Assign users/groups to the Microsoft RDP (MFA) app

All users who login to any machine that has the Credential Provider installed will need to be assigned to the Microsoft RDP (MFA) app. By default, the App Sign-On policy for this app prompts for MFA every login.

  1. Sign in to your Okta tenant as an administrator.
  2. Click the app name.
  3. In the Microsoft RDP (MFA) app in Okta, select the Sign On tab. In the Settings section, select Edit and choose the Application username format to assign to users of this app. In the example Okta username is selected but you can make any choice.ClosedScreenshot

    Sign On Methods screen

    When the end user signs in, the application user format must match exactly.

    Best practice: Okta recommends using a username prefix, as Windows uses the SAMAccountName for login.

  4. Select the Assignments tab and assign the app to users or groups. After selecting Assign, enter the user name. For more information on assigning apps, see Assign app integrations.

    The user name entered here must match the format you selected in the preceding step. For example, in the case that the full UPN for a user is in the format, and you entered AD SAM account name for the username format above, enter only the name portion of the UPN for the user name. The portion of the UPN is included in the AD SAM account name.

  5. Navigate to the Sign on tab to configure sign on rules specific to this app.

  6. On the Sign On tab, scroll to the Sign On Policy section. Signon policy
  7. The App Sign-On policy for this app is set to prompt for MFA for every login.
    Create a new sign on rule if you do not want to prompt some or all of your users for MFA.
    Assign users to the new rule and leave the ‘Prompt for factor’ checkbox unchecked.
    App sign on rule with 'prompt for factor' not enabled.

    Okta sign on policy does not apply to Microsoft RDP App. Only the app sign on policy as defined in this step is evaluated.

  8. Select Done when finished. Your system is completely configured.