Jan 15 2020 08:21 PM - edited Jan 16 2020 02:06 AM
Is there any guidance out there on using WVD with MFA accounts?
I have a total cloud environment. No on-prem ever. Implemented Azure AD DS. Set up WVD. Working for users without MFA. But unable to log in on desktop or web for users with MFA enabled.
Guidance? Articles? I seem to have missed something?
Jan 16 2020 01:40 AM
We have the same set up. Cloud only, with AADDS, and users set up with MFA can log in through the RDC and Web without issue. From what I have seen, you are prompted for MFA when you initially subscribe, but not thereafter.
Jan 16 2020 01:49 AM - edited Jan 16 2020 01:53 AM
@HandA I kinda thought that should be the case, but I get stuff like:
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
Jan 16 2020 02:03 AM
And also, the workstations are AD joined, I get that, but are they Azure AD joined? Do I have to do some sort of 'hybrid' install so the Win 10 desktops support both Azure AD and normal AD?
Jan 16 2020 03:38 AM
If you have managed to deploy Windows Virtual Desktops (personal or pooled) using the portal or ARM templates, then they will become domain joined to Azure AD Domain Services. And if that process was successful, then I am assuming you have the networking in place between your WVD VNET and your AADDS VNET (VNET peering required).
You will see the computer accounts of the WVD's in Azure ADDS if you use ADUC to connect.
When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client? If you do, that should have no bearing on it. We have that set up also.
What this might be is the sync between Azure AD and AADDS. Try changing your password in Azure AD, then wait for that to sync to AADDS.
Jan 16 2020 03:47 AM
>>When you say the workstations are Azure AD joined, do you mean the devices that are running the RD Client?
No I mean the VMs in the pool that are connected to Azure AD DS.
>>What this might be is the Sync between Azure AD and ADDS.
Sync reports as working, and I know it works because if I disable a non-MFA user in Azure AD they can't access WVD VMs.
Do I need secure LDAP enabled?
Jan 16 2020 03:55 AM
The sync report may be working, but in order for a user to sign in to any service that uses AADDS, the password hash has to be synced. For that to occur they need to change their password in Azure AD. If that's definitely been done, then it's not that.
Do you have any conditional access policies with MFA?
Jan 16 2020 03:59 AM
>>Do you have any conditional access policies with MFA?
Yes, but I'm accessing from a desktop that is using that same account. Also, the non-MFA accounts are subject to some conditional access policies too.
What do I need to check or enable with CA if I know the login is already working from my location?
Jan 16 2020 04:01 AM
>> For that to occur they need to change their password on Azure AD
Are you saying that after AADDS is set up, all users have to reset their password so a hash gets generated and synced? Again, my non-MFA accounts haven't had a password change and they can log in fine.
Jan 16 2020 05:13 AM
Solution
That is my understanding, yes, as per the Microsoft document I sent. If AADDS was set up recently, then there is a high possibility that a high proportion of users have not changed their password.
You can test this by dumping out user accounts and last password change dates to see if you get any sort of correlation.
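The check suggested above, written out as an added example; it is not code from the thread or from Microsoft's documentation. It lists the cloud-only, enabled member accounts whose last password change is earlier than the date Azure AD DS was deployed, which are the accounts AADDS has no Kerberos/NTLM hash for yet. It assumes the Microsoft Graph PowerShell module (the same field was exposed in the MSOnline module of the time as Get-MsolUser's LastPasswordChangeTimestamp); the AADDS date and the report path are placeholders you supply.

```powershell
# Added example, not part of the original thread.
# Lists cloud-only Azure AD users whose last password change predates the
# Azure AD DS deployment. Those accounts have no hash in AADDS and are the
# first thing to compare against the list of users who cannot sign in.
# Assumes: Microsoft.Graph PowerShell module installed; User.Read.All consent.
param(
    # Assumed value: replace with the date your AADDS instance was created.
    [datetime]$AadDsEnabledOn = (Get-Date '2020-01-01'),
    [string]$ReportPath = '.\aadds-stale-passwords.csv'
)

Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

# lastPasswordChangeDateTime is not returned unless explicitly requested.
$users = Get-MgUser -All -Property Id, UserPrincipalName, UserType, AccountEnabled,
    OnPremisesSyncEnabled, LastPasswordChangeDateTime

$stale = @($users | Where-Object {
    $_.UserType -eq 'Member' -and                     # skip guests
    $_.AccountEnabled -and                            # skip disabled accounts
    -not $_.OnPremisesSyncEnabled -and                # cloud-only; synced users get hashes via Azure AD Connect
    ($null -eq $_.LastPasswordChangeDateTime -or
     $_.LastPasswordChangeDateTime -lt $AadDsEnabledOn)
})

$stale |
    Select-Object UserPrincipalName, LastPasswordChangeDateTime |
    Sort-Object LastPasswordChangeDateTime |
    Export-Csv -Path $ReportPath -NoTypeInformation

'{0} of {1} cloud-only member accounts last changed their password before {2:yyyy-MM-dd}; expect AADDS sign-in (NLA, RD Client) to fail for them until they change it. Report: {3}' -f `
    $stale.Count, @($users).Count, $AadDsEnabledOn, $ReportPath
```

Run it, then compare the CSV against the accounts that hit the NLA error: if the failing users all appear in the report and the working users do not, the missing hash is the cause and a password change per user (not a reset of the sync) is the fix.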
Jan 16 2020 07:25 PM - edited Jan 17 2020 06:14 AM
Well done. The AADDS password hash creation certainly appears to have been the issue. I have an MFA user working now on a standalone machine. Still some SSO challenges inside the WVD desktop to solve, but I'll work those out.
Really appreciate the assist. I wrote up a blog article for others giving you credit as well.
https://blog.ciaops.com/2020/01/17/azure-ad-domain-services-cloud-only-user-passwords/
Thanks again!
Sep 21 2020 11:13 PM
Hi Robert. This is Joel. I am looking forward to implementing MFA for the WVD users; how can I achieve this? Is there any documentation available? Please let me know. @RobertCrane
Sep 21 2020 11:22 PM
@gadmin285 See above blog post link of mine