Overview
In this article, we will discuss how to allow remote users on personal devices to access Azure Virtual Desktop (AVD) and Windows 365 (W365) while blocking access to all other cloud applications and organizational data.
Securing Azure Virtual Desktop (AVD) is crucial for maintaining a secure and compliant environment, especially when enabling remote access for users on BYOD (Bring Your Own Device) devices. Leveraging Microsoft’s suite of security tools, such as Microsoft Intune, Microsoft Defender for Endpoint, Microsoft Entra ID P2, and Conditional Access policies, can ensure a robust security posture for your AVD deployment.
1. Remote Access Configuration
To securely enable remote access to AVD from BYOD devices, follow these steps:
Conditional Access Policy:
- Target Resources: Include all cloud apps and exclude the two resources the AVD and W365 clients sign in to, “Azure Virtual Desktop” and “Windows Cloud Login.”
- Access Control: Set to “Block,” so that remote users on BYOD devices can reach only the excluded AVD and W365 resources and cannot access corporate data in any other cloud app.
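The policy described above, written as an added example with the Microsoft Graph PowerShell SDK (this is not the article's own code). It resolves the two excluded apps by display name instead of hard-coding IDs, creates the policy in report-only mode so its effect can be reviewed in the sign-in logs before enforcement, and excludes a break-glass account; the group ID, break-glass account ID and the device-filter rule used to represent personal devices are assumptions to replace with your own values.

```powershell
# Added example, not code from the original article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Resolve the resource apps to exclude by display name; fail loudly if one is missing.
$excludedAppIds = foreach ($name in 'Azure Virtual Desktop', 'Windows Cloud Login') {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { throw "Service principal '$name' not found in this tenant" }
    $sp.AppId
}

# Placeholders (assumptions): the group of remote BYOD users and an emergency-access account
# that must never be blocked by this policy.
$remoteByodGroupId   = '<REMOTE-BYOD-USERS-GROUP-OBJECT-ID>'
$breakGlassAccountId = '<BREAK-GLASS-USER-OBJECT-ID>'

$policy = @{
    displayName   = 'BYOD - Block all cloud apps except AVD and W365'
    # Report-only first; change to 'enabled' only after checking the sign-in log results.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($remoteByodGroupId)
            excludeUsers  = @($breakGlassAccountId)
        }
        applications   = @{
            includeApplications = @('All')
            excludeApplications = @($excludedAppIds)
        }
        clientAppTypes = @('all')
        # Device filter (assumption): any device that is not Intune-compliant is treated as
        # a personal device, which also covers devices that are not registered at all.
        devices        = @{
            deviceFilter = @{ mode = 'include'; rule = 'device.isCompliant -ne True' }
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Before switching the state to enabled, confirm in the sign-in logs that AVD and W365 sign-ins from the targeted group show the policy as "not applied" and that every other cloud app shows "report-only: failure".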
2. Intune Compliance Policy for AVD
Configure an Intune compliance policy tailored for AVD to enforce security requirements:
- BitLocker: Set to Required (if the AVD session host supports a TPM).
- Secure Boot: Set to Required.
- Firewall: Set to Required.
- TPM (Trusted Platform Module): Set to Required.
- Antivirus: Set to Required.
- Antispyware: Set to Required.
- Microsoft Defender Antimalware: Set to Required.
- Real-time Protection: Set to Required.
- Microsoft Defender Antimalware Security Intelligence: Ensure it is up to date.
- Device Risk Score: Enforce that devices must be at or below the risk score “Low” to be compliant.
3. Microsoft Defender for Endpoint Security Configuration
Enhance AVD security using Microsoft Defender for Endpoint by configuring the following:
- Antivirus Policy: Ensure that a comprehensive antivirus policy is in place.
- Firewall Application Control for Business: Implement firewall application controls to restrict unauthorized applications.
- Attack Surface Reduction: Configure real-time monitoring to prevent compromises and control potential ransomware threats.
4. Identity and Access Management Policies
To strengthen identity security and access management within AVD:
- MFA and SSPR: Ensure Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) are enabled.
- Identity Protection: Utilize User Risk and Sign-In Risk features to enforce MFA based on risk levels.
- Conditional Access Policy: Allow users to register MFA only from trusted locations.
- Password Protection: Implement policies to prevent the use of common and easily guessable passwords.
- Just-In-Time Access: Use Just-In-Time (JIT) access through Microsoft Defender for Cloud Apps to secure AVD resources.
5. Application Management
Deploy all necessary applications through Intune to ensure they are compliant and secure:
- Ensure that only managed and compliant applications are deployed to AVD sessions.
6. User Data Profile Management
To manage user data profiles securely:
- For Entra ID-joined AVD: Enforce the use of OneDrive for Business for storing user profiles instead of relying on FSLogix. This approach ensures data security and compliance while simplifying profile management.
Summary
By implementing these guidelines, you can secure Azure Virtual Desktop and Windows 365 environments against potential threats and ensure compliance with corporate security policies. This comprehensive strategy utilizes Microsoft Intune, Microsoft Defender for Endpoint, Microsoft Entra ID, and Conditional Access policies to deliver a secure and resilient AVD deployment.
info@ngcloudsecurity.com