CONFIRMED that NPS and Azure AD Domain Service can work with the Azure MFA NPS extension to enable MFA for RDP to virtual machines. That said, Azure Bastion Host (https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) provides the same value without the additional infrastructure of NPS. We have a doc bug created to add the nuance to our documentation, which is to 1) Skip registering the NPS server and 2) ensure your network policy has “Ignore user account dial-in properties” selected.
Leaving the topic open as we continue to investigate/validate other NPS use cases (e.g. VPN and 802.x scenarios)
Senior Program Manager
IAM Core | Domain Services
738 votes

Luke Bixby commented
Please add this. We need this to move to modern management.
260 votes

Planned · Admin Azure IaaS Engineering Team (Azure IaaS Engineering Team, Microsoft, Microsoft Azure) responded
We are planning several improvements in this space that will enable better control over updates which are applied to VMs.