Exclude MFA for Office applications inside WVD

Kavindu Dayananda 76 Reputation points


We have a requirement to exclude MFA while accessing Office applications inside WVD while users are logging in from our corporate network.

I know that we can exclude the WVD app/trusted locations from conditional access, and when we configure it like that, it will not prompt for MFA for WVD but will prompt for Office applications inside. Our requirement is that when users are logging in to WVD from their corporate network, they should not get an MFA prompt for any Office applications inside the WVD session.

All the session hosts have only private static IPs. Public IP (Internet) is dynamic.

Please advise.


Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

5 answers

  1. Marilee Turscak-MSFT 33,696 Reputation points Microsoft Employee

    You should be able to set up conditional access to exclude users from certain locations from the MFA policy while they are accessing certain applications using the steps in this article.

    The conditional access policies allow you to include or exclude users and allow you to select "mobile apps and desktop clients" based on locations. Is that what you are looking for?

    If it needs to be more granular than the options in that article, this may require a feature request in User Voice.


  2. Václav Kořánek SC 1 Reputation point

    Excluding a location is for static IPs. But the WVD public IP (Internet) is dynamic.


  3. Simon Burbery 546 Reputation points

    You can add an outbound NAT gateway to the network your AVD hosts are in. That gives you a known outbound IP you can then exclude from your MFA policy.


  4. Simon Burbery 546 Reputation points

    Maybe you could get an Intune device license for the host? Then make sure it is compliant and you can exclude compliant devices from your MFA policy. I am not sure what cost that would be in your region, but it should be closer to 10 than 40.


  5. Simon Burbery 546 Reputation points

    Well @Václav Kořánek SC I hope you realized before I did... turns out that when you assign a public IP to a VM, the VM will always use that IP outbound as well!! I did not know this until reading about gateways again today...

    Even if you had 5 AVD hosts, assigning each one a basic public IP and excluding these from MFA is cheaper than the NAT gateway solution.

    My public IP costs less than NZD$4 / month... that is the solution for small deployments.

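The approach from answers 3 and 5 (give the session hosts a known outbound IP, then exclude it from the MFA policy), written out as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell SDK and creates a new policy in report-only mode; the address `203.0.113.10` is a documentation-range placeholder and the display names are hypothetical.

```powershell
# Added example, not from the thread. Assumes the Microsoft.Graph module is
# installed and the signed-in admin is allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Placeholder: replace with the static public IP of the NAT gateway, or of each
# session host. Keep every entry a /32 so no other source address matches.
$egressCidrs = @('203.0.113.10/32')

# 1. Named location holding the AVD egress address(es), marked as trusted.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'AVD session host egress'      # hypothetical name
    isTrusted     = $true
    ipRanges      = @($egressCidrs | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $_ }
    })
}

# 2. MFA policy for Office 365 that does not apply to sign-ins from that location.
#    Report-only: results are logged for each sign-in but nothing is enforced yet.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA for Office 365 except AVD egress'   # hypothetical
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
        locations      = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Show what was created so the IDs can be checked against the sign-in logs.
$location | Select-Object Id, DisplayName
$policy   | Select-Object Id, DisplayName, State
```

Every sign-in that leaves through the excluded address skips this policy's MFA requirement, so the range should contain only the session hosts' egress IP. Any other Conditional Access policy that requires MFA for the same users and apps still prompts until it carries the same exclusion.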