Azure Virtual Desktop MFA requirements

Fergus Strachan 1 Reputation point
2022-06-24T13:09:44.347+00:00

There's some confusion with the requirement for a client machine to be AAD-joined/-registered to the same tenant as an AAD-joined AVD host.
Some documentation mentions this requirement, others don't.

It seems to me that this is a requirement, since trying to connect using MFA from a machine in another tenant fails with "The logon attempt failed".

My question is this... clearly the MFA requirement is more acute from non-AAD-joined/managed devices, so enabling the MFA functionality from ONLY those devices you control is arse-about-tit, as they say.

Can someone explain the reasoning/technical restraints behind this weird situation?
Also, what options do we have for our situation where we're offering a virtual desktop to people who don't want to use a corp laptop? Linux, Mac and external users.

Thanks.


2 answers

  1. James Tighe 51 Reputation points
    2022-07-08T10:53:59.607+00:00

    Are you just wanting to enable MFA when connecting to an AAD-joined Session Host/Pool from a non-joined machine?

    If so this is supported via standard Conditional Access policies.

    So if my user is on a non-AAD-joined machine or a machine joined to another tenant, I should be able to enforce Conditional Access in this case.

    Just add the Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) Cloud App to the Cloud apps or actions, and set the Grant Access to Require MFA.

    However, in order to connect to an AAD joined machine from a non-joined machine you will need to add the tennantisaadjoined:i:0 setting to the RDP properties of the host or it will fail to connect.

    James


  2. Fergus Strachan 1 Reputation point
    2022-08-07T15:50:29.1+00:00

    Yes, I want to access AAD-joined AVD hosts from non AAD-joined Windows PCs (and web browsers etc).

    Do you mean targetisaadjoined:i:1 ? This is the requirement according to the docs.

    I have this set, and I'm using CAP to enforce MFA but it fails.

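The two settings the answers above discuss, the host pool RDP property for non-AAD-joined clients and a Conditional Access policy that requires MFA for the Azure Virtual Desktop cloud app (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07, from James's answer), written out as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the Az.DesktopVirtualization and Microsoft.Graph modules, a signed-in admin, and uses placeholder names for the resource group, host pool, user group and break-glass account. It uses targetisaadjoined:i:1, the value Fergus's reply cites from the docs.

```powershell
# Added example: wire up the host pool RDP property and the MFA Conditional Access policy.
# Assumes: Az.DesktopVirtualization + Microsoft.Graph modules installed; admin already signed in.
# Placeholders (replace): rg-avd, hp-avd, <avd-users-group-object-id>, <break-glass-account-object-id>.

Connect-AzAccount
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# 1. Host pool custom RDP properties.
#    CustomRdpProperty is one semicolon-separated string; preserve existing entries and
#    replace any existing targetisaadjoined:* entry rather than appending a duplicate.
$hp = Get-AzWvdHostPool -ResourceGroupName "rg-avd" -Name "hp-avd"
$existing = @()
if ($hp.CustomRdpProperty) {
    $existing = $hp.CustomRdpProperty -split ';' |
        Where-Object { $_ -and $_ -notlike 'targetisaadjoined:*' }
}
$newProps = ($existing + 'targetisaadjoined:i:1') -join ';'
Update-AzWvdHostPool -ResourceGroupName "rg-avd" -Name "hp-avd" -CustomRdpProperty "$newProps;"

# 2. Conditional Access policy: require MFA for the Azure Virtual Desktop cloud app.
#    Created in report-only first so sign-in logs can be checked for unintended lockouts
#    before switching state to "enabled"; a break-glass account is excluded.
$policy = @{
    displayName = "AVD - require MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeGroups = @("<avd-users-group-object-id>")
            excludeUsers  = @("<break-glass-account-object-id>")
        }
        applications   = @{
            includeApplications = @("9cdead84-a844-4324-93f2-b2e6bb768d07")  # Azure Virtual Desktop (from the answer above)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Read back both settings so the change can be verified.
(Get-AzWvdHostPool -ResourceGroupName "rg-avd" -Name "hp-avd").CustomRdpProperty
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

After the policy has run in report-only mode for a while, the Entra sign-in logs show which AVD connections would have been challenged; only then switch `state` to `enabled`. If a client still fails with "The logon attempt failed", check the host pool's RDP properties first, since a missing or mistyped targetisaadjoined entry produces that error regardless of the Conditional Access policy.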