My customers are asking for improvements in the authentication of the WVD App


My customers are asking for improvements in the authentication of the WVD App

The current WVD App stores authentication information for the time specified in the Conditional Access (in my case: 1 hour), even if you shut down the app or reboot your PC once it is authenticated.

My customers want the credential removed when the WVD app is closed

They want to use the WVD app on a public PC, so they think that maintaining the credential for an hour with Conditional Access can cause serious security problems.

After searching several documents, I found that only the app itself can control the cookie values of the tokens stored in the app.

 

Link: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

 

"Once an application issues its own session token, access to the application is governed by the application's session. At this point, the user is affected by only the authorization policies that the application is aware of.

The authorization policies of Azure AD are reevaluated as often as the application sends the user back to Azure AD. Reevaluation usually happens silently, though the frequency depends on how the application is configured. It's possible that the app may never send the user back to Azure AD as long as the session token is valid.

For a session token to be revoked, the application must revoke access based on its own authorization policies. Azure AD can't directly revoke a session token issued by an application"

 

Is it possible to change the WVD app to delete credential information when it is closed or on "unsubscribe"?

 

And my customers have one more requirement

Citrix and VMware Horizon View, which are our competitors, offer an option for end users to reboot the VM by themselves.

This is a very convenient way for end users to solve these problems most easily if a simple problem occurs in the VM

By adding the reboot option in the WVD app, it seems that simple issues in the VM can be solved very easily by end users.

 

Thank you

2 Replies
Are you deploying Windows 10 multi-session VMs as pooled hosts? Allowing end users to reboot those is obviously not a good idea. I haven't played with WVD using personal hosts and non-multi-session Win10. Are you saying end users can't reboot in that scenario either?
For the reboot issue, if the user is assigned to a personal desktop and given the right permissions, they should be able to reboot the VM from within the session. We don't currently have an option in the client to remotely reboot the PC without being connected to it. And as David mentioned, you don't generally want users rebooting multi-session VMs.

For the credentials, the client doesn't save the credentials; it's standard behavior for Azure AD. We are working on an option to prompt for credentials every time which may help with this. Otherwise, when the user signs out of the subscription, it should clear the user as expected. If they are using a public device, they really should be signing out.