Azure Virtual Desktop is a desktop and app virtualization cloud service by Microsoft. The service allows you to provide your employees with a VDI, so they can work from anywhere via the Microsoft cloud (Azure). However, since the Azure Virtual Desktop service is publicly accessible via the Internet by default, it is necessary to implement strong security measures to protect the environment.
An easy attack point for attackers is user accounts that are protected only with a simple password. Traditional passwords alone are no longer secure enough. Attackers have developed countless tried and tested methods of stealing credentials and gaining unauthorized access to user accounts. To secure your accounts, Microsoft provides Azure AD Multi-Factor Authentication with Conditional Access.
“Your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
Alex Weinert, Director of Identity Security at Microsoft in his blog post “Your Pa$$word doesn’t matter”.
In this blog article you learn step-by-step how to enforce Azure AD Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access:
There are two preconditions that need to be observed:
Azure AD Multi-Factor Authentication can be used, and licensed, in a few different ways depending on your requirements:
| Feature | Azure AD Free – Security defaults (enabled for all users) | Azure AD Free – Global Administrators only | Office 365 | Azure AD Premium P1 | Azure AD Premium P2 |
|---|---|---|---|---|---|
| Protect Azure AD tenant admin accounts with MFA | ● | ● (Azure AD Global Administrator accounts only) | ● | ● | ● |
| Mobile app as a second factor | ● | ● | ● | ● | ● |
| Phone call as a second factor | | ● | ● | ● | ● |
| SMS as a second factor | | ● | ● | ● | ● |
| Admin control over verification methods | | ● | ● | ● | ● |
| Fraud alert | | | | ● | ● |
| MFA Reports | | | | ● | ● |
| Custom greetings for phone calls | | | | ● | ● |
| Custom caller ID for phone calls | | | | ● | ● |
| Trusted IPs | | | | ● | ● |
| Remember MFA for trusted devices | | ● | ● | ● | ● |
| MFA for on-premises applications | | | | ● | ● |
| Conditional access | | | | ● | ● |
| Risk-based conditional access | | | | | ● |
As we can see from the table, we need an Azure AD Premium P1 or Azure AD Premium P2 license to set up Azure AD Multi-Factor Authentication using Conditional Access. Licensing is per user, so you need to purchase a license for each user account that should be able to use Azure AD Multi-Factor Authentication with Conditional Access.
For test scenarios, Azure AD Premium P2 licenses can be activated directly in the Azure Portal: Azure Active Directory -> Manage / Licenses -> Get a free trial. With activation you get 100 test licenses for a period of 30 days.
Furthermore, we need an Azure Active Directory group with our Azure Virtual Desktop users assigned as group members.
The first step is to activate Azure AD Multi-Factor Authentication. For this we go to the Azure portal and navigate to the “Azure AD Identity Protection” page.
On the “Protect” section in the vertical menu on the left side, click “Multifactor authentication policy” and configure the policy as follows:
Now we will create the CA policy for all AVD connections. So we have to go to the “Azure AD Conditional Access” page.
In the “Policies” menu, create a new policy via the button “New policy”.
In the following menu we can configure the policy. First of all, we give the policy a descriptive name. Then we will have a look at the “Assignments” section.
Users:
Cloud apps or actions:
Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) is used when the user subscribes to a feed and authenticates to the Azure Virtual Desktop Gateway during a connection. Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) is used when the user authenticates to the session host when single sign-on is enabled.
Conditions -> Client apps
Finally, we will configure the “Access controls” section.
Grant:
Session:
Finally, set the “Enable policy” switch to “On” and create the policy.
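The same policy can be created with Microsoft Graph PowerShell instead of clicking through the portal. This is an added example and not code from the original article; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions, and that $avdGroupId (a placeholder) is replaced by the object ID of your Azure Virtual Desktop user group.

```powershell
# Added example (not from the original article): create the Conditional Access policy
# described above via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns module installed; caller has the
# Policy.ReadWrite.ConditionalAccess and Application.Read.All delegated permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: replace with the object ID of your Azure AD group of AVD users
$avdGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "AVD - Require MFA"
    # "enabled" matches the article's final step; use "enabledForReportingButNotEnforced"
    # first if you want to validate the policy in report-only mode before enforcing it.
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($avdGroupId)
        }
        applications = @{
            # App IDs from the article: Azure Virtual Desktop (feed subscription and
            # gateway authentication) and Microsoft Remote Desktop (session host SSO)
            includeApplications = @(
                "9cdead84-a844-4324-93f2-b2e6bb768d07",
                "a4a365df-50f1-4397-bc59-1a1564b8bb9c"
            )
        }
        # Cover both the web client and the desktop/mobile clients tested later in the article
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # Grant: Require multi-factor authentication
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Session controls from the article's “Session” step are not included here; add a sessionControls entry to the hashtable if you configured them in the portal.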
Now we want to test the policy. To do this, we access our Azure Virtual Desktop once via browser and once via desktop client.
Browser:
Desktop client:
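Beyond watching for the MFA prompt, the sign-in logs show whether the policy actually applied to each AVD connection. This is an added example and not code from the original article; it assumes the Microsoft.Graph.Reports module is installed and that the signed-in admin holds AuditLog.Read.All (the sign-in log API also requires an Azure AD Premium tenant).

```powershell
# Added example (not from the original article): verify from the Azure AD sign-in logs
# that sign-ins to Azure Virtual Desktop were challenged for MFA.
# Assumptions: Microsoft.Graph.Reports module installed; caller holds AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# App ID from the article: Azure Virtual Desktop (feed subscription / gateway authentication)
$avdAppId = "9cdead84-a844-4324-93f2-b2e6bb768d07"

# Most recent sign-ins against the AVD app (server-side OData filter on appId)
$signIns = Get-MgAuditLogSignIn -Filter "appId eq '$avdAppId'" -Top 100

# One line per sign-in: who, which client (browser vs. desktop client), whether
# Conditional Access applied, and whether MFA was required for the sign-in
$signIns |
    Sort-Object CreatedDateTime -Descending |
    Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed,
                  ConditionalAccessStatus, AuthenticationRequirement |
    Format-Table -AutoSize

# Any AVD sign-in that was not required to use MFA means the policy did not cover it,
# typically because the user is not in the assigned group or the app/client app
# conditions do not match the connection.
$gaps = $signIns | Where-Object {
    $_.AuthenticationRequirement -ne 'multiFactorAuthentication'
}
"Sign-ins to AVD that were not required to use MFA: $($gaps.Count)"
$gaps | Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, ConditionalAccessStatus
```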
If you have problems logging in to the Azure Virtual Desktop, you may receive one of the following error messages:
Credentials & Permissions:
MFA per user:
Azure AD recommendation: Switch from per-user MFA to Conditional Access MFA
Since user accounts with traditional passwords are no longer secure enough and make life easy for hackers, you need to implement different measures to increase the level of security and protect your environment – especially when using public cloud services.
To secure your accounts, use MFA – it is the de facto standard for secure IT environments. Microsoft provides Azure AD Multi-Factor Authentication with Conditional Access. It is very easy to implement but very effective.
In addition, many state laws require organizations to have strong authentication processes in place, especially when working with sensitive data. MFA is therefore, depending on industry or use case, a necessary measure to stay compliant.