CONFIRMED that NPS and Azure AD Domain Services can work with the Azure MFA NPS extension to enable MFA for RDP to virtual machines. That said, Azure Bastion Host (https://docs.microsoft.com/en-us/azure/bastion/bastion-overview) provides the same value without the additional infrastructure of NPS. We have a doc bug created to add the nuance to our documentation, which is to 1) skip registering the NPS server and 2) ensure your network policy has “Ignore user account dial-in properties” selected.
Leaving the topic open as we continue to investigate/validate other NPS use cases (e.g. VPN and 802.x scenarios).
Senior Program Manager
IAM Core | Domain Services
269 votes
Jeremy Dillingham commented
Any update on this feature request? I get quite a lot of pushback internally on increasing the footprint of our Azure backup offering to customers, when compared to other more provider-friendly solutions (i.e., Veeam). Cross-tenant support/reporting and lack of comprehensive reporting/management integration, specifically with Microsoft Azure Backup Server (MABS), are the biggest challenges from our perspective and make it more difficult than it should be to centrally manage these solutions in an efficient manner.