Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,703 questions
Persistent RDP Session Behavior in AVD
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 59%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Senthil Prabhu Thangavelu
0
Reputation points
Here’s a professional support ticket email you can send to Microsoft:
Subject: Support Case – Persistent RDP Session Behavior in AVD
Dear Microsoft Support Team,
We are experiencing an issue with the RDP client used for Azure Virtual Desktop (AVD) sessions, where sessions persist even after a network change, without forcing user re-authentication. Below is a detailed description of the issue:
Issue Description
The issue occurs when a user is connected to an isolated network where users can access AVD only via a wired LAN connection. The expected behavior is that when users disconnect from the remote network (by removing the LAN cable) and switch to a different network (e.g., Corporate Wi-Fi), they should be required to re-authenticate. However, we have observed that the RDP session remains persistent, and users can continue accessing AVD without re-authentication.
Observed Behavior
- Even after disconnecting from the wired network and switching to Wi-Fi, the RDP session persists.
- The end-user is not prompted to re-authenticate when reconnecting via a different network.
- Even if the RDP client is closed by the user, the session persists when reopened.
- This behavior appears to be related to the workspace subscription process in the RDP client, which maintains session persistence.
Security Concern
While we understand that Microsoft may have implemented this behavior to enhance user experience, it poses a security risk for our organization. We need to determine if there is a way to modify this behavior to enforce re-authentication when a network change occurs.
Request for Assistance
Could you please confirm:
- If this persistent session behavior is expected for AVD RDP clients?
- Whether this is controlled by a token or another mechanism?
- If there are configuration settings or policies available to force re-authentication when a user switches networks?
https://www.anoopcnair.com/azure-virtual-desktop-rd-client-subscription/
We appreciate your guidance in resolving this issue. Please let us know if any additional logs or details are required.
Best regards,
Prabhu
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 38%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
Markapuram Sudheer Reddy 1,165 Reputation points Microsoft External Staff2025-03-06T20:28:34.81+00:00 Thank You for reaching out to Microsoft Q&A forum.
Can you please provide details:
Are there any Single Sign-On (SSO) configured? https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication#single-sign-on-sso
Are any Microsoft Entra Conditional Access policies in place, and if present, what conditions were configured (e.g., sign-in frequency)?
Meanwhile, please ensure that users are prompted to re-authenticate based on the Microsoft Entra session lifetime configuration settings. https://learn.microsoft.com/en-us/entra/identity/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime#azure-ad-session-lifetime-configuration-settings
To protect your users, you can make sure the client asks for Microsoft Entra multi-factor authentication credentials more frequently. You can use Conditional Access sign-in frequency to configure this behavior. https://learn.microsoft.com/en-us/entra/identity/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime#recommended-settings
Please check below documentation for more information:
https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd
If you find the information is helpful, please click on "Upvote"
If you have any queries, please do let us know, we will help you.
-
Senthil Prabhu Thangavelu 0 Reputation points
2025-03-07T07:14:11.4466667+00:00 Sudheer,
Thanks for your reply. We use EntraID authentication but no SSO. There are few policies in EntraID. I will go through the link that you provided. However is there any specific policy to reauthenticate when network changes?
Prabhu
-
Markapuram Sudheer Reddy 1,165 Reputation points Microsoft External Staff
2025-03-10T18:05:38.4066667+00:00 Thank You for the response.
Currently, Microsoft Entra ID does not have a specific Conditional Access policy that directly detects changes in network connectivity to prompt users for re-authentication. You can try leveraging reauthentication by enforcing with different policies named locations, countries and selected networks and locations etc.
Please use below documentation for more information:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network
If you find the information is helpful, please click on "Upvote"
If you have any queries, please do let us know, we will help you.
-
Markapuram Sudheer Reddy 1,165 Reputation points Microsoft External Staff
2025-03-12T00:18:37.7366667+00:00 I just wanted to check about the information shared above is useful. If it is helpful, please click "Upvote"
If you have any queries, please do let us know, we will help you.
Sign in to comment
Sign in to answer