MFA on AAD Joined Devices


Hi All, I have enabled the Preview feature to AAD Join and Intune Enrol the Virtual desktops; however, I had to disable MFA and CAPs that enforce MFA so as to log in using the AAD user accounts. This seems to be a big showstopper unless there is a way to enforce MFA?

Note: MFA works well for Azure ADDS joined Virtual desktops.

#AzureVirtualDesktop #MFA

1 Reply

@Nikonline I replied on the other thread and will update the public documentation soon, but the short version is that to enforce MFA, you need to set the CA policy on the Windows Virtual Desktop app but disable it from the Azure Windows VM Sign-In app. This will enforce MFA at the service level instead of the VM level.
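The reply describes a Conditional Access layout rather than giving a script. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation, showing one way to apply it with the Microsoft Graph PowerShell SDK: it audits existing MFA policies that would still hit the Azure Windows VM Sign-In app (the VM-level logon that was blocking the AAD-joined session hosts in the question), then creates a report-only policy that requires MFA on the AVD service app only. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed scopes, and that the two apps appear under the display names "Windows Virtual Desktop" (or "Azure Virtual Desktop" in newer tenants) and "Azure Windows VM Sign-In"; the app IDs are resolved at run time rather than hard-coded.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph PowerShell SDK.
# Assumed scopes: Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Application.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'

# Resolve an app ID by service principal display name; the first matching name wins.
# Display names are an assumption; adjust them if your tenant shows them differently.
function Get-AppIdByDisplayName {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($n in $Names) {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$n'" -Top 1
        if ($sp) { return $sp.AppId }
    }
    throw "No service principal found for: $($Names -join ', ')"
}

$avdAppId      = Get-AppIdByDisplayName -Names 'Windows Virtual Desktop','Azure Virtual Desktop'
$vmSignInAppId = Get-AppIdByDisplayName -Names 'Azure Windows VM Sign-In'

# 1. Audit: an enabled policy that requires MFA and targets 'All' cloud apps (or the VM
#    sign-in app directly) without excluding the VM sign-in app enforces MFA at the VM
#    level, which is what broke logon to the AAD-joined session hosts.
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $apps         = $p.Conditions.Applications
    $requiresMfa  = $p.GrantControls.BuiltInControls -contains 'mfa'
    $coversVmApp  = ($apps.IncludeApplications -contains 'All' -or
                     $apps.IncludeApplications -contains $vmSignInAppId) -and
                    ($apps.ExcludeApplications -notcontains $vmSignInAppId)
    if ($p.State -eq 'enabled' -and $requiresMfa -and $coversVmApp) {
        Write-Warning ("Policy '{0}' enforces MFA on Azure Windows VM Sign-In; " +
                       "add app ID {1} to its excludeApplications." -f $p.DisplayName, $vmSignInAppId)
    }
}

# 2. Create the service-level policy: MFA required on the AVD app, VM sign-in app excluded.
#    Created in report-only mode so it can be validated against sign-in logs before enforcing.
$body = @{
    displayName = 'AVD - Require MFA at service level'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{
            includeApplications = @($avdAppId)
            # Redundant when only the AVD app is included, but it documents the intent
            # and keeps the VM-level logon out of scope if the include list is widened later.
            excludeApplications = @($vmSignInAppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created policy $($new.Id) ('$($new.DisplayName)') in report-only mode."
```

Leave the new policy in report-only until the sign-in logs show it matching AVD client sign-ins and not the session host logons, then set `state` to `enabled`. As with any MFA policy targeting all users, exclude your emergency-access accounts before enforcing.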