Forum Discussion
Conditional Access for Windows 365
I guess I answered my own question once users started reaching out that they could no longer access the environment on their personal computers after I configured a device-based conditional access with "Grant access" requiring the following, which prevented access from users' personal computers since they aren't AAD joined/owned/managed by the org hence will never be compliant:
In the device-based conditional access settings, under "Control access enforcement to block or grant access.", select the following:
Grant access
MFA (no org should do without this)
Device marked as compliant (this is required for this purpose)
App protection policy (this is optional for this purpose but enabling it alone apparently prevented access too. I guess because the users' computers have to be able to have these policies executed, which isn't possible on computers not managed by the org)
And under "For multiple controls" select:
Require all the selected controls (if you require one, they can access just by having only MFA)
This restricts access to anything in the environment, including apps and even access to any web portal. And as long as you have Cloud PCs assigned to the users, they can access your environment there because they should meet these conditions.
And Cloud PCs can be configured to use multiple monitors by:
1. Opening the Remote Desktop client downloaded from the Cloud PC portal for the PC in question.
2. In the Remote Desktop client, right-click the icon for the Cloud PC you're trying to access, then click Settings.
3. In the settings sidebar to the right, toggle off "Use default settings" to expose more options (see attached image).
4. Set your display settings as desired.
5. Under "Cloud apps or actions" in Require MFA for all users (if you have this enabled), exclude "Windows 365" (assuming you include "All cloud apps"), so it does not block the Remote Desktop app from connecting since it can't respond to MFA.
Now, to figure out how to deploy Visual Studio and Visual Studio Code from Intune to Cloud PCs.
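The difference between "Require all the selected controls" and "Require one of the selected controls" described in the post, and the effect of excluding an app from a policy, can be checked with a small model. This is an added example, not part of the original post and not Microsoft's evaluation engine. The policy dictionaries use the Microsoft Graph `conditionalAccessPolicy` field names; the app IDs, policy names and sign-in contexts are constructed placeholders.

```python
# Simplified model of Conditional Access grant-control evaluation (added example).
# Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# app IDs and display names are constructed placeholders, not real values.

W365_APP = "windows-365-app-id-placeholder"
OTHER_APP = "some-other-app-id-placeholder"

DEVICE_POLICY = {
    "displayName": "Require MFA and compliant device",
    "conditions": {"applications": {"includeApplications": ["All"],
                                    "excludeApplications": []}},
    # "AND" corresponds to "Require all the selected controls"
    "grantControls": {"operator": "AND",
                      "builtInControls": ["mfa", "compliantDevice"]},
}

MFA_POLICY = {
    "displayName": "Require MFA for all users",
    "conditions": {"applications": {"includeApplications": ["All"],
                                    "excludeApplications": [W365_APP]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def applies(policy, app_id):
    """A policy is in scope unless the target app is explicitly excluded."""
    apps = policy["conditions"]["applications"]
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included


def grant_ok(policy, satisfied):
    """AND needs every listed control; OR needs at least one."""
    grant = policy["grantControls"]
    met = [control in satisfied for control in grant["builtInControls"]]
    return all(met) if grant["operator"] == "AND" else any(met)


def evaluate(policies, app_id, satisfied):
    """Return (allowed, names of in-scope policies whose controls were not met)."""
    failed = [p["displayName"] for p in policies
              if applies(p, app_id) and not grant_ok(p, satisfied)]
    return (not failed, failed)


if __name__ == "__main__":
    # Personal computer: user completes MFA, device is not compliant.
    print(evaluate([DEVICE_POLICY], OTHER_APP, {"mfa"}))
    # Cloud PC: MFA completed and device marked compliant.
    print(evaluate([DEVICE_POLICY], OTHER_APP, {"mfa", "compliantDevice"}))
```

Running the same check against exported tenant policies before enabling them shows which sign-in scenarios a change to the operator or the exclusion list would open or close.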