Conditional MFA


Let’s say I have 2 applications configured: RADIUS for VPN and Microsoft RDP for desktop logins. I have 20 users enrolled. All 20 users must use MFA to connect to VPN. Now I only want 5 of my 20 users to require MFA for RDP. The other 15 enrolled users should be able to log into Windows without MFA. How do I set this up? I have my users broken into groups but I can’t figure out how to bypass those 15 users in the Microsoft RDP application.

Kind regards,

Okay, I think I figured this out. I’d love if someone could confirm I am doing this correctly.

Microsoft RDP application policy settings:
MFA required policy applied to MFA required group
Application policy set to not require MFA for any user


Hi @BWeaver,

This is indeed the way I’d do it.

Antony Gallez

Hey @BWeaver! Your plan looks right to me.