Deployment Overview
This document describes how to set up multi-factor authentication for Windows Virtual Desktop with the AuthPoint agent for Windows. Windows Virtual Desktop must already be configured and deployed before you set up MFA with AuthPoint.
This integration was tested with Windows Virtual Desktop Spring 2020 Release.
Before You Begin
Before you begin these procedures, make sure that:
- You have an Azure Active Directory global administrator account within the Azure Active Directory tenant
- You have an active Azure subscription
- You have an Azure Directory tenant associated with your Azure subscription
- You have an Azure Active Directory user account
- A token is assigned to a user in AuthPoint
Configure Windows Virtual Desktop
To configure Windows Virtual Desktop, you must:
- Create a host pool with the Azure portal for a Windows Virtual Desktop environment.
- Create a resource group with VMs in an Azure subscription.
- Join the VMs to your Azure Active Directory domain.
- Register the VMs with Windows Virtual Desktop.
For instructions to configure Windows Virtual Desktop, see the Microsoft documentation.
Configure AuthPoint
You must add a Logon app resource in AuthPoint and create an authentication policy for that resource or add the Logon app resource to your existing authentication policies. You must also install the agent for Windows on the Windows Virtual Desktop that you want to protect.
For detailed steps to configure a resource and install the agent, see Configure MFA for a Computer or Server.
Sync Users to AuthPoint from Azure Active Directory
You must create AuthPoint user accounts for your users. To sync users from Azure Active Directory, you must add an Azure AD external identity.
In AuthPoint, Azure AD external identities represent external user databases. They connect to user databases to get user account information and validate passwords. The queries you add to an external identity specify which users to sync from your Azure Active Directory. They pull user information and create AuthPoint user accounts for the users that are found.
For detailed instructions to sync users from Azure Active Directory, see Sync Users from Azure Active Directory.
Test the Integration
To log in to a Windows Virtual machine with the Logon app installed, you can authenticate with a mobile token on your mobile device. You can choose any method (one-time password, QR code, or push).
In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).
Access the Windows Virtual Machine with RDP
- Log in to the Azure portal as a global administrator.
- Navigate to Virtual machines.
- Click the name of the Virtual machine that you created and registered in the host pool.
- Select Connect > RDP.
- Click Download RDP File.
- Double-click the downloaded RDP File.
- Click connect.
- In the User name text box, type your user name.
- In the Password text box, type your password.
- Click OK. Then click Yes.
- Click Send Push.
- Approve the authentication request that is sent to your mobile device.
You are logged in to the Windows virtual machine.
Access the Windows Virtual Machine with Bastion
Before you can use bastion, you must create a bastion host in the Azure portal. For more information, see Create a bastion host from VM settings.
- Log in to the Azure portal as a global administrator.
- Navigate to Virtual machines.
- Click the name of the Virtual machine that you created and registered in the host pool.
- Select Connect > Bastion.
- In the User name text box, type your user name.
- In the Password text box, type your password.
- Click Connect.
You see the AuthPoint authentication screen.
- Click Send Push.
- Approve the authentication request that is sent to your mobile device.
You are logged in to Windows virtual machine.