Recently I implemented Windows Virtual Desktop (WVD) for a customer. This customer has a policy that you always need to be challenged by Multi-Factor Authentication (MFA) before you get access to a Remote Application or Desktop, except when connecting from a managed device.
To achieve this with Windows Virtual Desktop, an Azure Conditional Access policy with session settings must be created (at this moment, that is; I know there are some great improvements on the roadmap for this).
Without this Azure Conditional Access policy, the user can tick the Remember me option when authenticating in the Remote Desktop client. With this option on, the end user no longer receives a login request for days, even after a reboot of the device. Fortunately there is already a good workaround, as I will show you in this blog.
To set up the configuration described in this blog you need to have the following in your environment:
- A Windows Virtual Desktop environment up and running (including required licenses)
- For Conditional Access policies you need at least an Azure AD P1 license (part of the EM+S and M365 licenses)
In this blog
This blog will cover the following steps:
- Step 1 : Create a Conditional Access Policy with Session settings
- Step 2 : Test the results
Step 1 : Create a Conditional Access Policy with Session settings
For the following steps, log in to the Microsoft Azure Portal as a Global Administrator.
Open the Azure AD Conditional Access service.
Click the + New policy button.
Give the Conditional Access policy a name; in this case I will give it the name Windows Virtual Desktop – MFA. Under Assignments, click Users and groups and select the users or groups that you want to apply this policy to. Click Done.
Click Cloud apps or actions, click Select apps, then search for and select Windows Virtual Desktop and Windows Virtual Desktop Client. Click Select and Done.
Under Access controls click Grant. On the right-hand side, select Grant access and then select Require multi-factor authentication (if you want to enforce MFA) and (optionally) Require device to be marked as compliant (if you want to make an exception for managed and compliant devices). At the bottom of the page select Require one of the selected controls. Click Select.
Click Sessions. On the right-hand side select Sign-in frequency. Now you have to fill in a value in Hours or Days; in this case, I configure one hour. Click Select.
Make sure that you set Enable policy to On and click Create.
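The same Step 1 policy expressed as a Microsoft Graph PowerShell call, added here as an example and not part of the original post. It assumes the Microsoft.Graph PowerShell SDK is installed; every GUID is a placeholder you replace with the IDs from your own tenant, and the policy is created in report-only state so you can check the sign-in logs before switching it to enabled as the post does.

```powershell
# Added example (not from the original post): the Step 1 Conditional Access policy via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Every GUID below is a placeholder; replace it with the value from your own tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Application (client) IDs of the two cloud apps selected in the portal (placeholders).
$wvdAppIds = @(
    "<client-id-of-Windows-Virtual-Desktop-app>",
    "<client-id-of-Windows-Virtual-Desktop-Client-app>"
)

$policy = @{
    displayName = "Windows Virtual Desktop - MFA"
    # Report-only first (assumption, not in the post); change to "enabled" once the logs look right.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        clientAppTypes = @("all")
        users = @{
            includeGroups = @("<object-id-of-WVD-users-group>")   # placeholder
            # Keep an emergency-access account outside the policy so a broken MFA
            # method cannot lock every administrator out (assumption, not in the post).
            excludeUsers  = @("<object-id-of-break-glass-account>") # placeholder
        }
        applications = @{ includeApplications = $wvdAppIds }
    }
    # "Require one of the selected controls" in the portal is operator OR:
    # either MFA or a compliant (managed) device satisfies the grant.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
    # Sign-in frequency of one hour, as set under Sessions in Step 1.
    sessionControls = @{
        signInFrequency = @{
            value     = 1
            type      = "hours"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and show the settings this post relies on.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Grant";      e = { $_.GrantControls.Operator + ": " + ($_.GrantControls.BuiltInControls -join ", ") } },
        @{ n = "SignInFreq"; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```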
Step 2 : Test the results
Now that the Conditional Access policy is in place, it's time to test it.
Open the Remote Desktop client and click Subscribe.
Enter your username and password and click Sign in.
As you can see, you will now be challenged with Multi-Factor Authentication.
After that, all published Remote Applications and Desktops are visible.
Now let's start Firefox, for example. As expected, the first time you start an application you will be prompted for your credentials. Fill in your username and password and, if you want, tick Remember me. Press OK.
After an hour, start the same or another application. As you can see, you will be asked for your credentials again, even though you selected the Remember me checkbox the previous time.
And you will also be challenged by Multi-Factor Authentication, as expected.
NOTE: I tested this from a PC that is not managed by Microsoft Intune. If I were testing this from a managed and compliant Windows 10 device, I would not be challenged by MFA, as configured in the Conditional Access policy.