RobertCrane
Jan 16, 2020 (MVP)
Guidance on using WVD with MFA user accounts and Azure AD DS?
Is there any guidance out there on using WVD with MFA accounts?
I have a total cloud environment. No on-prem ever. Implemented Azure AD DS. Set up WVD. Working for users without MFA. But unable to...
HandA
Jan 16, 2020 (Brass Contributor)
If you have managed to deploy Windows Virtual Desktops (personal or pooled) using the portal or ARM templates, then they will become domain joined to Azure AD Domain Services. And if that process was successful then I am assuming you have the networking in place between your WVD VNET and your ADDS VNET (VNET peering required).
You will see the computer accounts of the WVD's in Azure ADDS if you use ADUC to connect.
When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client? If you do, that should have no bearing on it. We have that set up also.
What this might be is the Sync between Azure AD and ADDS. Try changing your password in Azure AD then wait for that to Sync to AADDS.
RobertCrane
Jan 16, 2020 (MVP)
>>When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client?
No I mean the VMs in the pool that are connected to Azure AD DS.
>>What this might be is the Sync between Azure AD and ADDS.
Sync reports as working and I know it works because if I disable a non-MFA user in Azure AD they can't access WVD VMs.
Do I need secure LDAP enabled?
- HandA, Jan 16, 2020 (Brass Contributor)
The sync report may be working, but in order for a user to sign into any service that uses AADDS the password hash has to be synced. For that to occur they need to change their password in Azure AD. If that's definitely been done then it's not that.
Do you have any conditional access policies with MFA?
- RobertCrane, Jan 16, 2020 (MVP)
>> For that to occur they need to change their password on Azure AD
Are you saying that after AADDS is set up all users have to reset their password so a hash gets generated and synced? Again, my non-MFA accounts haven't had a password change and they can login fine.
- HandA, Jan 16, 2020 (Brass Contributor)
That is my understanding, yes, as per the Microsoft document I sent. If ADDS was set up recently then there is a high possibility that a high proportion of users have not changed their password.
You can test this by dumping out user accounts and last password change to see if you get any sort of correlation.
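One way to run the check described above (dump the accounts with their last password change and see whether the users who cannot sign in are the ones who have not changed their password since the managed domain was created). This is an added example, not a script posted in the thread; it assumes the Microsoft.Graph PowerShell SDK, and the AADDS enablement date and the list of failing UPNs are placeholders to replace with your own values.

```powershell
# Added example (not from the thread). Lists users whose password was last changed before
# Azure AD DS was enabled, i.e. users for whom no password hash can exist in the managed domain.
# Requires the Microsoft.Graph.Users module and the User.Read.All permission.
Connect-MgGraph -Scopes "User.Read.All" | Out-Null

# Assumption / placeholder: the date the Azure AD DS managed domain was enabled.
$aaddsEnabled = Get-Date "2019-12-01"

# Constructed placeholder: UPNs of the MFA users reported as unable to sign in to the WVD hosts.
$failingUsers = @("mfa.user1@contoso.example", "mfa.user2@contoso.example")

$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, LastPasswordChangeDateTime |
    Select-Object UserPrincipalName, AccountEnabled, LastPasswordChangeDateTime,
        @{ Name = "HashSyncedToAadds";
           # A hash can only have reached AADDS if the password changed after the domain existed.
           Expression = { ($null -ne $_.LastPasswordChangeDateTime) -and
                          ($_.LastPasswordChangeDateTime -gt $aaddsEnabled) } },
        @{ Name = "ReportedFailing";
           Expression = { $failingUsers -contains $_.UserPrincipalName } }

# Correlation table: the group Name reads "<ReportedFailing>, <HashSyncedToAadds>".
# A strong "True, False" vs "False, True" split confirms the password-hash explanation.
$users | Group-Object ReportedFailing, HashSyncedToAadds |
    Select-Object Name, Count | Format-Table -AutoSize

# Detail for the failing accounts: HashSyncedToAadds = False means a password change is needed.
$users | Where-Object ReportedFailing | Sort-Object LastPasswordChangeDateTime |
    Format-Table UserPrincipalName, AccountEnabled, LastPasswordChangeDateTime, HashSyncedToAadds -AutoSize

# Keep the full dump for offline review.
$users | Export-Csv -Path ".\aadds-password-sync-audit.csv" -NoTypeInformation
```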
- RobertCrane, Jan 16, 2020 (MVP)
>>Do you have any conditional access policies with MFA?
Yes, but I'm accessing from a desktop that is using that same account. The non-MFA accounts are also subject to some conditional access policies.
What do I need to check or enable with CA if I know the login is working from my location already?
- gadmin285, Sep 22, 2020 (Brass Contributor)
Hi Robert. This is Joel. I am looking forward to implementing MFA for the WVD users; how can I achieve this? Is there any documentation available? Please let me know. RobertCrane