Secure Windows Virtual Desktop with Conditional Access

Many organizations are currently using Windows Virtual Desktop, and many security administrators ask how to secure it, since the service is publicly accessible. I've already implemented several Conditional Access policies for Windows Virtual Desktop. Examples are: block access when a user is outside the corporate network and his/her device is not compliant in Microsoft Intune, require MFA when a user is outside the corporate network, etc. This blog post shows you how to require MFA and an Intune-compliant device when a user connects from outside your corporate network.

Create a named location

The first step is to configure a named location that includes all the public IP addresses of your corporate network. You can also include the public IP address of your VPN solution when all traffic is routed through the VPN (split-tunnel clients would otherwise reach the service from their own public IP and be treated as external).

Browse to the Conditional Access Blade and click on Named locations:

Create a new named location:

Give your named location a name and add your Public IP addresses:

Now that the named location is created, we can start creating our Conditional Access policy. Switch back to Policies and click on "+ New policy":

Give your policy a name and include your users. I've selected "All users" and excluded my adm account, so that a misconfigured policy cannot lock the administrator out. In a production environment it's best practice to roll the policy out to pilot users first or to use Report-only mode:

Select the Windows Virtual Desktop applications:

I've selected Windows as the device platform, but you can also select other device platforms. In our test tenant we only use Windows devices to connect to Windows Virtual Desktop. I've created another policy to block iOS, Android and macOS for Windows Virtual Desktop, because a policy scoped to Windows alone leaves other platforms unevaluated:

This policy applies to all locations except when a user is connecting from the internal network. Therefore, add your named location to the exclusion list:

A user can use a browser or the Windows Virtual Desktop RDP client to connect to Windows Virtual Desktop, so I've included both "Browser" and "Mobile apps and desktop clients" as client apps:

This policy grants access only if the user passes the MFA prompt and his/her device is compliant in Microsoft Intune (both controls are required, not just one of them):

I've also configured a sign-in frequency, which requires the user to re-authenticate every 4 hours:
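The same named location and policy built as code, as an added example that is not from the original post: it uses the Microsoft Graph PowerShell SDK, and the CIDR ranges, the excluded admin account object ID and the Windows Virtual Desktop application ID are placeholders you must replace with your own values. The policy starts in report-only mode, as recommended above, so you can validate it in the sign-in logs before enforcing it.

```powershell
# Added example, not the post's own code. Placeholders: CIDR ranges, the
# excluded adm account object ID and the Windows Virtual Desktop app ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. Named location holding the corporate (and VPN egress) public IP addresses
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network"
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }   # placeholder office range
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "198.51.100.7/32" }  # placeholder VPN egress
    )
}

# 2. Policy: WVD apps, Windows platform, every location except the one above,
#    browser + desktop/mobile clients, grant only with MFA AND a compliant
#    device, and force re-authentication every 4 hours.
$policy = @{
    displayName = "WVD - Require MFA and compliant device outside corporate network"
    state       = "enabledForReportingButNotEnforced"   # report-only until validated
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<adm-account-object-id>") }
        applications   = @{ includeApplications = @("<windows-virtual-desktop-app-id>") }
        platforms      = @{ includePlatforms = @("windows") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    # AND operator: both controls must be satisfied, not either one
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    sessionControls = @{ signInFrequency = @{ isEnabled = $true; type = "hours"; value = 4 } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `enabled` only after the report-only results in the sign-in logs match what the What if tool shows for your internal and external test sign-ins.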

What if scenario

You can use the What if tool (next to the "+ New policy" button) to verify your Conditional Access policy before enforcing it. The first example shows what happens when a user connects to Windows Virtual Desktop from outside the corporate network using the web browser. Note that the user must pass the MFA prompt and that his/her device needs to be compliant in Microsoft Intune:

The next example shows what happens when a user connects to Windows Virtual Desktop using a browser while connected to the corporate network. Note that the newly created policy does not apply, because the location is in the policy's exclusion list:

Published by jordyblommaert
