SOLVED

How to setup MFA with WVD?

%3CLINGO-SUB%20id%3D%22lingo-sub-1697631%22%20slang%3D%22en-US%22%3EHow%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1697631%22%20slang%3D%22en-US%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20idea%20about%20how%20we%20setup%20MFA%20when%20we%20login%20to%20our%20Azure%20Portal.%20I%20have%20a%20scenario%20now%20like%20I%20want%20to%20use%20MFA%20when%20users%20login%20into%20WVD%20machine.%20Is%20it%20possible%3F%20if%20so%20how%20can%20I%20achieve%20it%3F%20Please%20give%20me%20some%20suggestions%20or%20inputs.%20Thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1701027%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1701027%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20set%20up%20MFA%20in%20the%20portal%20and%20when%20users%20access%20the%20WVD%20infrastructure%20they%20will%20be%20asked%20to%20work%20with%20MFA.%26nbsp%3BThe%20advantage%20with%20a%20conditional%20access%20policy%20is%20that%20you%20can%20set%20up%20MFA%20explicitly%20for%20WVD.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%23enabling-security-defaults%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fconcept-fundamentals-security-defaults%23enabling-security-defaults%3C%2FA%3E%3C%2FP%3E%3CP%3EI%20hope%20this%20will%20help.%20Regards%20Tom%20Wechsler%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557804%22%20target%3D%22_blank%22%3E%40gadmin285%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1700755%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1700755%22%20slang%3D%22en-US%22%3EThanks%20for%20the%20suggestion.%20I%20guess%20this%20will%20work%2C%20but%20we%20have%20to%20get%20the%20AAD%20license%20here.%20Can't%20we%20just%20use%20normal%20MFA%20and%20achieve%20MFA%20while%20we%20are%20logging%20into%20WVD%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1699085%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1699085%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20have%20an%20Azure%20AD%20Premium%20P1%20license%2C%20I%20would%20recommend%20that%20you%20implement%20MFA%20with%20a%20conditional%20access%20policy.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fset-up-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fset-up-mfa%3C%2FA%3E%3C%2FP%3E%3CP%3EI%20hope%20this%20helps.%20Regards%2C%20Tom%20Wechsler%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557804%22%20target%3D%22_blank%22%3E%40gadmin285%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1698684%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1698684%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557804%22%20target%3D%22_blank%22%3E%40gadmin285%3C%2FA%3E%26nbsp%3BHi%2C%20make%20sure%20you%20are%20familiar%20with%20the%20following%20documentation%20on%20how%20to%20setup%20MFA%20for%20WVD%20service%20%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fset-up-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fset-up-mfa%3C%2FA%3E%3C%2FP%3E%3CP%3EShoul%20cover%20everything%20you%20need..%20Regards%2C%20MS%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1706214%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1706214%22%20slang%3D%22en-US%22%3E%3CP%3EI%20understand%20now.%20We%20can%20configure%20the%20normal%20MFA%2C%20and%20when%20ever%20user's%20try%20to%20login%20to%20the%20WVD%20they%20will%20be%20asked%20to%20put%20a%20verification%20code%20(I%20have%20tested%20this%20yesterday)%20and%20the%20other%20way%20is%20purchase%20the%20P1%20or%20P2%20license%20and%20setup%20MFA%20with%20conditional%20access.%20This%20will%20be%20expensive%20as%20we%20pay%20for%20the%20license.%20So%20my%20doubt%20has%20been%20cleared.%20Thanks%20Tom%20Wechsler%20for%20all%20the%20suggestions.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F593067%22%20target%3D%22_blank%22%3E%40TomWechsler%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1707436%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1707436%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20happy%20to%20help.%20Regards%20Tom%20Wechsler%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F557804%22%20target%3D%22_blank%22%3E%40gadmin285%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1802459%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20setup%20MFA%20with%20WVD%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1802459%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F245332%22%20target%3D%22_blank%22%3E%40MaximSokoloff%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20a%20hardware%20token%20supported%20in%20a%20WVD%20and%20or%20a%20Citrix%20VDI%20scenario%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20would%20be%20useful%20in%20scenario%20in%20a%20call%20centre%20environment%20where%20users%20are%20not%20allowed%20to%20use%20their%20mobile%20device%20so%20cannot%20receive%20an%20sms%2C%20or%20use%20the%20authenticator%20app%20to%20retrieve%20their%20passcode.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hi

 

I have a idea about how we setup MFA when we login to our Azure Portal. I have a scenario now like I want to use MFA when users login into WVD machine. Is it possible? if so how can I achieve it? Please give me some suggestions or inputs. Thanks

8 Replies
best response confirmed by gadmin285 (Contributor)
Solution

@gadmin285 Hi, make sure you are familiar with the following documentation on how to setup MFA for WVD service : https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa

Shoul cover everything you need.. Regards, MS 

If you have an Azure AD Premium P1 license, I would recommend that you implement MFA with a conditional access policy.

https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa

I hope this helps. Regards, Tom Wechsler @gadmin285 

Thanks for the suggestion. I guess this will work, but we have to get the AAD license here. Can't we just use normal MFA and achieve MFA while we are logging into WVD?

You can set up MFA in the portal and when users access the WVD infrastructure they will be asked to work with MFA. The advantage with a conditional access policy is that you can set up MFA explicitly for WVD.

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-d...

I hope this will help. Regards Tom Wechsler@gadmin285 

I understand now. We can configure the normal MFA, and when ever user's try to login to the WVD they will be asked to put a verification code (I have tested this yesterday) and the other way is purchase the P1 or P2 license and setup MFA with conditional access. This will be expensive as we pay for the license. So my doubt has been cleared. Thanks Tom Wechsler for all the suggestions. @TomWechsler 

I was happy to help. Regards Tom Wechsler @gadmin285 

@MaximSokoloff 

Is a hardware token supported in a WVD and or a Citrix VDI scenario?

 

This would be useful in scenario in a call centre environment where users are not allowed to use their mobile device so cannot receive an sms, or use the authenticator app to retrieve their passcode.

You can setup hardware tokens in azure mfa and then change your preference for those users to be the hardware token and not the authenticator app. We do this for many clients where phones are not allowed in their place for work.

You can also just have multiple methods but you'll want to set the preferred method for the one most used as that will be the default one Microsoft provides.