Azure Virtual Desktop Authentication

Question

Azure Virtual Desktop Authentication

Rajitha Wickramasinghe 6

Firstly, all your advice and recommendations are greatly appreciated.

This seems to be a common issue but I dont seem to be able to get it to work.

I've deployed a Virtual Desktop on Azure and all is well long as the MFA is disabled for the user.

Excluding the user from the CA policy doesnt work either.

I have selected "All Cloud Apps" and excluded Azure Virtual Desktop and Azure Windows VM sign in.

How do I make sure that authentication works while having MFA turned on?

2 answers

Your answer

Answer 1

Here's how to create a Conditional Access policy that requires multi-factor authentication when connecting to Azure Virtual Desktop:
Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
In the search bar, type Azure Active Directory and select the matching service entry.
Browse to Security > Conditional Access.
Select New policy > Create new policy.
Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
Under Assignments, select Users or workload entities.
Under the Include tab, select Select users and groups and tick Users and groups. On the right, search for and choose the group that contains your Azure Virtual Desktop users as group members.
Select Select.
Under Assignments, select Cloud apps or actions.
Under the Include tab, select Select apps.
On the right, select one of the following apps based on which version of Azure Virtual Desktop you're using.

Also, to know about Virtual Desktop Cloud, visit CloudDesktopOnline.

Answer 2

Lee Hubble 15

Hi Rajitha

To use MFA with Azure Virtual Desktop, you need to ensure that Per-User MFA is disabled for any user attempting to sign in and instead use only conditional access.

Enforce Azure Active Directory Multi-Factor Authentication for Az ure Virtual Desktop using Conditional Access

Per-User MFA is not compatible with Virtual Desktop as mentioned in this artictle: Azure AD joined session host VMs

Many thanks
Lee

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Rajitha Wickramasinghe 6 Reputation points

2023-03-04T05:33:02.66+00:00

Thanks Lee but apologies if this is a silly question.
We have a standard policy where all users need to authenticate via a OTP using the MFA policy. If I disable per user, does it not then request for 2FA for other logins?
Rajitha Wickramasinghe 6 Reputation points

2023-03-06T16:05:06.5+00:00

@Lee Hubble Thanks for the support. Had to play around the CA policy a bit but basically, the MFA prompts and allows the VD access.
Lee Hubble 15 Reputation points

2023-03-10T13:56:44.53+00:00

Sorry for not getting back to you sooner. I'll mention for anyone else that stumbles upon this, in the Conditional Access policy you need to include the 'Azure Virtual Deskop' app but exclude "Azure Windows VM Sign-In". You also need to turn off per-user in link below and enable modern authentication for the accounts signing into Azure Virtual Desktop. https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?BrandContextID=O365
KarishmaTiwari-MSFT 20,762 Reputation points Microsoft Employee Moderator

2023-03-30T06:56:07.71+00:00

Thanks for sharing the resolution for others.

Share via

Azure Virtual Desktop Authentication

2 answers

Your answer