|
| 1 | +--- |
| 2 | +title: Network Policy Server (NPS) for Azure AD Domain Services | Microsoft Docs |
| 3 | +description: Learn how to configure and use Network Policy Server (NPS) and Azure Multi-Factor Authentication with a Remote Desktop Services deployment in an Azure Active Directory Domain Services managed domain. |
| 4 | +services: active-directory-ds |
| 5 | +author: iainfoulds |
| 6 | +manager: daveba |
| 7 | + |
| 8 | +ms.service: active-directory |
| 9 | +ms.subservice: domain-services |
| 10 | +ms.workload: identity |
| 11 | +ms.topic: conceptual |
| 12 | +ms.date: 03/17/2020 |
| 13 | +ms.author: iainfou |
| 14 | + |
| 15 | +--- |
| 16 | +# Configure and use Remote Desktop Services and Network Policy Server (NPS) with Azure Multi-Factor Authentication in Azure Active Directory Domain Services |
| 17 | + |
| 18 | +To provide connectivity for users, you can use Remote Desktop Services (RDS) to access applications and desktops from the cloud. Azure Active Directory Domain Services (Azure AD DS) can authenticate users as they request access to the RDS environment. For enhanced security, you can integrate Azure Multi-Factor Authentication to provide an additional authentication prompt during sign-in events. Azure Multi-Factor Authentication uses an extension for the Network Policy Server (NPS) to provide this feature. |
| 19 | + |
| 20 | +This article shows you how to configure RDS in Azure AD DS and optionally use the Azure Multi-Factor Authentication NPS extension. |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | +## Prerequisites |
| 25 | + |
| 26 | +To complete this article, you need the following resources: |
| 27 | + |
| 28 | +* An active Azure subscription. |
| 29 | + * If you don't have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 30 | +* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. |
| 31 | + * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. |
| 32 | +* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant. |
| 33 | + * If needed, [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance]. |
| 34 | +* A *workloads* subnet created in your Azure Active Directory Domain Services virtual network. |
| 35 | + * If needed, [Configure virtual networking for an Azure Active Directory Domain Services managed domain][configure-azureadds-vnet]. |
| 36 | +* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant. |
| 37 | + |
| 38 | +## Deploy and configure the Remote Desktop environment |
| 39 | + |
| 40 | +To get started, create a minimum of two Azure VMs that run Windows Server 2016 or Windows Server 2019. For redundancy and high availability of your Remote Desktop (RD) environment, you can add and load balance additional hosts later. |
| 41 | + |
| 42 | +A suggested RDS deployment includes the following two VMs: |
| 43 | + |
| 44 | +* *RDGVM01* - Runs the RD Connection Broker server, RD Web Access server, and RD Gateway server. |
| 45 | +* *RDSHVM01* - Runs the RD Session Host server. |
| 46 | + |
| 47 | +Make sure that VMs are deployed into a *workloads* subnet of your Azure AD DS virtual network, then join the VMs to Azure AD DS managed domain. For more information, see how to [create and join a Windows Server VM to an Azure AD DS managed domain][tutorial-create-join-vm]. |
| 48 | + |
| 49 | +The RD environment deployment contains a number of steps. The existing RD deployment guide can be used without any specific changes to use in an Azure AD DS managed domain: |
| 50 | + |
| 51 | +1. Sign in to VMs created for the RD environment with an account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*. |
| 52 | +1. To create and configure RDS, use the existing [Remote Desktop environment deployment guide][deploy-remote-desktop]. Distribute the RD server components across your Azure VMs as desired. |
| 53 | +1. If you want to provide access using a web browser, [set up the Remote Desktop web client for your users][rd-web-client]. |
| 54 | + |
| 55 | +With RD deployed into the Azure AD DS managed domain, you can manage and use the service as you would with an on-premises AD DS domain. |
| 56 | + |
| 57 | +## Deploy and configure NPS and the Azure MFA NPS extension |
| 58 | + |
| 59 | +If you want to increase the security of the user sign-in experience, you can optionally integrate the RD environment with Azure Multi-Factor Authentication. With this configuration, users receive an additional prompt during sign-in to confirm their identity. |
