Step-by-Step Guide to Securing Windows Virtual Desktop in Azure with Conditional Access and MFA

One of my biggest complaints about using Azure AD P1 to issue Azure MFA challenges on a traditional RDS deployment via RADIUS authentication is that it issues an MFA challenge on every login. That’s almost as annoying as trying to understand Microsoft Licensing.

Fortunately, securing Windows Virtual Desktop in Azure with Conditional Access and MFA is a breeze and dramatically improves the user experience!

Requirements for Securing Windows Virtual Desktop in Azure with Conditional Access and MFA

Here are a few prerequisites that you’ll need already configured in your lab:

  • An Azure CSP Subscription from Infused Innovations (Or any Azure Subscription will work too)

  • An existing deployment of Windows Virtual Desktop in Azure

  • In addition to the Windows Virtual Desktop licensing requirements, you’ll need one of the following SKUs for conditional access and Azure MFA:

    • Azure AD P1 / P2

      • Azure AD P2 includes risk-based conditional access

    • Enterprise Mobility + Security (EM+S) E3 / E5

      • EM+S E5 includes risk-based conditional access

    • Microsoft 365 E3 / E5

      • The Identity Threat Protection add-on SKU adds risk-based conditional access to Microsoft 365 E3

      • Microsoft 365 E5 includes risk-based conditional access

  • Consider reviewing our Getting Started with Conditional Access and Azure MFA guide if you’re not familiar with conditional access

Configure Windows Virtual Desktop in Azure with Conditional Access and MFA

When you integrate any application with Azure SSO as either a SAML 2.0 endpoint or Enterprise Application, it’s simple to create a conditional access policy to enforce MFA challenges for that application.

Create a new Conditional Access Policy

  • Under Assignments, target All Users or choose a pilot group

  • Under Cloud Apps search for Windows Virtual Desktop and select the apps that are registered in your tenant:

  • Under Conditions exclude Devices marked as compliant to allow your enrolled and healthy devices to bypass MFA challenges:

  • Note: You can optionally target risky sign-ins only. Or if you’re using thin clients at an office, you might want to exempt a trusted location.

  • Under Access Control select Require multi-factor authentication

Closing Thoughts on Securing Windows Virtual Desktop in Azure with Conditional Access and MFA

The new Windows Virtual Desktop service delivers exactly the MFA experience that I want to deliver to all our clients at Infused Innovations. I can allow users to bypass MFA when they’re accessing corporate resources in an approved environment; otherwise require an MFA challenge when they’re not.

It takes less than 15 minutes to secure Windows Virtual Desktop in Azure with Conditional Access and MFA compared to at least two hours to configure the Azure MFA extension with NPS to protect a traditional RDS deployment. (That time estimate is assuming you’ve deployed RDS with NPS before.) That is extraordinary value with minimal effort!

The improvements that Microsoft continues to build into their cloud offerings are delivering enterprise-class security and features at values that any SMB can afford.

 

Contact Us for More Information:

Name *
Name