Remote Desktop APP & MFA

Denis Saric 0 Reputation points
2024-07-03T07:05:00.5666667+00:00

Hi,

We are currently working on our Conditional Access rules for mobile work and are observing a strange behavior with the Remote Desktop app.

Situation: Remote Site, untrusted Network

  1. At first connect to AVD, it asks as expected for Username/Password + MFA
  2. After a reboot or closing the application, he only needs Username/Password. He doesn't ask again for MFA. Never again.

Based on our CA rule he has to ask every time for MFA if he comes from any untrusted network.

Does anyone have an idea what we did wrong?

Condition: Any Network - exclude trusted + All Client Apps

Grant: Access req MFA

Session: Sign in frequency - Every Time

Thank you all,

Denis


1 answer

  1. kobulloc-MSFT 25,811 Reputation points Microsoft Employee
    2024-07-03T17:10:12.93+00:00

    Hello, @Denis Saric !

    Why am I not being prompted for MFA after reboot or closing Microsoft Remote Desktop when using Conditional Access?

    A sign-in frequency of Every time is currently in preview and will prompt you to reauthenticate after a period of 5 to 15 minutes after the last time you authenticated from the app rather than on each login. This means that a quick restart or closing the app will not necessarily prompt reauthentication:

    https://video2.skills-academy.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd#configure-sign-in-frequency

    The Every time option is currently available in preview and is only supported when applied to the Microsoft Remote Desktop and Windows Cloud Login apps when single sign-on is enabled for your host pool. If you select Every time, users are prompted to reauthenticate after a period of 5 to 15 minutes after the last time they authenticated for the Microsoft Remote Desktop and Windows Cloud Login apps.

    Additionally, if you are using the Windows client, ensure that you have your conditional access policy configured on the Windows Cloud Login Entra ID app, as AVD has started migration to this app from the Microsoft Remote Desktop app.


    I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

    If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

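Added example, not part of the question or the answer and not Microsoft's code: a Python check over a Conditional Access policy exported as Microsoft Graph `conditionalAccessPolicy` JSON, covering the two points the answer raises (which apps the policy targets, and what Every time actually does). The sample policy is constructed, and the app IDs come from Microsoft's Azure Virtual Desktop MFA documentation rather than from this thread, so confirm them in your tenant.

```python
# App IDs as published in Microsoft's Azure Virtual Desktop MFA documentation
# (not taken from this thread); confirm them in your own tenant.
REQUIRED_APPS = {
    "a4a365df-50f1-4397-bc59-1a1564b8bb9c": "Microsoft Remote Desktop",
    "270efc09-cd0d-444b-a71f-39af4910ec45": "Windows Cloud Login",
}

def audit_policy(policy):
    """Return (gaps, notes) for one Graph conditionalAccessPolicy object."""
    gaps, notes = [], []
    if policy.get("state") != "enabled":
        gaps.append(f"policy state is {policy.get('state')!r}, so it is not enforced")
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    for app_id, name in REQUIRED_APPS.items():
        if app_id in excluded or not ({"All", app_id} & included):
            gaps.append(f"{name} ({app_id}) is not targeted")
    grant = policy.get("grantControls") or {}
    # MFA can be required via the built-in control or an authentication strength.
    if "mfa" not in (grant.get("builtInControls") or []) and not grant.get("authenticationStrength"):
        gaps.append("grant controls do not require MFA")
    sif = (policy.get("sessionControls") or {}).get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        gaps.append("sign-in frequency is not enabled")
    elif sif.get("frequencyInterval") == "everyTime":
        notes.append("Every time re-prompts 5 to 15 minutes after the last "
                     "authentication, so a quick app restart may not prompt")
    return gaps, notes

# Constructed sample: the policy described in the question, assumed here to
# target only the Microsoft Remote Desktop app.
SAMPLE_POLICY = {
    "displayName": "CA-AVD-untrusted-MFA (constructed)",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": ["all"],
        "applications": {"includeApplications": ["a4a365df-50f1-4397-bc59-1a1564b8bb9c"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {"signInFrequency": {"isEnabled": True, "frequencyInterval": "everyTime"}},
}

if __name__ == "__main__":
    gaps, notes = audit_policy(SAMPLE_POLICY)
    for line in gaps + notes:
        print(line)
```

Feed it each policy object returned by the Graph Conditional Access policies endpoint; an empty `gaps` list means both apps are targeted with MFA and a sign-in frequency control.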