Require MFA Prompt Again Inside AVD Session After Windows App Login

Question

Require MFA Prompt Again Inside AVD Session After Windows App Login

Robin Hitch 185

We are using the Windows App to connect to Azure Virtual Desktop (AVD) Entra authetication.

Current authentication flow:

Windows App → Password + MFA → Session Host → Desktop

Requirement / Question:

After users successfully authenticate to the Windows App using Password + MFA, we would like users to be prompted for MFA again when launching the AVD desktop/session host.

Expected flow:

Windows App → Password + MFA → Session Host → Password + MFA → Desktop

Could you please advise:

Is it possible to enforce a second MFA prompt after launching the AVD session host?
Can Conditional Access policies be configured to require MFA again inside the AVD session?
Are there any supported Microsoft recommendations or best practices for this scenario?
Does this require any third-party identity or security integration?

Rukmini 42,515 Reputation points Microsoft External Staff Moderator

2026-05-29T13:02:34.1666667+00:00

Hello @Robin Hitch This scenario is not supported by design in Azure Virtual Desktop with Microsoft Entra authentication. After the user signs in to the Windows App with Password + MFA, the authentication is completed and a token is issued. When the user launches the AVD session, the session host sign-in uses this token in a non-interactive flow, so it will not trigger another MFA prompt.

Conditional Access policies can enforce MFA for AVD access, however they are evaluated only during the initial sign-in to the service and not again during the Windows logon inside the session host. Because of this, it is not possible to configure CA to require MFA a second time within the same connection flow.

Regarding your test where Microsoft Entra SSO is set to Not configured, the “The logon attempt failed” behavior is expected in many cases. Password-based sign-in to Microsoft Entra joined session hosts has strict requirements (such as device state and allowed sign-in methods). Windows Hello (PIN) works because it satisfies strong authentication, whereas password-only attempts may fail depending on the configuration.

Overall, enforcing MFA both at Windows App sign-in and again inside the AVD session is not supported. The recommended approach is to use Microsoft Entra SSO with Conditional Access MFA, and if stricter control is required, use Sign-in frequency policies instead of attempting a second MFA prompt.
Robin Hitch 185 Reputation points

2026-05-29T13:07:26.85+00:00

Hi Rukmini,

Thanks for the reply and clarification.

2 answers

Your answer

Rukmini 42,515 Reputation points Microsoft External Staff Moderator

2026-05-29T13:02:34.1666667+00:00

Hello @Robin Hitch This scenario is not supported by design in Azure Virtual Desktop with Microsoft Entra authentication. After the user signs in to the Windows App with Password + MFA, the authentication is completed and a token is issued. When the user launches the AVD session, the session host sign-in uses this token in a non-interactive flow, so it will not trigger another MFA prompt.

Conditional Access policies can enforce MFA for AVD access, however they are evaluated only during the initial sign-in to the service and not again during the Windows logon inside the session host. Because of this, it is not possible to configure CA to require MFA a second time within the same connection flow.

Regarding your test where Microsoft Entra SSO is set to Not configured, the “The logon attempt failed” behavior is expected in many cases. Password-based sign-in to Microsoft Entra joined session hosts has strict requirements (such as device state and allowed sign-in methods). Windows Hello (PIN) works because it satisfies strong authentication, whereas password-only attempts may fail depending on the configuration.

Overall, enforcing MFA both at Windows App sign-in and again inside the AVD session is not supported. The recommended approach is to use Microsoft Entra SSO with Conditional Access MFA, and if stricter control is required, use Sign-in frequency policies instead of attempting a second MFA prompt.
Robin Hitch 185 Reputation points

2026-05-29T13:07:26.85+00:00

Hi Rukmini,

Thanks for the reply and clarification.

Answer 1

Rukmini 42,515 Microsoft External Staff Moderator

@Robin Hitch

This error can occur if you have configured a legacy per-user Enabled/Enforced Microsoft Entra multifactor authentication or the Security Defaults are active.

To fix the issue:

Remove the legacy per-user MFA setting or disable the Security Defaults. You can find detailed steps on how to do this in the Microsoft documentation: Disable or Enable per-user Microsoft Entra multifactor authentication to secure sign-in events,

Providing a default level of security in Microsoft Entra ID – Microsoft Entra | Microsoft Learn.

Resolving MFA-Related RDP Issues to Azure VMs

0 comments

Answer 2

hi Robin Hitch & thanks for join me here at Q&A portal,

with native AVD and Microsoft Entra authentication, you normally cannot force a clean second MFA prompt inside the same session launch after the user already passed MFA in Windows App. Conditional Access applies to the AVD sign-in flow and session frequency, not as a separate “MFA again at Windows desktop logon” step. Microsofts supported way is to enforce MFA for Azure Virtual Desktop using Conditional Access and tune sign-in frequency if u want users challenged more often https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa

If u enable AVD single sign-on, the session host uses the Entra token and the experience is intentionally seamless https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on

So the supported options looks like require MFA when connecting to AVD, reduce Conditional Access sign-in frequency,

require compliant device, trusted location, or authentication strength, disable SSO if you want users to type credentials again, but that still does not guarantee a second MFA prompt every time.

If the requirement is literally “MFA twice, once in Windows App and once again after session host launch”, that is not a normal supported AVD pattern with Entra Conditional Access alone. You would need a third-party MFA/credential provider inside the session host, but that adds complexity and is not the standard Msft recommendation.

rgds,

Alex

&

If my answer was helpful pls mark it and additional thx if u follow me at Q&A portal

Robin Hitch 185 Reputation points

2026-05-29T11:17:02.5833333+00:00

Hi Alex,

Thanks for the reply and clarification.

After setting the Host Pool RDP property "Microsoft Entra single sign-on" to Not configured, the password authentication fails with the error message: "The login attempt failed" when launching the AVD session.

However, if users sign in using the Windows PIN, the connection works .

Share via

Require MFA Prompt Again Inside AVD Session After Windows App Login

2 answers

Your answer