What’s up, everyone!
Last week I got a question that I thought was worth sharing with everyone. A company was looking to implement Windows 365 Cloud PCs for contractors, but they wanted to make sure that contractors have to sign in to the Cloud PC every single time, even when they have a disconnected session, and even when they recently signed in and already satisfied the MFA requirements.
First ideas... that didn't work!
My first thought immediately went to Conditional Access. Why not create a Conditional Access policy that is scoped to a single user (for testing purposes) and targets the Windows 365 and Azure Virtual Desktop cloud apps? That would look something like this:
Next go to Access Controls and select Require multifactor authentication.
And finish up with configuring the Sign-in frequency in the session controls. You just have to select the Every time radio button… Right?
Well, nope. Windows 365 and Azure Virtual Desktop do not support the Every time sign-in frequency. So if you want to use Conditional Access in this scenario, you'll have to use Periodic reauthentication, where 1 hour is the lowest interval. That still lets a contractor disconnect and reconnect within that hour without a new prompt, which is not the question we are trying to answer. Alright, so that obviously didn't work.
So my next idea was to use an Authentication Strength. What would happen if a contractor had to use a FIDO2 security key, which is part of the built-in Phishing-resistant MFA authentication strength, or if we required passwordless MFA such as the Microsoft Authenticator app?
Well, an authentication strength controls how the contractor authenticates, not how often. Once they have satisfied it by opening the Windows 365 App or signing in to the web client, they can sign in to their Cloud PC. If they disconnect, their session is still authenticated and they can reconnect to the Cloud PC without another prompt, and that is exactly what we are trying to prevent. Alright, obviously it was time for a coffee.
Sometimes the easiest solution works best
So while enjoying a nice coffee I got the feeling that I was making this way too difficult. If you sign in to the Windows 365 App or the web client, you'll see the Cloud PCs that are assigned to you. At that point you have authenticated to the control plane, but you aren't signed in to the Cloud PC itself. And that's actually where the simple solution to this problem is. Once you click on the Cloud PC, you most likely sign in to the Cloud PC using Microsoft Entra single sign-on, which reuses the token you already have. That behaviour is configured in the Provisioning Policy: the checkbox next to Use Microsoft Entra single sign-on (preview).
If you have a provisioning policy just for the contractors, all you have to do is uncheck this box and reprovision the Cloud PCs (keep in mind that reprovisioning resets the Cloud PC, so anything stored on it is lost). When the contractor signs in to the Windows 365 App, they will still see the Cloud PC that is assigned to them, but when they connect to it they have to enter their credentials again, even if the Cloud PC is in a disconnected state. Note that this second prompt is the regular Windows credential prompt for the Cloud PC, not another Entra MFA prompt; the Conditional Access policy with MFA still applies at the control plane, so make sure that one is in place as well.
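The same change can be made from PowerShell instead of the portal. The script below is an added example (not code from the original post or from Microsoft) that uses the Microsoft Graph PowerShell SDK against the beta virtual endpoint API: it looks up the contractor provisioning policy, reports and disables its `enableSingleSignOn` setting, and optionally reprovisions the Cloud PCs that were created from that policy. The policy display name, the `Contractors - Cloud PC` value, and the requirement that the caller holds `CloudPC.ReadWrite.All` are assumptions for the sake of the example.

```powershell
<#
  Added example, not the author's code. Disables "Use Microsoft Entra single sign-on"
  on one Windows 365 provisioning policy via Microsoft Graph (beta) and, if asked,
  reprovisions the Cloud PCs that belong to it.

  Assumptions (not from the original post):
    - Microsoft.Graph.Authentication module is installed
    - the signed-in account holds the CloudPC.ReadWrite.All permission
    - the contractor policy is named "Contractors - Cloud PC"
#>
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$PolicyName = 'Contractors - Cloud PC',   # assumed display name
    [switch]$Reprovision                              # destructive: resets the Cloud PCs
)

Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint'

# Follow @odata.nextLink so large tenants are handled, not just the first page.
function Get-GraphCollection {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# 1. Find the provisioning policy and show the current SSO setting.
$policy = Get-GraphCollection "$base/provisioningPolicies" |
          Where-Object { $_.displayName -eq $PolicyName }
if (-not $policy) { throw "Provisioning policy '$PolicyName' not found." }
if (@($policy).Count -gt 1) { throw "More than one policy is named '$PolicyName'." }

"Policy '{0}' ({1}): enableSingleSignOn = {2}" -f $policy.displayName, $policy.id, $policy.enableSingleSignOn

# 2. Turn Entra SSO off so the Cloud PC prompts for credentials on every connection.
if ($policy.enableSingleSignOn) {
    if ($PSCmdlet.ShouldProcess($policy.displayName, 'Set enableSingleSignOn = false')) {
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/provisioningPolicies/$($policy.id)" `
            -Body @{ enableSingleSignOn = $false } -ContentType 'application/json'
        'enableSingleSignOn is now false.'
    }
} else {
    'Single sign-on is already disabled on this policy.'
}

# 3. Existing Cloud PCs keep the setting they were provisioned with, so reprovision them.
#    Reprovisioning wipes the Cloud PC, hence the -Reprovision switch and the confirmation.
$cloudPcs = Get-GraphCollection "$base/cloudPCs" |
            Where-Object { $_.provisioningPolicyId -eq $policy.id }
"{0} Cloud PC(s) were provisioned by this policy." -f @($cloudPcs).Count

if ($Reprovision) {
    foreach ($pc in $cloudPcs) {
        if ($PSCmdlet.ShouldProcess("$($pc.managedDeviceName) ($($pc.userPrincipalName))", 'Reprovision')) {
            Invoke-MgGraphRequest -Method POST -Uri "$base/cloudPCs/$($pc.id)/reprovision"
            "Reprovision requested for $($pc.managedDeviceName)."
        }
    }
} else {
    'Run again with -Reprovision to apply the change to the existing Cloud PCs.'
}
```

Run it once without `-Reprovision` to confirm that the correct policy is selected and to flip the setting; the Cloud PC list it prints is the blast radius of the reprovision step, which is why that step is behind a separate switch and a `ShouldProcess` confirmation. Because only the contractor policy is touched, Cloud PCs for regular employees keep Entra single sign-on.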
And that is all there is to it!