Introduction
If your users cannot use a phone (neither a private nor a company device), or they sign in with a non-personal account to access the Microsoft 365 Portal or AVD, the security team will rightly ask how these accounts can be protected with multi-factor authentication. In some cases, users don’t need to access company resources from the internet. In that case, you can restrict the sign-ins of these accounts to the internal network only and disable MFA. However, if users need to access company resources from the internet, do not disable MFA. Instead, consider using FIDO keys or hardware OATH tokens. FIDO keys are great and secure, but pricier. A good alternative is hardware OATH tokens. The tokens can be kept on a keychain, they are easier for non-technical users to operate, and the IT department can set them up. Personally, I encounter these use cases in healthcare institutes, where hardware tokens are a better solution than FIDO keys.
In the following scenario, I will demonstrate the setup of secure access to AVD with hardware tokens.
Configuration
- First of all, sign in to the Entra ID Portal or the Azure Portal and navigate to Entra ID (activate your PIM roles)
- Navigate to Protection -> Authentication methods -> Hardware OATH tokens (Preview)
  Enable the setting and target the OATH tokens to a specific group. In this case, the group CSGA-PRD-IAM-AVD was used, which contains all AVD users.
  NOTE: You must configure the hardware tokens separately before the users can use them. For more information, see OATH hardware tokens (Preview)
- After you have configured the authentication method, create a conditional access policy that requires the users in the group CSGA-PRD-IAM-AVD to use MFA when accessing the AVD client (web or local installation).
Here is an example of a conditional access policy that I would use for this use case:
- Finally, after you have created the conditional access policy, test the sign-in to the AVD client with a hardware token. Voilà, you have secured your AVD access with hardware tokens.
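The conditional access policy from the steps above, expressed as an added example with the Microsoft Graph PowerShell SDK (this is not the author's own policy export). It assumes the SDK is installed, the group CSGA-PRD-IAM-AVD exists, the signed-in admin holds the listed scopes, and the "Azure Virtual Desktop" cloud app ID is the one Microsoft documents; the break-glass exclusion is a placeholder you fill in yourself.

```powershell
# Added example: create the MFA policy for the AVD group in report-only mode first,
# review the sign-in logs, and only then switch the state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$groupName = "CSGA-PRD-IAM-AVD"
$groups = @(Get-MgGroup -Filter "displayName eq '$groupName'")
if ($groups.Count -ne 1) { throw "Expected exactly one group named $groupName, found $($groups.Count)" }

# Azure Virtual Desktop cloud app ID as documented by Microsoft; verify it under
# Enterprise applications in your tenant before relying on it.
$avdAppId = "9cdead84-a844-4324-93f2-b2e6bb768d07"

$policy = @{
    displayName = "CA-AVD-RequireMFA-HardwareOATH"
    state       = "enabledForReportingButNotEnforced"   # report-only until validated
    conditions  = @{
        users = @{
            includeGroups = @($groups[0].Id)
            # Standard practice: keep emergency access accounts out of the policy.
            excludeUsers  = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")   # placeholder, replace
        }
        applications   = @{ includeApplications = @($avdAppId) }
        clientAppTypes = @("all")   # covers the web client and the installed Remote Desktop client
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # the registered hardware OATH token satisfies this control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Read the policy back and confirm the targeting before enabling it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Groups'; e = { $_.Conditions.Users.IncludeGroups } },
        @{ n = 'Apps';   e = { $_.Conditions.Applications.IncludeApplications } }
```

The "mfa" grant control accepts any registered MFA method; if only hardware OATH tokens should satisfy the policy, replace it with a custom authentication strength that allows just that combination.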