Planning and Implementing Multi-Factor Authentication in Azure Virtual Desktop
Start course

This course will help you manage security on your Azure Virtual Desktop and allow you to understand how it integrates with the other Azure services. It covers understanding conditional access policies, multi-factor authentication, integrating with Microsoft Defender for Cloud, and deploying antivirus onto session hosts.

Learning Objectives

  • Plan and implement conditional access policies for connection to Azure Virtual Desktop
  • Plan and implement Multi-Factor Authentication in Azure Virtual Desktop
  • Manage security by using Microsoft Defender for Cloud
  • Configure Microsoft Defender Antivirus for session hosts

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist or anyone preparing to take the AZ-140 exam.


If you wish to get the most out of this course, you should have a good understanding of Azure administration, however, this is not essential.


Welcome to this module on planning and implementing multi-factor authentication in Azure Virtual Desktop. In this module, we'll cover the following topics. We'll look at what is required to integrate Azure Virtual Desktop with Multi-Factor Authentication, better known as MFA. We will complete this lecture by doing a walk-through demo of how to implement MFA settings.

Let's initially take a look at some of the requirements to implement multi-factor authentication with AVD. Like most Microsoft 365, services you need to ensure you have the relevant license in place. Now although MFA can be configured with the basic Azure AD subscription, this is only with security baselines in place. In order to integrate it with Azure Virtual Desktop, you require a minimum of Azure AD P1. You also need to ensure you have an existing Azure Virtual Desktop environment, including a host pool and application group.

Finally, you need to ensure you have a conditional access policy in place to enable MFA for Azure Virtual Desktop. As we saw in the demo for the last lecture, MFA is configured via a Conditional access policy. We have already seen a demo on how to configure a conditional access policy to enable MFA in the last lecture. In this demo, we are going to look at MFA settings in Azure. Here we are in the Azure AD portal, and we initially want to navigate to security and then MFA.

Here we have a number of options we can configure, including Account lockout, Fraud alerts, and look at activity reports. If we take a closer look at account lockout settings, we can customize three different settings. The number of MFA denials that will trigger an account lockout. The number of minutes until an account lockout counter is reset. And finally, the number of minutes until an account is automatically unlocked. With the fraud alert settings, it is turned off by default, therefore you have the ability to enable this. This will automatically turn on the setting to automatically block users who report fraud.

Finally, you can set a specific code which signifies a fraud report. The default setting is zero. The final setting I mentioned was activity reports, which allow you to review which users have been completing MFA authentication, the time, the app that was being used, as well as the authentication method, among other details. These three settings as well as many others can be implemented to give your organization a much better experience and add additional layers of security for your AVD environment.

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany based in the UK. He has 15 years plus experience working in the IT industry, 7 of those he has spent working with Microsoft Cloud Technologies in general, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.