TheodorBrander
Copper Contributor
Dec 01, 2021

AVD with AAD only support with MFA from a device not associated with the same tenant?

Hi,

 

From what I gather in the documentation, AVD with AAD only does not support MFA from a client which is not AAD Registered/Joined (or Hybrid joined) to the same tenant.

But, is authentication from devices not in the same tenant the very situation where MFA would be beneficial? 

 

So, if I were to create some kind of BYOD scenario where the physical hardware is only used as a jump station to the AVD, I would not be able to enable MFA during login? Sure, when subscribing to the workspace I would be prompted once - but for subsequent turns I would log in automatically, since I'd be forced to exclude the 'Azure Windows VM Sign-In' from my Conditional Access policy to be able to log in.

 

Or am I missing something obvious here? 

 

Looking forward to your kind reply,

Theodor

  • This isn't exactly what you're looking for, but would get you close: you can ensure that per-user MFA is not enabled on any users, and make sure your MFA conditional access policy is only set to the Cloud apps or actions of Windows Virtual Desktop, and not Azure Windows VM Sign-In. 

     

    As you noted, this will allow relaunches of the desktops without MFA.  To mitigate this, you can then set the Access Controls > Session > Sign-in frequency to a short timeout.  This will ensure that the user has to sign back into the AVD client app itself once the set timeout has expired, when they try to launch a connection.  (https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa)

     

    The effect of this is that MFA is still enforced at desktop launch or reconnection provided you set your sign-in frequency low enough, but is enforced at the layer of communication between the AVD client and the control plane (e.g. when retrieving the RDP connection data), instead of on the RDP connection / Windows login process itself. 

    • TheodorBrander
      Hi Smaiberger,

      many thanks for your reply!

      I read through the article you shared and I attempted it in practice, but I just can't get it to work. To simplify, I created 1 CA policy which enforces MFA for everything except 'Azure Windows VM Sign-In' and set the session 'Sign-in frequency' to 1 hour. After this I noticed that for my portal.azure.com experience I am prompted to refresh my session, but the SessionDesktop experience keeps working without having to re-authenticate using MFA.

      So, more accurately: I can keep an active session in my Remote Desktop Client without being prompted to re-authenticate for more than two hours. After more than two hours I can also restart my PC and still not be prompted.

      Any suggestions?
      • ShawnMaiberger

        I spun up an AAD-joined host pool and ran some tests with the timeout set to 1 hour to validate the behavior you're seeing. 

         

        I need to do more testing, but they do seem to indicate that there's something like a background refresh of the token happening as long as the session is actively connected from the client as you noted.  If the sign-in frequency is set to 1 hour and a session is not actively connected, the timeout takes effect as expected after the 1 hour of disconnection.  Here's the timeline of tests I've run so far:

         

        5:09 PM: Remote desktop app is open and I've recently launched a desktop, then disconnected the session, and left the Remote Desktop app open. I implement a conditional access policy with a 1 hour timeout.

         

        6:10 PM: In the already-open Remote Desktop app, I click to reconnect to the desktop. I am prompted for auth including 2FA by the Remote Desktop application before the desktop starts to connect, followed by the normal password prompt from the RDP connection. I disconnect from the desktop.

         

        6:17 PM: Reconnect to desktop, which was last authed to 7 minutes ago. I receive no login prompt from the Remote Desktop app side (and did not expect one, since I'd just authed 7 minutes ago), only the normal password prompt from the RDP connection. I minimize the session to my taskbar.

         

        7:18 PM: I disconnect from the desktop and try to reconnect to the desktop from the Remote Desktop app. I do not receive a prompt for auth from the Remote Desktop app, only the normal password prompt from the RDP connection. However, if I try to refresh the workspace, I am then prompted for auth, and if I don't auth successfully, I can't then attempt another launch of the desktop without having to auth (including MFA). I connect to the desktop and leave it minimized.

         

        8:20 PM: (Repeat of previous test) Remote desktop app open, session was reconnected to > 1 hour ago, and left minimized in my taskbar. I disconnect from the desktop and try to reconnect to the desktop from the Remote Desktop app. I do not receive a prompt for auth from the Remote Desktop app, only the normal password prompt from the RDP connection. However, if I try to refresh the workspace, I am then prompted for auth, and if I don't auth successfully, I can't then attempt another launch of the desktop without having to auth (including MFA). I connect to the desktop, then disconnect from it.

         

        9:31 PM: Remote desktop app is open, session has been disconnected for > 1h. I try to reconnect to the desktop. I am prompted for auth by the Remote Desktop application before the desktop starts to connect, including 2FA required. I disconnect from the desktop.

         

        If you open the RD app, connect to a desktop, then disconnect from it, wait over an hour, and reconnect to it, are you then prompted for 2FA like I'm seeing?  Or do you not receive the 2FA prompt on reconnect in that case either?
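The Conditional Access policy Shawn describes in the first reply (MFA scoped to the Windows Virtual Desktop cloud app only, not Azure Windows VM Sign-In, plus a short sign-in frequency) can be created and then checked against the sign-in log with the Microsoft.Graph PowerShell module. This is an added example, not code from the thread or from Microsoft's documentation; the group name 'AVD-Users' and the policy display name are placeholders, the service principal is looked up by display name rather than by a hard-coded app ID, and the policy is created in report-only state so its effect can be reviewed before it is enforced.

```powershell
# Added example (not from the thread): Conditional Access policy that requires MFA
# for the Windows Virtual Desktop cloud app with a 1-hour sign-in frequency, then a
# quick check of recent AVD sign-ins to see whether the policy was actually applied.
# Assumed placeholders: group 'AVD-Users', policy display name.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All', 'AuditLog.Read.All'

# Resolve the AVD control-plane service principal by display name instead of hard-coding its GUID.
$avdApp = Get-MgServicePrincipal -Filter "displayName eq 'Windows Virtual Desktop'"
if (-not $avdApp) { throw "Service principal 'Windows Virtual Desktop' not found in this tenant" }

# Placeholder target group; scope to a pilot group before widening.
$targetGroup = Get-MgGroup -Filter "displayName eq 'AVD-Users'"
if (-not $targetGroup) { throw "Placeholder group 'AVD-Users' not found" }

$policy = @{
    displayName = 'AVD - MFA at client/control plane, 1h sign-in frequency'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set to 'enabled' after review
    conditions  = @{
        users        = @{ includeGroups = @($targetGroup.Id) }
        # Only the AVD cloud app is targeted; 'Azure Windows VM Sign-In' is deliberately NOT included,
        # so the RDP/Windows logon itself is not blocked, as the thread describes.
        applications = @{ includeApplications = @($avdApp.AppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
    sessionControls = @{
        # Access Controls > Session > Sign-in frequency = 1 hour
        signInFrequency = @{
            isEnabled = $true
            type      = 'hours'
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: list recent sign-ins to the AVD cloud app and show whether CA was applied and MFA satisfied.
# If entries show 'notApplied', the policy scoping (group/app) is the first thing to revisit.
Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Windows Virtual Desktop'" -Top 20 |
    Select-Object CreatedDateTime, UserPrincipalName, ConditionalAccessStatus,
        @{ n = 'Policies'; e = { ($_.AppliedConditionalAccessPolicies | ForEach-Object { "$($_.DisplayName):$($_.Result)" }) -join ', ' } } |
    Format-Table -AutoSize
```

The sign-in log check is the useful part when the behaviour looks wrong, as in Theodor's case: it distinguishes "the policy never applied to these sign-ins" (a scoping problem) from "the policy applied but no new interactive sign-in occurred" (the token-refresh behaviour Shawn's timeline points at, where only a workspace refresh or a reconnect after the session has been disconnected for longer than the sign-in frequency triggers a fresh MFA prompt).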
