Feb 01 2024 12:52 AM
Hello,
We are setting up Windows 11 Entra ID joined personal session hosts in Azure Virtual Desktop. In the Microsoft docs it's recommended to assign the 'Virtual Machine User Login' role to the user group at the resource group level: https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-ad-joined-session-hosts?source=recomme...
Even if a user is assigned to an individual session host, the user can see all the VMs from the Azure portal and is able to log in to any machine, as the 'VM user login' role is assigned at the resource group level.
We can assign this role to an individual VM as well, but it's manual work every time: after spinning up a machine, assign the user to that specific resource.
A similar recommendation was given for the 'VM administrator login' role; if you assign this role at the resource group level, the user can log in to any machine that is visible from the Azure portal with admin login.
Users usually wouldn't log in to the Azure portal, but still, isn't it a security risk giving a user access to all resources? I think the recommendation of giving access at the resource group level isn't convincing to me.
Has anyone set up personal Win11 Entra ID joined hosts managed through Intune and have recommendations around the RBAC design?
Thanks
Naveen. S
Jun 23 2024 11:02 PM
Hi @NKC25,
Your concerns about assigning roles at the resource group level and the potential security risks are valid. Here are some recommendations to address these concerns while maintaining a secure and manageable environment.
To mitigate the security risks associated with assigning roles at the resource group level, consider these alternatives:
A. Dynamic Groups and Azure Policies:
B. Automation with Azure Functions and Logic Apps:
Ensure that only the necessary permissions are granted to users:
A. Custom Roles:
B. Conditional Access Policies:
Implement monitoring and auditing practices to track access and ensure compliance:
A. Azure Monitor and Log Analytics:
B. Azure Security Center:
Dynamic Groups:
Automation:
Custom Roles:
Conditional Access:
Monitoring and Alerts:
By implementing these recommendations, you can maintain a secure and efficient RBAC design for your Azure Virtual Desktop environment. These measures will help ensure that users have the necessary access without exposing other resources to potential risks.
I hope these suggestions help! Feel free to reach out if you have further questions or need additional assistance.
Best regards,
Daniel
Jul 14 2024 05:38 AM
Sep 03 2024 01:36 AM
Hi @DTB ,
Thank you for the valuable suggestions. I have chosen the custom roles, where just the action roles are added and the visible roles are removed, for both user logins and admin logins.
Regards,
Naveen. S
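The approach settled on in this thread, a custom login role that keeps only the login DataActions and drops the read Actions, assigned on one session host rather than the resource group, as an added Azure CLI example that is not code from the thread. The subscription id, resource group, VM name and group object id are placeholders, and the DataAction names are those of the built-in Virtual Machine User Login and Virtual Machine Administrator Login roles; that a DataAction-only role is enough for the login is the OP's reported result, assumed here.

```shell
# Added example, not from the thread. Placeholders: subscription id, resource
# group, VM name and Entra group object id. DataActions come from the built-in
# VM User/Administrator Login roles; their read Actions are deliberately omitted.
set -e

SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"  # placeholder
RG="rg-avd-personal"                                    # placeholder
GROUP_OBJECT_ID="11111111-1111-1111-1111-111111111111"  # placeholder: AVD users group

# Scope string for one session host, so the assignment never covers the whole
# resource group.
vm_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$1" "$2" "$3"
}

# Custom role definition with the login DataAction only and no Actions, so the
# principal can log in but cannot list or read the VM resource in the portal.
# $1 = role name, $2 = "user" or "admin".
login_role_json() {
  local name="$1" kind="$2" data_actions='"Microsoft.Compute/virtualMachines/login/action"'
  if [ "$kind" = "admin" ]; then
    data_actions="$data_actions, \"Microsoft.Compute/virtualMachines/loginAsAdmin/action\""
  fi
  cat <<EOF
{
  "Name": "$name",
  "IsCustom": true,
  "Description": "Entra ID login to a session host without read access to the VM resource",
  "Actions": [],
  "NotActions": [],
  "DataActions": [ $data_actions ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID" ]
}
EOF
}

# Create both roles once, then grant the user role on a single VM. Needs an
# authenticated Azure CLI session; run it after each new host is provisioned.
create_and_assign() {
  local vm="$1"
  login_role_json "AVD Session Host User Login (no read)" user > /tmp/avd-user-login.json
  login_role_json "AVD Session Host Admin Login (no read)" admin > /tmp/avd-admin-login.json
  az role definition create --role-definition @/tmp/avd-user-login.json
  az role definition create --role-definition @/tmp/avd-admin-login.json
  az role assignment create --assignee-object-id "$GROUP_OBJECT_ID" \
    --assignee-principal-type Group \
    --role "AVD Session Host User Login (no read)" \
    --scope "$(vm_scope "$SUBSCRIPTION_ID" "$RG" "$vm")"
}
```

Call `create_and_assign <vm-name>` from whatever provisions the host; the role definition creates only need to succeed the first time, after which only the per-VM assignment runs.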