Configure Okta org

Before installing the Okta credential provider for Windows, you must:

  • Define a group for the end users who will authenticate RDP sign-ins.
  • Specify MFA authenticators, including the authenticator to use for RDP sign-in.
  • Add and configure the Microsoft RDP (MFA) app.
  1. Define the groups that will be used to authenticate:
    1. Sign in to your Okta tenant as an administrator.
    2. In the Admin Console, go to Directory > Groups.
    3. Click Add Group.
    4. Complete the fields in the Add group dialog and click Save.
    5. Add people to the group. See Users, groups, and profiles.
  2. Specify authentication:
    1. In the Admin Console, go to Security > Authenticators.
    2. From the Add Authenticator dialog, select an authenticator, for example Okta Verify.
    3. Configure factor-specific settings as appropriate.
    4. Once added, some authenticators can be further configured from the list of added authenticators by clicking Actions > Edit.

    Note: Okta recommends that, at a minimum, Okta Verify be specified.
  3. Configure enrollment:
    1. In the Admin Console, go to Security > Authenticators.
    2. Select the Enrollment tab.
    3. Click Add Multifactor Policy.
    4. Enter a Policy name and an optional Policy description.
    5. In the Assign to groups field, enter the name of the group created earlier.
    6. In the Effective factors section, select Required for each authenticator that must be enrolled.
    7. Click Create Policy.
    8. In the Add Rule dialog, define an appropriate rule and click Add Rule.
  4. Add and configure the Microsoft RDP (MFA) app:
    1. Sign in to your Okta tenant as an administrator.
    2. In the Admin Console, go to Applications > Applications > Add Application, search for Microsoft RDP (MFA), and then click Add.
    3. Enter a unique application label and click Next.
    4. Click Done when complete.

RDP sign-in can fail with the error message Multifactor Authentication Failed if a user attempts to RDP into a server that has the RDP agent installed using a Windows username that does not match a Microsoft RDP (MFA) app username.
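The username mismatch above is easy to catch before it turns into a help-desk ticket. The following Python script is an added example, not code from this Okta page or from the credential provider: it pulls the user assignments of the Microsoft RDP (MFA) app through Okta's Application Users API (GET /api/v1/apps/{appId}/users with an SSWS API token) and reports every account name that users would type at the RDP prompt but that has no matching app username. The org URL, API token and app ID are placeholders you supply; the embedded sample assignments and RDP logins are constructed for offline use; and the comparison rule (case-insensitive, with a leading DOMAIN\ prefix stripped) is an assumption for illustration, since the page only states that the usernames must match.

```python
"""Pre-flight check: do the Windows account names used for RDP match the
usernames assigned on the Okta Microsoft RDP (MFA) app?

Added example, not Okta's own tooling. The live fetch uses Okta's
Application Users API; everything else runs offline on constructed data.
"""
import json
import re
import urllib.request

# Constructed sample shaped like GET /api/v1/apps/{appId}/users responses:
# one assignment per user, app username under credentials.userName.
SAMPLE_APP_USERS = [
    {"id": "00u1example", "credentials": {"userName": "jdoe@corp.example.com"}},
    {"id": "00u2example", "credentials": {"userName": "asmith@corp.example.com"}},
    {"id": "00u3example", "credentials": {"userName": "bwong"}},
]

# Constructed sample of account names as users would type them at the RDP prompt.
SAMPLE_RDP_LOGINS = [
    "jdoe@corp.example.com",   # UPN form, matches the app username exactly
    "CORP\\asmith",            # DOMAIN\user form; app has asmith@corp.example.com
    "CORP\\bwong",             # DOMAIN\user form; app has plain "bwong"
    "tlee@corp.example.com",   # not assigned to the app at all
]


def normalize_login(login: str) -> str:
    """Canonical form for comparison (assumption for this example):
    lowercase, with any leading DOMAIN\\ prefix removed."""
    if "\\" in login:
        login = login.split("\\", 1)[1]
    return login.strip().lower()


def index_app_usernames(app_users: list) -> dict:
    """Map normalized app username -> Okta user id for every assignment."""
    index = {}
    for assignment in app_users:
        name = assignment.get("credentials", {}).get("userName")
        if name:
            index[normalize_login(name)] = assignment.get("id")
    return index


def find_mismatches(app_users: list, rdp_logins: list) -> list:
    """Return the RDP logins that would not match any app username.
    Each one is a candidate for the 'Multifactor Authentication Failed' error."""
    known = index_app_usernames(app_users)
    return [login for login in rdp_logins if normalize_login(login) not in known]


def _next_link(link_header: str):
    """Extract the rel="next" URL from an Okta Link header, if present."""
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return match.group(1) if match else None


def fetch_app_users(org_url: str, api_token: str, app_id: str) -> list:
    """Live variant: page through GET /api/v1/apps/{appId}/users.
    org_url, api_token and app_id are placeholders supplied by the caller."""
    url = f"{org_url.rstrip('/')}/api/v1/apps/{app_id}/users?limit=200"
    results = []
    while url:
        req = urllib.request.Request(
            url,
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            results.extend(json.load(resp))
            url = _next_link(resp.headers.get("Link"))
    return results


if __name__ == "__main__":
    # Offline run on the constructed samples; swap in fetch_app_users(...) for a live org.
    for login in find_mismatches(SAMPLE_APP_USERS, SAMPLE_RDP_LOGINS):
        print(f"no matching Microsoft RDP (MFA) app username for: {login}")
```

Run it against a list of the account names your users actually log on with; any line it prints is a user who will see Multifactor Authentication Failed until either the Windows account name or the app username is aligned.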