Setting up multi-factor authentication on Azure Virtual Desktop gotcha and troubleshooting

July 28, 2021 (updated November 16th, 2021)


Setting up multi-factor authentication on Azure Virtual Desktop is a necessity. It will not be long, and it is most likely already happening, before bad actors try to access a tenant’s Azure Virtual Desktop. It is not very hard to figure out how to reach one for a user who has a virtual desktop assigned to them. Once Azure Virtual Desktop becomes mainstream, and it will, there will be an influx of bad actors trying to access it.

Requirements:

  1. Azure AD P1 – Needed for conditional access
  2. Knowledge of Azure
  3. RBAC – Security Administrator
  4. Have set up Azure Virtual Desktop in the tenant, or the app will not show in the conditional access policy setup

Gotcha #1:

Make sure you do not have per-user MFA set up on the user who will be accessing the virtual desktop; use a conditional access policy instead. Per-user MFA is not supported, and if it is on, you will not be able to log into your Virtual Desktop; see the troubleshooting screenshots. When per-user MFA is turned on, the sign-in logs do not record an entry, which makes the issue hard to troubleshoot.
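Because a per-user MFA setting leaves no sign-in log entry, it is worth auditing the AVD users for it before anyone reports a failed login. The following is an added example, not code from the original post: it reports the per-user MFA state of every user member of the AVD group using the MSOnline module, and <AVD-USERS-GROUP-OBJECT-ID> is a placeholder for your group’s object ID.

```powershell
# Added example (not from the original post): report the per-user MFA state of
# every user member of the AVD users group. Assumes the MSOnline module is installed;
# <AVD-USERS-GROUP-OBJECT-ID> is a placeholder for your group's object ID.
Import-Module MSOnline
Connect-MsolService

$avdGroupId = "<AVD-USERS-GROUP-OBJECT-ID>"

# Only direct user members are checked; nested groups are skipped for simplicity.
$members = Get-MsolGroupMember -GroupObjectId $avdGroupId -All |
    Where-Object { $_.GroupMemberType -eq "User" }

$report = foreach ($m in $members) {
    $u = Get-MsolUser -ObjectId $m.ObjectId
    # An empty StrongAuthenticationRequirements collection means per-user MFA is
    # Disabled, which is the state AVD needs; Enabled or Enforced is the gotcha.
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        "Disabled"
    }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PerUserMfa        = $state
    }
}

$report | Sort-Object PerUserMfa -Descending | Format-Table -AutoSize

# Flag anyone whose AVD sign-in will fail until per-user MFA is turned off.
$report | Where-Object { $_.PerUserMfa -ne "Disabled" } | ForEach-Object {
    Write-Warning ("{0} has per-user MFA '{1}'; AVD sign-in will fail until it is Disabled." -f
        $_.UserPrincipalName, $_.PerUserMfa)
}
```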

Turn off per user MFA

To turn off per-user MFA for the users using Azure Virtual Desktop:

Go to https://portal.azure.com

  • Open Azure Active Directory
  • Click on users
  • Click on Per-user MFA

Or use this URL https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx

[Screenshot: Per-user MFA page]

Find the user who will be logging into Azure Virtual Desktop

Ensure it is set to Disabled. If not, disable it.

[Screenshot: Disable per-user MFA]

Disable per user MFA with PowerShell

Run this PowerShell in an ISE window, or save it as a .ps1 file and run it locally. The operation can only be done with the MSOnline module.

Please note this will disable per-user MFA for all users in the tenant. Ensure you have a conditional access policy in place beforehand.

If you want to disable per-user MFA for only one user, replace Get-MsolUser -All with Get-MsolUser -UserPrincipalName <username>.

# Requires the MSOnline module; connect to the tenant first
Import-Module MSOnline
Connect-MsolService

# Sets the per-user MFA requirement state (Disabled, Enabled or Enforced)
function Set-MfaState {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $ObjectId,
        [Parameter(ValueFromPipelineByPropertyName=$True)]
        $UserPrincipalName,
        [ValidateSet("Disabled","Enabled","Enforced")]
        $State
    )
    Process {
        Write-Verbose ("Setting MFA state for user '{0}' to '{1}'." -f $ObjectId, $State)
        # An empty requirements list clears per-user MFA (Disabled)
        $Requirements = @()
        if ($State -ne "Disabled") {
            $Requirement =
                [Microsoft.Online.Administration.StrongAuthenticationRequirement]::new()
            $Requirement.RelyingParty = "*"
            $Requirement.State = $State
            $Requirements += $Requirement
        }
        Set-MsolUser -ObjectId $ObjectId -UserPrincipalName $UserPrincipalName `
                     -StrongAuthenticationRequirements $Requirements
    }
}
# Disable per-user MFA for all users in the tenant
Get-MsolUser -All | Set-MfaState -State Disabled

Source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

Set up a conditional access policy for Azure Virtual Desktop

  • From a browser, open https://portal.azure.com
  • Log in with your admin account
  • Search for Conditional and click on Azure AD Conditional Access

[Screenshot: Conditional Access]

  • Create a New Policy

[Screenshot: New Policy]

  • Name your policy, e.g. AVD MFA required

[Screenshot: Name your policy]

  • Click on Users and groups
  • Select the group of users that this policy will apply to for Azure Virtual Desktop.

[Screenshot: Select groups in policy]

  • Click apps or actions

[Screenshot: Pick apps in policy]

  • Click on Select apps

[Screenshot: Select apps in policy]

From the Select Cloud apps window, type “Windows virtual”. The app may be renamed to Azure Virtual Desktop at some point, but for now it’s still called Windows Virtual Desktop.

  • Click on Windows Virtual Desktop and ensure the GUID is 9cdead84-a844-4324-93f2-b2e6bb768d07.

[Screenshot: Select AVD app in policy]

  • Click Select
  • It should now look like this

[Screenshot: AVD app selected in policy]

  • Next, click on Conditions
  • Click on Client apps.

Depending on your Azure Active Directory license, you may see many more options, such as User risk and Sign-in risk. For this example, we want to be prompted for MFA each time we access Azure Virtual Desktop.

[Screenshot: Conditions in policy]

  • Select Configure – Yes
  • We only need to select Browser and Mobile apps and desktop clients, as this policy only applies to Azure Virtual Desktop.

[Screenshot: Client apps condition in policy]

  • Click Done
  • Next, under Access controls, click on Grant.
  • From the Grant window, select Require multi-factor authentication

[Screenshot: Grant access with MFA in policy]

  • Click Select at the bottom
  • To turn on the policy, select On for Enable policy
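The same policy can be created from a script, which is handy when you manage several tenants or want the configuration under version control. The following is an added example, not code from the original post: it builds the policy with the Microsoft Graph PowerShell SDK using the Windows Virtual Desktop app ID and the two client app types from the steps above, then reads it back to confirm the app and grant control. <AVD-USERS-GROUP-OBJECT-ID> is a placeholder for your group’s object ID; the Microsoft.Graph module and a Conditional Access Administrator or Security Administrator role are assumed.

```powershell
# Added example (not from the original post): create the "AVD MFA required" policy
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed;
# <AVD-USERS-GROUP-OBJECT-ID> is a placeholder for your group's object ID.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Windows Virtual Desktop app ID, the same GUID selected under Cloud apps in the portal.
$avdAppId   = "9cdead84-a844-4324-93f2-b2e6bb768d07"
$avdGroupId = "<AVD-USERS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "AVD MFA required"
    # "enabled" matches "Enable policy: On" in the portal. Use
    # "enabledForReportingButNotEnforced" to trial it in report-only mode first.
    state       = "enabled"
    conditions  = @{
        applications   = @{ includeApplications = @($avdAppId) }
        users          = @{ includeGroups = @($avdGroupId) }
        # Same two client app types chosen under Conditions > Client apps.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm it targets the AVD app and requires MFA.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Applications.IncludeApplications -contains $avdAppId -and
    $check.GrantControls.BuiltInControls -contains "mfa") {
    Write-Output ("Policy '{0}' created with state '{1}'." -f $check.DisplayName, $check.State)
} else {
    Write-Warning "Policy did not come back with the expected app or grant control."
}
```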

Test your policy

In the browser

For the desktop

  • Download the Windows client from https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10
  • Install it
  • Add a feed and use https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery
  • Enter your Microsoft work or school account
  • You should now get prompted to approve the sign-in with your configured MFA method

Troubleshooting

If you get either of the following errors:

[Screenshot: Per-user MFA error 1]

Or

[Screenshot: Per-user MFA error, second variant]

  • Please double-check that the username and password are right, that you have access to the resource, and that per-user MFA is disabled.
  • If all of these check out and you still get the error, try resetting your password. It seems bizarre, but this works.

Conclusion

Azure Virtual Desktop is a great tool for remote and hybrid work. I would still recommend that any desktop connecting to Azure Virtual Desktop have a virus scanner in place. A keylogger could still steal your password, but with MFA in place a second factor is still required.
