Forum Discussion
AVD with AAD only support with MFA from a device not associated with the same tenant?
Hi ShawnMaiberger,
So unfortunately I am unable to completely replicate your experience. Or maybe I am misunderstanding how you are prompted? We have configured a session timeout, but when it is reached and I try to reconnect to my VM I just get an error message "Couldn't connect" as per the image below. The only way to connect to the VM again is to unsubscribe and subscribe to the same workspace. This seems like too much of a hassle for the everyday user and is as such not a valid scenario.
When I click the Workspace details button I see that "We need your sign in information to refresh this feed. Click refresh to get started." - but nothing happens when I click refresh.
Just to clarify, I have 1 CA policy with require MFA for everyone but have excluded "Azure Windows VM Sign-In".
Any thoughts?
BR
Theodor
TheodorBrander That's definitely not the behavior I'm getting. I created and annotated a video with what I get for you here, so you can see how it works for me. https://www.youtube.com/watch?v=cuSXPkCJlKo
The video starts with me having an invalid token (it's been > 1 hour since I last had a desktop connected), as you can see from the details tab. Instead of clicking refresh, I just try to open a desktop, and get the expected 2FA prompt, followed by the RDP connection's U/P (since you'll always get U/P prompt in this configuration). Then I show that after disconnect, I can refresh the feed and launch the desktop again without prompt, since doing the 2FA on desktop launch successfully refreshed my token for an hour.
Alternatively (not shown), the opposite order works. If it's been more than an hour and I see my last refresh was not successful, I can click refresh on the feed first, and get a prompt for 2FA when doing that. Then once I do that, I do not get a 2FA prompt on launching the desktop, since I have a valid token for 1 hour for anything I do with that identity within the Remote Desktop app.
My gut instinct says there's something being applied at the Conditional Access policy that isn't quite matching, i.e. being applied too broadly. There are multiple services involved, and I'm thinking that maybe doing an include all, exclude only on VM sign-in might be causing some issues with the feed refresh. I know back in WVD classic, for example, there was a separate entry for both the desktop and the feed both on the AVD side, separate from the VM sign-in on the Azure VM side. So there may be some other services your policy is applying to since you're doing all by default that are making things not quite work as expected.
What you might try doing is setting your Cloud apps or actions as a test to exclude: none, include: only Windows Virtual Desktop (make sure it's the same GUID as the one below, as there are a few for AVD classic as well that aren't the ones you want).
The following are my CAP settings that lead to the results as in the video:
Users or workload identities settings
Cloud apps or actions settings
Grant settings
Session settings
Also, what version of the AVD client are you using? I don't think it should matter, but I'm on the latest, 1.2.2687.0.
- TheodorBrander, Dec 08, 2021, Copper Contributor
Thank you for your reply ShawnMaiberger! Unfortunately, I do not know where I messed up (or if there is some other problem/root cause). So, I have now downloaded the latest version of the Remote Desktop app and changed it so that I only have 1 CAP, identical to what you have below. But no cigar. I still have the issue where, after the time-out is reached, the error message I posted earlier ("We need your sign in information to refresh this feed.") appears and I am unable to log in without unsubscribing and then resubscribing.
I have looked through the sign-in logs in Azure Active Directory and the only two entries I have are from "Azure Virtual Desktop Client" when I subscribe and then from "Windows Sign In" during the RDP authentication. I thought it might be something with my devices being enrolled in Intune, so I created some new Session Hosts that were not enrolled, but yeah - still no change. Maybe MS support next?
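Added example (not code from this thread, from Microsoft, or from any AVD tooling): a small Python triage of sign-in log records, following the step described above of reading the Azure AD sign-in logs. It groups entries by application and resource, lists the Conditional Access results the policy produced for each, and flags any resource outside the intended AVD/VM sign-in scope where the policy still enforced MFA, which is the "applied too broadly" symptom suspected earlier in the thread. Field names follow the Microsoft Graph signIn resource; all three records, including the resource named "Constructed Resource B", are constructed sample data, and the policy name is an assumption.

```python
"""Triage Azure AD sign-in log entries to see which resources a Conditional
Access policy actually matched, and whether it enforced MFA there.

The records below are CONSTRUCTED sample data shaped like the Microsoft Graph
`signIn` resource (appDisplayName, resourceDisplayName,
conditionalAccessStatus, appliedConditionalAccessPolicies); they are not a
real export. Real input would be an export of the tenant's sign-in logs.
"""
from collections import defaultdict

POLICY = "Require MFA for everyone"  # assumed name of the single CA policy

SAMPLE_SIGNINS = [
    {   # Workspace subscription: the AVD client gets a feed token, MFA enforced
        "createdDateTime": "2021-12-08T09:00:00Z",
        "appDisplayName": "Azure Virtual Desktop Client",
        "resourceDisplayName": "Windows Virtual Desktop",
        "conditionalAccessStatus": "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY, "result": "success",
             "enforcedGrantControls": ["Mfa"]},
        ],
    },
    {   # RDP logon to the session host: VM sign-in is excluded from the policy
        "createdDateTime": "2021-12-08T09:01:00Z",
        "appDisplayName": "Windows Sign In",
        "resourceDisplayName": "Azure Windows VM Sign-In",
        "conditionalAccessStatus": "notApplied",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY, "result": "notApplied",
             "enforcedGrantControls": []},
        ],
    },
    {   # Feed refresh an hour later against a resource outside the intended
        # scope (constructed name): an "all cloud apps" include matched it and
        # the refresh failed instead of prompting for MFA
        "createdDateTime": "2021-12-08T10:05:00Z",
        "appDisplayName": "Azure Virtual Desktop Client",
        "resourceDisplayName": "Constructed Resource B",
        "conditionalAccessStatus": "failure",
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY, "result": "failure",
             "enforcedGrantControls": ["Mfa"]},
        ],
    },
]

# Results meaning the policy was in scope and its grant controls were evaluated
ENFORCING_RESULTS = {"success", "failure"}


def policy_hits_by_resource(signins):
    """Map (app, resource) -> {policy name: sorted list of results seen}."""
    hits = defaultdict(lambda: defaultdict(set))
    for s in signins:
        key = (s["appDisplayName"], s["resourceDisplayName"])
        for p in s.get("appliedConditionalAccessPolicies", []):
            hits[key][p["displayName"]].add(p["result"])
    return {k: {name: sorted(r) for name, r in v.items()} for k, v in hits.items()}


def out_of_scope_enforcement(signins, intended_resources):
    """Sign-ins where a policy enforced grant controls on a resource it was not
    meant to cover: evidence that an 'all cloud apps' include matches more than
    expected. Returns (time, resource, policy, result) tuples."""
    findings = []
    for s in signins:
        if s["resourceDisplayName"] in intended_resources:
            continue
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p["result"] in ENFORCING_RESULTS:
                findings.append((s["createdDateTime"], s["resourceDisplayName"],
                                 p["displayName"], p["result"]))
    return findings


def failed_signins(signins):
    """Sign-ins whose overall Conditional Access evaluation failed."""
    return [s for s in signins if s["conditionalAccessStatus"] == "failure"]


if __name__ == "__main__":
    for (app, resource), policies in policy_hits_by_resource(SAMPLE_SIGNINS).items():
        print(f"{app} -> {resource}: {policies}")
    intended = {"Windows Virtual Desktop", "Azure Windows VM Sign-In"}
    for finding in out_of_scope_enforcement(SAMPLE_SIGNINS, intended):
        print("out-of-scope enforcement:", finding)
```

Run it against a real export by replacing SAMPLE_SIGNINS with the loaded JSON array; any row printed as out-of-scope enforcement names a resource the policy should be narrowed away from, which is what the include-only-Windows-Virtual-Desktop test is meant to confirm.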
- Miles1000, Feb 06, 2023, Copper Contributor
Did you get this sorted? I have a similar issue. I just found that the MS Store version of Microsoft Remote Desktop is not supported for AVD. You have to use the Desktop version: https://learn.microsoft.com/en-gb/azure/virtual-desktop/whats-new-client-windows