Windows Virtual Desktop and Passwordless

Oscar 142 Reputation points
2020-08-21T12:17:51.76+00:00

Hello,

Does anyone know which deployment is best for Microsoft Azure Windows Virtual Desktop to use the Microsoft Azure Passwordless solution?

Our setup is:

  1. We run an MS Enterprise Agreement for Azure AD Premium P1
  2. All end-user devices are Azure AD joined only, managed via Intune MDM
  3. All end-user devices are connected to the public network only
  4. All users have an EMS E3 license
  5. A VPN link runs between on-prem AD and Azure AD
  6. On-prem AD users are synced via Azure AD Connect
  7. AD FS 3.0

We would like to avoid deploying Hybrid Windows Hello for Business if possible, because we plan to phase out AD FS.

It would be great to understand:
A) What is supported now with Passwordless for WVD?
B) What are future plans for Passwordless for WVD?

Tags: Azure Virtual Desktop (previously known as Windows Virtual Desktop), Microsoft Entra ID (replaces Azure Active Directory)

4 answers

  1. Oscar 142 Reputation points
    2020-08-26T09:12:55.693+00:00

    @MarileeTurscak

    Hello Marilee,

    I have asked the same question of MS Support, and the answer was that with our setup, where end-user devices don't have connectivity to the on-prem network, there is no Passwordless solution other than Windows Hello for Business.

    It is very interesting that MS releases three new features, but then there are a lot of dependencies or missing integrations:

    Passwordless;
    Windows Virtual Desktop;
    The transition from federation to cloud authentication;

    But as a result, we cannot use the last one and plan to remove AD FS, because WVD requires Windows Hello for Business and WHFB deployment requires AD FS.


  2. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-08-21T23:48:56.167+00:00

    Microsoft Authenticator passwordless phone sign-in is supported by Windows Virtual Desktop. You don't need to do anything special to make it work since it's already built-in. You just need to enable it in Azure AD in Authentication Methods.


    To find out about future plans you can check the Authenticator blogs on TechNet and the Passwordless sign-in documentation.

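The answer above says the method only has to be enabled under Authentication Methods. The following is an added example, not code from the original thread or from Microsoft, showing how to do that with the Microsoft Graph PowerShell SDK and how to check who has actually registered phone sign-in afterwards. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to the Policy.ReadWrite.AuthenticationMethod and AuditLog.Read.All scopes, and that the pilot group id is a placeholder to be replaced.

```powershell
# Added example (not from the original thread): enable Microsoft Authenticator
# passwordless phone sign-in via Microsoft Graph PowerShell, then report which
# users have actually registered the passwordless method.
# Assumptions: Microsoft.Graph SDK installed; the admin can consent to the scopes
# below; $pilotGroupId is a placeholder, not a real group in any tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "AuditLog.Read.All"

# 1. Inspect the current state of the Microsoft Authenticator method policy.
$current = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "MicrosoftAuthenticator"
"Current state: $($current.State)"

# 2. Enable the method. Scoping to a pilot group is safer than "all_users";
#    switch the target id to "all_users" once the pilot is done.
#    authenticationMode "any" allows both push approval and phone sign-in.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace
$body = @{
    "@odata.type"  = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"
    state          = "enabled"
    includeTargets = @(
        @{
            targetType             = "group"
            id                     = $pilotGroupId
            isRegistrationRequired = $false
            authenticationMode     = "any"
        }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" `
    -BodyParameter $body

# 3. Enabling the method only makes it available. Users still have to set up
#    phone sign-in in the Authenticator app, so list who has and who has not;
#    a user without "microsoftAuthenticatorPasswordless" will keep seeing a
#    password prompt regardless of the policy.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$details |
    Select-Object UserPrincipalName,
        @{ n = "PasswordlessAuthenticator"
           e = { $_.MethodsRegistered -contains "microsoftAuthenticatorPasswordless" } },
        IsMfaCapable, IsPasswordlessCapable |
    Sort-Object PasswordlessAuthenticator -Descending |
    Format-Table -AutoSize
```

Two caveats for anyone following the thread. First, this policy change is tenant-wide once the target is "all_users", which is why the example starts with a group. Second, the policy governs only the Azure AD sign-in to the Windows Virtual Desktop feed; the session host logon against an on-premises AD DS domain is a separate credential exchange that this setting does not touch, which matches what the asker reports further down.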

  3. Oscar 142 Reputation points
    2020-08-24T09:41:24.17+00:00

    @MarileeTurscak

    Hello Marilee,

    I do have Microsoft Authenticator passwordless phone sign-in enabled for my account, but still, I receive a password prompt when running WVD.

    Can you please explain the scenario for your answer? Is it maybe only if the "Azure AD user account" and "WVD" are fully cloud-only, i.e. with no on-prem AD Connect sync + AD FS setup?


  4. Oscar 142 Reputation points
    2021-03-04T10:05:15.93+00:00

    Hello,

    So far my research stops at Microsoft:

    1. Logging in to the WVD app (web/desktop) can be done using Passwordless
    2. Apps, that are published from on-premise AD domain, ask for domain credentials
    3. The authentication traffic goes to and ends in "rdweb.wvd.microsoft.com", but this is not our domain, therefore we receive an authentication prompt

    The solution from Microsoft to deploy WHFB works, but it requires a VPN connection from my client's PC to the domain; we don't have a VPN and don't want to deploy one.
