Option 1: Duo MFA for RDP (fast, easy, proven)
Pros:
- Quick to deploy (literally <30 min).
- Protects both console and RDP logins.
- Works with your existing domain users.
- Simple rollback if needed.
High-level install steps:
- Create a Duo account (free trial or paid).
- Add a new “Windows Logon” application in Duo Admin Panel.
- Download and install Duo Authentication for Windows Logon on the server.
- During install, enter the integration key, secret key, and API hostname from Duo.
- (Optional) Set policies (e.g., allow offline logins if Duo is unreachable).
- Test RDP — it will now prompt for MFA after entering username/password.
▶ Link to official Duo guide:
Duo MFA for Windows RDP – Step-by-Step
Option 2: Azure MFA with NPS Extension (Microsoft “native” method)
Pros:
- Fully integrates with Azure AD / Conditional Access policies.
- No Duo or 3rd-party dependency.
- Centralizes MFA rules.
High-level install steps:
- Install NPS (Network Policy Server) role on a management server (can be a VM).
- Install the NPS Extension for Azure MFA.
- Register the server with Azure AD (tenant-level app registration).
- Configure RADIUS authentication on NPS.
- Point RDP servers to use NPS for auth (via RADIUS Client settings).
- Optional: Set conditional policies (e.g., MFA only from external IPs).
▶ Link to official Microsoft guide:
Configure NPS Extension for Azure MFA
Recommendation:
- If you already use Azure AD + Conditional Access, go with Option 2.
- If you want something faster, easier, and simple to manage, Duo is the better choice.
- Both are production-ready, supported, and widely used.
