Configure Conditional Access policies for Microsoft Dev Box
Conditional access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. Conditional access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action. Conditional access policies are a powerful tool for being able to keep your organization's devices secure and environments compliant.
This article provides examples of how organizations can use conditional access policies to manage access to dev boxes. For Microsoft Dev Box, it's common to configure conditional access policies to restrict who can access dev box, what from which locations they can access their dev boxes.
Device-based Conditional Access
- Microsoft Intune and Microsoft Entra ID work together to make sure only managed and compliant devices can Dev Box. Policies include Conditional Access based on network access control.
- Learn more about device-based Conditional Access with Intune
App-based Conditional Access
- Intune and Microsoft Entra ID work together to make sure only dev box users can access managed apps like the developer portal.
- Learn more about app-based Conditional Access with Intune.
Prerequisites
Provide access to Dev Box
Your organization might start with conditional access policies that, by default, allow nothing. You can set up a conditional access policy that allows your developers to access their dev boxes by specifying the conditions under which they can connect.
You can configure conditional access policies through Microsoft Intune, or through Microsoft Entra ID. Each path brings you to a configuration pane, an example of which is shown in the following screenshot:
Scenario 1: Allow access to dev boxes from trusted networks
You want to allow dev box access, but only from specified networks, like your office or a trusted vendor's location.
Define a location
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Protection > Conditional Access > Named locations.
Choose the type of location to create.
- Countries location or IP ranges location.
Give your location a name.
Provide the IP ranges or select the Countries/Regions for the location you're specifying.
If you select IP ranges, you can optionally Mark as trusted > location.
If you choose Countries/Regions, you can optionally choose to include unknown areas.
Select Create
For more information, see, What is the location condition in Microsoft Entra Conditional Access.
Create new policy
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Protection > Conditional Access > Policies.
Select New policy.
Give your policy a name. Use a meaningful naming convention for conditional access policies.
Under Assignments, select Users or workload identities.
a. Under Include, select All users.
b. Under Exclude, select Users and groups and choose your organization's emergency access accounts.
Under Target resources > Cloud apps > Include, select All cloud apps.
Under Network.
a. Set Configure to Yes
b. Under Exclude, select Selected networks and locations
c. Select the location you created for your organization.
d. Select Select.
Under Access controls > select Block Access and select Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to create your policy.
Confirm that your policy works as expected by using Report-only mode. Confirm that the policy is working correctly, and then enable it.
For information on configuring conditional access policy to block access, see Conditional Access: Block access by location.
Scenario 2: Allow access to the developer portal
You want to allow developer access to the developer portal only. Developers should access and manage their dev boxes through the developer portal.
Create a new policy
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
Browse to Protection > Conditional Access > Policies.
Select New policy.
Give your policy a name. Use a meaningful naming convention for conditional access policies.
Under Assignments, select Users or workload identities.
a. Under Include, select Dev Box Users.
b. Under Exclude, select Users and groups and choose your organization's emergency access accounts.
Under Target resources > Cloud apps > Include, select Microsoft Developer Portal, Fidalgo dataplane public, Windows Azure Service Management API.
Under Access controls > select Allow Access, and select Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to create to enable your policy.
Confirm that your policy works as expected by using Report-only mode. Confirm that the policy is working correctly, and then enable it.
Caution
Misconfiguration of a block policy can lead to organizations being locked out. You can configure accounts for emergency access to prevent tenant-wide account lockout. In the unlikely scenario all administrators are locked out of your tenant, your emergency-access administrative account can be used to log into the tenant to take steps to recover access.
Apps required for Dev Box
The following table describes the apps relevant for Microsoft Dev Box. You can customize conditional access policies to suit the needs of your organization by allowing or blocking these apps.
| App name | App ID | Description |
|---|---|---|
| Windows 365 | 0af06dc6-e4b5-4f28-818e-e78e62d137a5 | Used when Microsoft Remote Desktop is opened, to retrieve the list of resources for the user and when users initiate actions on their dev box like Restart. |
| Azure Virtual Desktop | 9cdead84-a844-4324-93f2-b2e6bb768d07 | Used to authenticate to the Gateway during the connection and when the client sends diagnostic information to the service. Might also appear as Windows Virtual Desktop. |
| Microsoft Remote Desktop | a4a365df-50f1-4397-bc59-1a1564b8bb9c | Used to authenticate users to the dev box. Only needed when you configure single sign-on in a provisioning policy. |
| Windows Cloud Login | 270efc09-cd0d-444b-a71f-39af4910ec45 | Used to authenticate users to the dev box. This app replaces the Microsoft Remote Desktop app. Only needed when you configure single sign-on in a provisioning policy. |
| Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Used to query for DevCenter projects where the user can create dev boxes. |
| Fidalgo Dataplane Public | e526e72f-ffae-44a0-8dac-cf14b8bd40e2 | Used to manage dev boxes and other DevCenter resources via the DevCenter REST APIs, Azure CLI, or Dev Portal. |
| Microsoft Developer Portal | 0140a36d-95e1-4df5-918c-ca7ccd1fafc9 | Used to sign into the developer portal web app. |
You can allow apps based on your requirements. For example, you can allow Fidalgo Dataplane Public to allow dev box management by using the DevCenter REST APIs, Azure CLI, or Dev Portal. The following table lists the apps used in common scenarios.
| App | Log in to and manage dev boxes in developer portal | Dev box management (create/delete/stop etc.) | Connect through browser | Connect through Remote Desktop |
|---|---|---|---|---|
| Microsoft Developer Portal | 
|
|
|
|
| Fidalgo Dataplane Public |
|
|
|
|
| Windows Azure Service Management API |
|
|
|
|
| Windows 365 |
|
|
|
|
| Azure Virtual Desktop |
|
|
|
|
| Microsoft Remote Desktop |
|
|
|
|
For more information on configuring conditional access policies, see: Conditional Access: Users, groups, and workload identities.