WVD Spring Update Conditional Access Policy


I've enabled the Spring Update in my test tenant, and cannot find the newer 'Windows Virtual Desktop Client' in the list of cloud applications in the conditional access portal. Is there an extra step required to get the client app with ID a85cf173-4192-42f8-81fa-777a763e6e2c to be selectable in the Azure AD Conditional Access Policies?

I tried setting the WindowsAzureActiveDirectoryIntegratedApp tag on the app, but that didn't seem to change anything in the CA portal. Any advice would be greatly appreciated.

2 Replies

We were going back through the setup documentation and found that the instructions for MFA actually reference the other app, and not the client app. The issue we're having I think is that we have an MFA policy for all apps / trusted locations and we can't exclude this one as we would want to. The error on sign-ins includes the ID of the client app.

In testing, we found that applying the policy to the 'Windows Virtual Desktop' application, as is spelled out in the documentation, solves the problem. I was just thrown off by the CA error indicating the client app ID was the issue.
