Policy

Enable Microsoft Entra ID Authentication Enforcement

This policy setting allows you to specify whether to require server-side enforcement of Microsoft Entra ID authentication. If you enable this policy setting, all Remote Desktop Services clients must use RDS AAD Auth in order to authenticate to RD Session Host servers. This policy does not allow fallback to other authentication methods. Network Level Authentication (NLA) is required to be enabled in order for this policy to be effective. Refer to the "Require user authentication for remote connections by using Network Level Authentication" policy. If you disable or do not configure this policy setting, then Microsoft Entra ID Authentication Enforcement is not enforced.

Policy
Pack: Microsoft Windows
Category: Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security
Policy ID: d33193a0b6e0
Internal name: TS_MICROSOFT_ENTRA_ID_AUTHENTICATION_ENFORCEMENT_POLICY

Registry

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\EnableMicrosoftEntraIdAuthenticationEnforcement (enabled) = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\EnableMicrosoftEntraIdAuthenticationEnforcement (disabled) = 0
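
An audit check for an RD Session Host, added here as an example and not part of the original policy page: it reads the enforcement value mapped above and the policy-set NLA prerequisite, then reports whether enforcement can take effect. The `UserAuthentication` value name (the registry mapping of the referenced NLA policy) is an assumption not listed on this page, and the function names are hypothetical.

```powershell
# Added example: evaluate Entra ID authentication enforcement with its NLA prerequisite.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-EntraIdRdpEnforcementState {
    param(
        # Values can be passed in directly to evaluate exported policy data offline.
        $Enforcement = (Get-PolicyDword $PolicyKey 'EnableMicrosoftEntraIdAuthenticationEnforcement'),
        # Assumption: NLA policy value name; NLA set outside Group Policy is not checked here.
        $Nla         = (Get-PolicyDword $PolicyKey 'UserAuthentication')
    )

    if ($null -eq $Enforcement) {
        $state = 'NotConfigured'        # same effect as disabled: not enforced
    } elseif ($Enforcement -eq 0) {
        $state = 'Disabled'
    } elseif ($Enforcement -eq 1 -and $Nla -eq 1) {
        $state = 'Enforced'             # no fallback to other authentication methods
    } elseif ($Enforcement -eq 1) {
        $state = 'EnabledNlaNotSetByPolicy'   # enforcement depends on NLA being enabled
    } else {
        $state = 'UnexpectedValue'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        EnforcementValue = $Enforcement
        NlaPolicyValue   = $Nla
        State            = $state
        Compliant        = ($state -eq 'Enforced')
    }
}

# Run against the local machine's policy hive.
Get-EntraIdRdpEnforcementState | Format-List
```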
