Forum Discussion
PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs
- Jul 15, 2021
End-to-end single sign-on is definitely something we are working on but isn't available in the first release due to the protocol we are using. We know how important that feature is.
Peter Meuser, RobHyde, Nikonline, jmh_7, PhillipHamlyn, Chris_Gilles_1337 I see that you've all been discussing MFA for this solution. First, I appreciate the discussion and feedback. I will be updating the main documentation to call out how to configure MFA, which is essentially what you've figured out. The general recommendation is to enable the CA policy on the Windows Virtual Desktop app and disable it from the Azure Windows VM Sign-In app. MFA will still be triggered as needed when traversing the gateway.
Rob's method to exclude specific VMs might work but I haven't tested it yet so can't officially recommend it.
David, this solution doesn’t seem to comply with the Microsoft Partner Agreement security standards.
I didn't have the time to test the solution on my end yet, but this is a long-awaited feature that we will start to deploy as soon as it is GA.
As stated in this article, all sign-ins must be MFA:
https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq
Can conditional access be used to meet the MFA requirement?
Yes, you can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner we need to ensure that each user has an MFA challenge for every single authentication. This means you won't be able to use the feature of conditional access that circumvents the requirement for MFA.
Can you confirm whether you have any plans to support Windows Hello/full SSO support without MFA exceptions? If the only way planned to sign in is to exclude the app in the conditional access, are we still compliant as a Microsoft Partner?
Thank you!
- CloudMcStuffins, Jul 29, 2021, Copper Contributor
So after exempting Azure Windows VM Sign-In from our CA MFA policy I'm still seeing the security error when using the web login as well as the 'error' using the Windows desktop app.
- CloudMcStuffins, Jul 29, 2021, Copper Contributor
Ok, so I'm in the same boat with the 'security error'. I'm using an account that is excluded from MFA but no dice.
- DavidBelanger, Jul 26, 2021, Microsoft
fmartel MFA is already supported with this solution. You do have to configure it on the "Windows Virtual Desktop" app and not the "Azure Windows VM Sign-In" app. I updated the documentation here to call this out: https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm#enabling-mfa-for-azure-ad-joined-vms
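The PowerShell below is an added example, not code from the thread, from Microsoft, or from the linked documentation. It applies the split David describes with the Microsoft Graph PowerShell SDK: it first audits every enabled Conditional Access policy for an MFA grant that still reaches the Azure Windows VM Sign-In app (which is what breaks sign-in to Azure AD joined VMs), then creates a report-only policy that requires MFA on the Windows Virtual Desktop app so the challenge happens at the gateway. The module and Graph permissions, the helper names Get-FirstPartyApp and Find-VmSignInMfaConflicts, the policy display name, and resolving the two first-party apps by the display names used in the thread are all my assumptions; the Windows Virtual Desktop service principal may carry a different display name in newer tenants.

```powershell
# Added example (not from the thread or Microsoft's docs). Assumes the Microsoft.Graph
# module is installed and the signed-in admin holds Policy.Read.All,
# Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Hypothetical helper: resolve a first-party app by display name instead of hard-coding an app ID.
function Get-FirstPartyApp {
    param([Parameter(Mandatory)][string]$DisplayName)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
    if (-not $sp) {
        throw "Service principal '$DisplayName' not found; the display name may differ in this tenant."
    }
    return $sp
}

$avdApp     = Get-FirstPartyApp -DisplayName 'Windows Virtual Desktop'   # where MFA should be required
$vmLoginApp = Get-FirstPartyApp -DisplayName 'Azure Windows VM Sign-In'  # must stay free of an MFA grant

# Step 1 (audit): flag enabled policies whose MFA grant reaches Azure Windows VM Sign-In,
# either through "All" cloud apps or by naming it, without excluding it.
function Find-VmSignInMfaConflicts {
    param([Parameter(Mandatory)][string]$VmLoginAppId)
    $conflicts = @()
    foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
        if ($p.State -ne 'enabled') { continue }
        $apps        = $p.Conditions.Applications
        $requiresMfa = @($p.GrantControls.BuiltInControls) -contains 'mfa'
        $reachesVmLogin = (@($apps.IncludeApplications) -contains 'All' -or
                           @($apps.IncludeApplications) -contains $VmLoginAppId) -and
                          -not (@($apps.ExcludeApplications) -contains $VmLoginAppId)
        if ($requiresMfa -and $reachesVmLogin) { $conflicts += $p }
    }
    return $conflicts
}

foreach ($p in (Find-VmSignInMfaConflicts -VmLoginAppId $vmLoginApp.AppId)) {
    Write-Warning ("Policy '{0}' ({1}) forces MFA on Azure Windows VM Sign-In; exclude app {2} " +
                   "from it or sign-in to Azure AD joined VMs will fail.") -f $p.DisplayName, $p.Id, $vmLoginApp.AppId
}

# Step 2 (enforce at the gateway): require MFA on the Windows Virtual Desktop app only.
# Created in report-only state so sign-in logs can be reviewed before switching to 'enabled'.
$policyBody = @{
    displayName   = 'Require MFA - Windows Virtual Desktop'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($avdApp.AppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$newPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
Write-Host "Created policy '$($newPolicy.DisplayName)' ($($newPolicy.Id)) in state $($newPolicy.State)"
```

Run the audit half first: the "security error" reported later in this thread after excluding the app from one policy is exactly the case where a second, broader "All cloud apps" policy still carries the MFA grant, which the audit loop surfaces by policy name and ID.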
- jonwbstr24, Jul 26, 2021, Iron Contributor
You put a lot of effort into pointing out that MFA is something Microsoft wants everyone to use.
I'm not David but can assure you that:
Yes, Microsoft wants everyone to use MFA and that is probably one of the big reasons the feature is not intended for production use at this time.
Yes, it will support MFA when it is production ready.