Conditional Access per HostPool or RDP properties conditional on clients

Occasional Contributor

Good day all,

I am struggling with the RDP properties of our different host pools. Corporate policy states that nothing should be able to be redirected from the local device. Which is fine, and for the Full Desktop publishing we have configured this so on the host pool in RDP properties. However, now we have a separate host pool for a remote app. This remote app I would only like to be able to connect to from the desktop host pool (nested) and not from the local device. As this is a Remote App, the users need to interact with this application with the clipboard.
So I want to know if there is a method, and if not, request a feature to make this possible.
With kind regards,

1 Reply
Not currently supported at all, and (at least from whenever we've asked support/TAM/other contacts about this exact functionality over the past few months) doesn't seem like it's going to be a platform feature anytime soon. We have a very similar use case - would really, really like to be able to allow certain redirections if accessing AVD from a corporate/Intune-compliant device and blanket deny otherwise.

We are running into a number of compliance considerations which start to become really hard to accommodate in a larger, more mixed, environment related to this.

AVD seems like it would be a prime use case for the new AAD Conditional Access Authentication Context functionality that's been in public preview for a few months ... haven't seen or heard anything about if there are any plans for AVD to support that any time soon.