
Use Azure AD (Entra ID) SAML/OIDC to Authenticate RDP Sessions on Any Windows Server

Connect Azure AD / Microsoft Entra ID to Windows Server RDP via OnePAM. Enforce Conditional Access, MFA, and session recording on every RDP connection — without Azure AD Premium NPS complexity.

Azure AD SSO for Windows RDP — Simplified

Microsoft Azure AD (now Microsoft Entra ID) is the identity platform for organizations using Microsoft 365, Azure, and hybrid Active Directory environments. While Azure AD provides excellent SSO for cloud applications via SAML and OIDC, extending that same SSO experience to Windows Server RDP is surprisingly complex. Microsoft's native approach requires Azure AD Premium P1/P2 licensing, NPS (Network Policy Server) with the Azure MFA extension, RADIUS configuration, and RD Gateway — a multi-component architecture that's difficult to deploy, debug, and maintain.

OnePAM provides a dramatically simpler alternative. OnePAM integrates with Azure AD / Entra ID as a standard SAML 2.0 or OIDC application, leveraging your existing Conditional Access policies, MFA requirements, and group-based access controls. Users authenticate via their familiar Azure AD login (with Authenticator push, FIDO2 key, or any MFA method) and OnePAM brokers the RDP session — via local agent or gateway RDP proxy. No NPS, no RADIUS, no RD Gateway complexity.

Local Agent

Install the OnePAM agent on each Windows server. The agent intercepts RDP authentication and enforces SAML/OIDC SSO with Kerberos and Protected User support before granting desktop access — no gateway required.

Gateway RDP Proxy

Run a dedicated OnePAM gateway with native RDP protocol support. Users authenticate via SAML/OIDC at the gateway, which brokers the RDP session using Kerberos NLA. No agent needed on target servers.

Why Azure AD + RDP Is Hard Without OnePAM

Without identity-based RDP access, these risks threaten your Windows servers every day.

Azure AD Conditional Access policies don't natively apply to RDP sessions on Windows servers
Microsoft's RDP MFA path (NPS + RADIUS + Azure MFA extension) is complex and fragile
Azure AD-joined devices get SSO for Windows logon, but server RDP remains password-based
Organizations pay for Azure AD Premium but can't apply those policies to RDP access

RDP Security Challenges

These are the risks organizations face with traditional RDP authentication.

NPS/RADIUS Complexity

Microsoft's native RDP MFA requires NPS, RADIUS, Azure MFA extension, and RD Gateway — a four-component architecture that's complex to deploy and maintain.

Conditional Access Gap

Azure AD Conditional Access policies control access to cloud apps, but they don't natively apply to RDP sessions on Windows servers.

Azure AD Premium Required

The NPS MFA extension requires Azure AD Premium P1 or P2 licensing, adding cost on top of the deployment complexity.

No Session Recording

Even with Azure AD + NPS + RD Gateway, there's no native session recording. You need a separate PAM solution for visual audit trails.

Hybrid Identity Complexity

Organizations with hybrid AD (on-prem + Azure AD) face additional challenges synchronizing identities and applying consistent RDP policies.

Limited to Azure MFA

The NPS approach only works with Azure AD's built-in MFA. Third-party MFA solutions (Duo, FIDO2 keys via non-Microsoft flows) aren't supported.

How OnePAM Connects Azure AD to RDP

Step-by-step guide to deploying identity-based Windows RDP access.

1. Register OnePAM in Azure AD

Add OnePAM as an Enterprise Application in Azure AD / Entra ID with SAML 2.0 or OIDC configuration.

Standard Azure AD enterprise app registration. Configure SAML SSO with assertion consumer service URL, entity ID, and attribute mapping. Takes under 10 minutes.

2. Apply Conditional Access Policies

Use your existing Azure AD Conditional Access policies to control RDP access — device compliance, location, risk level, MFA requirements.

OnePAM triggers Azure AD's Conditional Access evaluation for every RDP session. Policies you already have for cloud apps now apply to RDP access.

3. Choose Agent or Gateway

Install the OnePAM agent on Windows servers for direct SSO, or deploy a gateway RDP proxy for agentless coverage.

Agent mode integrates with the Windows credential provider. Gateway mode runs externally. Both receive the Azure AD-authenticated identity after Conditional Access evaluation.

4. Map Azure AD Users to Windows Accounts

Map Azure AD UPN or email to Windows domain accounts for RDP session establishment.

OnePAM supports UPN matching ([email protected] to DOMAIN\user), email-based mapping, and just-in-time local account creation for external users.

5. Enable Session Recording and Auditing

Activate visual RDP session recording and centralized audit logging with Azure AD identity context.

Every RDP session is tied to the Azure AD identity, the Conditional Access policy applied, the MFA method used, and the device compliance status — all in one audit log.
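Step 4 is the part of this procedure that most deserves a worked example: the mapping from an Azure AD / Entra ID UPN (or email) to a DOMAIN\user logon decides which Windows identity the brokered RDP session runs as, so a UPN whose domain suffix is not explicitly trusted must fail closed, and an external (guest) user must land in a just-in-time local account rather than a domain account. The following Python is an added illustration written for this page, not OnePAM's code. The suffix table, the handling of guest UPNs (Entra ID guest UPNs carry a `#EXT#` marker before the tenant suffix), the sAMAccountName normalization rules and all function names are assumptions.

```python
"""Map an Azure AD / Entra ID user principal name (UPN) to the Windows account
an RDP session is established as, covering the three cases step 4 lists:
UPN matching, email-based mapping, and just-in-time (JIT) local accounts for
external (guest) users.  Hypothetical illustration, not OnePAM code."""
import re
from dataclasses import dataclass
from typing import Mapping

# Constructed suffix table (assumption): verified UPN/email domain suffix -> NetBIOS
# domain name.  Only suffixes listed here may ever be brokered into a domain logon;
# everything else fails closed.
SUFFIX_TO_NETBIOS = {
    "corp.example.com": "CORP",
    "example.com": "CORP",
}

# Characters Windows rejects in a sAMAccountName, plus the 20-character limit.
_SAM_INVALID = re.compile(r'["/\\\[\]:;|=,+*?<>]')
_SAM_MAX_LEN = 20
# Entra ID guest accounts look like alice_gmail.com#EXT#@tenant.onmicrosoft.com
_GUEST_MARKER = "#EXT#"


@dataclass(frozen=True)
class WindowsAccount:
    domain: str      # NetBIOS domain, or "." for a machine-local account
    user: str        # sAMAccountName
    jit_local: bool  # True when the account must be provisioned just-in-time

    def logon_name(self) -> str:
        """Render as the DOMAIN\\user form used to start the RDP session."""
        return f"{self.domain}\\{self.user}"


def _sam_name(candidate: str) -> str:
    """Normalize a candidate account name into something Windows accepts."""
    name = _SAM_INVALID.sub("_", candidate).lower().rstrip(". ")
    if not name:
        raise ValueError("empty account name after normalization")
    return name[:_SAM_MAX_LEN]


def map_upn(upn: str, *, allow_jit_local: bool = False,
            suffix_table: Mapping[str, str] = SUFFIX_TO_NETBIOS) -> WindowsAccount:
    """Resolve an Entra ID UPN (or an email used as UPN) to a Windows account.

    Raises LookupError for a suffix that is not in the table, so an unknown
    tenant or domain can never be turned into a domain logon, and
    PermissionError for a guest user when JIT local accounts are disabled.
    """
    if upn.count("@") != 1:
        raise ValueError(f"malformed UPN: {upn!r}")
    local_part, suffix = upn.split("@")
    suffix = suffix.lower()

    # Guest users never map to a domain account; they get a JIT local account
    # named after the part of their home identity before the #EXT# marker.
    if _GUEST_MARKER in local_part:
        if not allow_jit_local:
            raise PermissionError(f"external user {upn!r} refused: JIT local accounts disabled")
        home_identity = local_part.split(_GUEST_MARKER, 1)[0]
        return WindowsAccount(".", _sam_name(home_identity), jit_local=True)

    try:
        netbios = suffix_table[suffix]
    except KeyError:
        raise LookupError(f"no Windows domain mapped for suffix {suffix!r}") from None
    return WindowsAccount(netbios, _sam_name(local_part), jit_local=False)


if __name__ == "__main__":
    print(map_upn("Alice@Corp.Example.com").logon_name())
    print(map_upn("bob_gmail.com#EXT#@contoso.onmicrosoft.com", allow_jit_local=True))
```

A broker would call `map_upn` on the UPN or email attribute of the already validated SAML assertion or OIDC token, refuse the session on any exception, and write the UPN and the reason into the same audit record that step 5 describes, so a failed mapping is visible next to the Conditional Access and MFA context rather than silently producing a password prompt.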

Benefits of Azure AD SSO for RDP via OnePAM

Measurable security and operational outcomes from deploying OnePAM Windows RDP SSO.

No NPS/RADIUS Required

Eliminate the NPS, RADIUS, and Azure MFA extension stack. OnePAM connects Azure AD to RDP via standard SAML/OIDC — no middleware.

Zero NPS infrastructure

Conditional Access for RDP

Apply your existing Azure AD Conditional Access policies to RDP sessions — device compliance, location, risk level, and MFA strength.

Full Conditional Access coverage

Works with Azure AD Free/P1

OnePAM uses standard SAML/OIDC, which works with Azure AD Free (with limitations) and Azure AD Premium P1. No P2 required for basic RDP SSO.

Lower licensing costs

Visual Session Recording

Add session recording to RDP — a capability that Azure AD + NPS + RD Gateway cannot provide natively.

Built-in visual recordings

Unified Audit with Cloud Apps

RDP access events appear alongside Azure AD sign-in logs and OnePAM's centralized audit trail.

Single audit platform

Deploy in Minutes, Not Days

Azure AD enterprise app registration + OnePAM deployment takes minutes. NPS + RADIUS + RD Gateway takes days or weeks.

Minutes vs. days

Windows RDP SSO Capabilities

Every feature needed for enterprise-grade Windows RDP authentication.

Azure AD / Entra ID SAML 2.0 & OIDC integration
Conditional Access policy enforcement for RDP
MFA via Microsoft Authenticator, FIDO2, phone, or any Azure MFA method
Agent and gateway deployment modes
UPN-to-Windows account mapping
Visual RDP session recording
Azure AD group-based access policies
Device compliance verification via Conditional Access
Just-in-time local account provisioning
Unified audit trail with Azure AD sign-in events

Zero-Day Protection Features

Enterprise-grade security controls for RDP access.

Full Conditional Access evaluation before RDP
Azure AD risk-based authentication support
Compliant device requirement enforcement
TLS encryption for all connections
Automatic session termination on Azure AD sign-out
Network isolation in gateway mode

Azure AD RDP SSO Use Cases

Common scenarios where organizations deploy OnePAM Windows RDP SSO.

1. Extending Azure AD Conditional Access policies to cover RDP access on on-premise and Azure Windows servers
2. Replacing NPS/RADIUS/RD Gateway with OnePAM for simpler Azure AD RDP MFA
3. Enforcing device compliance for RDP sessions using Azure AD's device management
4. Providing recorded RDP access to Azure VMs with Azure AD SSO and session recording
5. Hybrid identity scenarios where Azure AD-synced identities need SSO for on-premise server RDP
6. Reducing Azure AD Premium P2 costs by using OnePAM for RDP SSO instead of the full NPS stack

Azure AD / Entra ID RDP SSO FAQ

Common questions about Windows RDP SSO and zero-day protection.

How is OnePAM different from Azure AD + NPS for RDP MFA?

OnePAM is dramatically simpler. The NPS approach requires Azure MFA extension, NPS server, RADIUS configuration, and RD Gateway — a four-component stack. OnePAM is a single application that connects to Azure AD via standard SAML/OIDC and provides SSO, MFA, session recording, and policy enforcement for RDP.

Do I still need Azure AD Premium?

OnePAM works with Azure AD Free for basic SAML SSO. For Conditional Access policies (device compliance, location-based access, risk detection), Azure AD Premium P1 is required — but you likely already have it. No P2 is needed.

Can OnePAM use Microsoft Authenticator for MFA?

Yes. OnePAM triggers Azure AD authentication, which uses whatever MFA method you've configured — Microsoft Authenticator push, FIDO2, phone call, SMS, or any Azure AD MFA method.

Does this work with Azure AD hybrid join?

Yes. OnePAM supports pure Azure AD, hybrid Azure AD, and on-premises AD environments. Identity mapping is flexible — UPN, email, SAMAccountName, or custom attributes.

Connect Azure AD to RDP — Without NPS Complexity.

Use your existing Azure AD / Entra ID identity for RDP SSO. Apply Conditional Access, enforce MFA, and record sessions — deployed in minutes.