Secure access to your WVD hostpool with Conditional Access and Azure MFA
Windows Virtual Desktop is still waiting for full Azure AD support, but one thing you can enable today is Azure Multi-Factor Authentication. This secures both the web access and the Windows client for Windows Virtual Desktop. Note, however, that it does not enforce MFA on the remote desktop session to the WVD session host itself, only on access to the “feed” of your published apps and desktops (the host is still signed in with the user's domain credentials).
In the Windows client for Windows Virtual Desktop a user can select Remember me, whether MFA is used or not. The client then caches the token from your Azure Active Directory and the user is not prompted again. With Conditional Access we can put a sign-in frequency on that token and require a fresh authentication once it expires. It is easy to implement, easy to use and increases security a lot.
Create a Conditional Access policy for WVD
- Open the Azure portal
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. (In my example: Grant – WVD app with MFA)
- Under Assignments, include the users and groups that will be targeted by this policy (and exclude your emergency-access accounts, so an MFA outage cannot lock every admin out) and select Done.
- Under Cloud apps or actions, include the specific app Windows Virtual Desktop.
Make sure you select Windows Virtual Desktop (App ID 9cdead84-a844-4324-93f2-b2e6bb768d07). There are also older apps for Windows Virtual Desktop (classic) deployments; those are separate applications and are not covered by a policy targeting this App ID.
- Under Conditions > Client apps, decide whether you want MFA on the web app (Browser), the desktop client (Mobile apps and desktop clients) or both.
- Under Conditions > Device state, decide whether to exclude your Intune-managed and compliant devices (optional).
- Under Access controls > Grant, select Require multi-factor authentication.
- Finally, under Access controls > Session, select Sign-in frequency and set it to your preferred time limit (for example 1 hour). This is the setting that forces a re-authentication even when the user has chosen Remember me in the client.
Go ahead and create your policy, making sure Enable policy is set to On. If you want to see who would be affected before enforcing it, set it to Report-only first and check the sign-in logs.
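The same policy can be created from PowerShell instead of the portal, which is handy if you manage Conditional Access as code. The script below is an added example and is not from the original post; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns). The group ID and break-glass account ID are placeholders you must replace; the App ID is the Windows Virtual Desktop App ID from the step above.

```powershell
# Added example (not from the original post): create the "Grant - WVD app with MFA"
# Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$wvdAppId      = "9cdead84-a844-4324-93f2-b2e6bb768d07"   # Windows Virtual Desktop (not the classic apps)
$targetGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: group of WVD users
$breakGlassId  = "00000000-0000-0000-0000-000000000002"   # placeholder: emergency-access account

$policy = @{
    displayName = "Grant - WVD app with MFA"
    # Use "enabledForReportingButNotEnforced" to evaluate in report-only mode first
    state       = "enabled"
    conditions  = @{
        users = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = @($breakGlassId)   # never lock out the break-glass account
        }
        applications = @{
            includeApplications = @($wvdAppId)
        }
        # "browser" = the WVD web client, "mobileAppsAndDesktopClients" = the Windows client.
        # Drop one of them if you only want MFA on the other.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        # Optional (step "Device state" above): skip compliant, Intune-managed devices
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = "device.isCompliant -eq True"
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # Forces a fresh sign-in after 1 hour even when "Remember me" was ticked in the client
        signInFrequency = @{
            value     = 1
            type      = "hours"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm the sign-in frequency was stored as intended
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object -ExpandProperty SessionControls |
    Select-Object -ExpandProperty SignInFrequency
```

Remove the `devices` block if you do not want the compliant-device exclusion; the rest of the hashtable maps one-to-one onto the portal steps above. Test it against a pilot group before pointing it at all users, since a typo in the group ID silently targets nobody.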
Your WVD host pool is now more secure: users are required to perform multi-factor authentication to access the feed. Note that you should already have a Conditional Access policy that requires MFA for all apps; this policy then adds the sign-in frequency limit for the saved credentials in the WVD client.