Enable Microsoft Entra ID Authentication Enforcement
Supported on: At least Windows 11 Version 24H2
Registry
SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services Value name: EnableMicrosoftEntraIdAuthenticationEnforcement
Enabled: EnableMicrosoftEntraIdAuthenticationEnforcement = 1
Disabled: EnableMicrosoftEntraIdAuthenticationEnforcement = 0
Description
This policy setting allows you to specify whether to require server-side enforcement of Microsoft Entra ID authentication. If you enable this policy setting, all Remote Desktop Services clients must use RDS AAD Auth in order to authenticate to RD Session Host servers. This policy does not allow fallback to other authentication methods. Network Level Authentication (NLA) is required to be enabled in order for this policy to be effective. Refer to the "Require user authentication for remote connections by using Network Level Authentication" policy. If you disable or do not configure this policy setting, then Microsoft Entra ID Authentication Enforcement is not enforced.