Conditional Access Policy - Azure VDI\M365 - Require VDI Only

Phil M 60 Reputation points
2023-07-03T18:37:06.3966667+00:00

I am having a problem customizing a conditional access policy and I am either running into a bug or am doing something wrong.

GOAL:  The CAP must permit a group of users to access a VDI environment (a Windows virtual desktop), while denying them the ability to access any other Azure\M365 services, like the Office web portal, or logging into Microsoft Office apps with their tenant credentials.


CAP Details:

I have an Azure user named intune_pilot.  This user has access to a VDI.

I made a CAP with the following settings:

Users:  Applied only to ‘intune_pilot’ now

Cloud apps or actions:

I chose to include ‘All cloud apps’ and exclude ‘Azure Virtual Desktop Client’.  My belief here is that doing an ‘include all’ with specific ‘excludes’ would be the most secure deny-by-default.  I have also tried adding other applications like ‘Azure Virtual Desktop’ and ‘Microsoft Remote Desktop’.

Access Controls:  Block Access


As you can see from the above, my attempt is to block anything except connecting to the Azure VDIs via the Azure Virtual Desktop and\or the Microsoft Remote Desktop Windows App.


Failures:

When I apply the CAP, I get error messages indicating ‘You don’t have access to this’.  When I disable the CAP, the intune_pilot user can remote into the VDI just fine.

When I look at the sign-in activity, I see ‘Failures’ related to the ‘Azure Virtual Desktop Client’. 

The most interesting thing I can see is in the Conditional Access Policy details.  The ‘Application’ of ‘Azure Virtual Desktop Client’ is listed as a ‘Match’.  Since I excluded it from the CAP, I don’t believe this should be a match.  Perhaps you can interpret this and determine if this is a bug.

For #3, I have found some articles that others have been referencing.  In these cases, it seems that they needed to add up to 5 cloud apps to the CAP ‘exclude’.  However, for some reason, none of the 5 applications are searchable for me.  I simply don’t have them in my list.

Here is one such article:  https://stackoverflow.com/questions/74660627/microsoft-azure-conditional-access-how-would-i-enforce-intune-mdm-but-allow-av


Can you please help me with this strange activity?


Accepted answer
  1. Konstantinos Passadis 19,166 Reputation points MVP
    2023-07-06T22:52:49.51+00:00

    Hello @Phil M !

    I have tried the CAP with ALL Cloud Apps, and I find that it does not work well.

    When I narrow down the Cloud Apps as per the instructions it worked smoothly.

    You can also select all Management Portals.


    ALSO, very important to save your time, as we read:

    All cloud apps

    Applying a Conditional Access policy to All cloud apps results in the policy being enforced for all tokens issued to web sites and services. This option includes applications that aren't individually targetable in Conditional Access policy, such as Azure Active Directory.

    In some cases, an All cloud apps policy could inadvertently block user access. These cases are excluded from policy enforcement and include:

    • Services required to achieve the desired security posture. For example, device enrollment calls are excluded from compliant device policy targeted to All cloud apps.
    • Calls to Azure AD Graph and MS Graph, to access user profile, group membership and relationship information that is commonly used by applications excluded from policy. The excluded scopes are listed below. Consent is still required for apps to use these permissions.
      • For native clients:
        - Azure AD Graph: email, offline_access, openid, profile, User.read
        - MS Graph: User.read, People.read, and UserProfile.read
      • For confidential / authenticated clients:
        - Azure AD Graph: email, offline_access, openid, profile, User.read, User.read.all, and User.readbasic.all
        - MS Graph: User.read, User.read.all, User.read.All, People.read, People.read.all, GroupMember.Read.All, Member.Read.Hidden, and UserProfile.read

    So, selecting ALL Cloud Apps is not suitable I believe.

    Finally, if you read from the link below you will see that you are quite safe to select the Proposed Apps, and have the CAP work smoothly!

    https://video2.skills-academy.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps

    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards
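As an added illustration of the narrowed policy the accepted answer recommends (this is not code from the thread or from Microsoft), the Microsoft Graph PowerShell script below builds a block policy scoped to Office 365, Azure Management and the admin portals instead of "All cloud apps", excludes the AVD apps named in the question by looking up their app IDs by display name rather than hard-coding GUIDs, and creates it in report-only state so sign-in logs can be checked before enforcement. The user UPN and policy name are placeholders; the "Windows Azure Service Management API" display name is the service principal behind "Microsoft Azure Management" in the portal.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "User.Read.All"

# Resolve an application's appId from its display name (names as they appear in the portal).
function Get-AppIdByName {
    param([Parameter(Mandatory)][string]$DisplayName)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" -Top 1
    if (-not $sp) { throw "Service principal '$DisplayName' not found in this tenant" }
    return $sp.AppId
}

# The AVD-related apps from the question; excluding them keeps VDI sign-in out of scope explicitly.
$avdExcludes = @(
    "Azure Virtual Desktop",
    "Azure Virtual Desktop Client",
    "Microsoft Remote Desktop"
) | ForEach-Object { Get-AppIdByName $_ }

# "Microsoft Azure Management" in the portal is this service principal.
$azureMgmt = Get-AppIdByName "Windows Azure Service Management API"

# Placeholder UPN for the pilot user; replace with the real tenant UPN.
$pilotUser = Get-MgUser -Filter "userPrincipalName eq 'intune_pilot@contoso.example'"
if (-not $pilotUser) { throw "Pilot user not found" }

$params = @{
    displayName = "Pilot - VDI only, block other cloud apps"
    # Report-only first: sign-in logs show what WOULD be blocked without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($pilotUser.Id) }
        applications = @{
            # Targeted services instead of "All": Office 365, Azure Management, Microsoft Admin Portals.
            includeApplications = @("Office365", $azureMgmt, "MicrosoftAdminPortals")
            excludeApplications = @($avdExcludes)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Create the policy; switch state to "enabled" after reviewing report-only results.
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```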


2 additional answers

  1. risolis 8,721 Reputation points
    2023-07-05T03:24:51.0866667+00:00

    Hello @Phil M

    Thank you for posting this concern on this community.

    I am wondering if you have read the following articles down below:

    https://video2.skills-academy.com/en-us/azure/virtual-desktop/rbac

    https://video2.skills-academy.com/en-us/azure/virtual-desktop/create-application-group-workspace?tabs=portal

    I hope that can be useful for you.

    Looking forward to hearing from you

    Cheers,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Konstantinos Passadis 19,166 Reputation points MVP
    2023-07-05T16:42:13.6733333+00:00

    Hello @Phil M !

    Welcome to Microsoft QnA!

    For the CAP deployment, I suggest using the What If option.

    This allows you to test CA Policies without actually going live and see what to fix or not.


    Now, with the What If in place you can verify what's going on.

    I think you don't need All Cloud Apps .... just select O365 and Azure Management.

    There is also, in Preview, Microsoft Management Portals you can try.



    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

