Setting up multi-factor authentication on Azure Virtual Desktop gotcha and troubleshooting
Setting up multi-factor authentication on Azure Virtual Desktop is a necessity. It will not be long before bad actors try to access a tenant’s Azure Virtual Desktop, and it is most likely already happening. It is not very hard to figure out how to reach one for a user who has a virtual desktop assigned to them. Once Azure Virtual Desktop becomes mainstream, and it will, there will be an influx of bad actors trying to access it.
Requirements:
- Azure AD P1 – Needed for conditional access
- Knowledge of Azure
- RBAC – Security Administrator
- Have set up Azure Virtual Desktop in the tenant, or the app will not show in the conditional access policy setup
1 Gotcha:
Make sure you do not have per-user MFA set up on the user who will be accessing the virtual desktop; use a conditional access policy instead. Per-user MFA is not supported, and if it is turned on, you will not be able to log into your Virtual Desktop; see the troubleshooting screenshots. When per-user MFA is turned on, the sign-in logs do not record an entry for the attempt, which makes the issue hard to troubleshoot.
Turn off per user MFA
To turn off per-user MFA for the users using Azure Virtual Desktop:
Go to https://portal.azure.com
- Open Azure Active Directory
- Click on users
- Click on Per-user MFA
Or use this URL https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx
Find the user who will be logging into Azure Virtual Desktop
Ensure it is set to Disabled. If not, disable it.
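Checking one user at a time in the portal does not scale, so here is an added example (not code from the original post) that reports the per-user MFA state of every member of the Azure Virtual Desktop users group with the MSOnline module. It is read-only; the group name is an assumed placeholder.

```powershell
# Added example: audit per-user MFA state for the members of the AVD users group.
# Requires the MSOnline module; the group name below is a placeholder.
Import-Module MSOnline
Connect-MsolService

$AvdGroupName = 'AVD Users'   # placeholder: the group assigned to Azure Virtual Desktop

function Get-PerUserMfaState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User   # a Microsoft.Online.Administration.User from Get-MsolUser
    )
    process {
        # An empty StrongAuthenticationRequirements collection means per-user MFA is Disabled;
        # otherwise its State property is Enabled or Enforced, both of which break AVD sign-in.
        $req = $User.StrongAuthenticationRequirements
        $state = if ($null -eq $req -or $req.Count -eq 0) { 'Disabled' } else { $req[0].State }
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            PerUserMfaState   = $state
        }
    }
}

$group = Get-MsolGroup -SearchString $AvdGroupName | Select-Object -First 1
if (-not $group) { throw "Group '$AvdGroupName' not found" }

# Group member objects do not carry the MFA requirement, so resolve each member
# to a full user object before inspecting it.
$report = Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Get-PerUserMfaState

$report | Format-Table -AutoSize

# Anyone listed here will fail to sign in to AVD until per-user MFA is disabled for them.
$report | Where-Object PerUserMfaState -ne 'Disabled'
```

Run it before enabling the conditional access policy; any user in the final list is the "gotcha" from the section above and will produce the silent sign-in failure described there.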
Disable per user MFA with PowerShell
Run this PowerShell in an ISE window or save it as a .ps1 file to run locally. The operation can only be done with the MSOnline module.
Please note this will disable per-user MFA for all users in the tenant. Ensure you have a conditional access policy in place first.
If you only want to disable per-user MFA for one user, replace Get-MsolUser -All with Get-MsolUser -UserPrincipalName <username>.

```powershell
# Connect to the tenant with the MSOnline module before changing any user state.
Import-Module MSOnline
Connect-MsolService

# Sets the per-user MFA requirement state (Disabled, Enabled or Enforced) for a user
function Set-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )
    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        # An empty requirements array clears per-user MFA; any other state needs one requirement
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement = [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }
        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
            -StrongAuthenticationRequirements $Requirements
    }
}

# Disable per-user MFA for all users (replace -All with -UserPrincipalName <username> for one user)
Get-MsolUser -All | Set-MfaState -State Disabled
```
Source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Set up a conditional access policy for Azure Virtual Desktop
- From a browser open https://portal.azure.com
- Login with your admin account
- Search for Conditional and click on Azure AD Conditional Access
- Create a New Policy
- Name your policy, ie AVD MFA required
- Click on Users and groups
- Select the group of users that this policy will apply to for Azure Virtual Desktop.
- Click apps or actions
- Click on Select apps
In the Select cloud apps window, type “Windows virtual”. The app may be renamed to Azure Virtual Desktop at some point, but for now it is still called Windows Virtual Desktop.
- Click on Windows Virtual Desktop and ensure the GUID is 9cdead84-a844-4324-93f2-b2e6bb768d07.
- And click Select
- Should now look like this
- Next, click on Conditions
- Click on Client apps.
Depending on your Azure Active Directory License, you may see many options like User risk and Sign-in risk. For this example, we want to be prompted for MFA each time we access Azure Virtual Desktop.
- Select Configure – Yes
- We only need to select Browser, and Mobile apps and desktop clients, as this policy only applies to Azure Virtual Desktop.
- Click Done
- Next, under Access controls, click on Grant.
- From the Grant window, select Require multi-factor authentication
- Click Select at the bottom
- To turn on the policy, select On for Enable policy
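The same policy can be created from PowerShell, which is useful for repeating it across tenants or keeping it in source control. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the group object ID placeholder is replaced with your AVD users group. The app ID is the Windows Virtual Desktop GUID given in the steps above.

```powershell
# Added example: create the "AVD MFA required" conditional access policy via Microsoft Graph.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$AvdUsersGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of your AVD users group
$AvdAppId        = '9cdead84-a844-4324-93f2-b2e6bb768d07'   # Windows Virtual Desktop app (from the post)

$policy = @{
    displayName = 'AVD MFA required'
    # Report-only first: sign-in logs then show which sign-ins the policy would have affected
    # without locking anyone out. Switch to 'enabled' once the results look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($AvdUsersGroupId)
        }
        applications = @{
            includeApplications = @($AvdAppId)
        }
        # Matches the portal steps: Browser plus Mobile apps and desktop clients.
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back and confirm it targets the AVD app and requires MFA.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Applications.IncludeApplications -notcontains $AvdAppId) {
    throw 'Policy does not target the Windows Virtual Desktop app'
}
if ($check.GrantControls.BuiltInControls -notcontains 'mfa') {
    throw 'Policy does not require MFA'
}

# When satisfied with the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

Creating the policy in report-only mode and then flipping it to enabled is the equivalent of the portal's Enable policy toggle, with the advantage that the sign-in logs show the policy's effect before any user is blocked.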
Test your policy
In the browser
- Go to https://rdweb.wvd.microsoft.com/arm/webclient
- Log in with your Microsoft work or school account
- You should now get prompted to approve the sign-in with your configured MFA method
For the desktop
- Download the windows client from https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10
- Install
- Add a feed and use https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery
- Enter your Microsoft work or school account
- You should now get prompted to approve the sign-in with your configured MFA method
Troubleshooting
If you get either of the following sign-in errors (see screenshots):
- Double-check that the username and password are right, that you have access to the resource, and that per-user MFA is disabled.
- If all of these have been checked and you still get the error, try resetting your password. It seems bizarre, but this works.
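When the portal's sign-in log blade is slow to search, the same information is available from PowerShell. This added example (not code from the original post) pulls a user's most recent sign-ins to the Windows Virtual Desktop app and shows whether the conditional access policy applied and how the sign-in ended. It assumes the Microsoft.Graph.Reports module; the user principal name is a placeholder and the app ID is the Windows Virtual Desktop GUID used earlier in the post.

```powershell
# Added example: check the Azure AD sign-in logs for one user's AVD sign-ins.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$Upn      = 'user@contoso.com'                       # placeholder: the user who cannot sign in
$AvdAppId = '9cdead84-a844-4324-93f2-b2e6bb768d07'   # Windows Virtual Desktop app (from the post)

$filter  = "appId eq '$AvdAppId' and userPrincipalName eq '$Upn'"
$signIns = Get-MgAuditLogSignIn -Filter $filter -Top 20

if (-not $signIns) {
    # No entries at all is itself a clue: the post notes that per-user MFA stops the sign-in
    # before it is logged, so that setting is the first thing to check.
    Write-Warning "No sign-in entries for $Upn against the AVD app; check the user's per-user MFA state."
    return
}

$signIns | ForEach-Object {
    # Summarise each conditional access policy evaluated for this sign-in as name=result
    $caPolicies = ($_.AppliedConditionalAccessPolicies |
        ForEach-Object { '{0}={1}' -f $_.DisplayName, $_.Result }) -join '; '
    [pscustomobject]@{
        Time            = $_.CreatedDateTime
        App             = $_.AppDisplayName
        ClientApp       = $_.ClientAppUsed
        ErrorCode       = $_.Status.ErrorCode      # 0 means the sign-in succeeded
        Failure         = $_.Status.FailureReason
        CAStatus        = $_.ConditionalAccessStatus
        PoliciesApplied = $caPolicies
    }
} | Format-Table -AutoSize
```

A successful row shows ErrorCode 0, CAStatus success and the AVD policy listed with result success; a non-zero ErrorCode with a FailureReason tells you which of the checks above to revisit.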
Conclusion
Azure Virtual Desktop is a great tool for remote and hybrid work. I would still recommend that any desktop connecting to Azure Virtual Desktop have a virus scanner in place. Keyloggers could still steal your password, but at least with MFA in place, there is a secondary authentication required.