3&4 have access to server B.

    not i would like user 1&2 and 3&4 to have access on respective servers. and rdp requests to server A and B should go through RDP gateway automatically. if there is user 5 who has not been allowed on server A or B should not be able to access any server even he has been imported in users tab on MFA.

    any help?

  3. Hello Ahmed,

    Thanks for great article. I did all steps mentioned in the article but when test to connect, I receive message : Remote desktop can’t connect to the remote computer for one of these reasons (same message you showed before

    for the certificate: I used internal CA and cert name is the same RDP server name. For example if domain name is abc.local and RDP server name is “RDP” so the cert name is “”

    Any ideas?

  4. Hello Ahmed,

    now I am able to using MFA for RDP as per steps above. But after Authentication, it asks me for user and password again. Do you have any idea how to allow adding user and password only once.

  5. Great work Ahmad, much appreciated! I was just thinking, Microsoft needs to change the way they write documentation, most of their “Help” is quite useless (i.e. not intuitive it seems), their documentation team needs to adopt the walk-through approach.

  6. Thanks for this – really helpful in closing the gaps with the official documentation, and I agree fully with other comments about Microsoft documentation not being helpful (or complete) in many places.

    I have a specific question about the users. If the user is not imported into the MFA Server, can they authenticate without MFA, or are they denied access entirely?

  7. I am getting event ID 201

    Unable to connect

    I have configured it in 2016 Server

    The user “Clab\test.user-v”, on client computer “”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

    Please let me know how to fix it

  8. Hi Ahmad,
    Everything worked perfectly using your guide.
    But now I have a question – How do connect in this system one more machine?
    I’m pretty new in this kind of things, so this is really hard.
    But guide is perfect, thank you!

    • if i understood your question, then you need to force this maybe using group policy and block all direct connection to servers from client side, only allow it through gateway

    • Hello Ruslan/Ahmad,
      I am facing the same issue like you, can you please share the resolution steps performed at your end. It will help me to fix my issue.

  9. hi all
    as long as you are not able to force end users to connect only through MFA, the entire solution is useless,
    now i have finished and tested all, i am trying to config a GPO to inject the RDGW server in all users RD client, it is simple but there is that check box that is driving me crazy!
    “Bypass RD Gateway server for local addresses”
    this must be removed to assure all connections – even lan – gets through MFA
    i am not able to find anyway possible to uncheck this box as it is enabled by default

  10. As far as I can tell this option is no longer supported by Microsoft. When I go to ‘Download MFA Server’ I am taken to where at the bottom it says ‘As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. ‘. Please advise…

    • That’s true, we still support this for our existing customers who already using MFA on-premises server, our recommendations for new deployment to use the MFA NPS Extension instead

  11. Hi Ahmed,

    Thanks for this article. But is it possible that we can use just 1 server for all components below?

    1- Windows 2016 machine for MFA deployment

    2- Windows 2016 for gateway and NPS deployment

    3- Target resource, it may be windows 2016, 2012 R2, 2012.

  12. Hi Ahmed
    Ramadan Moubarak Sais
    we cannot download MFA Stand alone server from MS. we can install NPS MFA extension.
    My question.
    – we have a hybrid deployment. I want to use some Users from on premise AD rather from Azure AD
    – we have already NPS Server with MFA NPS Extension for VPN user. can we configure another Azure MFA MFA NPS Extension for RDP
    Thank you very much for your advise
    B. Outiti

    • For NPS Extension, users must be synced to Azure AD, if you need to enable MFA for Un-Synced users then MFA server is a must to use, you can contact MS Support to allow you to download the MFA server, if you need any specific help reach me at:

  13. Hello,

    Great article. Thanks for this. Trying to implement it with Azure NPS extension. So 1 RD Gateway and 1 NPS Server (extension). Is the procedure remains the same except the part regarding the MFA server in your article ?

    Thanks in adv
