Recently I implemented Windows Virtual Desktop (WVD) for a customer. This customer has a policy that you always need to be challenged by Multi-Factor Authentication (MFA) before you get access to a Remote Application or Desktop, except when connecting from a managed device.
To achieve this with Windows Virtual Desktop, an Azure Conditional Access policy with session controls must be created (at this moment; I know there are some great improvements on the roadmap for this).
Without this Azure Conditional Access policy, the user can tick the Remember me option when authenticating in the Remote Desktop client; with this option on, the end user no longer receives a login request for days, even after a reboot of the device. Fortunately there is already a good workaround, as I will show you in this blog.
Requirements
To set up the configuration described in this blog you need to have the following in your environment:
- A Windows Virtual Desktop environment up and running (including required licenses)
- For Conditional Access policies you need at least an Azure AD Premium P1 license (included in the EMS and Microsoft 365 bundles)
In this blog
This blog will cover the following steps:
- Step 1 : Create a Conditional Access Policy with Session settings
- Step 2 : Test the results
Step 1 : Create a Conditional Access Policy with Session settings
For the following steps, sign in to the Microsoft Azure Portal with an account that can manage Conditional Access: a Global Administrator, or the less privileged Conditional Access Administrator role.
Open the Azure AD Conditional Access service.
Click the + New policy button
Give the Conditional Access policy a name; in this case I will name it Windows Virtual Desktop – MFA. Under Assignments, click Users and groups and select the users or groups that you want to apply this policy to. Exclude at least one emergency access (break-glass) account, so a misconfigured policy cannot lock every administrator out. Click Done.
Click Cloud apps or actions, click Select apps, then search for and select Windows Virtual Desktop and Windows Virtual Desktop Client. Click Select and Done.
Under Access controls click Grant. On the right-hand side, select Grant access, then select Require multi-factor authentication (to enforce MFA) and, optionally, Require device to be marked as compliant (to make an exception for managed, compliant devices). At the bottom of the page select Require one of the selected controls, so that either MFA or a compliant device satisfies the policy; with Require all the selected controls, users on compliant devices would still be prompted for MFA. Click Select.
Click Session. On the right-hand side select Sign-in frequency and enter a value in Hours or Days; in this case I configure one hour, which is the smallest value the portal accepts. Click Select.
Make sure that Enable policy is set to On and click Create. If you want to see which sign-ins the policy would affect before enforcing it, set it to Report-only first and review the sign-in logs.
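The same policy can be expressed as a Microsoft Graph conditionalAccessPolicy object, which is useful for reviewing a tenant's policies as code or for deploying the policy to several tenants. The script below is an added example, not code from the original post: it builds the policy from Step 1 (MFA or compliant device, one-hour sign-in frequency), checks the settings that matter for the stated goal, and can create it through the Graph v1.0 endpoint. The group ID and the two application IDs are placeholders: look them up in your tenant under Azure AD > Groups and Enterprise applications (the apps named Windows Virtual Desktop and Windows Virtual Desktop Client).

```python
"""Build, validate and (optionally) create the 'Windows Virtual Desktop - MFA'
Conditional Access policy via Microsoft Graph.

Added example, not part of the original post. IDs below are placeholders and
must be replaced with the object IDs from your own tenant.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholders (assumed): the Azure AD group holding the WVD users, and the
# application object IDs of the two WVD enterprise applications.
WVD_USERS_GROUP_ID = "00000000-0000-0000-0000-000000000001"
WVD_APP_IDS = [
    "00000000-0000-0000-0000-0000000000a1",  # Windows Virtual Desktop
    "00000000-0000-0000-0000-0000000000a2",  # Windows Virtual Desktop Client
]


def build_policy(display_name, group_ids, app_ids, hours=1,
                 compliant_device_exception=True, state="enabled"):
    """Return the Graph conditionalAccessPolicy body for the Step 1 policy.

    state can be "enabled", "disabled" or "enabledForReportingButNotEnforced"
    (the portal's Report-only mode).
    """
    controls = ["mfa"]
    if compliant_device_exception:
        controls.append("compliantDevice")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {
            # "OR" is the portal's "Require one of the selected controls":
            # a compliant device satisfies the grant without MFA.
            "operator": "OR",
            "builtInControls": controls,
        },
        "sessionControls": {
            # Forces re-authentication every <hours> hours, overriding the
            # client's "Remember me" persistence.
            "signInFrequency": {"value": hours, "type": "hours", "isEnabled": True},
        },
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy matches the intent."""
    problems = []
    grant = policy.get("grantControls", {})
    controls = set(grant.get("builtInControls", []))
    if "mfa" not in controls:
        problems.append("MFA is not a grant control")
    if "compliantDevice" in controls and grant.get("operator") != "OR":
        problems.append("operator must be OR, otherwise compliant devices are still prompted for MFA")
    sif = policy.get("sessionControls", {}).get("signInFrequency")
    if not sif or not sif.get("isEnabled"):
        problems.append("sign-in frequency not enabled: 'Remember me' sessions persist for days")
    elif sif.get("type") == "hours" and sif.get("value", 0) < 1:
        problems.append("sign-in frequency below the 1 hour minimum")
    conditions = policy.get("conditions", {})
    if not conditions.get("applications", {}).get("includeApplications"):
        problems.append("no cloud apps targeted")
    if not conditions.get("users", {}).get("includeGroups"):
        problems.append("no users or groups targeted")
    return problems


def create_policy(access_token, policy):
    """POST the policy to Graph. The token needs Policy.ReadWrite.ConditionalAccess
    (check the Graph docs for the full permission set). Not executed offline."""
    request = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    policy = build_policy("Windows Virtual Desktop - MFA", [WVD_USERS_GROUP_ID], WVD_APP_IDS)
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy) or "none")
```

Run it as-is to print the policy body and its validation result; pass `state="enabledForReportingButNotEnforced"` to build a Report-only version first, and call `create_policy` with an access token only once the IDs have been replaced with real ones. The validator is the part worth keeping in a pipeline: it catches the two mistakes that silently defeat the goal, the AND operator (compliant devices still get MFA) and a missing or disabled sign-in frequency (Remember me persists).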
Step 2 : Test the results
Now that the Conditional Access policy is in place, it's time to test it.
Open the Remote Desktop Client and click Subscribe
Enter your username and password and click Sign in
As you can see, you will now be challenged with Multi-Factor Authentication.
After that, all published Remote Applications and Desktops are visible.
Now let's start Firefox, for example. As expected, the first time you start an application you will be prompted for your credentials. Fill in your username and password and, if you want, tick Remember me. Press OK.
After an hour, start the same or another application. As you can see, you will be asked for your credentials again, even though you selected the Remember me checkbox the previous time.
And you will also be challenged by Multi-Factor Authentication, as expected.
NOTE: I tested this from a PC that is not managed by Microsoft Intune. Had I tested from a managed and compliant Windows 10 device, I would not have been challenged by MFA, because the Conditional Access policy accepts a compliant device as one of the selected controls.
Hi Robin
Can you have the policy apply for an IP range in case you’re not managing the devices with Intune? For example, all connections from behind the public IP of the company will not be challenged with MFA, but all others will?
Yes you can, by the conditions you can exclude the IP or IP range.
Great stuff, thank you.
Robin – were you able to identify a similar Conditional Access policy to require MFA after an hour for the WVD web client (http://aka.ms/wvdweb) since locking down the Windows RD client is only half the battle when the users can also access the web client and not be reprompted for MFA after an hour?
Hi Anthony, the Windows RD Client works a little differently. But with this CA policy in place you also get an MFA challenge when logging on. The only difference is that you don’t get an MFA request every hour. But once the user closes the browser and later on wants to log in again, MFA will be prompted again, and that is not the case with the local Remote Desktop client.
What happens if you configure 1 hour in the policy. Will you be prompted after 1 hour active or only when 1 hour inactivity ?
No, active sessions will stay active; you are only prompted when a user starts a new application.
Great article. If you don’t select the frequency tab will you be prompted for MFA each time? This is a requirement for us as 1 hour delay is a security risk.
1 (one) is the minimum value you can fill in, so 1 hour is minimum for this interval at this moment.
Thanks for the detailed explanation! Once I activate this, I get a problem similar to the one described in this article though: https://techcommunity.microsoft.com/t5/windows-virtual-desktop/login-loop-in-remote-desktop-client/m-p/1459028
Any idea on what might be causing this?