question

0 Votes
KavinduAsangaDayananda-1079 asked SimonBurbery-5684 answered

Exclude MFA for Office applications inside WVD

Hi,

We have a requirement to exclude MFA when users access Office applications inside WVD while logging in from our corporate network.

I know that we can exclude the WVD app/trusted locations from Conditional Access, and when we configure it like that, it will not prompt for MFA for WVD but will still prompt for Office applications inside. Our requirement is that when users log in to WVD from the corporate network, they should not get an MFA prompt for any Office application inside the WVD session.

All the session hosts have only private static IPs. Public IP (Internet) is dynamic.

Please advise.

Regards,
Kavindu

Tags: azure-virtual-desktop, azure-ad-multi-factor-authentication, azure-ad-conditional-access

0 Votes
MarileeTurscak-MSFT answered

You should be able to set up Conditional Access to exclude users in certain locations from the MFA policy while they are accessing certain applications, using the steps in this article.

Conditional Access policies allow you to include or exclude users, and allow you to select "mobile apps and desktop clients" based on location. Is that what you are looking for?

If it needs to be more granular than the options in that article, this may require a feature request in UserVoice.


0 Votes
VclavKonekSC-2488 answered VclavKonekSC-2488 published

Excluding a location works for static IPs. But the WVD public IP (Internet) is dynamic.


0 Votes
SimonBurbery-9608 answered VclavKonekSC-2488 commented

You can add an outbound NAT gateway to the network your AVD hosts are in. That gives you a known outbound IP you can then exclude from your MFA policy.

https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-nat-gateway


Correct, working.
The trouble is the price; this solution starts at around 40€ monthly for a small AVD host.
Do you know any other solution?

0 Votes

0 Votes
SimonBurbery-5684 answered

Maybe you could get an Intune device license for the host? Then make sure it is compliant, and you can exclude compliant devices from your MFA policy. I am not sure what the cost would be in your region, but it should be closer to 10 than 40.

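The two approaches suggested above (a known egress IP from a NAT gateway, and an Intune-compliant host) can be expressed as one Conditional Access policy via Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph module is installed, that `203.0.113.10` stands in for your NAT gateway's outbound IP (placeholder), and that the display names are yours to choose.

```powershell
# Added example: named location for the corporate egress IP plus an MFA policy
# for Office 365 that skips MFA from that IP and for Intune-compliant devices.
# 203.0.113.10 is a placeholder for the NAT gateway public IP; replace it.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. Trusted named location covering only the NAT gateway egress address.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corp egress (AVD NAT gateway)"   # assumed name
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" }
    )
}

# 2. Policy: require MFA for Office 365 for all users, except when the sign-in
#    comes from the trusted egress IP or from a device Intune marks compliant.
#    Created in report-only mode so the effect can be reviewed in sign-in logs
#    before it is enforced.
$policy = @{
    displayName = "Require MFA for Office 365 except corp egress / compliant devices"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @() }  # add break-glass accounts
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
        devices        = @{
            deviceFilter = @{ mode = "exclude"; rule = 'device.isCompliant -eq True' }
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Note that the location exclusion exempts every sign-in that egresses through that IP, including any non-AVD workload sharing the subnet, so review the report-only results before switching `state` to `enabled`.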