May 07 2024 03:31 AM
Hi all,
From my understanding AVD uses port 443 (HTTPS) to connect users to their virtualized environment. However, I have noticed that AVD automatically adds users to the Remote Desktop Users Group, which is meant originally for port 3389 (RDP). I spoke with a Microsoft Support Specialist regarding this and it was mentioned this was used as a break-glass method in case users cannot connect through 443. My question is then, is it necessary to have users added to the Remote Desktop Users Group? And is there any way we could stop the automation in adding users to that group?
Best Regards
Xerxes
May 07 2024 01:23 PM
@XerxesH Just tested on an Azure Virtual Desktop host pool Entra ID join and you are right.
But my RDP direct access is also working without being part of the Remote Desktop Users Group, as soon as my Entra ID user has the Virtual Machine User Login role on the AVD VMs.
Why do you want to remove that automation mechanism?
Security purpose ?
May 07 2024 01:57 PM
Hi @jlou65535
Yes, correct! Thanks for verifying! When a user receives a session by opening a remote app or virtual desktop, they are automatically added to that group, giving them RDP access. In my opinion they should not be added to the group, as normal users should not have direct RDP to the session hosts; it does pose a security risk.
Best Regards
Xerxes Hansen
May 07 2024 05:58 PM
May 07 2024 11:53 PM
Hi @Kidd_Ip,
Absolutely. I was thinking Just-In-Time Access and/or restriction through firewall, but just wondering why that automatic procedure was there in the first place x) I find it weird to have to have a solution/work-around on something not in use (unless it is proven that it is). Thanks for the answers tho!
Best Regards
Xerxes
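The thread leaves open whether the automatic addition can be switched off, so a practical fallback is to watch the group instead. The following is an added example, not code from anyone in this thread or from Microsoft: a PowerShell script that lists the current members of the local Remote Desktop Users group on a session host and pulls recent Security-log events for additions to it. It assumes it runs elevated on the session host itself, that the "Audit Security Group Management" subcategory is enabled (otherwise event 4732 is never written), and the 24-hour lookback window is an arbitrary choice.

```powershell
# Added example (not from this thread): audit the local "Remote Desktop Users"
# group on an AVD session host and report who was added to it recently.
# Assumptions: run elevated on the session host; Security Group Management
# auditing is enabled; the lookback window below is an arbitrary choice.

$GroupName     = 'Remote Desktop Users'
$LookbackHours = 24

# 1. Who is in the group right now? Compare this against the members you expect
#    (typically only admins or a management group, not end users).
Write-Host "Current members of '$GroupName':"
Get-LocalGroupMember -Group $GroupName |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Who was added recently, and by which account?
#    Event ID 4732 = "A member was added to a security-enabled local group".
#    TargetUserName holds the group name; SubjectUserName is the account that
#    performed the addition, which tells you whether it was the AVD agent
#    (running as the machine account) or an interactive administrator.
$filter = @{
    LogName   = 'Security'
    Id        = 4732
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}

$additions = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only additions to the group we care about
        if ($data['TargetUserName'] -eq $GroupName) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                MemberSid  = $data['MemberSid']
                MemberName = $data['MemberName']   # often '-' for SID-only adds; resolve MemberSid if needed
                AddedBy    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }

if ($additions) {
    Write-Host "`nAdditions to '$GroupName' in the last $LookbackHours hours:"
    $additions | Format-Table -AutoSize
} else {
    Write-Host "`nNo additions to '$GroupName' logged in the last $LookbackHours hours (or auditing is not enabled)."
}
```

Running this periodically (or forwarding event 4732 for this group to a SIEM) gives a record of every principal that gains membership, which is the evidence you would want when deciding whether the group is actually used for anything beyond the break-glass path the support specialist described.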