2023 Global Report: Ransomware Trends

Ransomware is a problem that everyone has but no one wants to talk about publicly. These are lessons learned from 1,200 victims.
7 Best Practices for Ransomware Recovery

Ransomware is the worst kind of disaster. That’s why reading this white paper on the seven best practices for ransomware is so critical to your organization.

Securing Azure Virtual Desktop with Azure Active Directory Conditional Access

Azure Virtual Desktop (AVD) is a Platform-as-a-Service (PaaS) to provide access to Windows 10 and Windows 11 desktops and applications virtually anywhere. It’s a solution hosted by Microsoft, which makes it secure by design, even though there is a lot of responsibility on the customer to ensure services are secure. In this article, I will explain how to secure Azure Virtual Desktop by focusing on Identity Access Management (IAM), which can be achieved using Azure Active Directory Conditional Access policies.

Security Aspects of Azure Virtual Desktop

In a traditional virtual desktop infrastructure (VDI) environment, for example, Windows Server Remote Desktop Services (RDS), which is hosted on-premises, ensuring that the RD Gateway and RD Broker services are secure can be challenging. And it requires additional infrastructure and configuration.

Security services and responsibilities

With Azure Virtual Desktop, this is all taken care of, which makes it secure by design. However, the following table shows the security services within AVD that are still the responsibility of the customer:

Security Service	Responsibility
IAM (Identity Access Management)	Customer
Devices	Customer
Application Security	Customer
Deployment	Customer
Session Host Operating System	Customer
Network management	Customer
Physical Hosts	Microsoft
Physical Network	Microsoft
Access to Datacentre	Microsoft
Control Pane	Microsoft

Table 1 – Security services and responsibilities

Before I explain how to use Azure AD Conditional Access to secure Azure Virtual Desktop, I want to highlight other security aspects of AVD.

Securing the Azure native services used by Azure Virtual desktop

To secure Azure Virtual Desktop, you’ll need to secure the Azure native services it uses such as Azure virtual machines, Azure Storage, and Azure Virtual Network (VNet)

Azure virtual machines: AVD is generally used with Windows 10 installed on session hosts, which means we can use any number of third-party endpoint protection tools. Microsoft Defender for Endpoint fully integrates with Windows 10, which means you can use it to protect the session hosts at the OS level.
Azure Storage: Managed disks and Azure File shares are used with Azure Virtual Desktop. We can protect managed disks by encrypting them, and we can protect Azure file shares by locking down network access and ensuring we back up the data that is stored on them.
Azure Virtual Network (VNet): We can protect virtual networks by ensuring we do not create unnecessary inbound rules to session hosts, as well as implementing an Azure Firewall or network virtual appliances (NVAs) in front of the VNet as perimeter network security.
Identity: We will discuss this as part of securing AVD with Conditional Access later

Let’s move on to discussing Conditional Access and how we can protect Azure Virtual Desktop by using Identity and Access Management.

Conditional Access policies overview

In essence, Conditional Access policies are if/then statements. So, if someone wants to access a resource or application, then they need to complete an action. This article focuses on an example where if a user wants to access Azure Virtual Desktop, then they are required to do multifactor authentication (MFA) before they can access it.

The following diagram shows the different aspects of Conditional Access including signals, verification, and the apps to which the user needs access:

Conditional Access MFA Logical view (Image credit: Microsoft)

As you can see in the diagram, from a Conditional Access aspect, users and locations, devices, applications, and real-time risk are referred to as signals. These signals allow access to resources within a cloud tenant. However, access needs to be verified.

Conditional Access will then either allow access, force the users to complete an MFA check, or block access. We can use Conditional Access policies to secure and control access to Azure Virtual Desktop in the same way, and we will discuss this in more detail now.

Securing Azure Virtual Desktop with Conditional Access

Before you can implement Conditional Access with Azure Virtual Desktop, you need to ensure the following prerequisite tasks are completed.

Assign the relevant license to the users (Azure AD P1 or P2)

Conditional Access can be implemented in certain scenarios with the free Azure Active Directory basic license. However, a premium Azure AD license is required for Azure Virtual Desktop integration. If you have an existing subscription that includes AVD such as Microsoft 365 Business Premium, the Azure AD Premium license is included.

Create an Azure Active Directory security group to which you can add your users

When you’ll create the Conditional Access policy, you’ll need to assign it to a user or group. Microsoft recommends assigning a security group to Conditional Access Policies as it is less management overhead.

Enable MFA for your Azure Virtual Desktop users in Azure Active Directory

Once the appropriate licensing is in place and users have been added as members of the relevant security group, you’ll need to ensure that MFA is enabled on our user accounts within Azure AD.

Configuring Conditional Access to secure Azure Virtual Desktop

Now that you have all the prerequisites in place, you can go ahead and configure your Conditional Access policy to force users to use MFA when connecting to Azure Virtual Desktop. However, you should consider the following key points.

Apply the policy to the relevant apps

As part of enforcing users to complete MFA verification when accessing Azure Virtual Desktop, you can also configure whether it applies to the web client, mobile apps, desktop clients, or all clients. As there are multiple methods to connect to AVD including web browsers, mobile apps, and desktop clients, it makes sense to configure all clients as part of your Conditional Access Policy.

Specify the frequency of re-authenticating

As part of the MFA configuration, you can specify how often users need to re-authenticate with MFA after the initial authentication. The default value for this is 14 days, however, you can set this to as low as 1 day and as high as 365 days.

Exempt specific network locations

Lastly, you can configure MFA to exempt specific CIDR IP ranges if you have corporate offices where your organization trusts the network, in case you don’t want users to authenticate with MFA.

Summary

In this article, we explained how to secure Azure Virtual Desktop with Conditional Access, which requires the creation of an Azure Active Directory security group and the configuration of multi-factor authentication for your users. Once your Conditional Access policy has been created, it will be quite straightforward to force your users to use MFA when connecting to Azure Virtual Desktop.

Table of contents

by Shabaz Darr
Feb 22, 2023

Shabaz Darr is currently a Master working at Netcompany based in the North of England. He has been working in the Tech industry for 15+ years with 8 of those in Cloud technologies. His main areas of focus are Azure Virtual Desktop, Azure IaaS, and En...

Microsoft Entra ID App Registration and Enterprise App Security Explained

Oct 19, 2023
Nov 10, 2023
How to Properly Secure and Govern Microsoft Entra ID Apps

Oct 19, 2023
Nov 09, 2023
How to Use Microsoft’s Hybrid Azure AD Connect Cloud Sync Software

Mar 27, 2023
Jul 17, 2023

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.

2023 Global Report: Ransomware Trends

7 Best Practices for Ransomware Recovery