SOLVED

RBAC design for Azure virtual desktop personal session hosts Win11 EntraID joined


Hello,

We are setting up Windows 11 Entra ID joined personal session hosts in Azure Virtual Desktop. In the Microsoft docs it's recommended to assign the 'Virtual Machine User Login' role to the user group at resource group level: https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-ad-joined-session-hosts?source=recomme...

Even if a user is assigned to an individual session host, the user can see all the VMs from the Azure portal and is able to log in to any machine, as the 'VM User Login' role is assigned at resource group level.

We can assign this role to an individual VM as well, but it's manual work: every time after spinning up a machine we have to assign the user to that specific resource.

A similar recommendation is given for the 'VM Administrator Login' role; if you assign this role at resource group level, the user can log in with admin rights to any machine that is visible in the Azure portal.

Users usually wouldn't log in to the Azure portal, but isn't it still a security risk to give a user access to all resources? The recommendation of granting access at resource group level isn't convincing to me.

Has anyone set up personal Win11 Entra ID joined session hosts managed through Intune, and do you have recommendations around the RBAC design?

Thanks

Naveen. S

3 Replies
best response confirmed by NKC25 (Brass Contributor)
Solution

Hi @NKC25,

Your concerns about assigning roles at the resource group level and the potential security risks are valid. Here are some recommendations to address these concerns while maintaining a secure and manageable environment.

Current Concerns

  1. Visibility and Access: Assigning the 'Virtual Machine User Login' or 'Virtual Machine Administrator Login' roles at the resource group level allows users to see and potentially access all VMs within the resource group.
  2. Security Risks: Users could gain access to VMs they should not have permissions for, posing a security risk.

Recommendations

1. Fine-Grained Access Control

To mitigate the security risks associated with assigning roles at the resource group level, consider these alternatives:

A. Dynamic Groups and Azure Policies:

  • Dynamic User Groups: Use dynamic groups in Entra ID to automatically add users to groups based on attributes. These groups can then be assigned the necessary roles at the individual VM level.
  • Azure Policies: Implement Azure policies to enforce role assignments. For example, a policy can be created to automatically assign the 'Virtual Machine user login' role to users for new VMs based on predefined criteria.

B. Automation with Azure Functions and Logic Apps:

  • Azure Functions: Create an Azure Function that runs whenever a new VM is created. This function can automatically assign the appropriate RBAC roles to the specific VM.
  • Logic Apps: Use Logic Apps to automate the process of role assignments based on triggers such as VM creation.

2. Secure Role Assignment

Ensure that only the necessary permissions are granted to users:

A. Custom Roles:

  • Create Custom Roles: Define custom roles with only the required permissions. For instance, create a custom role that allows login but restricts other actions.
  • Assign Custom Roles: Assign these custom roles to users at the VM level, ensuring they only have the permissions they need.

B. Conditional Access Policies:

  • Conditional Access: Implement conditional access policies to restrict access based on conditions such as user location, device compliance, and risk level.
  • Access Reviews: Regularly conduct access reviews to ensure that users only have the necessary permissions.

3. Monitoring and Auditing

Implement monitoring and auditing practices to track access and ensure compliance:

A. Azure Monitor and Log Analytics:

  • Monitor Access: Use Azure Monitor and Log Analytics to track login attempts and access patterns.
  • Alerts: Set up alerts for unusual or unauthorized access attempts.

B. Azure Security Center:

  • Security Recommendations: Utilize Azure Security Center to get security recommendations and alerts.
  • Compliance: Ensure compliance with your organization's security policies and regulatory requirements.

Practical Steps

  1. Dynamic Groups:

    • Configure dynamic groups in Entra ID to automatically add users to appropriate groups based on their attributes.
  2. Automation:

    • Develop Azure Functions or Logic Apps to automate role assignments for new VMs.
  3. Custom Roles:

    • Define and assign custom roles with the minimum necessary permissions.
  4. Conditional Access:

    • Implement conditional access policies to enhance security.
  5. Monitoring and Alerts:

    • Set up Azure Monitor, Log Analytics, and Security Center to track and manage access.

By implementing these recommendations, you can maintain a secure and efficient RBAC design for your Azure Virtual Desktop environment. These measures will help ensure that users have the necessary access without exposing other resources to potential risks.

I hope these suggestions help! Feel free to reach out if you have further questions or need additional assistance.

Best regards,

Daniel
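The per-VM assignment that the answer above suggests automating, as an added example (not code from the original thread and not Microsoft's): a PowerShell script that reads each personal session host's assigned user from the host pool and grants 'Virtual Machine User Login' at the scope of that one VM, revoking it from anyone else who holds it at VM scope. It assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules, an existing Connect-AzAccount session with rights to manage role assignments on the VMs (User Access Administrator or equivalent), and placeholder resource group and host pool names; run it after provisioning or on a schedule (for example from an Automation runbook) so the role never has to be granted at resource group level.

```powershell
# Added example, not from the original post. Keeps 'Virtual Machine User Login'
# assignments on a personal AVD host pool in sync with the session host's assigned user,
# always at VM scope. Resource group, host pool and role name are placeholders.
param(
    [string]$ResourceGroupName = 'rg-avd-personal',
    [string]$HostPoolName      = 'hp-personal-win11',
    [string]$RoleName          = 'Virtual Machine User Login'
)

$ErrorActionPreference = 'Stop'

# Personal host pools expose the assigned user's UPN and the VM's ARM id on each session host.
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName

foreach ($sh in $sessionHosts) {
    $vmId = $sh.ResourceId        # ARM id of the underlying VM; this is the assignment scope
    $upn  = $sh.AssignedUser

    # Direct assignments of the role at this VM only. Get-AzRoleAssignment also returns
    # inherited (resource group / subscription) assignments, so filter on Scope.
    $current = Get-AzRoleAssignment -Scope $vmId -RoleDefinitionName $RoleName |
        Where-Object { $_.Scope -eq $vmId -and $_.ObjectType -eq 'User' }

    if ([string]::IsNullOrEmpty($upn)) {
        # Unassigned host: nobody should be able to log on to it.
        foreach ($ra in $current) {
            Write-Host "Removing $RoleName for $($ra.SignInName) from $($sh.Name) (host is unassigned)"
            Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName $RoleName -Scope $vmId
        }
        continue
    }

    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) {
        Write-Warning "Assigned user $upn not found in Entra ID; skipping $($sh.Name)"
        continue
    }

    # Revoke the role from anyone other than the assigned user (for example after a reassignment).
    foreach ($ra in ($current | Where-Object { $_.ObjectId -ne $user.Id })) {
        Write-Host "Removing $RoleName for $($ra.SignInName) from $($sh.Name)"
        Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName $RoleName -Scope $vmId
    }

    # Grant at VM scope only if it is not already there (idempotent, safe to rerun).
    if (-not ($current | Where-Object { $_.ObjectId -eq $user.Id })) {
        Write-Host "Granting $RoleName to $upn on $($sh.Name)"
        New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $vmId | Out-Null
    }
}
```

Because the script only touches assignments whose Scope equals the VM id, an existing resource-group-level grant is left alone and still wins; remove that broad assignment by hand once the per-VM assignments are in place, otherwise nothing has been tightened. The user's Desktop Virtualization User assignment on the application group, which controls what shows up in the Remote Desktop feed, is a separate grant and is not changed here.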

 

@NKC25

You may consider RBAC, Intune plus Conditional Access.

Hi @DTB,

Thank you for the valuable suggestions. I have chosen custom roles, where just the action roles are added and the visible roles are removed, for both user logins and admin logins!

 

Regards,

Naveen. S
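What the 'Custom Roles' point in the accepted answer and Naveen's final reply describe, as an added example (not code from the original thread): two custom roles that keep only the login DataActions of the built-in 'Virtual Machine User Login' and 'Virtual Machine Administrator Login' roles and drop their read Actions (Microsoft.Compute/virtualMachines/*/read and the network reads), so a user the role is assigned to can RDP to that VM but cannot enumerate VMs in the portal. It assumes Az.Resources, a Connect-AzAccount session with rights to create role definitions at subscription scope, and placeholder role names; the role names, the helper function and the commented assignment at the end are mine.

```powershell
# Added example, not from the original post. Creates "login only" custom roles that carry
# no control-plane read permissions, so assigned users cannot list VMs in the portal.
$ErrorActionPreference = 'Stop'
$subscriptionId = (Get-AzContext).Subscription.Id

# What the built-in roles carry: the read Actions are what make VMs visible in the portal;
# the DataActions are what the Entra ID logon check on the session host evaluates.
foreach ($name in 'Virtual Machine User Login', 'Virtual Machine Administrator Login') {
    $r = Get-AzRoleDefinition -Name $name
    Write-Host "$name`n  Actions:     $($r.Actions -join ', ')`n  DataActions: $($r.DataActions -join ', ')"
}

function New-LoginOnlyRole {
    param(
        [Parameter(Mandatory)][string]$Name,          # placeholder name, chosen for this example
        [Parameter(Mandatory)][string[]]$DataActions, # login data actions to keep
        [Parameter(Mandatory)][string]$Description
    )
    if (Get-AzRoleDefinition -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "Role '$Name' already exists"
        return
    }
    # Use the built-in role object as a template, then strip everything but the login data actions.
    $role = Get-AzRoleDefinition -Name 'Virtual Machine User Login'
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $Name
    $role.Description = $Description
    $role.Actions.Clear()            # no Microsoft.Compute/virtualMachines/*/read, no network reads
    $role.NotActions.Clear()
    $role.DataActions.Clear()
    foreach ($da in $DataActions) { $role.DataActions.Add($da) }
    $role.NotDataActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$subscriptionId")
    New-AzRoleDefinition -Role $role
}

$userActions  = @('Microsoft.Compute/virtualMachines/login/action')
$adminActions = @('Microsoft.Compute/virtualMachines/login/action',
                  'Microsoft.Compute/virtualMachines/loginAsAdmin/action')

New-LoginOnlyRole -Name 'AVD Session Host User Login (no portal visibility)' `
    -DataActions $userActions `
    -Description 'RDP as a standard user via Entra ID; cannot enumerate VMs in the portal'

New-LoginOnlyRole -Name 'AVD Session Host Admin Login (no portal visibility)' `
    -DataActions $adminActions `
    -Description 'RDP as local administrator via Entra ID; cannot enumerate VMs in the portal'

# Assign at VM scope, never at resource group scope (placeholders):
# $vmId = (Get-AzVM -ResourceGroupName 'rg-avd-personal' -Name 'vm-avd-01').Id
# New-AzRoleAssignment -SignInName 'user@contoso.com' `
#     -RoleDefinitionName 'AVD Session Host User Login (no portal visibility)' -Scope $vmId
```

Check one host before rolling this out: assign only the custom role at VM scope to a test account, confirm an Entra ID RDP logon succeeds and that the VM is absent from that account's portal view, and only then remove the built-in role from the resource group. The admin variant keeps both data actions because loginAsAdmin/action on its own does not authorise the logon itself.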
