en-US

Enable Microsoft Entra ID Authentication Enforcement

Supported on: At least Windows 11 Version 24H2

Registry

HKLM SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

Value name: EnableMicrosoftEntraIdAuthenticationEnforcement

Enabled: EnableMicrosoftEntraIdAuthenticationEnforcement = 1

Disabled: EnableMicrosoftEntraIdAuthenticationEnforcement = 0

Description

This policy setting allows you to specify whether to require server-side enforcement of Microsoft Entra ID authentication. If you enable this policy setting, all Remote Desktop Services clients must use RDS AAD Auth in order to authenticate to RD Session Host servers. This policy does not allow fallback to other authentication methods. Network Level Authentication (NLA) is required to be enabled in order for this policy to be effective. Refer to the "Require user authentication for remote connections by using Network Level Authentication" policy. If you disable or do not configure this policy setting, then Microsoft Entra ID Authentication Enforcement is not enforced.