Windows 365 / Azure Virtual Desktop MFA Not Being Enforced?


Was doing some tests today using an AAD user that has enforced MFA:

 

  • Connecting to AVD VM using MFA-enabled AAD credentials... doesn't work
    • VM using the AAD auth preview
    • If I disable MFA enforcement it works fine
  • Connecting to a Windows 365 PC using MFA-enabled AAD credentials... works
    • Brand new VM spun up today
    • Works with MFA enforcement and without

For the actual RD session that connects via RD Gateway, it doesn't look like MFA is in use.  And, for W365, it looks like it's actually bypassing the MFA enforcement.

 

Is this accurate?  

3 Replies
Check out https://docs.microsoft.com/en-us/windows-365/set-conditional-access-policies - You need to select the right apps for CA policies on Windows 365.

@Steven DeQuincey 

 

I've tested this quite a bit now...

 

For a WVD Windows 10 VM:

  • MFA disabled, I can log in without issue
  • MFA enabled, I cannot log in
  • Conditional MFA enabled, I cannot log in

For a Windows 365 VM:

  • I can log in regardless of whether or not MFA is enabled; an MFA prompt doesn't happen

I'm comparing this to local RDS or an RDS in Azure where authentication can be configured to require MFA, forcing a prompt on the Authenticator app to connect. I'm pretty sure W365 is bypassing MFA and am under the impression RD Gateway in WVD/W365 doesn't actually support MFA.  

I think I might have sorted myself out:

  • Deploy Azure AD joined VMs in Azure Virtual Desktop - Azure | Microsoft Docs (https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm)
    • Only works by default if the connecting machine is AAD joined, hybrid AAD joined, or registered to the same AAD tenant
    • Need to also add targetisaadjoined:i:1 if you want to access via a web client or a non-AAD machine
  • Sign in to Windows virtual machine in Azure using Azure Active Directory | Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required)
    • Only works if you are excluding "Azure Windows VM Sign-In" from MFA so that a machine not using Windows Hello for Business can connect

I'm guessing that means W365 has all this set up to bypass these requirements. It still doesn't completely make sense to me why it works when a user has MFA enforced...
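The first reply (CA policies only bite if they target the right cloud apps) and the last post (an MFA policy that excludes "Azure Windows VM Sign-In" to let non-WHfB machines connect) both reduce to one question for a defender: which of the remote-desktop cloud apps do the tenant's enabled MFA policies actually cover? The script below is an added example, not code from this thread or from Microsoft. It audits Conditional Access policy objects in the shape the Microsoft Graph `identity/conditionalAccess/policies` endpoint returns and reports which apps have no enabled MFA policy covering them. The cloud-app IDs in `REMOTE_DESKTOP_APPS` are supplied from memory and are an assumption to confirm against the docs page linked in the first reply; the sample policies are constructed to mirror the situation described in the thread.

```python
"""Audit Conditional Access policies for MFA coverage of the AVD / Windows 365 cloud apps.

Added example for the thread above; not code from the thread or from Microsoft.
Input objects follow the Graph conditionalAccessPolicy shape (state, conditions.applications,
grantControls.builtInControls). Feed it the "value" array from
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies to audit a real tenant.
"""
from typing import Dict, List

# ASSUMPTION: app IDs reproduced from memory; verify against the Windows 365
# Conditional Access docs before relying on this list.
REMOTE_DESKTOP_APPS: Dict[str, str] = {
    "Azure Virtual Desktop": "9cdead84-a844-4324-93f2-b2e6bb768d07",
    "Windows 365": "0af06dc6-e4b5-4f28-818e-e78e62d137a5",
    "Microsoft Remote Desktop": "a4a365df-50f1-4397-bc59-1a1564b8bb9c",
    "Azure Windows VM Sign-In": "372140e0-b3b7-4226-8ef9-d57986796201",
}


def policy_requires_mfa(policy: dict) -> bool:
    """True when the grant controls of the policy include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def policy_covers_app(policy: dict, app_id: str) -> bool:
    """True when the policy's application condition includes app_id and does not exclude it."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    if app_id in excluded:
        return False
    return "All" in included or app_id in included


def audit_mfa_coverage(policies: List[dict], apps: Dict[str, str] = REMOTE_DESKTOP_APPS) -> Dict[str, List[str]]:
    """Map each app name to the display names of enabled, MFA-requiring policies that cover it.

    Report-only ("enabledForReportingButNotEnforced") and disabled policies are ignored,
    because they never produce an MFA prompt at sign-in.
    """
    coverage: Dict[str, List[str]] = {name: [] for name in apps}
    for policy in policies:
        if policy.get("state") != "enabled" or not policy_requires_mfa(policy):
            continue
        for name, app_id in apps.items():
            if policy_covers_app(policy, app_id):
                coverage[name].append(policy["displayName"])
    return coverage


def uncovered_apps(policies: List[dict], apps: Dict[str, str] = REMOTE_DESKTOP_APPS) -> List[str]:
    """Sorted names of apps that no enabled MFA policy covers; an empty list means full coverage."""
    return sorted(name for name, hits in audit_mfa_coverage(policies, apps).items() if not hits)


# Constructed sample: a tenant-wide MFA policy that excludes "Azure Windows VM Sign-In"
# (as in the last post), plus a Windows 365 MFA policy left in report-only mode.
SAMPLE_POLICIES: List[dict] = [
    {
        "displayName": "Require MFA for all cloud apps",
        "state": "enabled",
        "conditions": {
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": [REMOTE_DESKTOP_APPS["Azure Windows VM Sign-In"]],
            }
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for Windows 365 (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {
                "includeApplications": [REMOTE_DESKTOP_APPS["Windows 365"]],
                "excludeApplications": [],
            }
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


if __name__ == "__main__":
    for app, hits in audit_mfa_coverage(SAMPLE_POLICIES).items():
        print(f"{app:28s} -> {', '.join(hits) if hits else 'NOT COVERED'}")
    print("Apps with no enforced MFA policy:", uncovered_apps(SAMPLE_POLICIES))
```

On the constructed sample the report shows the three remote-desktop apps covered by the tenant-wide policy and "Azure Windows VM Sign-In" uncovered, which is exactly the exclusion the last post describes; the report-only policy is ignored. Run against a real export, an uncovered entry means a sign-in to that app will never see an MFA prompt, whatever "MFA enforced" is set on the user.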