Archive | Azure Active Directory RSS feed for this section

Compliance Policy for Azure Virtual Desktop Session Host Virtual machine managed via Microsoft Intune

3 Feb

Microsoft Intune Compliance Policy can be used to manage the security and compliance of Azure Virtual Desktop (AVD) Session Host virtual machines. The policy can enforce specific configuration settings such as password complexity, security updates, and device encryption to ensure that the virtual machines meet the organization’s security and compliance requirements.

To set up an Intune Compliance Policy for an AVD Session Host virtual machine, the virtual machine must be enrolled with Intune. Then, the policy can be created in the Intune portal and assigned to the virtual machine. The policy settings will be enforced on the virtual machine and monitored for compliance.

Note: The Intune Compliance Policy is just one of the ways to manage the security and compliance of AVD Session Host virtual machines. Other tools such as Azure Security Center and Azure Policy can also be used.

Why create the azure virtual desktop session host compliance policy?

There are several reasons why organizations create Azure Virtual Desktop (AVD) Session Host Compliance Policies:

  1. Security: Compliance policies help ensure that the AVD Session Host virtual machines are configured with the necessary security measures to protect sensitive data and prevent unauthorized access. This includes enforcing encryption, password policies, and software updates.
  2. Compliance: Compliance policies help organizations meet regulatory requirements, such as HIPAA, PCI, and SOC, by ensuring that the AVD Session Host virtual machines are configured in accordance with these regulations.
  3. Consistency: Compliance policies help ensure that all AVD Session Host virtual machines are configured consistently and meet the same standards. This makes it easier for administrators to manage the environment and ensures that all users have a consistent and secure experience.
  4. Monitoring: Compliance policies provide ongoing monitoring of the AVD Session Host virtual machines, so administrators can quickly identify and address any deviations from the desired configuration.

By creating an AVD Session Host Compliance Policy, organizations can ensure that their virtual machines are secure, compliant, consistent, and properly monitored, which can help reduce the risk of security breaches and regulatory violations.

What compliance policies are supported with Azure Virtual Desktop?

The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Minimum OS version
  • Maximum OS version
  • Valid operating system builds
  • Simple passwords
  • Password type
  • Minimum password length
  • Password Complexity
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Microsoft Defender Antimalware
  • Microsoft Defender Antimalware security intelligence up-to-date
  • Firewall
  • Antivirus
  • Antispyware
  • Real-time protection
  • Microsoft Defender Antimalware minimum version
  • Defender ATP Risk score

Note in my sceanrio I am not using all of the above only a few based on the configuration of my environment. You will need a Azure AD device group containing all the session host for AVD to apply this policy.

What am I configuring?

I am only configuring two things. However, I urge if you to leverage Microsoft Defender and make sure you use the Antivirus and Antimalware settings (Another blog post later day for Defender integrations):

  • Minimum OS version – 10.0.22621.963
  • Firewall – Require

The above is not an extensive list, but I am trying to give you an idea here.

Create the compliance policy for AVD

Open the Microsoft Endpoint Manager admin center ( and navigate to Devices and Compliance Policies.

  • Click on Create Policy and Select Platform Windows 10 and later
  • Give the policy a name and description
  • Configure the above two parameters
  • An assignment is the most critical aspect, here, you want an Azure AD Dynamic Device Group that will make sure all the AVD Session hosts are covered.
  • My current AAD Dynamic Group query is as follows, I am working towards getting a more refine query to make it understand Multi-session(I have raised a query internally within MS)

Device Compliance (AVD Session Host VMs)

After waiting for 15 mins you will start noticing all your AVD Session host VM’s will now begin to show as compliant.

I hope you will find this helpful information for creating a compliance policy for your AVD Session host VMs. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Aresh Sarkari

Restrict Cloud Apps (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365) access to Windows 365 Cloud PC/Azure Virtual Desktop

15 Dec

A good security practice would restrict the access of business-critical applications only to trusted devices within the organizations. On personal and untrusted devices, there should deny access to business applications. This strategy helps in Data Loss Prevention and company information compromise, which is vital in today’s landscape.

In our scenario, we will allow Access to Cloud Apps – ServiceNow, GitHub & Atlassian Cloud only on the Windows 365 Cloud PC/Azure Virtual Desktop (AVD) and all other devices will block access. To achieve this outcome, we shall be using Azure Active Directory (AAD) Conditional Access Policies & further use device filtering on “Cloud PC”


  • You have Enterprise Apps integrated with Azure Active Directory (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365)
    • Make sure these applications are working with Azure AD credentials and assigned multi-factor authentication
  • Azure AD Group with end-users to whom you want to apply the restrictions
  • Necessary Azure AD P1 or P2 license

Portals on AAD Conditional Access Policy (CAP)

Following are all the portals where you can configure the CAP via different consoles. However, the outcome is going to be the same.

Microsoft Endpoint Manager admin Center (Microsoft Intune)

Azure Portal – Azure Active Directory – Security – Conditional Access

Microsoft Entra admin center

New Policy

Details of all the configurations we are entering within the policy and followed by screenshots:

  • Name of the CAP – Restrict CloudApps access to CPCs
  • Assignments
    • Users or workloads Identities – AAD group, called Win365-Users
    • Cloud apps or action
      • Include – Select – ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365
      • Exclude – Select – Windows 365, Azure Virtual Desktop and Microsoft Remote Desktop
    • Conditions – Filter for devices – We are selecting model ‘Cloud PC’
  • Access Controls – Block Access
  • Enable Policy – Report-only

AAD Group used for restrictions

Inlcude Cloud Apps (ServiceNow, GitHub Enterprise, Atlassian Cloud & Office 365)

Exclude Windows 365 and AVD

Conditions (Select Model Cloud PC)

Access Controls (Block Access)

Before rolling out in production at this phase, only use the report-only mode. Once satisfied with your testing, you can select Enable Policy – On. Final click on Create

Insights & Reporting

You can notice my user name shows the blocking policy is applying when I access the CloudApp -Office365 from a personal device.

I hope you will find this helpful information for restricting Cloud Apps access to only Cloud PC. Please let me know if I have missed any steps or details, and I will be happy to update the post.

Aresh Sarkari