How to login to Azure AD joined AVD VMs with MFA configured from Hybrid Domain joined machines without Windows Hello / Hello for Business?

Question

I seem (not 100% certain this is the problem, so open to suggestions) to only be able to login to my Azure AD joined AVD VMs (with a conditional access policy enforcing MFA for offsite IP ranges) from end-points with Windows Hello enabled.

My company needs to be able to access Azure AD joined AVD VMs from Windows 10 AD joined end-points (laptops), with MFA configured for these connections if the end-point is off-site (i.e. not on a Ricardo LAN IP range) - which is the most common use-case. The Windows 10 AD joined endpoints are hybrid joined to the same Domain as the Azure AD Domain (via Azure AD Connect Sync).

 

From my research – Azure AD joined AVD VMs require Windows Hello (Strong Authentication) configured on the End-Point to pass-through the MFA claim to the AVD workstations. But, a significant number of our AD Servers are Windows Server 2012 with no plan to upgrade – so I think this means Windows Hello / Hello for Business will not be able to be configured for our on-prem Domain. Please confirm if this is correct?

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification

This page (https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa#azure-ad-joined-session-host-vms): 

Seems to suggest that if you cannot configure Windows Hello / Hello for Business, then you need to disable MFA in the conditional Access Policy for the Azure VMs for the login to succeed:

 

https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#enforce-conditional-access-policies

 

But, we cannot disable MFA for external access to the Azure AVD VMs – as this is against company security policy.

So, how is it possible for us to access these Azure AD joined AVD VMs from our legacy, hybrid  Domain Joined endpoints, if we cannot use Windows Hello / Hello for Business?

 

FWIW, I have (somehow?) been able to configure my Windows 11 laptop which is hybrid joined to the legacy AD Domain with Windows Hello Biometric and PIN login, even though it is not enabled on our Domain. You can see below, that Windows Hello login options are disabled – but I can login to my laptop and unlock the screen with either my face or a PIN and I can login to the Azure AD joined AVD VMs successfully from this end-point:

 

 

So this would suggest that there is a way to achieve this without Windows Hello / Hello for Business on the end-points and still be able to sign in to these Azure AD joined AVD VMs.

 

Would really appreciate some help on this, so thanks in advance for any advice/help offered...

Regards

Gary

Answer 1

Hello there,

Login to Azure VMs using Azure Active Directory Credentials.

Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs

Choose the right authentication method for your Azure Active Directory hybrid identity solution

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--