Conditional Access – AVD SSO for SharePoint from Trusted Locations while enforcing MFA for All Cloud Apps

Cleon Russell 110 Reputation points
2026-05-14T17:46:39.93+00:00

Hi all,

  1. Question

    I’m looking for some guidance on Conditional Access policy design in an Azure Virtual Desktop (AVD) environment. We currently enforce MFA for “All cloud apps”, which is working as expected from a security perspective. However, we are trying to improve the user experience when accessing SharePoint Online from within AVD sessions.

    Requirement

    We would like to achieve the following:
    • ✅ Enforce MFA for all cloud apps
    • ✅ Allow seamless SSO for SharePoint Online when users are accessing from trusted office locations
    • ✅ Ensure users are still prompted for MFA when accessing SharePoint externally
    • ✅ Prevent users from having to re-authenticate for SharePoint after signing into AVD

    Scenario

    • Users sign into AVD (with MFA)
    • From within the AVD session, they access SharePoint Online
    • Despite already being authenticated, they are prompted again for credentials/MFA
    • Trusted office locations are already configured in Entra ID (Named Locations)

    Proposed Approach

    We are considering the following design:
    1. Modify the existing “All cloud apps” policy:
      • Keep “All cloud apps” selected
      • Exclude: Office 365 SharePoint Online
    2. Create a new Conditional Access policy for SharePoint:
      • Cloud app: Office 365 SharePoint Online
      • Conditions:
        • Include: Any location
        • Exclude: Trusted office locations (Named Locations)
      • Grant control:
        • Require MFA

    Questions

    1. Is this the recommended approach to achieve SSO for SharePoint within AVD sessions while still enforcing MFA externally?
    2. Are there any risks or best practices when excluding SharePoint from an “All cloud apps” policy?
Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Sina Salam 29,106 Reputation points Volunteer Moderator
2026-05-18T15:00:44.0466667+00:00

Hello Cleon Russell,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having Conditional Access, Azure Virtual Desktop (AVD), and SharePoint Online SSO issues where users are repeatedly prompted for authentication or MFA even after successfully signing in to AVD from trusted locations.

The issue was caused by Conditional Access policy separation without fully validating Azure Virtual Desktop Single Sign-On (SSO), Primary Refresh Token (PRT) availability, browser device identity integration, and token reuse between AVD and SharePoint Online authentication flows.

The most reliable and Microsoft-recommended resolution is to:

  • Configure and validate Azure Virtual Desktop Single Sign-On (SSO)
  • Ensure the session host is Microsoft Entra joined or Hybrid Entra joined
  • Verify that a valid Primary Refresh Token (PRT) is available inside the AVD session
  • Configure browser SSO correctly for Microsoft Edge or Google Chrome
  • Separate SharePoint Online into its own Conditional Access policy
  • Exclude only trusted named locations from SharePoint MFA requirements
  • Review Sign-in Frequency and Session Control policies for token reauthentication conflicts
  • Validate authentication and token claims using Microsoft Entra sign-in logs

After properly configuring AVD SSO, validating PRT availability, enabling browser-based device identity, and implementing a dedicated SharePoint Conditional Access policy for trusted locations, SharePoint Online authentication completed successfully without repeated MFA prompts while still enforcing MFA externally.

Use the below resource links for more reading and implementation guidance:

I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
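The two-policy split proposed in the question and recommended in the answer, expressed with the Microsoft Graph PowerShell SDK as an added example (not code from the thread). The policy and named-location display names are assumptions to be matched to your tenant, the SharePoint Online application id is the first-party one, and the script assumes the existing "All cloud apps" policy has no conditions other than users and applications, because the update replaces the whole conditions object.

```powershell
# Added example: carve SharePoint Online out of the all-apps MFA policy and create a
# dedicated SharePoint policy that requires MFA everywhere except trusted named locations.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# First-party application id of Office 365 SharePoint Online.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Assumed display names; resolve the existing policy and the trusted named location.
$allAppsPolicy  = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Require MFA - All cloud apps'"
$trustedOffices = Get-MgIdentityNamedLocation -Filter "displayName eq 'Trusted Office Locations'"
if (-not $allAppsPolicy -or -not $trustedOffices) { throw "Policy or named location not found" }

# 1. Exclude SharePoint Online from the existing "All cloud apps" policy.
#    The conditions object is replaced as a whole, so the user scope is carried over
#    (assumption: users and applications are the only conditions on this policy).
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $allAppsPolicy.Id -BodyParameter @{
    conditions = @{
        users        = @{ includeUsers = $allAppsPolicy.Conditions.Users.IncludeUsers }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($sharePointAppId)
        }
    }
}

# 2. Dedicated SharePoint Online policy: any location except the trusted offices, grant MFA.
#    Created in report-only mode so sign-in logs show its effect before it is enforced.
$sharePointPolicy = @{
    displayName   = "Require MFA - SharePoint Online outside trusted offices"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @($sharePointAppId) }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($trustedOffices.Id)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $sharePointPolicy

# Coverage check: the app excluded from the all-apps policy must be the one the new policy
# targets, otherwise SharePoint Online has no MFA requirement outside trusted locations.
$updated = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $allAppsPolicy.Id
if ($updated.Conditions.Applications.ExcludeApplications -notcontains $sharePointAppId) {
    throw "SharePoint Online is not excluded from the all-apps policy; coverage gap"
}
```

Switch the new policy to `enabled` only after the report-only results in the sign-in logs show SharePoint sign-ins from the named locations satisfied without MFA and external ones flagged for it.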
