articles/virtual-desktop/set-up-mfa.md
4 additions & 6 deletions
@@ -3,7 +3,7 @@ title: Enforce Microsoft Entra multifactor authentication for Azure Virtual Desk
3
3
description: How to enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access to help make it more secure.
4
4
author: dknappettmsft
5
5
ms.topic: how-to
6
-
ms.date: 03/28/2025
6
+
ms.date: 04/02/2025
7
7
ms.author: daknappe
8
8
ms.custom: docs_inherited
9
9
---
@@ -17,9 +17,7 @@ Users can sign into Azure Virtual Desktop from anywhere using different devices
17
17
18
18
When a user connects to a remote session, they need to authenticate to the Azure Virtual Desktop service and the session host. If MFA is enabled, it's used when connecting to the Azure Virtual Desktop service and the user is prompted for their user account and a second form of authentication, in the same way as accessing other services. When a user starts a remote session, a username and password is required for the session host, but this is seamless to the user if single sign-on (SSO) is enabled. For more information, see [Authentication methods](authentication.md#authentication-methods).
19
19
20
-
How often a user is prompted to reauthenticate depends on [Microsoft Entra session lifetime configuration settings](../active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md#azure-ad-session-lifetime-configuration-settings). For example, if their Windows client device is registered with Microsoft Entra ID, it receives a [Primary Refresh Token (PRT)](../active-directory/devices/concept-primary-refresh-token.md) to use for single sign-on (SSO) across applications. Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.
21
-
22
-
While remembering credentials is convenient, it can also make deployments for Enterprise scenarios using personal devices less secure. To protect your users, you can make sure the client keeps asking for Microsoft Entra multifactor authentication credentials more frequently. You can use Conditional Access to configure this behavior.
20
+
How often a user is prompted to reauthenticate depends on [Microsoft Entra Conditional Access adaptive session lifetime policies](/entra/identity/conditional-access/concept-session-lifetime). While remembering credentials is convenient, it can also make deployments using personal devices less secure. To protect your users, you can make sure the client asks for Microsoft Entra multi-factor authentication credentials more frequently. You can use Conditional Access sign-in frequency to configure this behavior.
23
21
24
22
Learn how to enforce MFA for Azure Virtual Desktop and optionally configure sign-in frequency in the following sections.
25
23
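Review bot: the replaced paragraph drops the explanation of why users are not re-prompted by default (the Primary Refresh Token, its 14-day validity and its continuous renewal while the device is in use) together with the link to the PRT concept page, so the sentence that follows, about making the client ask for MFA credentials more frequently, no longer has a stated default to contrast against; consider keeping one sentence such as `Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.` with its link, or pointing at the PRT concept page next to the new session lifetime link. Also, the new line writes `multi-factor authentication` while the title, the description and the rest of the article use `multifactor authentication`; keep the spelling consistent.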
@@ -107,7 +105,7 @@ Here's how to create a Conditional Access policy that requires multifactor authe
107
105
108
106
## Configure sign-in frequency
109
107
110
-
Sign-in frequency policies let you configure how often users are required to sign-in when accessing Microsoft Entra-based resources. This can help secure your environment and is especially important for personal devices, where the local OS may not require MFA or may not lock automatically after inactivity. Users are prompted to authenticate only when a new access token is requested from Microsoft Entra ID when accessing a resource.
108
+
[Sign-in frequency policies](/entra/identity/conditional-access/concept-session-lifetime) let you configure how often users are required to sign-in when accessing Microsoft Entra-based resources. This can help secure your environment and is especially important for personal devices, where the local OS may not require MFA or may not lock automatically after inactivity. Users are prompted to authenticate only when a new access token is requested from Microsoft Entra ID when accessing a resource.
111
109
112
110
Sign-in frequency policies result in different behavior based on the Microsoft Entra app selected:
113
111
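Review bot: the `+` line carries over `users are required to sign-in` from the old text, where `sign in` is the verb and `sign-in` the noun or adjective (compare `Sign-in frequency policies` at the start of the same sentence); since the line is being touched anyway, change it to `how often users are required to sign in`. The link target is the same concept page already linked in the previous hunk, which is fine, but the visible link text differs between the two (`Microsoft Entra Conditional Access adaptive session lifetime policies` versus `Sign-in frequency policies`), so a reader may not realise both lead to the same place; aligning the link text would make that clearer.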
@@ -123,7 +121,7 @@ To configure the time period after which a user is asked to sign-in again:
123
121
1. In the **Session** pane, select **Sign-in frequency**.
124
122
1. Select **Periodic reauthentication** or **Every time**.
125
123
- If you select **Periodic reauthentication**, set the value for the time period after which a user is asked to sign-in again when performing an action that requires a new access token, and then select **Select**. For example, setting the value to **1** and the unit to **Hours**, requires multifactor authentication if a connection is launched more than an hour after the last user authentication.
126
-
- The **Every time** option is only supported when applied to the **Microsoft Remote Desktop** and **Windows Cloud Login** apps when single sign-on is enabled for your host pool. If you select **Every time**, users are prompted to reauthenticate when launching a new connection after a period of 5 to 10 minutes since their last authentication.
124
+
- The [**Every time**](/entra/identity/conditional-access/concept-session-lifetime#require-reauthentication-every-time) option is only supported when applied to the **Microsoft Remote Desktop** and **Windows Cloud Login** apps when single sign-on is enabled for your host pool. If you select **Every time**, users are prompted to reauthenticate when launching a new connection after a period of 5 to 10 minutes since their last authentication.
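Review bot: the `+` line says **Every time** is only supported for the **Microsoft Remote Desktop** and **Windows Cloud Login** apps when single sign-on is enabled for the host pool, but it does not tell the reader what to expect if the policy is applied to other apps or to a host pool without SSO; a short sentence on that outcome, or a pointer to the part of the linked Entra page that covers it, would close the gap. The hunk header `asked to sign-in again` and the unchanged context line `a user is asked to sign-in again` have the same verb hyphenation issue as the previous hunk (`sign in` is the verb); a follow-up could fix these consistently across the article.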