Windows 365 SSO. Anyone know how to make it less effective? Hear me out. Windows App (new RDP client) does Entra Auth. Hours later you can still SSO into remote desktops without further MFA or password. Users disconnect but leave Windows App running and others can hop in. #windows365 @jeftek.com - ThreadSky

alexmags.bsky.social • 103 days ago

Windows 365 SSO. Anyone know how to make it less effective? Hear me out. Windows App (new RDP client) does Entra Auth. Hours later you can still SSO into remote desktops without further MFA or password. Users disconnect but leave Windows App running and others can hop in. #windows365 @jeftek.com

Comments

jeftek.com•103 days ago

Is this an Idle session time out scenario? That you want the connection to be cut if it goes idle, and then force re-auth with MFA if they connect again?

alexmags.bsky.social•103 days ago

Hi Jef. Got idle session timeout. But missing re-auth if they or someone else tries to reconnect.

jeftek.com•103 days ago

Do you have the SIF policy scoped to all the AppIds you need? See https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on

alexmags.bsky.social•102 days ago

Thanks @jeftek.com . Your doc recommendation guided me to the Windows Cloud Login app. This was the one I was missing to make sure users MFA on reconnect if Windows App session is left running. Don't need to disable SSO. 🙏

jeftek.com•102 days ago

Glad it worked out!

alexmags.bsky.social•103 days ago

Thanks for the link. I'll dig in further to this.
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on#enable-microsoft-entra-authentication-for-rdp

nathanmcnulty.com•103 days ago

You're looking for Sign In Frequency, and your options are 5 minutes (every time) or 1 hours increments

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session#sign-in-frequency

alexmags.bsky.social•103 days ago

Hi Nathan. Have CA policy set to every time for Win365 cloud app. If you restart Windows app or hit refresh in Windows App to get latest list of desktops you have to reauth. But connect (RDP) gets you in without reauth.

nathanmcnulty.com•103 days ago

So I believe the Windows app is getting tokens for the Remote Desktop app in Entra, and then it's using those to sign into RDP hosts

It sounds like you are wanting it on each session and/or it's saving a token from the host that isn't affected by SIF?

alexmags.bsky.social•103 days ago

If I disconnect, leave Windows app running, and come back hours later I can still SSO into remote desktop without password or MFA. Not sure how the RDP connection is authenticated. Haven't spotted interaction with entra in sign-in logs when you connect. RDP is Kerberos to the Windows desktop?

nathanmcnulty.com•103 days ago

There's a bunch of apps, technically, behind some of the services like AVD/W365

If the host is using Kerberos, then you are looking at 10 hour lifetime

We have this same issue with SAML and apps in Entra that issue their own cookies where SIF doesn't affect those tokens

alexmags.bsky.social•102 days ago

Update-It was Windows Cloud Login app registration I needed in every time SIF policy. Device filter on device ownership so only applies to byod.

Comments

Posting Rules

Reply