Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Conditional Access – AVD SSO for SharePoint from Trusted Locations while enforcing MFA for All Cloud Apps
Cleon Russell
45
Reputation points
Hi all,
Question
Hi all, I’m looking for some guidance on Conditional Access policy design in an Azure Virtual Desktop (AVD) environment. We currently enforce MFA for “All cloud apps”, which is working as expected from a security perspective. However, we are trying to improve the user experience when accessing SharePoint Online from within AVD sessions.Requirement
We would like to achieve the following:- ✅ Enforce MFA for all cloud apps
- ✅ Allow seamless SSO for SharePoint Online when users are accessing from trusted office locations
- ✅ Ensure users are still prompted for MFA when accessing SharePoint externally
- ✅ Prevent users from having to re-authenticate for SharePoint after signing into AVD
Scenario
- Users sign into AVD (with MFA)
- From within the AVD session, they access SharePoint Online
- Despite already being authenticated, they are prompted again for credentials/MFA
- Trusted office locations are already configured in Entra ID (Named Locations)
Proposed Approach
We are considering the following design:- Modify the existing “All cloud apps” policy:
- Keep “All cloud apps” selected
- Exclude: Office 365 SharePoint Online
- Create a new Conditional Access policy for SharePoint:
- Cloud app: Office 365 SharePoint Online
- Conditions:
- Include: Any location
- Exclude: Trusted office locations (Named Locations)
- Grant control:
- Require MFA
Questions
- Is this the recommended approach to achieve SSO for SharePoint within AVD sessions while still enforcing MFA externally?
- Are there any risks or best practices when excluding SharePoint from an “All cloud apps” policy?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sridevi Machavarapu 30,110 Reputation points Microsoft External Staff Moderator2026-05-14T18:18:18.9966667+00:00 Hello Cleon Russell,
Yes, your proposed design is valid and is a common approach for this requirement.
- Exclude Office 365 SharePoint Online from the existing “All cloud apps” MFA policy
- Create a separate Conditional Access policy for SharePoint Online:
- Include: Any location
- Exclude: Trusted Named Locations
- Grant control: Require MFA
This allows users connecting from trusted office locations to access SharePoint without additional MFA prompts, while external access will still require MFA.
The additional prompt occurs because SharePoint evaluates Conditional Access separately from the AVD sign-in.
Also verify:
- AVD session hosts are Entra joined or Hybrid joined
- WAM and FSLogix are configured properly for SSO
- No Sign-in Frequency policy is forcing reauthentication
Excluding SharePoint from the “All cloud apps” policy is generally acceptable as long as SharePoint is protected by its own Conditional Access policy.
-
Cleon Russell 45 Reputation points
2026-05-15T19:27:21.5833333+00:00 Is this possible for Azure Virtual Desktop?
-
Sridevi Machavarapu 30,110 Reputation points Microsoft External Staff Moderator
2026-05-15T21:01:38.76+00:00 Hello Cleon Russell,
Yes, this is possible with Azure Virtual Desktop if SSO and Conditional Access are configured correctly.
- Exclude Office 365 SharePoint Online from the “All cloud apps” MFA policy
- Create a separate SharePoint policy:
- Include: Any location
- Exclude: Trusted Named Locations
- Grant: Require MFA
This allows seamless SharePoint access from trusted locations while still enforcing MFA externally.
Also ensure AVD hosts are Entra joined or Hybrid joined and SSO components like WAM/FSLogix are configured properly.
-
Cleon Russell 45 Reputation points
2026-05-15T21:18:59.92+00:00 How would I test it with one user on a test avd?
-
Sridevi Machavarapu 30,110 Reputation points Microsoft External Staff Moderator
2026-05-15T21:54:38.9766667+00:00 Hello Cleon Russell,
You can test this with a single user and a test AVD host before applying it more broadly.
Create a test Conditional Access policy and assign it only to the test user and SharePoint Online. Exclude your Trusted Named Location and configure the policy to require MFA.
Then test from both trusted and external locations. From a trusted location, sign in to AVD and access SharePoint. The user should not receive another MFA prompt. From an external location, the user should be prompted for MFA.
You can confirm the behavior in the Entra sign-in logs under the Conditional Access tab to see which policy was applied.
-
Cleon Russell 45 Reputation points
2026-05-15T23:16:48.35+00:00 So when they log into AVD will they still be prompted to login at loginonline?
-
Sridevi Machavarapu 30,110 Reputation points Microsoft External Staff Moderator
2026-05-15T23:49:22.0533333+00:00 Hello Cleon Russell,
Yes, users may still see a sign-in prompt from
login.microsoftonline.comduring the initial session, depending on the AVD SSO configuration.If SSO is configured correctly in Azure Virtual Desktop, users should sign in to AVD once and then access SharePoint without another MFA prompt from trusted locations.
If SSO is not fully configured, SharePoint or other Microsoft 365 apps inside the AVD session may still prompt for authentication.
Sign in to comment
Sign in to answer