Enable Microsoft Entra ID Authentication Enforcement

Supported OS tags: Windows11

This policy setting allows you to specify whether to require server-side enforcement of Microsoft Entra ID authentication. If you enable this policy setting, all Remote Desktop Services clients must use RDS AAD Auth in order to authenticate to RD Session Host servers. This policy does not allow fallback to other authentication methods. Network Level Authentication (NLA) is required to be enabled in order for this policy to be effective. Refer to the "Require user authentication for remote connections by using Network Level Authentication" policy. If you disable or do not configure this policy setting, then Microsoft Entra ID Authentication Enforcement is not enforced.

This policy has no additional user input fields.

• Computer
  Always prompt for password upon connection

  At least Windows Server 2003 operating systems or Windows XP Professional
• Computer
  Disconnect remote session on lock for legacy authentication

  Windows 11 22H2 SERVER
• Computer
  Disconnect remote session on lock for Microsoft identity platform authentication

  Windows 11 22H2 SERVER
• Computer
  Do not allow local administrators to customize permissions

  At least Windows Server 2003
• Computer
  Require secure RPC communication

  At least Windows Server 2003
• Computer
  Require use of specific security layer for remote (RDP) connections

  At least Windows Vista
• Computer
  Require user authentication for remote connections by using Network Level Authentication

  At least Windows Vista
• Computer
  Server authentication certificate template

  At least Windows Vista
• Computer
  Set client connection encryption level

  At least Windows Server 2003 operating systems or Windows XP Professional