Forum Discussion

ATSI's avatar
ATSI
Copper Contributor
Aug 02, 2021

Windows 365 / Azure Virtual Desktop MFA Not Being Enforced?

Was doing some tests today using an AAD user that has enforced MFA:

 

  • Connecting to AVD VM using MFA Enabled AAD credentials... doesn't work
    • VM using the AAD auth preview
    • If I disable MFA enforcement it works fine
  • Connecting to a Windows 365 PC using MFA Enabled AAD credential... works
    • Brand new VM spun up today
    • Works with MFA enforcement and without

For the actual RD session that connects via RD Gateway, it doesn't look like MFA is in use.  And, for W365, it looks like it's actually bypassing the MFA enforcement.

 

Is this accurate?  

3 Replies

    • ATSI's avatar
      ATSI
      Copper Contributor
      Aug 03, 2021

      Steven DeQuincey 

       

      I've tested this quite a bit now...

       

      For a WVD Windows 10 VM:

      • MFA disabled, I can login without issue
      • MFA Enabled, I cannot login
      • Conditional MFA Enabled, I cannot login

      For a Windows 365 VM:

      • I can login regardless of whether or not MFA is enabled, a MFA prompt doesn't happen

      I'm comparing this to local RDS or an RDS in Azure where authentication can be configured to require MFA, forcing a prompt on the Authenticator app to connect. I'm pretty sure W365 is bypassing MFA and am under the impression RD Gateway in WVD/W365 doesn't actually support MFA.  

      • ATSI's avatar
        ATSI
        Copper Contributor
        Aug 04, 2021

        I think I might have sorted myself out:

         

        • https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm
          • Only works by default if the connecting machine is aad joined , hybrid aad joined, or registered to the same aad tenant
          • Need to also add targetisaadjoined:i:1 if you want to access via a web client or a non-aad machine
        • https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required
          • Only works if you are excluding "Azure Windows VM Sign-In" from MFA so that a machine not using Windows Hello for Business can connect

        I'm guessing that means W365 has all this setup to bypass these requirements.  Still doesn't completely make sense to me why it works when a user has MFA enforced...

Resources