
Enforce Multi-Factor Authentication on Every Windows RDP Session — Any IdP, Any MFA Factor

Add MFA to Windows Server RDP without NPS, RADIUS, or Azure AD Premium. OnePAM enforces your IdP's MFA (Duo, FIDO2, push, biometrics) on every RDP connection via SAML/OIDC SSO.

MFA for RDP — Without NPS Complexity

Multi-factor authentication for Windows RDP should be simple. It isn't. Microsoft's native approach requires Azure AD Premium P1/P2, NPS with the Azure MFA extension, RADIUS configuration, and an RD Gateway — a four-component architecture that's expensive, complex, and limited to Azure AD's MFA methods. Organizations using Okta, Google Workspace, Duo, or other non-Microsoft IdPs have no Microsoft-supported path to RDP MFA at all. OnePAM eliminates this complexity entirely. OnePAM authenticates users via standard SAML 2.0 or OIDC — which means any IdP's MFA policies apply automatically. Deploy via local agent or gateway RDP proxy, and MFA is enforced from day one.

Local Agent

Install the OnePAM agent on each Windows server. The agent intercepts RDP authentication and enforces SAML/OIDC SSO with Kerberos and Protected User support before granting desktop access — no gateway required.

Gateway RDP Proxy

Run a dedicated OnePAM gateway with native RDP protocol support. Users authenticate via SAML/OIDC at the gateway, which brokers the RDP session using Kerberos NLA. No agent needed on target servers.

Why RDP Needs MFA

Without identity-based RDP access, these risks threaten your Windows servers every day.

Compromised passwords enable immediate RDP access without a second factor, leading to 50%+ of ransomware incidents
Microsoft's native RDP MFA (NPS + RADIUS + Azure MFA) is too complex for most organizations to deploy correctly
Non-Microsoft IdPs (Okta, Google, Duo) have no native path to enforce MFA on RDP sessions
Password-only RDP is the single largest gap in enterprise MFA coverage

RDP Security Challenges

These are the risks organizations face with traditional RDP authentication.

NPS/RADIUS Complexity

Microsoft's RDP MFA requires NPS + RADIUS + Azure MFA extension + RD Gateway. A four-component stack that's difficult to deploy and troubleshoot.

Azure AD Premium Required

The NPS MFA extension requires Azure AD Premium P1 or P2. Organizations without Microsoft licensing have no native RDP MFA option.

Non-Microsoft IdP Exclusion

Organizations using Okta, Google Workspace, Ping Identity, or Duo as their primary IdP cannot use Microsoft's native RDP MFA path.

Limited MFA Factors

The NPS approach is limited to Azure AD's MFA methods. Organizations using FIDO2 keys, Duo push, or Okta Verify cannot use their preferred factors.

No Session Recording

Even with MFA deployed via NPS, there's no session recording.

Deployment Failures

NPS + RADIUS + Azure MFA is notoriously difficult to troubleshoot. Authentication failures and RADIUS timeouts are common.

How OnePAM Enforces MFA on RDP

Step-by-step guide to deploying identity-based Windows RDP access.

1. Configure Your IdP

Connect OnePAM to your SAML 2.0 or OIDC identity provider with MFA requirements configured.

Your IdP controls the MFA experience — whatever your IdP supports is enforced.

2. Deploy Agent or Gateway

Install the OnePAM agent on Windows servers or deploy a gateway RDP proxy.

Agent mode handles authentication at the server. Gateway mode handles authentication centrally.

3. User Initiates RDP

User opens an RDP connection. OnePAM redirects to your IdP for authentication.

The user sees their familiar IdP login page. MFA is prompted per your IdP's policies.

4. MFA Verified

User completes MFA. The IdP issues a signed assertion.

OnePAM validates the assertion and evaluates access policies.

5. RDP Session Established

After identity and MFA verification, OnePAM establishes the RDP session.

The session is logged with full MFA metadata and optionally recorded.
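The assertion-validation and policy-evaluation work in steps 4 and 5, combined with the per-server MFA strength policies described later under Granular MFA Policies, is sketched in this added Python example. It is not OnePAM's code: it assumes the IdP assertion has already been signature-verified and decoded into OIDC-style claims, and the issuer URL, audience id, server names, policy tiers and sample claims are all constructed for illustration.

```python
import time

# Constructed per-server policy (not OnePAM's schema): the OIDC 'amr' values
# (RFC 8176) that satisfy MFA for a server, and how fresh the authentication
# must be in seconds before step-up re-authentication is required.
SERVER_POLICY = {
    "prod-sql-01": {"accept": {"hwk"}, "max_age": 300},               # hardware key only
    "dev-web-03":  {"accept": {"hwk", "otp", "swk", "fpt"}, "max_age": 28800},
}
EXPECTED_ISSUER = "https://idp.example.com"   # assumed IdP issuer URL
EXPECTED_AUDIENCE = "rdp-broker"              # assumed client/audience id

def evaluate_rdp_access(claims, server, now=None):
    """Return (allowed, audit_record) for one RDP request.

    'claims' is the already signature-verified assertion payload. Every
    denial carries a reason so the audit trail records why MFA failed."""
    now = time.time() if now is None else now
    audit = {"user": claims.get("sub"), "server": server, "decision": "deny",
             "amr": list(claims.get("amr", [])), "auth_time": claims.get("auth_time")}
    policy = SERVER_POLICY.get(server)
    if policy is None:
        audit["reason"] = "no access policy for server"
        return False, audit
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        audit["reason"] = "issuer or audience mismatch"
        return False, audit
    if claims.get("exp", 0) <= now:
        audit["reason"] = "assertion expired"
        return False, audit
    methods = set(claims.get("amr", []))
    # 'mfa' asserts multiple factors were used; the intersection checks that
    # at least one factor is of a strength this server accepts.
    if "mfa" not in methods or not (methods & policy["accept"]):
        audit["reason"] = "MFA factor not accepted for this server"
        return False, audit
    if now - claims.get("auth_time", 0) > policy["max_age"]:
        audit["reason"] = "step-up required: authentication older than policy allows"
        return False, audit
    audit["decision"], audit["reason"] = "allow", "MFA satisfied"
    return True, audit

if __name__ == "__main__":
    # Constructed sample claims: password + hardware key, authenticated 60 s ago.
    now = 1_700_000_000
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice",
              "exp": now + 600, "auth_time": now - 60, "amr": ["pwd", "hwk", "mfa"]}
    for host in ("prod-sql-01", "dev-web-03", "unknown-host"):
        print(evaluate_rdp_access(claims, host, now))
```

The audit record returned on every path is the kind of per-session MFA metadata step 5 describes; a real broker would also check the assertion's signature and nonce before reaching this logic.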

Benefits of OnePAM MFA for RDP

Measurable security and operational outcomes from deploying OnePAM Windows RDP SSO.

Any IdP, Any MFA Factor

Use Okta Verify, Google 2-step, Duo push, FIDO2 keys, biometrics — not limited to Azure AD.

Universal MFA support

No NPS/RADIUS Infrastructure

Eliminate the NPS + RADIUS + Azure MFA extension stack. OnePAM is a single component.

Zero middleware

Deploy in 15 Minutes

IdP app registration + OnePAM deployment takes 15 minutes.

15-minute deployment

Session Recording Included

MFA + session recording in one platform.

Recording built in

Close the Ransomware Door

Compromised passwords alone can't grant RDP access.

Ransomware prevention

Granular MFA Policies

Require stronger MFA for production servers, lighter MFA for development servers.

Policy-based MFA strength

Windows RDP SSO Capabilities

Every feature needed for enterprise-grade Windows RDP authentication.

MFA via any SAML/OIDC IdP (Okta, Azure AD, Google, Duo, Ping)
Push notifications, FIDO2, biometrics, OTP, SMS
Agent and gateway deployment modes
Per-server MFA policy configuration
Step-up MFA for sensitive servers
Session recording with MFA metadata
Adaptive MFA via IdP risk policies
Group-based MFA requirements
Bypass policies for emergency/break-glass access
Unified audit trail with MFA status per session

Zero-Day Protection Features

Enterprise-grade security controls for RDP access.

IdP-enforced MFA on every RDP session
MFA method logging for compliance
Step-up authentication for high-risk access
IdP risk assessment integration
Emergency bypass with audit logging
Automatic re-authentication on timeout

RDP MFA Use Cases

Common scenarios where organizations deploy OnePAM Windows RDP SSO.

1. Enforcing MFA on all RDP sessions to meet cyber insurance requirements
2. Adding Okta Verify or Duo push MFA to Windows Server RDP without NPS infrastructure
3. Requiring FIDO2 hardware keys for RDP access to production Windows servers
4. Eliminating password-only RDP as a ransomware initial access vector
5. Meeting SOC 2 and PCI DSS multi-factor authentication requirements for server access
6. Providing different MFA strength levels for different server environments

MFA for Windows RDP via SSO FAQ

Common questions about Windows RDP SSO and zero-day protection.

Can I use Duo Security for RDP MFA with OnePAM?

Yes. If Duo is configured as an MFA factor in your IdP, OnePAM automatically leverages Duo push, Duo passcodes, or Duo biometrics.

Does OnePAM MFA work with FIDO2 hardware keys?

Yes. FIDO2/WebAuthn hardware keys (YubiKey, Titan Key, etc.) are supported through your IdP.

What if my users can't reach their IdP for MFA?

OnePAM supports configurable offline/break-glass policies for IdP outages.

Does MFA add latency to RDP connections?

MFA adds a few seconds for the authentication step. Once authenticated, there is zero latency impact on the ongoing RDP session.

MFA for RDP Should Be Simple. Now It Is.

Enforce MFA on every Windows RDP session — any IdP, any factor. No NPS, no RADIUS, no complexity. Deploy in 15 minutes.