How to configure Conditional Access with Session Management for Windows Virtual Desktop (WVD)

Recently I implemented Windows Virtual Desktop (WVD) for a customer. This customer has the policy that you always need to be challenged by Multi-Factor Authentication (MFA) before you get access to a Remote Application or Desktop, except when connecting from a managed device.

To achieve this with Windows Virtual Desktop, an Azure Conditional Access policy must be created with session settings (at this moment, I know there are some great improvements on the roadmap for this).

Without this Azure Conditional Access policy, the user can tick the Remember me option when authenticating in the Remote Desktop client. With this option on, the end user no longer receives a sign-in request for days, even after a reboot of the device, so the MFA requirement is effectively enforced only once. Fortunately there is already a good workaround, as I will show you in this blog.

Requirements

To set up the configuration described in this blog you need to have the following in your environment:

  • A Windows Virtual Desktop environment up and running (including required licenses)
  • For Conditional Access policies you need at least an Azure AD Premium P1 license (part of the EM+S and Microsoft 365 licenses)

In this blog

This blog will cover the following steps:

  • Step 1 : Create a Conditional Access Policy with Session settings
  • Step 2 : Test the results

Step 1 : Create a Conditional Access Policy with Session settings

For the following steps, log in to the Microsoft Azure Portal as a Global Administrator (the Conditional Access Administrator role is sufficient for managing Conditional Access policies and is the least-privileged choice).

Open the Azure AD Conditional Access service.

Click the + New policy button

Give the Conditional Access policy a name; in this case I will give it the name Windows Virtual Desktop – MFA. Under Assignments, click Users and groups and select the users or groups that you want to apply this policy to. Click Done.

Click Cloud apps or actions, click Select apps, then search for and select Windows Virtual Desktop and Windows Virtual Desktop Client. Click Select and Done.

Under Access controls click Grant. On the right-hand side, select Grant access and then select Require multi-factor authentication (to enforce MFA) and (optionally) Require device to be marked as compliant (to make an exception for managed and compliant devices). At the bottom of the page select Require one of the selected controls. This turns the two controls into an OR: a user on a compliant device satisfies the policy without MFA, while a user on any other device must pass MFA. If you selected Require all the selected controls instead, users would need both a compliant device and MFA, and the managed-device exception would not work. Click Select.

Click Session. On the right-hand side select Sign-in frequency and fill in a value in Hours or Days; in this case I configure one hour. Click Select. The sign-in frequency is measured from the time the user last authenticated interactively, so once the hour has elapsed the Remote Desktop client needs a fresh Azure AD sign-in for the selected apps, and because the same policy requires MFA (unless the device is compliant) the user is challenged again.

Make sure that Enable policy is set to On and click Create.
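The same policy can be created from PowerShell instead of by clicking through the portal. The script below is an added example and is not code from the original post; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and assumes that the group the policy is assigned to is called "WVD Users" and that the policy is named "Windows Virtual Desktop - MFA". The two cloud apps are resolved by display name, exactly as they are selected in the portal, so no application IDs are hard-coded.

```powershell
# Added example (not from the original post): create the Conditional Access
# policy from Step 1 with the Microsoft Graph PowerShell SDK.
# Assumptions: group "WVD Users" and policy name "Windows Virtual Desktop - MFA".

# Request only the scopes the script needs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "Group.Read.All"

# Resolve the two cloud apps by display name, as selected in the portal.
# includeApplications expects the application (client) ID, i.e. AppId, not the object ID.
$appNames = @("Windows Virtual Desktop", "Windows Virtual Desktop Client")
$appIds = foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

# Resolve the assignment group (assumed name).
$group = Get-MgGroup -Filter "displayName eq 'WVD Users'"
if (-not $group) { throw "Group 'WVD Users' not found" }

$policy = @{
    displayName = "Windows Virtual Desktop - MFA"
    # Use "enabledForReportingButNotEnforced" first to see what the policy would
    # do in the sign-in logs before switching to "enabled".
    state       = "enabled"
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeApplications = @($appIds) }
    }
    # operator "OR" is "Require one of the selected controls": a compliant device
    # satisfies the policy without MFA, any other device must pass MFA.
    # "AND" would demand both and break the managed-device exception.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa", "compliantDevice")
    }
    # Sign-in frequency of one hour, the Session control configured in the portal.
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 1
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Creating the policy in report-only mode first (state "enabledForReportingButNotEnforced") lets you confirm in the sign-in logs which users and apps it would hit before anyone is actually prompted; switch it to "enabled" once the results look right.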

Step 2 : Test the results

Now that the Conditional Access policy is in place, it's time to test it.

Open the Remote Desktop Client and click Subscribe

Enter your username and password and click Sign in

As you can see, you will now be challenged with Multi-Factor Authentication.

After that, all published Remote Applications and Desktops are visible.

Now let's start Firefox, for example. As expected, the first time you start an application you are prompted for your credentials. Fill in your username and password and, if you want, tick Remember me. Press OK.

After an hour, start the same or another application. As you can see, you are asked for your credentials again, even though you selected the Remember me checkbox the previous time. Note that the sign-in frequency applies to the Azure AD sign-in that brokers the connection; a desktop or application session that is already running is not disconnected when the hour elapses.

And you will also be challenged by Multi-Factor Authentication, as expected.

NOTE: I tested this from a PC that is not managed by Microsoft Intune. If I had tested this from a managed and compliant Windows 10 device, I would not have been challenged by MFA, as configured in the Conditional Access policy.
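Besides watching the client prompt, you can confirm from the Azure AD sign-in logs that the policy was actually applied and that MFA was required. The script below is an added example and not code from the original post; it uses the Microsoft Graph PowerShell SDK and assumes the policy name "Windows Virtual Desktop - MFA" and a test user user@contoso.com (both assumptions, replace them with your own).

```powershell
# Added example (not from the original post): check the sign-in logs for the
# test user and show what the Conditional Access policy enforced on each sign-in.
# Assumptions: policy name "Windows Virtual Desktop - MFA", test user user@contoso.com.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$policyName = "Windows Virtual Desktop - MFA"
$upn        = "user@contoso.com"
# Look at the last three hours so both the first sign-in and the one after the
# one-hour sign-in frequency has elapsed are included.
$since      = (Get-Date).AddHours(-3).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All

$signIns | ForEach-Object {
    # Each sign-in carries the list of CA policies that were evaluated for it.
    $applied = $_.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    [PSCustomObject]@{
        Time            = $_.CreatedDateTime
        App             = $_.AppDisplayName
        # multiFactorAuthentication when MFA was required, singleFactorAuthentication otherwise
        AuthRequirement = $_.AuthenticationRequirement
        # success / failure / notApplied for the sign-in as a whole
        CAStatus        = $_.ConditionalAccessStatus
        PolicyResult    = $applied.Result
        GrantControls   = ($applied.EnforcedGrantControls -join ",")
        SessionControls = ($applied.EnforcedSessionControls -join ",")
    }
} | Sort-Object Time | Format-Table -AutoSize
```

For the unmanaged PC in this test you expect rows for Windows Virtual Desktop Client with PolicyResult success, an enforced MFA grant control and the sign-in frequency listed under SessionControls, with a second interactive sign-in roughly an hour after the first. On a compliant Intune-managed device the enforced grant control shows the compliant-device requirement instead, which is how you verify that the exception is working rather than the policy simply not applying.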


About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

