SOLVED

Guidance on using WVD with MFA user accounts and Azure AD DS?

MVP

Is there any guidance out there on using WVD with MFa accounts?

 

I have a total cloud environment. No on prem ever. Implemented AZ AD DS. set up WVD. Working for users without MFA. But unable to login on desktop or web for users with MFA enabled.

 

Guidance? Articles? i seemed to have missed something??

13 Replies

@RobertCrane 

 

We have the same set up. Cloud only, with AADDS and users set up with MFA can log in through the RDC and Web without issue. From what I have see you are prompted for MFA when you initially subscribe, but not thereafter.

@HandA I kinda thought that should be the case but I get stuff like:

 

The remote computer that you are trying to you are trying to connect to requires Network Level Authentication (NLA), but your Windows Domain controller cannot be contacted to perform NLA. if you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialogue box.

and

 

wvd2.jpg

 

also the workstations are AD joined I get that but are they Azure AD joined? Do I have to do some sorta 'hybrid' install so the Win 10 desktops support Azure AD and normal AD??

@RobertCrane 

 

If you have managed to deploy Windows Virtual Desktops (Personal or pooled) using the portal or arm templates, then they will becomes Domain joined to Azure AD Domain Services. And if that process was successful then I am assuming you have the networking in place between your WVD VNET and your ADDS VNET (VNET Peering required).

You will see the computer accounts of the WVD's in Azure ADDS if you use ADUC to connect. 

 

When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client? If you do, that should have no bearing on it. We have that set up also.

 

What this might be is the Sync between Azure AD and ADDS. Try changing your password in Azure AD then wait for that to Sync to AADDS.

 

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#ena...

 

 

 

 

 

@HandA 

 

>>When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client?

 

No I mean the VMs in the pool that are connected to Azure AD DS.

 

>>What this might be is the Sync between Azure AD and ADDS.

 

Sync report as working and I know it works because if I disable a non MFA user in Azure AD they can't access WVD VMs.

 

Do I need secure LDAP enabled?

@RobertCrane 

 

The sync report may be working but in order for a user to sign into any service that uses AADDS the password hash has to be synced. For that to occur they need to change their password on Azure AD. If that's definitely been done then its not that.

 

Do you have any condition access policies with MFA?

@HandA 

 

>>Do you have any condition access policies with MFA?

 

Yes but I'm accessing from a desktop that is using that same account. Also the non MFA accounts are also subject to some conditional access policies.

 

What do I need to check or enable with CA if I know the login is working from my location already?

@HandA

 

>> For that to occur they need to change their password on Azure AD

 

Are you saying that after AADDS is set up all users have to reset their password so a hash gets generated and synced? Again, my non-MFA accounts haven't had a password change and they can login fine.

best response confirmed by RobertCrane (MVP)
Solution

@RobertCrane 

 

That is my understanding yes, as per the Microsoft document I sent. If ADDS was set up recently then there is a high possibility that a high proportion of users have not changed there password.

 

You can test this by dumping out user accounts and last password change to see if you get any sort of correlation.

 

@HandA 

Well done. The AADDS password hash creation appears to certainly have been the issue. I have an MFA user working now on a stand alone machine. Still some SSO challenges inside the WVD desktop to solve but I'll work those out.

 

Really appreciate the assist. I wrote up a blog article for others giving you credit as well.

 

https://blog.ciaops.com/2020/01/17/azure-ad-domain-services-cloud-only-user-passwords/

 

Thanks again!

@RobertCrane 

 

That's great news Robert. Glad you've got it working!

HI Robert. This is Joel. I am looking forward in implementing MFA for the WVD users, how can I achieve this? Is there any documentation available? Please let me know. @RobertCrane 

@gadmin285 See above blog post link of mine

1 best response

Accepted Solutions
best response confirmed by RobertCrane (MVP)
Solution

@RobertCrane 

 

That is my understanding yes, as per the Microsoft document I sent. If ADDS was set up recently then there is a high possibility that a high proportion of users have not changed there password.

 

You can test this by dumping out user accounts and last password change to see if you get any sort of correlation.

 

View solution in original post