Commit 157970d

Add information on Every Time Sign in frequency.
1 parent 880bcdd commit 157970d

File tree

1 file changed

+17
-6
lines changed

articles/virtual-desktop/set-up-mfa.md

Lines changed: 17 additions & 6 deletions
@@ -3,7 +3,7 @@ title: Enforce Microsoft Entra multifactor authentication for Azure Virtual Desk
33
description: How to enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access to help make it more secure.
44
author: Heidilohr
55
ms.topic: how-to
6-
ms.date: 10/27/2023
6+
ms.date: 02/12/2024
77
ms.author: helohr
88
---
99

@@ -101,18 +101,29 @@ Here's how to create a Conditional Access policy that requires multifactor authe
101101
102102
## Configure sign-in frequency
103103

104-
To optionally configure the time period before a user is asked to sign-in again:
104+
Sign-in frequency policies enable you to choose the time period before a user must prove their identity again when accessing Microsoft Entra-based resources. This can help secure your environment and is especially important for personal devices, where the local OS may not require MFA or may not lock automatically after inactivity.
105+
106+
Sign-in frequency policies will result in different behavior based on the Microsoft Entra app selected:
107+
- **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07)
108+
- Enforces re-authentication when a user subscribes to Azure Virtual Desktop, manually refreshes their list of resources and authenticates to the Azure Virtual Desktop Gateway during a connection.
109+
- Once the re-authentication period has passed, background feed refresh and diagnostics upload will silently fail, until a user completes their next interactive sign in to Microsoft Entra.
110+
- **Microsoft Remote Desktop** (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) and **Windows Cloud Login** (app ID 270efc09-cd0d-444b-a71f-39af4910ec45)
111+
- Enforces re-authentication when a user signs in to a session host when [single sign-on](configure-single-sign-on.md) is enabled.
112+
- Both apps should be configured together as the Azure Virtual Desktop clients will soon switch from using the Microsoft Remote Desktop app to the Windows Cloud Login app to authenticate to the session host.
113+
114+
To configure the time period before a user is asked to sign-in again:
105115

106116
1. Open the policy you created previously.
107117
1. Under **Access controls** > **Session**, select **0 controls selected**.
108118
1. On the new pane that opens, select **Sign-in frequency**.
109-
1. Select **Periodic reauthentication**.
110-
1. Set the value for the time period before a user is asked to sign-in again, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, will require multifactor authentication if a connection is launched over an hour after the last one.
119+
1. Select **Periodic reauthentication** or **Every time**.
120+
- If you select Periodic reauthentication, set the value for the time period before a user is asked to sign-in again, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, will require multifactor authentication if a connection is launched over an hour after the last one.
121+
- If you select Every time, users will be prompted to re-authenticate after a period or 10 to 15 minutes since the last time they authenticated.
111122
1. At the bottom of the page, under **Enable policy** select **Save**.
112123

113124
> [!NOTE]
114-
> - If [single sign-on](configure-single-sign-on.md) is enabled, it's recommended to configure the sign-in frequency only on the **Microsoft Remote Desktop** and **Windows Cloud Login** Entra ID apps and not the **Azure Virtual Desktop** Entra ID app. This will ensure that feed refresh and diagnostics upload continue working in the background as expected.
115-
> - Without single sign-on, sign-in frequency can be configured on the **Azure Virtual Desktop** Entra ID app.
125+
> - Re-authentication only happens when a user must authenticate to a resource. Once a connection is established, users will not be prompted even if the connection lasts longer than the sign-in frequency you've configured.
126+
> - Users will need to re-authenticate if there is a network disruption that forces the session to be re-established after the sign-in frequency you've configured. This could lead to more frequent authentication requests on unstable networks.
116127
117128
<a name='azure-ad-joined-session-host-vms'></a>
118129
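Review bot: the new Every time bullet has a typo: "after a period or 10 to 15 minutes" should read "after a period of 10 to 15 minutes". Two smaller wording points in the same hunk: the intro sentence and the Periodic reauthentication bullet use "sign-in again" where the verb form "sign in again" is meant (while "interactive sign in" in the Azure Virtual Desktop bullet is the noun and should be "sign-in"), and the comma in "setting the value to **1** and the unit to **Hours**, will require multifactor authentication" separates subject from verb and should be dropped. On substance, the removed note lines carried the explicit recommendation to scope sign-in frequency to the **Microsoft Remote Desktop** and **Windows Cloud Login** apps rather than the **Azure Virtual Desktop** app when single sign-on is enabled; the new per-app bullets describe the consequence (background feed refresh and diagnostics upload silently failing once the period lapses) but no longer state the recommendation itself. Consider keeping one note line along the lines of "> - If [single sign-on](configure-single-sign-on.md) is enabled, configure sign-in frequency on the **Microsoft Remote Desktop** and **Windows Cloud Login** apps rather than the **Azure Virtual Desktop** app so that feed refresh and diagnostics upload keep working in the background." so readers get the guidance and not only the failure mode. Lastly, "Enforces re-authentication when a user subscribes to Azure Virtual Desktop, manually refreshes their list of resources and authenticates to the Azure Virtual Desktop Gateway" lists three independent triggers, so "or" reads more accurately than "and".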
