Microsoft Tech Community

Unable to add Azure Virtual Desktop Client Enterprise App to Conditional Access


We currently use conditional access to allow certain contractors to sign into VMs, and from these VMs, access other MS Apps. Currently we block all applications from outside the VM IP range, but exclude the Virtual Desktop applications to allow the users to do the initial sign-in to the VM.


When contractors are using the Virtual Desktop app, it seems to work OK. However, recently when signing in via the browser only and launching from there, the conditional access rule is blocking them, as the application ID isn't in the exclude list and we are unable to add it: a85cf173-4192-42f8-81fa-777a763e6e2c


The documentation: https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd shows that web sign-ins may originate from this application ID, but without the ability to add this to the excluded apps, we cannot find another workaround that allows access via the browser. I also tried adding this app into the policy via the Graph API, but I get an error saying that this first-party application isn't allowed.


I need to know if there is another workaround or if Microsoft are planning to add this to the CA compatibility list? I'm not sure why some of the Virtual Desktop apps are there but this one is not.

1 Reply
For us, the fix to this was to add the Windows Cloud Login Entra ID app to the exclude list.

As mentioned in documentation:
"The clients used to access Azure Virtual Desktop use the Microsoft Remote Desktop Entra ID app to authenticate to the session host today. An upcoming change will transition the authentication to the Windows Cloud Login Entra ID app. To ensure a smooth transition, you need to add both Entra ID apps to your CA policies."

Link: https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd
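Added example, not code from the thread or from Microsoft: a small Python audit over Conditional Access policy JSON (the shape Microsoft Graph returns) that flags broad "block all apps" policies missing the two AVD sign-in app exclusions the quoted documentation names, and builds the PATCH body to add them. The two application IDs are placeholders, and the sample policies are constructed.

```python
"""Audit Entra Conditional Access policies (JSON as returned by Microsoft Graph,
GET /identity/conditionalAccess/policies) for the AVD app exclusions discussed
in this thread, and build the PATCH body that adds any that are missing."""

# Placeholders for the two Entra ID apps named in the quoted documentation;
# replace them with the real application IDs from your tenant (not real IDs).
REQUIRED_AVD_APPS = {"<microsoft-remote-desktop-app-id>", "<windows-cloud-login-app-id>"}

def is_broad_block_policy(policy: dict) -> bool:
    """Enabled policy that blocks 'All' cloud apps: the question's pattern
    (block everything outside the VM range, exclude only the AVD sign-in apps)."""
    apps = policy.get("conditions", {}).get("applications", {})
    controls = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and "All" in apps.get("includeApplications", [])
            and "block" in controls.get("builtInControls", []))

def missing_exclusions(policy: dict) -> set:
    """Required AVD app IDs not yet listed in the policy's excludeApplications."""
    apps = policy.get("conditions", {}).get("applications", {})
    return REQUIRED_AVD_APPS - set(apps.get("excludeApplications", []))

def build_patch(policy: dict):
    """Body for PATCH /identity/conditionalAccess/policies/{id}, or None when
    nothing is missing. The 'applications' object is sent whole (include and
    exclude lists together) so that no existing setting is dropped."""
    missing = missing_exclusions(policy)
    if not missing:
        return None
    apps = dict(policy["conditions"]["applications"])
    apps["excludeApplications"] = sorted(set(apps.get("excludeApplications", [])) | missing)
    return {"conditions": {"applications": apps}}

def audit(policies: list) -> dict:
    """displayName -> missing AVD exclusions, for broad block policies only."""
    return {p["displayName"]: missing_exclusions(p)
            for p in policies if is_broad_block_policy(p) and missing_exclusions(p)}

# Constructed sample: one policy shaped like the question's, one unrelated one.
SAMPLE_POLICIES = [
    {"displayName": "Block outside VM range", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": ["<microsoft-remote-desktop-app-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
```

Run `audit(SAMPLE_POLICIES)` to see which block policies still lack an exclusion, then feed `build_patch(policy)` to the Graph PATCH call for each flagged policy ID.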