David, can I just clarify the Azure MFA side of things please? I think I may have gotten a little excited at the Azure MFA integration bit. I currently use Azure MFA Server alongside an RDP gateway. The MFA server pretty much provides the RADIUS proxy to Azure AD which in turn uses the NPS policies stored on the RD Gateway to gain access. I believe that setup will not work for this deployment of Guacamole.
What's needed is the Azure MFA NPS extension. https://docs.microsoft.com/en-gb/azure/active-directory/authentication/howto-mfa-nps-extension

I'm planning on setting up a new Windows server to run this extension from to test with Guacamole. I could potentially just run the Azure NPS Extension from our current Azure MFA box, but I don't want to affect anything running on that as it's currently production. If anyone's doing this already please do let me know.

Just to also confirm my previous question, do the Guacamole AD groups need to be the 'guacConfigGroup' object class, or just normal AD security groups?

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/