A good security practice is to restrict access to business-critical applications to trusted devices within the organization only. Access to business applications from personal and untrusted devices should be denied. This strategy helps prevent data loss and the compromise of company information, which is vital in today’s landscape.
In our scenario, we will allow access to the Cloud Apps – ServiceNow, GitHub & Atlassian Cloud – only from a Windows 365 Cloud PC/Azure Virtual Desktop (AVD), and access from all other devices will be blocked. To achieve this outcome, we shall use Azure Active Directory (AAD) Conditional Access Policies and further use a device filter on the model “Cloud PC”.
- You have Enterprise Apps integrated with Azure Active Directory (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365)
- Make sure these applications sign in with Azure AD credentials and have multi-factor authentication assigned
- An Azure AD group containing the end-users to whom you want to apply the restrictions
- The necessary Azure AD P1 or P2 license
Portals on AAD Conditional Access Policy (CAP)
The following are all the portals where you can configure the CAP via different consoles; the outcome is the same in each case.
- Microsoft Endpoint Manager admin center (Microsoft Intune)
- Azure Portal – Azure Active Directory – Security – Conditional Access
- Microsoft Entra admin center
Details of all the settings we enter in the policy, followed by screenshots:
- Name of the CAP – Restrict CloudApps access to CPCs
- Users or workload identities – AAD group, called Win365-Users
- Cloud apps or actions
  - Include – Select – ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365
  - Exclude – Select – Windows 365, Azure Virtual Desktop and Microsoft Remote Desktop
- Conditions – Filter for devices – We select the device model ‘Cloud PC’
- Access Controls – Block Access
- Enable Policy – Report-only
AAD Group used for restrictions
Include Cloud Apps (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365)
Exclude Windows 365 and AVD
Conditions (Select Model Cloud PC)
Access Controls (Block Access)
Before rolling out to production, use only the report-only mode at this phase. Once satisfied with your testing, you can select Enable Policy – On. Finally, click Create.
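The same policy as code, as an added example that is not part of the original post: it creates the CAP described above with the Microsoft Graph PowerShell SDK. All GUIDs are placeholders to look up in your own tenant, and the device filter is assumed to use “Exclude filtered devices from policy”, which is the mode that blocks every device other than a Cloud PC.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$win365UsersGroupId = "<objectId of the Win365-Users group>"   # placeholder
$includeApps = @(
    "<appId of ServiceNow>",                                    # placeholder
    "<appId of GitHub Enterprise>",                             # placeholder
    "<appId of Atlassian Cloud>",                               # placeholder
    "Office365"                  # built-in Graph value for the Office 365 app group
)
$excludeApps = @(
    "<appId of Windows 365>",                                   # placeholder
    "<appId of Azure Virtual Desktop>",                         # placeholder
    "<appId of Microsoft Remote Desktop>"                       # placeholder
)

$policy = @{
    displayName = "Restrict CloudApps access to CPCs"
    # Report-only first; switch to "enabled" only after validating the report.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($win365UsersGroupId) }
        applications   = @{
            includeApplications = $includeApps
            excludeApplications = $excludeApps
        }
        devices = @{
            deviceFilter = @{
                # "exclude" removes Cloud PCs from the policy's scope, so the Block
                # control hits every other device, including unregistered personal
                # devices that carry no model attribute at all. With mode "include"
                # the same rule would block the Cloud PCs themselves instead.
                mode = "exclude"
                rule = 'device.model -eq "Cloud PC"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Check the resulting policy in the portal against the screenshots before changing its state to On.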
Insights & Reporting
You can see that the blocking policy applied to my user name when I accessed the Cloud App Office 365 from a personal device.
I hope you find this information helpful for restricting Cloud Apps access to Cloud PCs only. Please let me know if I have missed any steps or details, and I will be happy to update the post.