We are getting ready to deploy Windows Virtual Desktops into our prod environment, but I have a few concerns with the authentication process. As of now I have a conditional access policy that will require a user to use MFA when subscribing to our host pool using the Remote Desktop client app. This is great, but the sign-in prompts one time, then seems to cache the auth token. I am looking for a way to prompt for sign-in every time, or to require the sign-in to be available only from a certain IP via conditional access. We are a hybrid AD configuration with well-established policies to protect our resources, requiring all external access to have an MFA requirement. This bypasses that requirement. This seems like a potential issue if someone were to gain access to a computer and just click right through into the hosted app that is readily available in the RD app.
Is there something I might be missing to set this as an option that requires a user to auth every time?
You are correct that the Remote Desktop App seems to cache the authentication token. In my experience, I don't have to refresh the token for at least a week or more unless I change IPs. For example, traveling from Boston to CT, when I arrive at my destination I typically have to provide the MFA code again (but not my username and password).
I would be interested in a way to control how long the authentication session can live for here as well.
I would like to know this as well; my experience so far is identical. A customer of mine would like to have the MFA prompt each time a connection is made. So if the caching can be disabled, then that would be a step forward.