Remote Desktop APP & MFA

Denis Saric 0 Reputation points
2024-07-03T07:05:00.5666667+00:00

Hi,

We are currently working on our Conditional Access rules for mobile work and are observing a strange behavior with the Remote Desktop app.

Situation: Remote Site, untrusted Network

  1. At first connect to AVD, it asks as expected for Username/Password + MFA
  2. After a reboot or closing the application, he only needs Username/Password. He doesn't ask again for MFA. Never again.

Based on our CA_Rule, he has to ask every time for MFA if he comes from any untrusted network.

Does anyone have an idea what we did wrong?

Condition: Any Network - exclude trusted + All Client Apps

Grant: Access req MFA

Session: Sign in frequency - Every Time

Thank you all,

Denis


1 answer

  1. kobulloc-MSFT 26,811 Reputation points Microsoft Employee Moderator
    2024-07-03T17:10:12.93+00:00

    Hello, @Denis Saric !

    Why am I not being prompted for MFA after reboot or closing Microsoft Remote Desktop when using Conditional Access?

    A sign-in frequency of Every time is currently in preview and will prompt you to reauthenticate after a period of 5 to 15 minutes after the last time you authenticated from the app rather than on each login. This means that a quick restart or closing the app will not necessarily prompt reauthentication:

    https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd#configure-sign-in-frequency

    The Every time option is currently available in preview and is only supported when applied to the Microsoft Remote Desktop and Windows Cloud Login apps when single sign-on is enabled for your host pool. If you select Every time, users are prompted to reauthenticate after a period of 5 to 15 minutes after the last time they authenticated for the Microsoft Remote Desktop and Windows Cloud Login apps.

    Additionally, if you are using the Windows client, ensure that you have your Conditional Access policy configured on the Windows Cloud Login Entra ID app, as AVD has started migration to this app from the Microsoft Remote Desktop app.


    I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

    If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

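An added example, not part of the question or the answer above and not Microsoft's code: a check over a policy in the Microsoft Graph `conditionalAccessPolicy` JSON shape for the two points the answer raises, the Every time behaviour and whether Windows Cloud Login is targeted. The sample policy is constructed (that it targets only Microsoft Remote Desktop is an assumption), and the two application IDs are the well-known first-party IDs, to be confirmed in your own tenant.

```python
# Well-known first-party app IDs (assumption: confirm them in your own tenant).
REMOTE_DESKTOP = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"  # Microsoft Remote Desktop
CLOUD_LOGIN = "270efc09-cd0d-444b-a71f-39af4910ec45"     # Windows Cloud Login

def audit_policy(policy):
    """Return findings for one policy in Graph conditionalAccessPolicy JSON shape."""
    findings = []
    cond = policy.get("conditions") or {}
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    grant = policy.get("grantControls") or {}
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, so the policy is not enforced")
    if "mfa" not in (grant.get("builtInControls") or []):
        findings.append("grant controls do not require MFA")
    if sif.get("isEnabled") and sif.get("frequencyInterval") == "everyTime":
        findings.append("Every time: reauthentication is prompted only once 5 to 15 "
                        "minutes have passed since the last authentication")
    else:
        findings.append("sign-in frequency is not set to Every time")
    if "All" not in apps:  # "All" targets every resource
        if CLOUD_LOGIN not in apps:
            findings.append("Windows Cloud Login is not targeted (used by the Windows client)")
        if REMOTE_DESKTOP not in apps:
            findings.append("Microsoft Remote Desktop is not targeted")
    return findings

# Constructed sample modelled on the policy described in the question.
SAMPLE = {
    "displayName": "CA_Rule (constructed)",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": [REMOTE_DESKTOP]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}},
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print("-", finding)
```

Whether single sign-on is enabled on the host pool, which the quoted documentation also requires for Every time, is not visible in the policy object and has to be checked on the host pool itself.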
