Unable to use MFA with Azure Virtual Desktop

Miguel González Vigil 51 Reputation points
2022-06-06T08:55:05.427+00:00

Hey,

I'm unable to use Azure Virtual Desktop with an account with MFA enabled. When I enable MFA, after entering my credentials, I've got the following error:

"Your credentials do not work".

I firmly know the problem comes from MFA, because if I switch it off, I can log in perfectly fine.

I've tried creating a CA policy as Microsoft Learn suggests, but it doesn't work.

I raised a ticket with Microsoft Support, and they just provided me with a workaround: turn MFA off before logging in, and turn it on again once I'm already logged in.

Is there a permanent solution to use MFA for Azure Virtual Desktop?

FYI my environment is Azure AD joined, if it helps.

Thanks,

Best regards


Accepted answer
  1. Simon Burbery 691 Reputation points
    2022-07-22T10:11:23.29+00:00

    Right now I understand the situation:... =) firstly, you mentioned above that the CA policy was not working. If you can create CA policies then you should not have any users Enabled or Enforced in the per-user MFA portal - they must all be Disabled. The per-user settings you have configured are overriding the CA policy. If you remove the per-user settings, the CA policy will enforce MFA based on the policy settings (which excludes the Azure VM sign-in), rather than the reduced 'on/off' functionality of the per-user MFA settings. In your case the CA policy would apply to Admin roles rather than users or groups.
    When you first subscribe to AVD, you will be prompted for MFA, but when you log in to the VM, you will not.

    Secondly, basic security practices. There is no reason for you to log into AVD (or any endpoint for that matter!) with a Global Admin account or a Domain Admin account.
    Same goes for VPN, right? You should always log into your environment with a standard user account, then for Admin tasks elevate using your separate admin account. Then you wouldn't have this issue at all =)

    2 people found this answer helpful.

7 additional answers

Sort by: Most helpful
  1. Lee 26 Reputation points
    2022-06-11T00:15:20.54+00:00

    Make sure the Conditional Access is setup properly, especially the session time-out is ON for ALL of the rules.


  2. Miguel González Vigil 51 Reputation points
    2022-06-13T06:25:12.587+00:00

    @Lee :

    I created a CA policy according to Microsoft's documentation, but it's still not working...

    Talking about security, turning MFA off, logging in on a VM and turning MFA on again is a bad practice... it's not a good workaround...


  3. Simon Burbery 691 Reputation points
    2022-07-20T13:32:30.923+00:00

    You'll definitely want your AVD users to have Azure AD Premium P1 license so that you can use Conditional Access rather than per-user MFA. We recommend Business Premium as it also covers the usage rights and shared computer activation for Office, but if you are 'doing it on the cheap' and not using Office, then just pay the few dollars for each user to have Azure AD P1 so you can use CA. Or you could look at using 'Duo Authentication for Windows login' which does what you are looking for. Or you can use Intune so you can bypass MFA for Compliant devices.

    CA policies provide the required flexibility for scenarios like this, just exclude the 'Azure Windows VM sign in' app from the MFA policy as below. Users are prompted for MFA when they subscribe to AVD, which is then cached so it doesn't constantly annoy your users accessing your published apps & desktops. It doesn't make much sense to then prompt again when they launch the app (if that is really required for some reason then use the Duo agent). If a hacker is trying to get in, they need to subscribe first so will fail the MFA requirement at that stage.

    I agree though it would be great if MS developed a client similar to Duo that could provide this functionality - perhaps there is good reason why they haven't done it yet (e.g. blocked by legal process), or they've decided Windows Hello is your second factor for the Windows login screen... I imagine it is a significant development effort to integrate Azure MFA into the Windows login, but hey maybe they have it on the roadmap, or are already in the process of doing it. They are a company of many companies doing many different things; I'm sure the AVD team would've loved the OS team to have talked to the Azure AD team to have MFA integrated into the login from release! =)

    (attached image: 222659-remote-desktop-client.png)

    (attached image: 222771-exclude-azure-vm-login-from-mfa.png)


  4. Simon Burbery 691 Reputation points
    2022-07-21T15:38:29.397+00:00

    That is strange! Can you check the per-user console here - https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx

    Make sure all users 'Multi-Factor Auth Status' = 'Disabled'.
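The accepted answer and this reply describe two things to verify in the tenant: no user may still be Enabled or Enforced in the per-user MFA portal, and the Conditional Access policy that requires MFA should exclude the 'Azure Windows VM Sign-In' app. The script below is an added audit example written for this thread, not code from the thread's participants or from Microsoft. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account can read users and Conditional Access policies, and that the beta Graph endpoint `/users/{id}/authentication/requirements` (which reports `perUserMfaState`) is available; the VM sign-in app is looked up by display name rather than by a hard-coded app ID.

```powershell
# Added example for this thread: audit per-user MFA state and CA policy scope for AVD.
# Assumptions: Microsoft.Graph module installed; beta endpoint for per-user MFA state exists.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All",
                        "Policy.Read.All","Application.Read.All" -NoWelcome

# 1. Per-user MFA state. Anything other than 'disabled' overrides Conditional Access
#    for that user, which is the situation the accepted answer describes.
$overriding = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName) {
    # Beta resource (assumed): strongAuthenticationRequirements.perUserMfaState
    $req = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    if ($req.perUserMfaState -ne 'disabled') {
        [pscustomobject]@{ User = $u.UserPrincipalName; PerUserMfaState = $req.perUserMfaState }
    }
}
if ($overriding) {
    Write-Warning "These users still have per-user MFA set; CA policies will not govern them:"
    $overriding | Format-Table -AutoSize
} else {
    Write-Host "OK: no user has per-user MFA Enabled or Enforced."
}

# 2. Resolve the 'Azure Windows VM Sign-In' service principal by display name so the
#    script does not depend on remembering its app ID.
$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
if (-not $vmSignIn) {
    Write-Warning "No 'Azure Windows VM Sign-In' service principal found; it is created when Azure AD login is first enabled on a VM."
    return
}

# 3. For every enabled CA policy that requires MFA, report whether the VM sign-in app
#    is in scope and whether it has been excluded, which is what the screenshots show.
foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
    if ($p.State -ne 'enabled') { continue }
    if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }

    $apps       = $p.Conditions.Applications
    $inScope    = ($apps.IncludeApplications -contains 'All') -or
                  ($apps.IncludeApplications -contains $vmSignIn.AppId)
    $excluded   = $apps.ExcludeApplications -contains $vmSignIn.AppId

    $verdict = if ($inScope -and -not $excluded) {
        "WILL prompt at Windows logon - add the VM sign-in app to Exclude"
    } elseif ($inScope -and $excluded) {
        "OK - VM sign-in excluded, MFA still applies when subscribing to AVD"
    } else {
        "OK - VM sign-in not targeted by this policy"
    }
    [pscustomobject]@{ Policy = $p.DisplayName; Verdict = $verdict }
}
```

Run it as a reader of the tenant before changing anything; it only reports. If step 1 lists users, set them to Disabled in the per-user console linked above, and if step 3 reports a policy that "WILL prompt", add the VM sign-in app to that policy's excluded cloud apps so that MFA is still enforced at AVD subscription time but not a second time at the Windows logon screen.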

