Conditional access policy for access on WVD


All-


We are complete Azure AD with ADDS for WVD. Currently, we have conditional access policies that require a device be marked compliant to access certain tools. What is the best way to have a similar policy with WVD? It seems that a hybrid join would be the right way, but as I don't have an on premises AD server, would I have to spin one up in Azure just to get hybrid join? Any advice would be appreciated.

3 Replies

@patrick-h 

Piggybacking onto this as I've put a CA policy in place to require MFA at login and after each hour. It works flawlessly with the web client, but does not seem to work for the desktop client.


Once you have subscribed to a stream with the desktop client you are locked in, and then you can just launch the VM once you launch the desktop client. Ideally, you would need to log in and pass MFA after launching the desktop client unless you had not expired the X time CA policy.


Looking back, this was brought up and documented as an issue last year while it was in its infancy, but from looking around there doesn't seem to be a solution to this. Requiring MFA at every login is a necessity for some organizations.

@patrick-h did you work this out by any chance?

@msmyth Yes. Easiest way right now is to set up a load balancer with a public IP for outbound connections. Then set up conditional access that allows traffic from that IP. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#lb
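A concrete form of the workaround in the reply above, as an added example rather than code from the thread: assuming the Standard load balancer's outbound public IP already exists, this Microsoft Graph PowerShell script registers that IP as a named location and creates the compliant-device policy with that location excluded. The IP address and the app ID are placeholders; the Microsoft.Graph module is assumed to be installed.

```powershell
# Added example: named location + Conditional Access policy for the
# "known outbound IP" workaround. Needs the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","AuditLog.Read.All"

$outboundIp      = "203.0.113.10"                  # placeholder: LB outbound public IP
$protectedAppIds = @("<app-id-of-the-tool-to-protect>")  # placeholder: the tools' app IDs
# Trade-off to keep in mind: sign-ins from the excluded IP are trusted by network
# location instead of device compliance, so only the WVD session hosts may sit
# behind that load balancer's outbound rule.

# 1. Register the load balancer's outbound IP as a named location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "WVD session host egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "$outboundIp/32" }
    )
}

# 2. Require a compliant device for the protected apps from every location
#    except the session host egress IP. Created in report-only mode first so
#    the effect can be checked in the sign-in logs before enforcement.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require compliant device (except WVD egress IP)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = $protectedAppIds }
        users        = @{ includeUsers = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
"Created policy '$($policy.DisplayName)' ($($policy.Id)) in report-only mode"

# 3. Check: recent sign-ins from the egress IP and how Conditional Access
#    evaluated them (reportOnly* values appear while the policy is report-only).
Get-MgAuditLogSignIn -Filter "ipAddress eq '$outboundIp'" -Top 10 |
    Select-Object CreatedDateTime, UserDisplayName, AppDisplayName, ConditionalAccessStatus
```

Switch `state` to `enabled` only after the report-only results show session host sign-ins landing on the excluded location and non-compliant devices elsewhere being flagged.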