There's some confusion with the requirement for a client machine to be AAD-joined/-registered to the same tenant as an AAD-joined AVD host.
Some documentation mentions this requirement, others don't.
It seems to me that this is a requirement, since trying to connect using MFA from a machine in another tenant fails with "The logon attempt failed".
My question is this... clearly MFA requirement is more acute from non AAD-joined/managed devices, so enabling the MFA functionality from ONLY those devices you control is arse-about-tit, as they say.
Can someone explain the reasoning/technical restraints behind this weird situation?
Also, what options do we have for our situation where we're offering a virtual desktop to people who don't want to use a corp laptop? Linux, Mac and external users.
Thanks.
Yes, I want to access AAD-joined AVD hosts from non AAD-joined Windows PCs (and web browsers etc).
Do you mean targetisaadjoined:i:1 ? This is the requirement according to the docs.
I have this set, and I'm using CAP to enforce MFA but it fails.
Are you just wanting to enable MFA when connecting to an AAD-joined Session Host/Pool from a non-joined machine?
If so this is supported via standard Conditional Access policies.
So if my user is on a non-AAD-joined machine or a machine joined to another tenant, I should be able to enforce conditional access in this case.
Just add the Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) Cloud App to the Cloud apps or actions, and set the Grant Access to Require MFA.
However, in order to connect to an AAD joined machine from a non-joined machine you will need to add the tennantisaadjoined:i:0 setting to the RDP properties of the host or it will fail to connect.
James
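The two steps from this answer, scripted in PowerShell, as an added example that is not code from the thread or from Microsoft. It assumes the Microsoft.Graph and Az.DesktopVirtualization modules; the resource group, host pool name and the AVD users group ID are placeholders. The app ID is the one given in the answer above, and the RDP property name used is targetisaadjoined:i:1 as quoted from the docs in the follow-up comment above. The policy is created in report-only state first, and the host-pool property is appended to any custom RDP properties already present rather than overwriting them.

```powershell
# Added example: Conditional Access MFA policy for AVD plus the host-pool RDP
# property for non-AAD-joined clients. Not code from the thread; resource
# names and the group ID are placeholders (assumptions).
#Requires -Modules Microsoft.Graph.Identity.SignIns, Az.DesktopVirtualization

# --- Step 1: Conditional Access policy targeting the Azure Virtual Desktop app ---
# App ID from the answer above. The policy starts in report-only so sign-in
# logs can be reviewed before it is enforced.
$AvdAppId      = '9cdead84-a844-4324-93f2-b2e6bb768d07'
$TargetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: AVD users group

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All'

$policy = @{
    displayName = 'AVD - Require MFA (all devices)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($AvdAppId) }
        users          = @{ includeGroups = @($TargetGroupId) }
        # No device filter or device-state condition on purpose: the point is
        # that MFA is required from unmanaged and other-tenant devices as well.
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created CA policy $($created.Id) in state $($created.State)"

# --- Step 2: host-pool RDP property for non-joined clients ---
# CustomRdpProperty is a single ';'-separated string and Update-AzWvdHostPool
# replaces it wholesale, so read the current value and append instead of
# clobbering whatever is already set (drive redirection, timeouts, etc.).
$ResourceGroup = 'rg-avd'            # placeholder
$HostPoolName  = 'hp-avd-aadjoined'  # placeholder
$RdpProperty   = 'targetisaadjoined:i:1'   # name as quoted from the docs above

Connect-AzAccount | Out-Null
$pool  = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$props = @()
if ($pool.CustomRdpProperty) {
    $props = @($pool.CustomRdpProperty.TrimEnd(';') -split ';' | Where-Object { $_ })
}
if ($props -notcontains $RdpProperty) {
    $props   += $RdpProperty
    $newValue = ($props -join ';') + ';'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
        -CustomRdpProperty $newValue | Out-Null
    Write-Host "CustomRdpProperty is now: $newValue"
} else {
    Write-Host 'RDP property already present; host pool left unchanged.'
}
```

Run this with an account that holds Conditional Access Administrator in the tenant and Contributor on the host pool. Before flipping the policy state to enabled, sign in from a non-joined Windows client and from the web client and confirm in the Entra sign-in logs that the report-only policy evaluates to "Report-only: Failure" or "Success" as expected for the Azure Virtual Desktop app.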