Has anyone else experienced inconsistent MFA enforcement when using Azure Virtual Desktop (AVD)? I set up a Conditional Access policy to require MFA for every sign-in, and while it works for the initial login, the issue arises when users disconnect or log off. They can reconnect without being prompted for MFA again, even with the 'Sign-in frequency' set to 'Every time.' I noticed that during the first login, the App ID is the Azure Virtual Desktop Client, but on subsequent logins, it changes to 'Windows Sign In,' which seems to bypass the MFA requirement. Any tips or solutions on how to ensure MFA is enforced consistently for all AVD logins, regardless of disconnections or reboots?
2 Answers
It sounds like you might want to take a closer look at your Conditional Access policy settings. Sometimes, the App ID switching can happen due to how sessions are managed between AVD and Windows Sign In. Double-check that your policy includes all appropriate apps that could influence the sign-in process. Also, make sure that there are no conflicting policies applying that might override your MFA requirement.
You might also want to verify the session controls in your policy. If 'Sign-in frequency' is set correctly but the MFA prompts are still being bypassed, it could be an issue with how session persistence is set up in AVD. Consider consulting the Microsoft documentation to see if there are any special requirements for your setup.
Good point! Ensuring session persistence aligns with Conditional Access policies can be tricky. Let us know if you find anything specific!
I think you're right! It's worth revisiting those configurations to ensure nothing is slipping through the cracks. Thanks for the insight!
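As an added example (not code from anyone in this thread), here is a Microsoft Graph PowerShell check for the first answer's advice: it lists each enabled Conditional Access policy, whether it requires MFA, what sign-in frequency it sets, and which of the AVD-related cloud apps it includes or misses. It assumes the Microsoft.Graph module is installed, you hold Policy.Read.All and Application.Read.All, and the app display names in $avdAppNames match the names shown in your tenant's sign-in logs (adjust them if they differ).

```powershell
# Added example, not from the original thread. Audits enabled Conditional Access policies for
# MFA grant controls, sign-in frequency and coverage of the AVD-related cloud apps.
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All" -NoWelcome

# Assumed display names; resolved to appIds at runtime instead of hard-coding GUIDs.
$avdAppNames = @("Azure Virtual Desktop", "Microsoft Remote Desktop", "Windows Cloud Login", "Windows Sign In")
$avdApps = @{}
foreach ($name in $avdAppNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'" -Property AppId, DisplayName |
          Select-Object -First 1
    if ($sp) { $avdApps[$sp.AppId] = $sp.DisplayName }
    else     { Write-Warning "Service principal '$name' not found in this tenant" }
}

$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" }
foreach ($p in $policies) {
    $requiresMfa = [bool]($p.GrantControls.BuiltInControls -contains "mfa")
    $included    = @($p.Conditions.Applications.IncludeApplications)
    $coversAll   = $included -contains "All"

    # Which of the resolved AVD apps this policy actually targets, and which it leaves out.
    $covered = $avdApps.Keys | Where-Object { $coversAll -or ($included -contains $_) } |
               ForEach-Object { $avdApps[$_] }
    $missing = $avdApps.Keys | Where-Object { -not $coversAll -and ($included -notcontains $_) } |
               ForEach-Object { $avdApps[$_] }

    # Sign-in frequency: "everyTime" is the setting the question relies on; "timeBased" carries a value/unit.
    $sif = $p.SessionControls.SignInFrequency
    if ($sif -and $sif.IsEnabled) {
        $sifText = if ($sif.FrequencyInterval -eq "everyTime") { "everyTime" }
                   else { "$($sif.Value) $($sif.Type)" }
    } else { $sifText = "not set" }

    [pscustomobject]@{
        Policy          = $p.DisplayName
        RequiresMfa     = $requiresMfa
        SignInFrequency = $sifText
        AvdAppsCovered  = ($covered -join ", ")
        AvdAppsMissing  = ($missing -join ", ")
    }
}
```

A policy that requires MFA with sign-in frequency "everyTime" but lists one of the AVD apps under AvdAppsMissing is the gap to look at first; cross-check against the AppDisplayName column in the sign-in logs for the reconnections that were not prompted.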