
Commit 15eae7b

Merge pull request #199930 from dknappettmsft/avd-mfa-app-id
AVD MFA updated intent and other updates for freshness
2 parents 5b89c5d + 5294d43 commit 15eae7b

6 files changed

+82
-65
lines changed

articles/virtual-desktop/TOC.yml

Lines changed: 2 additions & 2 deletions
@@ -187,7 +187,7 @@
187187
items:
188188
- name: Create a host pool using PowerShell or the Azure CLI
189189
href: create-host-pools-powershell.md
190-
- name: Deploy an Azure AD joined session host
190+
- name: Deploy an Azure AD-joined session host
191191
href: deploy-azure-ad-joined-vm.md
192192
- name: Deploy a Windows 7 virtual machine
193193
href: deploy-windows-7-virtual-machine.md
@@ -285,7 +285,7 @@
285285
href: app-attach-msixmgr.md
286286
- name: Use Microsoft Teams
287287
href: teams-on-avd.md
288-
- name: Set up Azure AD multifactor authentication
288+
- name: Enforce Azure AD MFA
289289
href: set-up-mfa.md
290290
- name: Configure AD FS single sign-on
291291
href: configure-adfs-sso.md
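Review bot: the new TOC label "Enforce Azure AD MFA" abbreviates the feature while the article it points to (set-up-mfa.md, title "Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access") spells it out, and the neighbouring entry in the same hunk keeps the long form ("Configure AD FS single sign-on"). Consider "Enforce Azure AD Multi-Factor Authentication" so the TOC wording matches the article heading and the link text used from authentication.md and deploy-azure-ad-joined-vm.md.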

articles/virtual-desktop/authentication.md

Lines changed: 2 additions & 2 deletions
@@ -39,9 +39,9 @@ Azure Virtual Desktop currently doesn't support [external identities](../active-
3939

4040
To access Azure Virtual Desktop resources, you must first authenticate to the service by signing in to an Azure AD account. Authentication happens when subscribing to a workspace to retrieve your resources or every time you connect to apps or desktops. You can use [third-party identity providers](../active-directory/devices/azureadjoin-plan.md#federated-environment) as long as they federate with Azure AD.
4141

42-
### Multifactor authentication
42+
### Multi-factor authentication
4343

44-
Follow the instructions in [Set up multifactor authentication in Azure Virtual Desktop](set-up-mfa.md) to learn how to enable multifactor authentication (MFA) for your deployment. That article will also tell you how to configure how often your users are prompted to enter their credentials. When deploying Azure AD-joined VMs, follow the configuration guide in [Enabling MFA for Azure AD-joined VMs](deploy-azure-ad-joined-vm.md#enabling-mfa-for-azure-ad-joined-vms).
44+
Follow the instructions in [Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) to learn how to enforce Azure AD Multi-Factor Authentication for your deployment. That article will also tell you how to configure how often your users are prompted to enter their credentials. When deploying Azure AD-joined VMs, note the extra steps for [Azure AD-joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms).
4545

4646
### Smart card authentication
4747

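Review bot: renaming the heading from "Multifactor authentication" to "Multi-factor authentication" changes its generated anchor (#multifactor-authentication becomes #multi-factor-authentication), so any inbound links to the old anchor will break; please check for references to `authentication.md#multifactor-authentication` across the repo. The updated paragraph's link to `set-up-mfa.md#azure-ad-joined-session-host-vms` is consistent with the new "## Azure AD joined session host VMs" heading added in set-up-mfa.md in this same PR.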
articles/virtual-desktop/deploy-azure-ad-joined-vm.md

Lines changed: 2 additions & 2 deletions
@@ -73,9 +73,9 @@ To enable access from Windows devices not joined to Azure AD, add **targetisaadj
7373

7474
To access Azure AD-joined VMs using the web, Android, macOS and iOS clients, you must add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
7575

76-
### Enabling MFA for Azure AD joined VMs
76+
### Enforcing Azure AD Multi-Factor Authentication for Azure AD-joined session VMs
7777

78-
You can enable [multifactor authentication](set-up-mfa.md) for Azure AD-joined VMs by setting a Conditional Access policy on the Azure Virtual Desktop app. For connections to succeed, you must [disable the legacy per-user multifactor authentication](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required). If you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll also need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) from your Conditional Access policy.
78+
You can use Azure AD Multi-Factor Authentication with Azure AD-joined VMs. Follow the steps to [Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) and note the extra steps for [Azure AD-joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms).
7979

8080
## User profiles
8181

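Review bot: the heading rename drops the anchor `#enabling-mfa-for-azure-ad-joined-vms`, which authentication.md linked to before this PR; that link is updated in the authentication.md hunk, but other pages linking to the old anchor need checking. Two smaller points: the new heading says "session VMs" where the rest of the PR consistently says "session host VMs", and the replacement paragraph no longer states the security-relevant prerequisite itself (disabling legacy per-user MFA so Conditional Access MFA applies), relying entirely on the cross-link; a one-line summary here would keep readers of this page from missing it.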
articles/virtual-desktop/set-up-mfa.md

Lines changed: 69 additions & 52 deletions
@@ -1,90 +1,107 @@
11
---
2-
title: Azure multifactor authentication for Azure Virtual Desktop - Azure
3-
description: How to set up Azure multifactor authentication to make Azure Virtual Desktop more secure.
2+
title: Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access - Azure
3+
description: How to enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access to help make it more secure.
44
author: Heidilohr
55
ms.topic: how-to
6-
ms.date: 12/10/2020
6+
ms.date: 05/27/2022
77
ms.author: helohr
88
manager: femila
99
---
10-
# Enable Azure multifactor authentication for Azure Virtual Desktop
10+
# Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access
1111

12-
>[!IMPORTANT]
12+
> [!IMPORTANT]
1313
> If you're visiting this page from the Azure Virtual Desktop (classic) documentation, make sure to [return to the Azure Virtual Desktop (classic) documentation](./virtual-desktop-fall-2019/tenant-setup-azure-active-directory.md) once you're finished.
1414
15-
The Windows client for Azure Virtual Desktop is an excellent option for integrating Azure Virtual Desktop with your local machine. However, when you configure your Azure Virtual Desktop account into the Windows Client, there are certain measures you'll need to take to keep yourself and your users safe.
15+
Users can sign into Azure Virtual Desktop from anywhere using different devices and clients. However, there are certain measures you should take to help keep yourself and your users safe. Using Azure Active Directory (AD) Multi-Factor Authentication with Azure Virtual Desktop prompts users during the sign-in process for an additional form of identification, in addition to their username and password. You can enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access and whether it applies for the web client or mobile apps and desktop clients, or both.
1616

17-
When you first sign in, the client asks for your username, password, and Azure multifactor authentication. After that, the next time you sign in, the client will remember your token from your Azure Active Directory (AD) Enterprise Application. When you select **Remember me** on the prompt for credentials for the session host, your users can sign in after restarting the client without needing to reenter their credentials.
17+
How often a user is prompted to reauthenticate depends on [Azure AD session lifetime configuration settings](../active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md#azure-ad-session-lifetime-configuration-settings). For example, if their Windows client device is registered with Azure AD, it will receive a [Primary Refresh Token](../active-directory/devices/concept-primary-refresh-token.md) (PRT) to use single sign-on (SSO) across applications. Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.
1818

19-
While remembering credentials is convenient, it can also make deployments on Enterprise scenarios or personal devices less secure. To protect your users, you can make sure the client keeps asking for Azure multifactor authentication credentials more frequently. This article will show you how to configure the Conditional Access policy for Azure Virtual Desktop to enable this setting.
19+
While remembering credentials is convenient, it can also make deployments for Enterprise scenarios using personal devices less secure. To protect your users, you can make sure the client keeps asking for Azure AD Multi-Factor Authentication credentials more frequently. You can use Conditional Access to configure this behavior.
20+
21+
Learn how to enforce Azure AD Multi-Factor Authentication for Azure Virtual Desktop and optionally configure sign-in frequency below.
2022

2123
## Prerequisites
2224

2325
Here's what you'll need to get started:
2426

25-
- Assign users a license that includes Azure Active Directory Premium P1 or P2.
26-
- An Azure Active Directory group with your users assigned as group members.
27-
- Enable Azure multifactor authentication for all your users. For more information about how to do that, see [How to require two-step verification for a user](../active-directory/authentication/howto-mfa-userstates.md#view-the-status-for-a-user).
28-
29-
> [!NOTE]
30-
> The following setting also applies to the [Azure Virtual Desktop web client](https://rdweb.wvd.microsoft.com/arm/webclient/index.html).
27+
- Assign users a license that includes [Azure Active Directory Premium P1 or P2](../active-directory/authentication/concept-mfa-licensing.md).
28+
- An [Azure Active Directory group](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md) with your Azure Virtual Desktop users assigned as group members.
29+
- Enable Azure AD Multi-Factor Authentication for your users. For more information about how to do that, see [Enable Azure AD Multi-Factor Authentication](../active-directory/authentication/tutorial-enable-azure-mfa.md).
3130

3231
## Create a Conditional Access policy
3332

34-
Here's how to create a Conditional Access policy that requires multifactor authentication when connecting to Azure Virtual Desktop:
35-
36-
1. Sign in to the **Azure portal** as a global administrator, security administrator, or Conditional Access administrator.
37-
2. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
38-
3. Select **New policy**.
39-
4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
40-
5. Under **Assignments**, select **Users and groups**.
41-
6. Under **Include**, select **Select users and groups** > **Users and groups** > Choose the group you created in the [prerequisites](#prerequisites) stage.
42-
7. Select **Done**.
43-
8. Under **Cloud apps or actions** > **Include**, select **Select apps**.
44-
9. Select one of the following apps based on which version of Azure Virtual Desktop you're using.
33+
Here's how to create a Conditional Access policy that requires multi-factor authentication when connecting to Azure Virtual Desktop:
34+
35+
1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator, security administrator, or Conditional Access administrator.
36+
1. In the search bar, type *Azure Active Directory* and select the matching service entry.
37+
1. Browse to **Security** > **Conditional Access**.
38+
1. Select **New policy** > **Create new policy**.
39+
1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
40+
1. Under **Assignments**, select **Users or workload entities**.
41+
1. Under the **Include** tab, select **Select users and groups** and tick **Users and groups**. On the right, search for and choose the group that contains your Azure Virtual Desktop users as group members.
42+
1. Select **Select**.
43+
1. Under **Assignments**, select **Cloud apps or actions**.
44+
1. Under the **Include** tab, select **Select apps**.
45+
1. On the right, select one of the following apps based on which version of Azure Virtual Desktop you're using.
4546

46-
- If you're using Azure Virtual Desktop (classic), choose these apps:
47-
48-
- **Windows Virtual Desktop** (App ID 5a0aa725-4958-4b0c-80a9-34562e23f3b7)
49-
- **Windows Virtual Desktop Client** (App ID fa4345a4-a730-4230-84a8-7d9651b86739), which will let you set policies on the web client
47+
- If you're using Azure Virtual Desktop (based on Azure Resource Manager), choose this app:
5048

51-
After that, skip ahead to step 11.
49+
- **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07)
5250

53-
- If you're using Azure Virtual Desktop, choose this app instead:
51+
> [!TIP]
52+
> The app name was previously *Windows Virtual Desktop*. If you registered the *Microsoft.DesktopVirtualization* resource provider before the display name changed, the application will be named **Windows Virtual Desktop** with the same app ID as above.
53+
54+
After that, go to step 10.
55+
56+
- If you're using Azure Virtual Desktop (classic), choose these apps:
5457

55-
- **Azure Virtual Desktop** (App ID 9cdead84-a844-4324-93f2-b2e6bb768d07)
58+
- **Windows Virtual Desktop** (app ID 5a0aa725-4958-4b0c-80a9-34562e23f3b7)
59+
- **Windows Virtual Desktop Client** (app ID fa4345a4-a730-4230-84a8-7d9651b86739), which will let you set policies on the web client
5660

57-
After that, go to step 10.
61+
> [!TIP]
62+
> If you're using Azure Virtual Desktop (classic) and if the Conditional Access policy blocks all access excluding Azure Virtual Desktop app IDs, you can fix this by also adding the **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) to the policy. Not adding this app ID will block feed discovery of Azure Virtual Desktop (classic) resources.
5863
59-
>[!IMPORTANT]
60-
> Don't select the app called Azure Virtual Desktop Azure Resource Manager Provider (50e95039-b200-4007-bc97-8d5790743a63). This app is only used for retrieving the user feed and shouldn't have multifactor authentication.
61-
>
62-
> If you're using Azure Virtual Desktop (classic), if the Conditional Access policy blocks all access and only excludes Azure Virtual Desktop app IDs, you can fix this by adding the app ID 9cdead84-a844-4324-93f2-b2e6bb768d07 to the policy. Not adding this app ID will block feed discovery of Azure Virtual Desktop (classic) resources.
64+
After that, skip ahead to step 11.
6365

64-
10. Once you've selected your app, choose **Select**, and then select **Done**.
66+
> [!IMPORTANT]
67+
> Don't select the app called Azure Virtual Desktop Azure Resource Manager Provider (app ID 50e95039-b200-4007-bc97-8d5790743a63). This app is only used for retrieving the user feed and shouldn't have multi-factor authentication.
6568
66-
> [!div class="mx-imgBorder"]
67-
> ![A screenshot of the Cloud apps or actions page. The Azure Virtual Desktop and Azure Virtual Desktop Client apps are highlighted in red.](media/cloud-apps-enterprise.png)
69+
1. Once you've selected your app, select **Select**.
6870

69-
>[!NOTE]
70-
>To find the App ID of the app you want to select, go to **Enterprise Applications** and select **Microsoft Applications** from the application type drop-down menu.
71-
72-
11. Go to **Conditions** > **Client apps**. In **Configure**, select **Yes**, and then select where to apply the policy:
71+
> [!div class="mx-imgBorder"]
72+
> ![A screenshot of the Conditional Access Cloud apps or actions page. The Azure Virtual Desktop app is shown.](media/cloud-apps-enterprise.png)
7373
74+
1. Under **Assignments**, select **Conditions** > **Client apps**. On the right, for **Configure**, select **Yes**, and then select the client apps this policy will apply to:
75+
76+
- Select both check boxes if you want to apply the policy to all clients.
7477
- Select **Browser** if you want the policy to apply to the web client.
7578
- Select **Mobile apps and desktop clients** if you want to apply the policy to other clients.
76-
- Select both check boxes if you want to apply the policy to all clients.
79+
- Deselect values for legacy authentication clients.
7780

7881
> [!div class="mx-imgBorder"]
79-
> ![A screenshot of the Client apps page. The user has selected the mobile apps and desktop clients check box.](media/select-apply.png)
82+
> ![A screenshot of the Conditional Access Client apps page. The user has selected the mobile apps and desktop clients, and browser check boxes.](media/conditional-access-client-apps.png)
83+
84+
1. Once you've selected the client apps this policy will apply to, select **Done**.
85+
1. Under **Assignments**, select **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and then select **Select**.
86+
1. At the bottom of the page, set **Enable policy** to **On** and select **Create**.
87+
88+
> [!NOTE]
89+
> When you use the web client to sign in to Azure Virtual Desktop through your browser, the log will list the client app ID as a85cf173-4192-42f8-81fa-777a763e6e2c (Azure Virtual Desktop client). This is because the client app is internally linked to the server app ID where the conditional access policy was set.
90+
91+
> [!TIP]
92+
> Some users may see a prompt titled *Stay signed in to all your apps* if the Windows device they're using is not already registered with Azure AD. If they deselect **Allow my organization to manage my device** and select **No, sign in to this app only**, this may reappear frequently.
93+
94+
## Configure sign-in frequency
95+
96+
To optionally configure the time period before a user is asked to sign-in again:
97+
98+
1. Open the policy you created previously.
99+
1. Under **Assignments**, select **Access controls** > **Session**. On the right, select **Sign-in frequency**. Set the value for the time period before a user is asked to sign-in again, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, will require multi-factor authentication if a connection is launched over an hour after the last one.
100+
1. At the bottom of the page, under **Enable policy** select **Save**.
80101

81-
12. Under **Access controls** > **Grant**, select **Grant access**, **Require multi-factor authentication**, and then **Select**.
82-
13. Under **Access controls** > **Session**, select **Sign-in frequency**, set the value to the time you want between prompts, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, will require multifactor authentication if a connection is launched an hour after the last one.
83-
14. Confirm your settings and set **Enable policy** to **On**.
84-
15. Select **Create** to enable your policy.
102+
## Azure AD joined session host VMs
85103

86-
>[!NOTE]
87-
>When you use the web client to sign in to Azure Virtual Desktop through your browser, the log will list the client app ID as a85cf173-4192-42f8-81fa-777a763e6e2c (Azure Virtual Desktop client). This is because the client app is internally linked to the server app ID where the conditional access policy was set.
104+
For connections to succeed, you must [disable the legacy per-user multi-factor authentication sign-in method](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required). If you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll also need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) from your Conditional Access policy.
88105

89106
## Next steps
90107

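Review bot: the in-list cross-references are stale after the switch to `1.` auto-numbering. Counting the new steps, the app-selection step is step 11, so "After that, go to step 10." (ARM branch) points backwards to "Under the **Include** tab, select **Select apps**", and "After that, skip ahead to step 11." (classic branch) points at the very step the reader is already on; both should point at "Once you've selected your app, select **Select**" (step 12) or the intended later step. Second, the new bullet "Deselect values for legacy authentication clients." silently narrows the MFA policy: clients using legacy authentication cannot satisfy an MFA grant, so leaving them unselected means those flows are not covered by this policy at all; the doc should say why they are deselected here and point readers to a separate policy that blocks legacy authentication, otherwise the step reads as a weakening with no rationale. Minor: "## Azure AD joined session host VMs" should be "Azure AD-joined" for consistency with the hyphenated form used elsewhere in this PR (note that changing it does not alter the generated anchor), "Under **Assignments**, select **Access controls** > **Grant**" places Access controls under Assignments, which does not match the portal's section layout described by the earlier steps, and "asked to sign-in again" should use the verb form "sign in" (twice in the sign-in frequency section).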