
Conditional access and Windows 365

Securing access to Windows 365 is important. Today, MFA is something everyone should use, and you should definitely use it to access your Cloud PCs!

Given that you have Azure AD Premium P1 or P2 (it’s included in at least the Enterprise SKU of M365), you are able to use Conditional Access (CA) to enforce MFA. It’s a great idea to always require MFA for all cloud services.

Windows 365 is, as you might have guessed, a cloud service, so in that case it gets the MFA requirement too.

But what if you want to add other conditions that are specific to Windows 365 and Cloud PCs, such as making sure they are only accessed from your managed devices? There are some caveats here that I’ve noticed: for example, if you have added the Cloud PC to the Remote Desktop app, the CA rules are only evaluated when the account is added, whereas in the browser the policy is evaluated every time.

If you set up the CA rules prior to getting your users going however, you will be able to control this in a much better way.

Creating the policy

To create the Conditional Access policy, you must first of all have a role that allows you to do so (e.g. Security Administrator, Conditional Access Administrator, or Global Administrator).

Next up, in Microsoft Endpoint Manager, navigate to Devices > Conditional Access and press “+ New Policy”.

Start by giving your new policy a name.

Next step is to select what users to include in this CA rule. In this example I’m assigning this to all users.

We now have to select what cloud apps are included in this CA rule by going to “Cloud apps or actions”.

Choose “Selected apps” as included, then search for and add “Windows 365” and “Azure Virtual Desktop” to make sure that your rule applies to all your Cloud PCs.

Once you have selected the apps, go to Conditions.

Here we will add Any Device under “Device platforms”.

And also add Browser and Mobile apps and desktop clients under “Client apps”.

Once you have added these, move on to Grant under Access controls and add your requirements for granting access.

In this example, I’m only allowing compliant devices to sign in to the service, i.e. devices marked as compliant in Microsoft Endpoint Manager, which means they are managed and healthy. You can also add additional requirements here and require that only one of them is fulfilled, e.g. compliant device OR MFA. You can of course also require both, compliant device AND MFA; this is controlled under the “For multiple controls” section. In this case, I’ve left it at its default value.

Once you have added all your settings, make sure to set the “Enable policy” switch to ON instead of “Report-only” to activate the policy. However, be aware that you could potentially lock yourself out with a faulty CA rule.

Click Create at the bottom of the screen and your policy will take effect within minutes!
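The same policy can be created from the command line, which is handy when you want it reviewed or version-controlled before it goes live. The script below is an added example written for this post, not code from the original, and it uses the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds one of the roles mentioned above, and that the two service principals are named “Windows 365” and “Azure Virtual Desktop” in your tenant (the script looks them up rather than hard-coding IDs). The policy name and the break-glass account ID are placeholders of our own.

```powershell
# Added example: create the "compliant device" Conditional Access policy for
# Windows 365 and Azure Virtual Desktop via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Resolve the cloud app IDs by display name instead of hard-coding GUIDs.
# Assumption: the service principals carry these display names in your tenant.
$appNames = @("Windows 365", "Azure Virtual Desktop")
$appIds = foreach ($name in $appNames) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

# PLACEHOLDER: object ID of your emergency-access (break-glass) account.
# Excluding it mitigates the lock-out risk mentioned in the post.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Windows 365 - require compliant device"   # placeholder name
    # Start in report-only mode; change to "enabled" once the sign-in logs look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = $appIds }
        platforms      = @{ includePlatforms = @("all") }        # "Any device"
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # "OR" with a single control = the default the post leaves in place.
        # For compliant device AND MFA use operator "AND" and add "mfa" to the list.
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Running the policy in report-only mode first lets you confirm, in the sign-in logs, which users and clients would have been blocked before any access is actually denied.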

The experience

So what happens when this Conditional Access rule hits?

For the Remote Desktop app, it will only take effect when adding a new account. So if you already have an account added, nothing will really happen.

But when you try to add a new account, it will not grant you access unless you meet the requirements set in the policy.

For the browser, when accessing your Cloud PC through the Windows 365 portal (https://windows365.microsoft.com) you will also be met by a message denying you access. This message is however a bit more cryptic and doesn’t really tell you what’s wrong. But
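From the admin side, the Azure AD sign-in logs show exactly which policy blocked a user and through which client, which is how you can verify the Remote Desktop versus browser behaviour described above. This is an added example for this post, not code from the original; it uses the Microsoft Graph PowerShell SDK and assumes the signed-in account can read audit logs.

```powershell
# Added example: list Windows 365 sign-ins that Conditional Access blocked,
# with the policy that caused the block and the client that was used.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$failed = Get-MgAuditLogSignIn `
    -Filter "appDisplayName eq 'Windows 365' and conditionalAccessStatus eq 'failure'" `
    -Top 50

foreach ($s in $failed) {
    # The enforcing policy reports result "failure"; a report-only policy
    # would instead show "reportOnlyFailure" without blocking the sign-in.
    $hit = $s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' }
    [pscustomobject]@{
        Time   = $s.CreatedDateTime
        User   = $s.UserPrincipalName
        Client = $s.ClientAppUsed          # browser vs. desktop client
        Device = $s.DeviceDetail.DisplayName
        Policy = ($hit.DisplayName -join ', ')
    }
}
```

If you run the policy in report-only mode, swap the `Result -eq 'failure'` filter for `'reportOnlyFailure'` and drop the `conditionalAccessStatus` part of the `-Filter` to see what would have been blocked.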

Conclusion

That is a quick guide on how to get started with controlling access to your Cloud PCs using Conditional Access. You can do a lot of cool stuff with this based on your scenarios and needs. You could also add session controls, or grant access only to specific user roles and combine this with a few more policies to create a cloud-based Privileged Access Workstation (PAW).

You could also complement the policy with a session control to control how often it needs to be re-evaluated.

This configuration doesn’t really support the “work from any device” concept, but I just wanted to show what was possible!
