Forum Discussion
RobertCrane
Jan 16, 2020 MVP
Guidance on using WVD with MFA user accounts and Azure AD DS?
Is there any guidance out there on using WVD with MFA accounts?
I have a total cloud environment. No on-prem ever. Implemented Azure AD DS. Set up WVD. Working for users without MFA. But unable to...
- Jan 16, 2020
That is my understanding, yes, as per the Microsoft document I sent. If AADDS was set up recently then there is a high possibility that a high proportion of users have not changed their password.
You can test this by dumping out user accounts and last password change to see if you get any sort of correlation.
RobertCrane
Jan 16, 2020 MVP
And also, the workstations are AD joined, I get that, but are they Azure AD joined? Do I have to do some sort of 'hybrid' install so the Win 10 desktops support Azure AD and normal AD?
- HandA Jan 16, 2020 Brass Contributor
If you have managed to deploy Windows Virtual Desktops (personal or pooled) using the portal or ARM templates, then they will become domain joined to Azure AD Domain Services. And if that process was successful then I am assuming you have the networking in place between your WVD VNET and your AADDS VNET (VNET peering is required).
You will see the computer accounts of the WVDs in Azure AD DS if you use ADUC to connect.
When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client? If you do, that should have no bearing on it. We have that set up also.
What this might be is the sync between Azure AD and AADDS. Try changing your password in Azure AD, then wait for that to sync to AADDS.
- RobertCrane Jan 16, 2020 MVP
>>When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client?
No I mean the VMs in the pool that are connected to Azure AD DS.
>>What this might be is the sync between Azure AD and AADDS.
Sync reports as working, and I know it works because if I disable a non-MFA user in Azure AD they can't access the WVD VMs.
Do I need secure LDAP enabled?
- HandA Jan 16, 2020 Brass Contributor
The sync report may be working, but in order for a user to sign in to any service that uses AADDS, the password hash has to be synced. For that to occur they need to change their password in Azure AD. If that's definitely been done then it's not that.
Do you have any Conditional Access policies with MFA?
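Putting the check suggested in the two HandA replies above into a script, as an added example that is not part of the thread: it lists the enabled users whose last Azure AD password change predates the date Azure AD DS was enabled for the tenant, which is the set that will not yet have a password hash in the managed domain and so cannot sign in to AADDS-joined WVD hosts until they change it. It assumes the MSOnline module (Get-MsolUser exposes LastPasswordChangeTimestamp and BlockCredential) and that you supply the AADDS enablement date; the default date and the output path in the script are placeholders.

```powershell
# Added example, not code from the thread. Assumes the MSOnline module
# (Connect-MsolService / Get-MsolUser). $AaddsEnabledOn is an assumed
# placeholder: set it to the date Azure AD DS was enabled in your tenant.
param(
    [datetime]$AaddsEnabledOn = [datetime]'2020-01-01',   # assumption, edit before use
    [string]$ReportPath = '.\aadds-password-sync-check.csv'
)

Import-Module MSOnline
Connect-MsolService

# A password hash is only written to the managed domain when the user
# changes their password after AADDS was enabled, so anyone whose last
# change is older than that date has no usable credential in AADDS.
$users = Get-MsolUser -All |
    Where-Object { -not $_.BlockCredential } |          # skip sign-in-blocked accounts
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp,
        @{ Name = 'HashLikelyInAadds'
           Expression = { $_.LastPasswordChangeTimestamp -ge $AaddsEnabledOn } }

# Keep a full record for correlation against who can and cannot reach WVD.
$users | Sort-Object HashLikelyInAadds, LastPasswordChangeTimestamp |
    Export-Csv -Path $ReportPath -NoTypeInformation

$notSynced = @($users | Where-Object { -not $_.HashLikelyInAadds })
'{0} of {1} enabled users last changed their password before {2:d}; they must change it in Azure AD before they can sign in to AADDS-joined hosts.' -f `
    $notSynced.Count, @($users).Count, $AaddsEnabledOn
$notSynced | Format-Table UserPrincipalName, LastPasswordChangeTimestamp -AutoSize
```

Compare the listed users against the accounts that cannot sign in to the WVD pool: if the two sets line up, the cause is the missing hash rather than MFA, and a forced password change for those users is the fix. Users flagged as synced but still failing are the ones worth checking for a Conditional Access policy requiring MFA.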