Configure your Okta org for MFA Credential Provider for Windows

Before you install the Okta MFA Credential Provider for Windows, you must complete the following tasks in your Okta org:

  • Define a group for the users allowed to access the Windows Server using RDP.
  • Enable the MFA authenticators to use for RDP sign-in.
  • Add and configure the Microsoft RDP (MFA) app.
  1. Define groups to use for authentication:
    1. Sign in to your Okta tenant as an administrator.
    2. In the Admin Console, go to Directory > Groups.
    3. Click Add Group.
    4. Complete the fields and then click Save.
    5. Add people to the group. See Users, groups, and profiles.
  2. Enable MFA:
    1. In the Admin Console, go to Security > Authenticators.
    2. Click Add authenticator.
    3. Click Add on the authenticator you want to add. At a minimum, add Okta Verify.
    4. Configure the authenticator and then click Add.
    5. In the Actions menu, choose Edit to configure more settings.
  3. Configure MFA enrollment:
    1. In the Admin Console, go to Security > Authenticators.
    2. Select the Enrollment tab.
    3. Click Add Multifactor Policy.
    4. Enter a policy name and description.
    5. In the Assign to groups field, enter the name of the group for the users allowed to access the Windows Server using RDP.
    6. In the Effective factors section, select Required for each required authenticator.
    7. Click Create Policy.
    8. Click Add Rule, and then configure it.
  4. Add and configure the Microsoft RDP (MFA) app:
    1. In the Admin Console, go to Applications > Applications.
    2. Click Add Application and then enter Microsoft RDP (MFA) in the search box.
    3. Click Add on the Microsoft RDP (MFA) app.
    4. Enter a name for the app and then click Next. Use the same name for the RDP agent that users connect to: RDP sign-in may fail if the RDP agent name doesn't match the Microsoft RDP (MFA) app name.
    5. Select the Assignments tab.
    6. Assign the application to groups or individuals.
    7. Save your changes.
    8. Select the Sign On tab.
    9. Click Add Rule and add any required sign-on rules.
    10. Click Done when complete.