Azure Virtual Desktop MFA Sign-In Frequency

In April 2025, Microsoft announced that the “Every time sign-in frequency” Conditional Access Policy option is generally available for Azure Virtual Desktop (AVD). This option prompts users to reauthenticate when they launch a new connection after a specified period, improving both security and user experience. You can now require reauthentication more frequently, strengthening your security posture and keeping access to your virtual desktop environment secure. How often a user is prompted to reauthenticate depends on the configured Conditional Access Policy. The sections below show how to enforce MFA for AVD and, optionally, how to configure sign-in frequency.

Introduction

Users can sign in to AVD from anywhere, using different devices and clients. To maintain a secure environment, enforcing MFA through Microsoft Entra is crucial. MFA prompts users for an additional form of verification alongside their username and password during sign-in. You can enforce MFA for AVD using Conditional Access Policies and specify whether it applies to web clients, mobile apps and desktop clients, or all client types.

When a user connects to a remote session, they authenticate twice: to the AVD service (for example, through Windows App) and to the session host or RemoteApp. If MFA is enabled, the user is prompted for their account credentials and a second form of authentication, securing the access. Once the user has provided their username and password, signing in to the session host becomes seamless with single sign-on (SSO) enabled.

Prerequisites

To get started, here’s what you need:

  • Assign users a license that includes Microsoft Entra ID P1 or P2.
  • A Microsoft Entra group with your Azure Virtual Desktop users assigned as group members.
  • Microsoft Entra multifactor authentication enabled, with Security Defaults disabled so that Conditional Access Policies can be created.

Create a Conditional Access Policy

Here’s how to create a Conditional Access policy that requires multifactor authentication when connecting to Azure Virtual Desktop:

  1. Sign In: Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
    • Alternatively, activate the role via PIM for Entra roles.
  2. Browse: Navigate to Protection → Conditional Access → Policies.
  3. New Policy: Select “New policy” and give your policy a meaningful name.

Assignments

  1. Users: Under Assignments → Users, select the group that contains your AVD users.
  2. Resources: Under Assignments → Target resources, select the relevant target resources based on the resources you’re trying to protect.

Configure Target Resources for Azure Virtual Desktop

For AVD (based on Azure Resource Manager), you can configure MFA and sign-in frequency policies on these different apps:

  • Azure Virtual Desktop (App ID 9cdead84-a844-4324-93f2-b2e6bb768d07):
    • Applies when the user subscribes to Azure Virtual Desktop, authenticates to the Azure Virtual Desktop Gateway during a connection, and when diagnostics information is sent to the service from the user’s local device.
    • Sign-in frequency behaviour: Enforces reauthentication when a user subscribes to Azure Virtual Desktop, manually refreshes their list of resources, and authenticates to the Azure Virtual Desktop Gateway during a connection. Once the reauthentication period is over, background feed refresh and diagnostics upload silently fail until the user completes their next interactive sign-in to Microsoft Entra.
    • Tip: The app name was previously Windows Virtual Desktop. If you registered the Microsoft.DesktopVirtualization resource provider before the display name changed, the application will be named Windows Virtual Desktop with the same app ID as Azure Virtual Desktop.
  • Microsoft Remote Desktop (App ID a4a365df-50f1-4397-bc59-1a1564b8bb9c):
    • Currently applies when the user authenticates to the session host with SSO enabled.
    • Sign-in frequency behaviour: Enforces reauthentication when a user signs in to a session host when single sign-on is enabled.
    • Important: An upcoming change will transition the authentication to the Windows Cloud Login Entra ID app. To ensure a smooth transition, you need to add both Microsoft Remote Desktop and Windows Cloud Login apps to your Conditional Access Policies.
  • Windows Cloud Login (App ID 270efc09-cd0d-444b-a71f-39af4910ec45):
    • Will apply when the user authenticates to the session host with SSO enabled, once the transition described above has taken place.
    • Sign-in frequency behaviour: Enforces reauthentication when a user signs in to a session host when single sign-on is enabled.

Do not select: the app called Azure Virtual Desktop Azure Resource Manager Provider (App ID 50e95039-b200-4007-bc97-8d5790743a63). This app is only used for retrieving the user feed and should not have MFA enforced.

Configuring Conditions

  1. Target specific Client Apps: Configure the policy to apply to web clients, mobile apps and desktop clients, or all client types.
    • Select Browser if you want the policy to apply to the web client.
    • Select Mobile apps and desktop clients if you want to apply the policy to other clients.

Configure Access Control

  1. Grant Access: Under Access controls → Grant, select “Require multi-factor authentication”.
  2. Enable Policy: Set the policy status to “On” and create it.

Configure Sign-In Frequency

Sign-in frequency policies let you configure how often users are required to sign in when accessing Microsoft Entra-based resources. This helps secure your environment and is especially important for personal devices, where the local OS may not require MFA or may not lock automatically after inactivity.

Steps to Configure Sign-In Frequency

  1. Open Policy: Access the Conditional Access policy you previously created.
  2. Session Controls: Under Access controls → Session, select “Sign-in frequency”.
  3. Choose Frequency: Opt for either “Periodic reauthentication” or “Every time” and set the time period.
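As an added example (not from the post or from Microsoft's documentation), the policy built by the steps above and the sign-in frequency step, expressed as the Microsoft Graph conditionalAccessPolicy body, so the three target apps, the MFA grant and the session control can be reviewed or version-controlled before they are created. The group object ID and the Graph access token are assumed inputs, and the policy starts in report-only mode.

```python
import json
import urllib.request
# App IDs quoted in the post; AVD_ARM_PROVIDER_APP is the one that must NOT be targeted.
AVD_APP = "9cdead84-a844-4324-93f2-b2e6bb768d07"                  # Azure Virtual Desktop
MS_REMOTE_DESKTOP_APP = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"    # Microsoft Remote Desktop
WINDOWS_CLOUD_LOGIN_APP = "270efc09-cd0d-444b-a71f-39af4910ec45"  # Windows Cloud Login
AVD_ARM_PROVIDER_APP = "50e95039-b200-4007-bc97-8d5790743a63"     # user feed only, no MFA
AVD_TARGET_APPS = [AVD_APP, MS_REMOTE_DESKTOP_APP, WINDOWS_CLOUD_LOGIN_APP]


def build_avd_mfa_policy(group_id, name="AVD - Require MFA", frequency_hours=None,
                         report_only=True):
    """Graph conditionalAccessPolicy body for the steps in the post.

    group_id (assumed input): object ID of the Entra group holding the AVD users.
    frequency_hours=None -> 'Every time'; frequency_hours=N -> periodic, every N hours.
    """
    sif = {"isEnabled": True, "authenticationType": "primaryAndSecondaryAuthentication"}
    if frequency_hours is None:
        sif["frequencyInterval"] = "everyTime"
    else:
        sif.update({"frequencyInterval": "timeBased", "type": "hours",
                    "value": int(frequency_hours)})
    return {
        "displayName": name,
        # Start in report-only mode; the sign-in logs then show the impact before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": list(AVD_TARGET_APPS)},
            # Web client plus desktop/mobile clients, as in the post.
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {"signInFrequency": sif},
    }


def targets_feed_app(policy):
    """Guard for the 'Do not select' note: True if the ARM provider app is targeted."""
    return AVD_ARM_PROVIDER_APP in policy["conditions"]["applications"]["includeApplications"]


def create_policy(policy, access_token):
    """POST to Graph (token needs Policy.ReadWrite.ConditionalAccess); not run offline."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Switch `report_only=False` only after the report-only sign-in logs show the expected users and apps being matched.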

Important Considerations regarding the Sign-In Frequency

  • Resource Authentication: Reauthentication occurs only when a new access token is requested.
  • Session Stability: Users won’t be prompted again if their connection persists beyond the configured sign-in frequency, unless there is a network disruption that necessitates reconnecting.

Legacy MFA Methods and Azure Windows VM Sign-In

For connections to succeed, you must disable the legacy per-user MFA sign-in method. If you prefer strong authentication methods such as Windows Hello for Business, exclude the Azure Windows VM Sign-In app from your Conditional Access policy. Find out more here: Resolving MFA-Related RDP Issues To Azure VMs

Conclusion

Implementing multifactor authentication and configuring sign-in frequency are pivotal in enhancing the security of your AVD environment. These Conditional Access features in Microsoft Entra, now generally available, empower organizations to protect their resources robustly while providing a seamless and secure user experience. Stay ahead in securing your virtual desktops and ensure your users remain protected wherever they connect from.

Additional Resources

Learn more about how to configure MFA for AVD in the official Microsoft Learn docs – Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access – Azure | Microsoft Learn
