Windows Virtual Desktop Integration with AuthPoint

Deployment Overview

This document describes how to set up multi-factor authentication for Windows Virtual Desktop with the AuthPoint agent for Windows. Windows Virtual Desktop must already be configured and deployed before you set up MFA with AuthPoint.

This integration was tested with Windows Virtual Desktop Spring 2020 Release.

Before You Begin

Before you begin these procedures, make sure that:

  • You have an Azure Active Directory global administrator account within the Azure Active Directory tenant
  • You have an active Azure subscription
  • You have an Azure Directory tenant associated with your Azure subscription
  • You have an Azure Active Directory user account
  • A token is assigned to a user in AuthPoint

Configure Windows Virtual Desktop

To configure Windows Virtual Desktop, you must:

  • Create a host pool with the Azure portal for a Windows Virtual Desktop environment.
  • Create a resource group with VMs in an Azure subscription.
  • Join the VMs to your Azure Active Directory domain.
  • Register the VMs with Windows Virtual Desktop.

For instructions to configure Windows Virtual Desktop, see the Microsoft documentation.

Configure AuthPoint

You must add a Logon app resource in AuthPoint and assign an access policy for that resource to the user group(s) that must authenticate to log in. You must also install the agent for Windows on the Windows Virtual Desktop that you want to protect.

For detailed steps to configure a resource and install the agent, see Configure MFA for a Computer or Server.

Sync Users to AuthPoint from Azure Active Directory

You must create AuthPoint user accounts for your users. To sync users from Azure Active Directory, you must add an Azure AD external identity.

In AuthPoint, Azure AD external identities represent external user databases. They connect to user databases to get user account information and validate passwords. The queries you add to an external identity specify which users to sync from your Azure Active Directory. They pull user information and create AuthPoint user accounts for the users that are found.

For detailed instructions to sync users from Azure Active Directory, see Sync Users from Azure Active Directory.

Test the Integration

To log in to a Windows Virtual machine with the Logon app installed, you can authenticate with a mobile token on your mobile device. You can choose any method (one-time password, QR code, or push).

In this example, we show the push authentication method (users receive a push notification in the mobile app that they must approve to authenticate).

Access the Windows Virtual Machine with RDP

  1. Log in to the Azure portal as a global administrator.
  2. Navigate to Virtual machines.
  3. Click the name of the Virtual machine that you created and registered in the host pool.

Screen shot of Azure, picture1

  1. Select Connect > RDP.

Screen shot of Azure, picture2

  1. Click Download RDP File.

Screen shot of Azure, picture3

  1. Double-click the downloaded RDP File.
  2. Click connect.
  3. In the User name text box, type your user name.
  4. In the Password text box, type your password.
  5. Click OK. Then click Yes.
  6. Click Send Push.
  7. Approve the authentication request that is sent to your mobile device.
    You are logged in to the Windows virtual machine.

Access the Windows Virtual Machine with Bastion

Before you can use bastion, you must create a bastion host in the Azure portal. For more information, see Create a bastion host from VM settings.

  1. Log in to the Azure portal as a global administrator.
  2. Navigate to Virtual machines.
  3. Click the name of the Virtual machine that you created and registered in the host pool.
  4. Select Connect > Bastion.
  5. In the User name text box, type your user name.
  6. In the Password text box, type your password.

Screen shot of Azure, picture4

  1. Click Connect.
    You see the AuthPoint authentication screen.

Screen shot of Azure, picture5

  1. Click Send Push.
  2. Approve the authentication request that is sent to your mobile device.
    You are logged in to Windows virtual machine.