MFA / Conditional Access Policies not always being enforced when opening WVD

Tom 21 Reputation points
2020-11-04T08:30:09.973+00:00

We have set up a policy using a third-party control (DUO MFA) for our WVD environment. This seems to work fine when subscribing to the WVD feed for the first time in the Remote Desktop Client, but users are not prompted for MFA after that. We have set up the policy with the one-hour sign-in frequency as seen below, per the instructions here.

[image: 37453-image.png]

When checking the sign-in logs for this user, only the Windows sign-in on the laptop the user is starting the WVD application from is registered, as seen below. The user successfully logged onto the WVD host at 8:11:40 AM. The actual sign-in to WVD is not registered, and thus no CA policy and MFA is applied. Note that this user has had his laptop off all night and that the one-hour sign-in frequency control has been turned on for this policy from the very beginning. Users seem to be prompted for a refresh (and MFA) every day or every other day, but there seems to be no clear pattern. It is definitely not just the one-hour period of inactivity.

[image: 37404-image.png]

Is there any way to explain this? Have we misconfigured something?

Tags: Azure Virtual Desktop, Microsoft Entra ID

1 answer

  1. 2020-11-24T00:13:35.62+00:00

    @Tom, sign-in frequency does not control inactivity; it controls how old an authentication is allowed to be. If the devices are hybrid joined or Azure AD joined, then SIF measures how long it has been since the device unlock. Please take a look at [User sign-in frequency and multi-factor authentication](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency-and-multi-factor-authentication).

    Also, if custom controls are used (DUO MFA), we do not treat that control separately. If the device is unlocked with a password, that is good enough to satisfy the SIF control. In general, devices that are AAD joined or hybrid joined (devices that have a PRT) will see far fewer prompts, because we consider the device unlock a prompt in itself.

    Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.
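The two readings of a one-hour sign-in frequency that the question and the answer disagree about can be made concrete by running both over the same sign-in records. The script below is an added example, not code from the question, the answer or Microsoft. The record fields (createdDateTime, appDisplayName, isInteractive, conditionalAccessStatus, appliedConditionalAccessPolicies) follow the Microsoft Graph `signIn` resource so the functions can be pointed at an exported log, but the records, the policy name and the timestamps are constructed, and the models are simplifications: the "age of authentication" model counts any interactive record (the device unlock on a PRT-holding device, or an interactive prompt) as a fresh authentication, and the "inactivity" model resets its timer on any record at all.

```python
"""Added example: compare the two sign-in-frequency (SIF) models from the thread
over constructed sign-in log records shaped like the Microsoft Graph `signIn`
resource. Not code from the question, the answer or Microsoft."""
from datetime import datetime, timedelta, timezone
import json

SIF = timedelta(hours=1)                  # the one-hour SIF from the question
WVD_POLICY = "WVD - Require DUO MFA"      # constructed policy display name

# Constructed log for one user on one morning. "Windows Sign In" records are
# device unlocks on a hybrid-joined laptop (a device holding a PRT); the other
# records are the client's token requests for the WVD feed and session host.
SAMPLE_LOG = json.dumps([
    {"createdDateTime": "2020-11-04T08:11:40Z", "appDisplayName": "Windows Sign In",
     "isInteractive": True, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2020-11-04T08:20:05Z", "appDisplayName": "Windows Virtual Desktop Client",
     "isInteractive": False, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": WVD_POLICY, "result": "success",
          "enforcedSessionControls": ["signInFrequency"]}]},
    {"createdDateTime": "2020-11-04T09:05:00Z", "appDisplayName": "Windows Virtual Desktop Client",
     "isInteractive": False, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": WVD_POLICY, "result": "success",
          "enforcedSessionControls": ["signInFrequency"]}]},
    # Constructed case where the policy did not appear in the evaluation at all.
    {"createdDateTime": "2020-11-04T09:50:00Z", "appDisplayName": "Windows Virtual Desktop Client",
     "isInteractive": False, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2020-11-04T12:00:00Z", "appDisplayName": "Windows Sign In",
     "isInteractive": True, "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2020-11-04T12:10:00Z", "appDisplayName": "Windows Virtual Desktop Client",
     "isInteractive": False, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": WVD_POLICY, "result": "success",
          "enforcedSessionControls": ["signInFrequency"]}]},
])


def parse_time(s):
    """Graph createdDateTime values are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load(log_json):
    """Parse an exported sign-in log and order it chronologically."""
    return sorted(json.loads(log_json), key=lambda r: r["createdDateTime"])


def prompts_by_auth_age(records, sif=SIF):
    """The answer's model: a token request prompts when the newest interactive
    authentication (device unlock on a PRT device, or an interactive sign-in)
    is older than the SIF. Returns (timestamp, prompt_required) per request."""
    last_auth, out = None, []
    for r in records:
        t = parse_time(r["createdDateTime"])
        if r["isInteractive"]:
            last_auth = t            # unlock or prompt restarts the clock
            continue
        out.append((r["createdDateTime"], last_auth is None or t - last_auth > sif))
    return out


def prompts_by_inactivity(records, sif=SIF):
    """The model the question assumed: a prompt only after a full SIF window
    with no activity of any kind. Returns (timestamp, prompt_required)."""
    last_seen, out = None, []
    for r in records:
        t = parse_time(r["createdDateTime"])
        if not r["isInteractive"]:
            out.append((r["createdDateTime"], last_seen is None or t - last_seen > sif))
        last_seen = t                # any record counts as activity
    return out


def policy_coverage(records, policy_name):
    """For each token request, report how the named CA policy was evaluated,
    or "absent" when it does not appear in appliedConditionalAccessPolicies."""
    out = []
    for r in records:
        if r["isInteractive"]:
            continue
        hits = [p["result"] for p in r["appliedConditionalAccessPolicies"]
                if p["displayName"] == policy_name]
        out.append((r["createdDateTime"], hits[0] if hits else "absent"))
    return out


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    age, idle = prompts_by_auth_age(recs), prompts_by_inactivity(recs)
    cover = policy_coverage(recs, WVD_POLICY)
    print(f"{'request':22} {'age-of-auth':12} {'inactivity':12} policy")
    for (ts, a), (_, i), (_, c) in zip(age, idle, cover):
        print(f"{ts:22} {str(a):12} {str(i):12} {c}")
```

On the constructed log the 09:50 request is the one that separates the two models: only 45 minutes have passed since the previous request, so the inactivity reading never prompts, while the age-of-authentication reading prompts because the last device unlock was 1 h 38 min earlier; the 12:00 unlock then resets the clock for the 12:10 request. The `policy_coverage` column is the check to run first on a real export: a request on which the policy is "absent" was never evaluated against it, which is a scoping question rather than a session-lifetime one.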