AAD joined session hosts can be RDP'ed to directly


We've recently set up AVD for a client and AAD joined their session hosts. When testing, one of the users found an interesting issue - AAD Joined hosts require Virtual Machine User Login RBAC assigned at the resource group level to allow them to log in. This also allows them to directly RDP from an on-prem network that has a Site-to-Site connection outside of AVD brokers. This allows users to find the IP of a machine and just log in to it, which would essentially throw the algorithms. This sounds like a gap in the solution. This doesn't happen on AD joined machines unless an Administrator tries to RDP.


Can someone let me know if we're missing anything here?

Thanks!

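The Virtual Machine User Login role decides who may authenticate to the host; it says nothing about which network path can reach TCP 3389. Because AVD clients reach session hosts through the broker's outbound reverse-connect channel, the hosts do not need inbound 3389 at all, so the usual mitigation for the situation described above is a network security group rule that denies inbound RDP ahead of the default AllowVnetInBound rule (the VirtualNetwork service tag covers address space reachable over a Site-to-Site gateway, which is why on-prem clients get through by default). The following Python model is an added example, not code from the original post or from Microsoft: it evaluates a constructed, simplified set of NSG inbound rules in priority order for a hypothetical on-prem client and shows the host exposed with the default rules and closed once the deny rule is present. The rule field names and the service-tag handling are simplifications I chose for the example, not the Azure API schema.

```python
import ipaddress

# Constructed, simplified rendering of the three default NSG inbound rules.
# Field names are this example's own, not the Azure NSG resource schema.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "dest_ports": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "dest_ports": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "dest_ports": "*"},
]

# Hypothetical custom rule: AVD reverse connect is outbound-only, so inbound
# RDP can be denied from every source without breaking broker-mediated sessions.
DENY_RDP_RULE = {"name": "DenyRdpInBound", "priority": 100, "access": "Deny",
                 "protocol": "Tcp", "source": "*", "dest_ports": "3389"}

# Constructed on-prem client address, assumed reachable via a Site-to-Site VPN.
ONPREM_CLIENT_IP = "10.50.1.20"


def _port_matches(spec, port):
    """Match a port against '*', 'N', 'N-M' or a comma-separated mix of those."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def _source_matches(spec, src_ip, vnet_reachable):
    """Match a source against '*', a CIDR, or the two service tags modelled here.

    Assumption: the VirtualNetwork tag covers on-prem ranges connected over a
    Site-to-Site gateway, so vnet_reachable=True means the tag matches them.
    AzureLoadBalancer never matches a user's client, and other tags are not
    modelled in this example.
    """
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return vnet_reachable
    if spec == "AzureLoadBalancer":
        return False
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # unmodelled service tag


def evaluate_inbound(rules, src_ip, port, protocol="Tcp", vnet_reachable=True):
    """Return (rule name, access) of the first rule, by ascending priority, that
    matches an inbound flow; NSG semantics are first-match wins, implicit deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _port_matches(rule["dest_ports"], port):
            continue
        if not _source_matches(rule["source"], src_ip, vnet_reachable):
            continue
        return rule["name"], rule["access"]
    return None, "Deny"


def rdp_reachable(rules, src_ip=ONPREM_CLIENT_IP):
    """True if an on-prem client can open TCP 3389 to a host behind these rules."""
    _, access = evaluate_inbound(rules, src_ip, 3389)
    return access == "Allow"


if __name__ == "__main__":
    print("default rules, RDP reachable:", rdp_reachable(DEFAULT_INBOUND_RULES))
    print("with deny rule, RDP reachable:",
          rdp_reachable(DEFAULT_INBOUND_RULES + [DENY_RDP_RULE]))
```

The deny rule only closes the direct path; the RBAC assignment still governs who can sign in through the broker, and scoping the Virtual Machine User Login role to individual VMs rather than the resource group would not by itself block direct RDP, since the role grants the same login right wherever it is scoped.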