Enforce Azure AD Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access

Azure Virtual Desktop is a desktop and app virtualization cloud service by Microsoft. This service allows you to provide your employees a VDI, so they can work from anywhere via the Microsoft cloud (Azure). However, since the Azure Virtual Desktop service is publicly accessible via the Internet by default, it is necessary to implement the highest security measures to protect the environment.

An easy attack point for hackers are user accounts, which are only protected with a simple password. Using traditional passwords aren’t secure enough anymore. Hackers have developed countless tried and tested methods of stealing credentials and gaining unauthorized access to user accounts. To secure your accounts, Microsoft provides Azure AD Multi-Factor Authentication with Conditional Access.

“Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Alex Weinert, Director of Identity Security at Microsoft in his blog post “Your Pa$$word doesn’t matter”.

In this blog article you learn step-by-step how to enforce Azure AD Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access:

1. Prepare your environment
   1. Licensing
   1. Azure AD group
2. Set up Azure AD MFA / Conditional Access
   1. Enable Azure AD Multi-Factor Authentication
   1. Create an Azure AD-based Conditional Access policy for all Azure Virtual Desktop connections
3. Test your configuration
4. Troubleshooting

1.   Prepare your environment

There are two preconditions that need to be observed:

• Licensing
• Azure AD group

Licensing

Azure AD Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your requirements:

Feature	Azure AD Free – Security defaults (enabled for all users)	Azure AD Free – Global Administrators only	Office 365	Azure AD Premium P1	Azure AD Premium P2
Protect Azure AD tenant admin accounts with MFA	●	● (Azure AD Global Administrator accounts only)	●	●	●
Mobile app as a second factor	●	●	●	●	●
Phone call as a second factor		●	●	●	●
SMS as a second factor		●	●	●	●
Admin control over verification methods		●	●	●	●
Fraud alert				●	●
MFA Reports				●	●
Custom greetings for phone calls				●	●
Custom caller ID for phone calls				●	●
Trusted IPs				●	●
Remember MFA for trusted devices		●	●	●	●
MFA for on-premises applications				●	●
Conditional access				●	●
Risk-based conditional access					●

As we can see from the table, we need an Azure AD Premium P1 or Azure AD Premium P2 license to set up Azure AD Multi-Factor Authentication using Conditional Access. Licensing is per user, so you need to purchase a license for each user account, that should be able to use Azure AD Multi-Factor Authentication with Conditional Access.

For test scenarios, Azure AD Premium P2 licenses can be activated directly in the Azure Portal: Azure Active Directory -› Manage / Licenses -› Get a free trial. With activation you get 100 test licenses for a period of 30 days.

Azure AD group

Furthermore, we need an Azure Active Directory group with our Azure Virtual Desktop users assigned as group members.

2. Set up Azure AD MFA / Conditional Access

Enable Azure AD Multi-Factor Authentication

The first step is to active Azure AD Multi-Factor Authentication. For this we go to the Azure portal and navigate to the “Azure AD Identity Protection” page.

On the “Protect” section in the vertical menu on the left side, click “Multifactor authentication policy” and configure the policy as follows:

• Assignments: Click on “All users”
• Include: “Select individuals and groups” and select your Azure AD group with your Azure Virtual Desktops users
• Policy enforcement: Set the switch to “Enabled”
• Save

Create an Azure AD-based Conditional Access policy for all Azure Virtual Desktop connections

Now we will create the CA policy for all AVD connections. So we have to go to the “Azure AD Conditional Access” page.

In the “Policies” menu, create a new policy via the button “New policy”.

In the following menu we can configure the policy. First of all, we give the policy a describing name. Then we will have a look the “Assignment” section.

Users:

• Include: Select users and group
• Select the “Users and groups” checkbox
• Select your Azure AD group with your Azure Virtual Desktops users

Cloud apps or actions:

• Select what this policy applies to: Cloud apps
• Include: Select apps
• Select “Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07)” and “Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c)”

Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) is used when the user subscribes to a feed and authenticates to the Azure Virtual Desktop Gateway during a connection. Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) is used when the user authenticates to the session host when single sign-on is enabled.

---

Conditions -› Client apps

• Configure: Yes
• Select “Browser”, “Mobile apps and desktop clients”, “Exchange ActiveSync clients” and “Other clients”

Finally, we will configure the “Access controls” section.

Grant:

• Select “Grant access”
• Select “Require multifactor authentication” or your preferred option
• For multiple controls: Select your preferred option

Session:

• Select the “Sign-in frequency” checkbox
• In the “Periodic reauthentication” section type in your preferred values e.g. 4 Hours

Concluding set the “Enable policy” switch to “On” and create the policy.

3. Test your configuration

Now we want to test the policy. To do this, we access our Azure Virtual Desktop once via browser and once via desktop client.

Browser:

• Go to https://rdweb.wvd.microsoft.com/arm/webclient
• Log in with your AVD user
• Now the configured MFA method should be queried

Desktop client:

• Download, install and open the client: https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10
• Select “Subscribe” and log in with your AVD user
• Log in with your AVD user
• Connect to the Azure Virtual Desktop, then the configured MFA method should be queried

4. Troubleshooting

If you have problems logging in to the Azure Virutal Desktop, you may receive one of the following error messages:

Credentials & Permissions:

• Ensure username and password are correct
• Ensure that the user the necessary permissions

MFA per user:

• Ensure multi-factor authentication per user is disabled for the affected users
• PowerShell: “Get-MsolUser -UserPrincipalName max.mustermann@musterdomain.onmicrosoft.com | Set-MsolUser -StrongAuthenticationRequirements @()”

Azure AD recommendation: Switch from per-user MFA to Conditional Access MFA

5. Conclusion

Since user accounts with traditional passwords are no longer secure enough and make life easy for hackers, you need to implement different measures to increase the level of security and protect your environment – especially when using public cloud services.

To secure your accounts, use MFA – that’s a defacto standard for secure IT environments. Microsoft provides Azure AD Multi-Factor Authentication with Conditional Access. It’s very easy to implement but very effective.

In addition, many state laws require organizations to have strong authentication processes in place, especially when working with sensitive data. MFA is therefore, depending on industry or use case, a necessary measure to stay compliant.