Forum Discussion
DavidBelanger
Microsoft
Jul 14, 2021
PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs
We are excited to announce the public preview of Azure AD joined VMs support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure por...
- Jul 15, 2021: End-to-end single sign-on is definitely something we are working on, but it isn't available in the first release due to the protocol we are using. We know how important that feature is.
Nikonline
Jul 22, 2021, Copper Contributor
DavidBelanger, perhaps you need to highlight to users that this solution doesn't support MFA, which to me is a major blocker. I had to disable MFA-related CA policies (organisation-wide) to leverage AAD joining and Intune enrolment at the time of deployment. Any advice on security?
- Peter Meuser, Jul 22, 2021, Copper Contributor: Nikonline, you should be able to switch from the global setting "Require Multi-Factor Authentication to register or join devices with Azure AD" to a more recent approach based on a targeted CA policy for "Microsoft Intune Enrollment" that enforces MFA without sacrificing security.
- Nikonline, Jul 22, 2021, Copper Contributor: As I mentioned, I had to disable CA policies that involved MFA. How can we secure access to VMs without MFA, unless there is something that I am missing?
- Peter Meuser, Jul 22, 2021, Copper Contributor: I am currently designing secure access to VMs this way:
1. Session VMs can't be accessed directly from the Internet (e.g. using RDP; that would be a bad security design anyway)
2. Sign-in to VMs is excluded from MFA
3. Access to Azure Virtual Desktop requires MFA (AVD is the inbound gateway to session VMs)
I have inspected the sign-in logs in detail, and the behavior is as expected.
So overall, MFA will be required first to get inside your virtual networks, but then inside the networks password authentication is enough.
Would this fit the security level of your use case? Of course, to follow a strict Zero Trust approach, Microsoft needs to deliver enforced MFA for VM sign-in at a later stage. As far as I understand, this is in scope.
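One way to express steps 2 and 3 of the design above as Conditional Access policies, plus the sign-in log check, is sketched below. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph PowerShell module, that the tenant's service principals are named "Azure Virtual Desktop" and "Azure Windows VM Sign-In", and a hypothetical break-glass group named "sg-breakglass". Step 1 (no RDP from the Internet) is a network-layer control and is not covered here.

```powershell
# Added example (not from the thread). Requires the Microsoft.Graph PowerShell module.
# Assumptions: the two service principal display names exist in the tenant;
# "sg-breakglass" is a hypothetical group used as a CA exclusion.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "AuditLog.Read.All", "Group.Read.All"

# Resolve app IDs by display name instead of hard-coding GUIDs.
$avdApp     = Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop'"
$vmApp      = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-breakglass'"

# Step 3: require MFA at the AVD gateway, the only inbound path to the session VMs.
$gatewayPolicy = @{
    displayName   = "CA - Require MFA for Azure Virtual Desktop"
    state         = "enabledForReportingButNotEnforced"   # report-only first, switch to 'enabled' after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @($avdApp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $gatewayPolicy

# Step 2: the Windows VM sign-in app is excluded from the tenant-wide MFA policy,
# because the session host sign-in cannot complete an MFA prompt in this release.
$allAppsPolicy = @{
    displayName   = "CA - Require MFA for all cloud apps (except VM sign-in)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All"); excludeApplications = @($vmApp.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allAppsPolicy

# Verification, as described in the post: VM sign-ins should show
# singleFactorAuthentication, AVD sign-ins multiFactorAuthentication.
Get-MgAuditLogSignIn -Filter "appId eq '$($vmApp.AppId)' or appId eq '$($avdApp.AppId)'" -Top 50 |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, AuthenticationRequirement,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize
```

Review the report-only results in the sign-in logs before changing either policy's state to "enabled", so a misconfigured exclusion does not lock users out of the session hosts.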