cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Block Windows 365 portal-based Cloud PC sessions using Azure AD Conditional Access Policy

RavishankarN
Microsoft

‎Aug 30 2022 04:23 AM

‎Aug 30 2022 04:23 AM

Block Windows 365 portal-based Cloud PC sessions using Azure AD Conditional Access Policy

Disclaimer: This blog post is provided as-is without any support statements and is meant to be generic guidance on the scenario addressed here. It should not be taken as a prescriptive guidance. Please validate in your environment before configuring.

 

Windows 365 enables connectivity to Cloud PCs via a number of client applications that can be run in Windows, Android, iOS and Linux operating systems. Each client supports different features, as documented here Remote Desktop clients feature comparison | Microsoft Docs and depending on the application used, users might have different end user experience such as Teams audio-video optimization. Due this disparity, administrators might want to block access from certain clients to provide a consistent user experience across their user base.

 

In this article, we will take a look how to configure Azure Conditional Access to prevent users from connecting to their Cloud PC using in-browser RDP session, while allowing the users to login to the portal and use other capabilities such as restart, restore, rename etc.

 

This blog post uses the CA article here as reference Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Condition...

 

Create a conditional access policy with below configurations:

  1. User or workload identities – Include specific user(s) or group(s) for which the access needs to be blocked via HTML5 browser.
  2. Cloud apps or actions – Click on select under include view and search for Azure Virtual desktop (9cdead84-a844-4324-93f2-b2e6bb768d07) and add it. Click on exclude and add Windows 365 (0af06dc6-e4b5-4f28-818e-e78e62d137a5)
  3. Select Conditions, then Client Apps. In the Client Apps blade, set Configure to Yes and Select Browser option under Modern authentication clients list.
  4. Under Access controls section, select Grant and Block access

RavishankarN_0-1661581980137.png

 

Result

  • Users will be able to login to windows365.microsoft.com which allows them to perform actions such as restart but won’t be able to launch connection as shown below.

Windows 365 Web Portal

RavishankarN_1-1661581980163.png

When the user clicks the Open in browser option, they will the below screen in a new tab

RavishankarN_2-1661581980169.png

 

When the user launches the session from the RD Client, they will be able to successfully connect to the Cloud PC.

RavishankarN_3-1661581980177.png

 

RavishankarN_4-1661581980239.png

 

Labels:
3,201 Views
1 Like
2 Replies
Reply
2 Replies
_tricks

‎Aug 30 2022 10:38 AM

‎Aug 30 2022 10:38 AM

Re: Block Windows 365 portal-based Cloud PC sessions using Azure AD Conditional Access Policy

@RavishankarN, wow. you saved my life my friend or at least it is how it feels. Really wanted to provide users the ability to access that page and was afraid I was going to have to block it. Just tested it and it working beautifully. Hope soon there will be some changes to make it easier to sign user out of the w365 home/launch page. thanks again, this is great.
1 Like
Reply
RaMNerd73

‎Apr 16 2024 04:36 PM - edited ‎Apr 16 2024 06:22 PM

‎Apr 16 2024 04:36 PM - edited ‎Apr 16 2024 06:22 PM

Re: Block Windows 365 portal-based Cloud PC sessions using Azure AD Conditional Access Policy

@RavishankarN - I am getting a different result, I am completely blocked from accessing user action. Was this changed? Is there a way to access user action but block portal access?

 

RaMNerd73_0-1713316951477.png

 

 

 

 

Thanks

0 Likes
Reply