MFA is not prompted if Symantec VIP IA device cookie is saved in VDI



Article ID: 425131


Products

VIP Service

Issue/Introduction

You observe that when a user's device is registered (a Symantec VIP Intelligent Authentication device cookie is saved) on one VDI (Virtual Desktop Infrastructure) machine, and the same user then signs in from a different VDI machine, no MFA prompt is triggered. Is this expected behavior?

Environment

VIP Service

Resolution

Yes. This is expected behavior in most modern enterprise VDI environments, in particular those that combine Microsoft Entra ID (Azure AD) with a profile-roaming solution such as FSLogix or Citrix Profile Management. The VIP IA device cookie is stored in the user's browser profile, and in these environments the browser profile follows the user from machine to machine, so the second VDI machine presents the same "known device" state as the first.

Here is why the user is not prompted for MFA on the second machine:

1. Roaming Identities (The PRT)

When a user signs in on an Entra-registered VDI machine, a Primary Refresh Token (PRT) is issued for that user on that device. The PRT itself is bound to the device's keys and is not copied between machines; what does travel with the user is the sign-in state that was obtained with it.

  • In modern VDI, administrators use profile containers (such as FSLogix). A container holds the user's entire profile, including browser cookies (the VIP IA device cookie among them) and cached token stores, in a virtual disk that is mounted at logon.

  • When the user logs out of Machine A and into Machine B, the same profile container is attached to Machine B.

  • Machine B therefore sees a profile that already carries the "device registered" cookie and a still-valid authenticated session. Because the registration state lives in the roamed profile rather than in the virtual machine, the system treats the device as already known and does not request a second factor.

2. Persistent vs. Non-Persistent VDI

  • Non-Persistent: Even if the VDI image is reset at every logoff, profile roaming keeps the user's identity state across resets. The decision to prompt is driven by "user + registered state" in the profile, not by the hardware ID of the particular virtual machine.

  • Single Sign-On (SSO): If SSO is enabled, the user satisfies MFA once when connecting to the VDI service itself, and that MFA claim is passed into the desktop session. Each new desktop session inherits it rather than re-challenging the user.

3. Conditional Access Policies

  • Identity provider policies (Azure/Entra ID Conditional Access, and the equivalent controls in other providers) commonly define a sign-in frequency or MFA session lifetime. If User1 satisfies MFA on Machine A at 9:00 AM and the policy allows an 8-hour window, signing in to Machine B at 10:00 AM will not trigger a new prompt: the user's MFA session, carried in the roamed profile, is still within the window. A prompt would only be expected once that window expires or the roamed cookie and session state are cleared.
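The following diagnostic is an added example for this article; it is not part of the Broadcom knowledge base and is not a VIP Service tool. It gathers, in the user's session, the three facts the explanation above depends on: whether the profile came from an FSLogix container, what Entra device identity and PRT state this virtual machine has, and which roamed sign-in artifacts are present. Run it on both VDI hosts and compare. Assumptions, labelled in the code: FSLogix records per-session state under HKLM:\SOFTWARE\FSLogix\Profiles\Sessions\<user SID>; dsregcmd /status prints "Name : Value" lines; the probe paths in $ArtifactProbes (browser cookie databases, the Windows token broker cache) are hypothetical defaults that you should adjust to the browser the user enrolled the VIP IA device in.

```powershell
# Added example, not from the Broadcom KB article. Assumptions are marked below.

function Get-FslogixSessionState {
    # Assumption: FSLogix keeps per-session status under this key.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $key = "HKLM:\SOFTWARE\FSLogix\Profiles\Sessions\$sid"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Sid = $sid; ContainerAttached = $false; Detail = 'no FSLogix session key' }
    }
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Sid               = $sid
        ContainerAttached = $true
        Detail            = ($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

function Get-DeviceRegistrationState {
    # dsregcmd ships with Windows 10/11 and Server 2016+; its output is "Name : Value" lines.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']
        DeviceId      = $state['DeviceId']
        AzureAdPrt    = $state['AzureAdPrt']
    }
}

function Find-RoamedAuthArtifacts {
    param([string[]]$ArtifactProbes)
    # Reports only the paths that exist; directories show no size.
    foreach ($p in $ArtifactProbes) {
        $item = Get-Item -Path $p -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Path = $p; LastWrite = $item.LastWriteTime; SizeBytes = $item.Length }
        }
    }
}

# Hypothetical probe list: browser cookie stores (where a VIP IA device cookie
# would live) and the Windows token broker cache. Adjust to your environment.
$ArtifactProbes = @(
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Network\Cookies",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Network\Cookies",
    "$env:LOCALAPPDATA\Microsoft\TokenBroker\Cache"
)

$fsl  = Get-FslogixSessionState
$dev  = Get-DeviceRegistrationState
$arts = Find-RoamedAuthArtifacts -ArtifactProbes $ArtifactProbes

"Host            : $env:COMPUTERNAME"
"FSLogix session : attached=$($fsl.ContainerAttached) ($($fsl.Detail))"
"Entra device    : joined=$($dev.AzureAdJoined) id=$($dev.DeviceId) prt=$($dev.AzureAdPrt)"
"Roamed artifacts:"
$arts | Format-Table -AutoSize | Out-String

# Interpretation: if DeviceId differs between the two hosts but the user was not
# prompted on the second one, the state that satisfied the MFA policy arrived
# with the roamed profile (cookie or token cache), not from the virtual machine.
```

Two practical consequences follow from what the script shows. First, if the requirement is an MFA prompt on every distinct VDI machine, the roamed cookie has to stop roaming or be invalidated at logoff; FSLogix's redirections.xml exclusion mechanism is the usual way to keep a folder out of the container, and the exact folder to exclude is the one in which the user's browser stores the VIP IA cookie. Second, because the "trusted device" state is a file in the profile container, the share that holds the VHD/VHDX files is effectively a credential store: anyone who can read a user's container can carry that trusted-device state to another machine, so restrict and audit access to it accordingly.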