Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

  • Kissaki@programming.dev (OP) · 1 day ago

    If it can’t reach the IDP

    But also when being able to reach the IDP, no?

    I don’t see how being able to use passwords previous to the previous makes any sense even with that in mind.

    When the PC can connect to the IDP, I would expect it to validate against that one and only that one.