| 60 | + |
| 61 | +To provide this capability, an additional Network Policy Server (NPS) is installed in your environment along with the Azure Multi-Factor Authentication NPS extension. This extension integrates with Azure AD to request and return the status of multi-factor authentication prompts. |
| 62 | + |
| 63 | +Users must be [registered to use Azure Multi-Factor Authentication][user-mfa-registration], which may require additional Azure AD licenses. |
| 64 | + |
| 65 | +To integrate Azure Multi-Factor Authentication in to your Azure AD DS Remote Desktop environment, create an NPS Server and install the extension: |
| 66 | + |
| 67 | +1. Create an additional Windows Server 2016 or 2019 VM, such as *NPSVM01*, that's connected to a *workloads* subnet in your Azure AD DS virtual network. Join the VM to the Azure AD DS managed domain. |
| 68 | +1. Sign in to NPS VM as account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*. |
| 69 | +1. From **Server Manager**, select **Add Roles and Features**, then install the *Network Policy and Access Services* role. |
| 70 | +1. Use the existing how-to article to [install and configure the Azure MFA NPS extension][nps-extension]. |
| 71 | + |
| 72 | +With the NPS server and Azure Multi-Factor Authentication NPS extension installed, complete the next section to configure it for use with the RD environment. |
| 73 | + |
| 74 | +## Integrate Remote Desktop Gateway and Azure Multi-Factor Authentication |
| 75 | + |
| 76 | +To integrate the Azure Multi-Factor Authentication NPS extension, use the existing how-to article to [integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD][azure-mfa-nps-integration]. |
| 77 | + |
| 78 | +The following additional configuration options are needed to integrate with an Azure AD DS managed domain: |
| 79 | + |
| 80 | +1. Don't [register the NPS server in Active Directory][register-nps-ad]. This step fails in an Azure AD DS managed domain. |
| 81 | +1. In [step 4 to configure network policy][create-nps-policy], also check the box to **Ignore user account dial-in properties**. |
| 82 | +1. If you use Windows Server 2019 for the NPS server and Azure Multi-Factor Authentication NPS extension, run the following command to update the secure channel to allow the NPS server to communicate correctly: |
| 83 | + |
| 84 | + ```powershell |
| 85 | + sc sidtype IAS unrestricted |
| 86 | + ``` |
| 87 | +
|
| 88 | +Users are now prompted for an additional authentication factor when they sign in, such as a text message or prompt in the Microsoft Authenticator app. |
| 89 | +
|
| 90 | +## Next steps |
| 91 | +
|
| 92 | +For more information on improving resiliency of your deployment, see [Remote Desktop Services - High availability][rds-high-availability]. |
| 93 | +
|
| 94 | +For more information about securing user sign-in, see [How it works: Azure Multi-Factor Authentication][concepts-mfa]. |
| 95 | +
|
| 96 | +<!-- INTERNAL LINKS --> |
| 97 | +[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md |
| 98 | +[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md |
| 99 | +[create-azure-ad-ds-instance]: tutorial-create-instance.md |
| 100 | +[configure-azureadds-vnet]: tutorial-configure-networking.md |
| 101 | +[tutorial-create-join-vm]: join-windows-vm.md |
| 102 | +[user-mfa-registration]: ../active-directory/authentication/howto-mfa-nps-extension.md#register-users-for-mfa |
| 103 | +[nps-extension]: ../active-directory/authentication/howto-mfa-nps-extension.md |
| 104 | +[azure-mfa-nps-integration]: ../active-directory/authentication/howto-mfa-nps-extension-rdg.md |
| 105 | +[register-nps-ad]:../active-directory/authentication/howto-mfa-nps-extension-rdg.md#register-server-in-active-directory |
| 106 | +[create-nps-policy]: ../active-directory/authentication/howto-mfa-nps-extension-rdg.md#configure-network-policy |
| 107 | +[concepts-mfa]: ../active-directory/authentication/concept-mfa-howitworks.md |
| 108 | +
|
| 109 | +<!-- EXTERNAL LINKS --> |
| 110 | +[deploy-remote-desktop]: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure |
| 111 | +[rd-web-client]: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-web-client-admin |
| 112 | +[rds-high-availability]: https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-plan-high-availability |
0 commit comments