Commit e6d1bac

Merge pull request #96618 from SanDeo-MSFT/patch-39
Update howto-vm-sign-in-azure-ad-windows.md
2 parents d72f743 + 78a10a1 commit e6d1bac

1 file changed

+15
-4
lines changed

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

Lines changed: 15 additions & 4 deletions
@@ -31,8 +31,8 @@ There are many benefits of using Azure AD authentication to log in to Windows VM
3131
- Azure RBAC allows you to grant the appropriate access to VMs based on need and remove it when it is no longer needed.
3232
- Before allowing access to a VM, Azure AD Conditional Access can enforce additional requirements such as:
3333
- Multi-factor authentication
34-
- Sign-in risk
35-
- Automate and scale Azure AD join for Azure based Windows VMs.
34+
- Sign-in risk check
35+
- Automate and scale Azure AD join of Azure Windows VMs that are part for your VDI deployments.
3636

3737
## Requirements
3838

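Review bot: typo in the rewritten bullet on new line 35, "Azure Windows VMs that are part for your VDI deployments" should read "part of your VDI deployments". The rewording also narrows the earlier, general benefit ("Automate and scale Azure AD join for Azure based Windows VMs") to VDI deployments only; if join automation is not limited to VDI, keep the general statement and name VDI as an example rather than the only case.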
@@ -65,7 +65,7 @@ To use Azure AD login in for Windows VM in Azure, you need to first enable Azure
6565
There are multiple ways you can enable Azure AD login for your Windows VM:
6666

6767
- Using the Azure portal experience when creating a Windows VM
68-
- Using the Azure Cloud Shell experience when creating a Windows VM or for an existing Windows VM
68+
- Using the Azure Cloud Shell experience when creating a Windows VM **or for an existing Windows VM**
6969

7070
### Using Azure portal create VM experience to enable Azure AD login
7171

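Review bot: the bold on "**or for an existing Windows VM**" in the second bullet is the only emphasis in this list and reads as a highlight left over from the edit rather than deliberate formatting. Either drop the bold, or, if the point is that existing VMs can also be enabled, split it into its own bullet ("Using the Azure Cloud Shell experience for an existing Windows VM") so the three cases are parallel with the portal bullet above.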
@@ -184,6 +184,14 @@ For more information on how to use RBAC to manage access to your Azure subscript
184184
- [Manage access to Azure resources using RBAC and the Azure portal](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal)
185185
- [Manage access to Azure resources using RBAC and Azure PowerShell](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-powershell).
186186

187+
## Using Conditional Access
188+
189+
You can enforce Conditional Access policies such as multi-factor authentication or user sign-in risk check before authorizing access to Windows VMs in Azure that are enabled with Azure AD sign in. To apply Conditional Access policy, you must select "Azure Windows VM Sign-In" app from the cloud apps or actions assignment option and then use Sign-in risk as a condition and/or
190+
require multi-factor authentication as a grant access control.
191+
192+
> [!NOTE]
193+
> If you use "Require multi-factor authentication" as a grant access control for requesting access to "Azure Windows VM Sign-In" app, then you must supply multi-factor authentication claim as part of the client that initiates the RDP session to the target Windows VM in Azure. The only way to achieve this on a Windows 10 client is to use Windows Hello for Business PIN or biometric auth during RDP. Biometric auth for RDP is supported starting Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
194+
187195
## Log in using Azure AD credentials to a Windows VM
188196

189197
> [!IMPORTANT]
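Review bot: the last two sentences of the new NOTE (biometric auth for RDP from Windows 10 1809; Windows Hello for Business during RDP only with the cert trust model, not key trust) are repeated word for word in the troubleshooting NOTE added later in this same change; keep the detail in one place and link to it from the other so the two copies cannot drift. Two smaller points on the same hunk: new lines 189 and 190 break a single sentence after "and/or", which renders fine but is inconsistent with the one-line paragraphs elsewhere in the file, and "Azure AD sign in" should be hyphenated ("sign-in") to match the "Azure Windows VM Sign-In" app name used in the same sentence. It would also help the reader to say here what happens when the client cannot present the MFA claim, that is, the "sign-in method you're trying to use isn't allowed" error covered in the troubleshooting section.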
@@ -334,7 +342,10 @@ If you see the following error message when you initiate a remote desktop connec
334342

335343
![The sign-in method you're trying to use isn't allowed.](./media/howto-vm-sign-in-azure-ad-windows/mfa-sign-in-method-required.png)
336344

337-
If you have configured a Conditional Access policy that requires MFA to be done before you can access the RBAC resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the following error.
345+
If you have configured a Conditional Access policy that requires MFA to be done before you can access the RBAC resource, then you need to ensure that the Windows 10 PC initiating the remote desktop connection to your VM signs in using a strong authentication method such as Windows Hello. If you do not use a strong authentication method for your remote desktop connection, you will see the following error. If you have not deployed Windows Hello for Business and if that is not an option for now, you can exlcude MFA requirement by configuring Conditional Access policy that excludes "Azure Windows VM Sign-In" app from the list of cloud apps that require MFA. To learn more about Windows Hello for Business, see [Windows Hello for Business Overview] (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification).
346+
347+
> [!NOTE]
348+
> Windows Hello for Business PIN auth during RDP has been supported for long now, however using Biometric auth for RDP is supported starting Windows 10 1809. Using Windows Hello for Business auth during RDP is only available for deployments that use cert trust model and currently not available for key trust model.
338349
339350
## Preview feedback
340351

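Review bot: the workaround on new line 345 tells the reader they can exclude the "Azure Windows VM Sign-In" app from the MFA policy but does not state the cost: RDP sign-in to those VMs is then no longer covered by the MFA requirement for any user the policy applies to, so the text should spell out that trade-off and present deploying Windows Hello for Business as the recommended path rather than an equal alternative. In the same line, fix "exlcude" to "exclude", remove the space in "[Windows Hello for Business Overview] (https://...)" which breaks the Markdown link, and drop the "/en-us/" locale segment so the URL matches the other docs.microsoft.com links in this file (for example line 184). In the new NOTE, "has been supported for long now" is awkward; "has been supported for some time" or a concrete version would be clearer.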