Dec 11 2022 09:01 AM - edited Dec 11 2022 09:02 AM
Hello All,
We are a 100% cloud-based startup with no on-premises network to speak of, and we are hiring remote developers. How do we ensure that the Azure AD credentials we provision for the developers can only sign into the Windows 365 Cloud PC assigned to them, so they do their work only within this provisioned environment and are prevented from simply installing dev tools (such as VS Code, Visual Studio, etc.) on their local computers and signing into those tools directly (outside of the Windows 365 environment), which can introduce all sorts of vulnerabilities into our code?
Also, any tips on extending Windows 365 to multiple monitors?
Thanks,
Dec 12 2022 05:45 PM
Dec 14 2022 02:54 PM
@techiegz - We also have an example of creating a Conditional Access policy to require that users access a specific AAD-based application from within their Cloud PC (in this case, Restrict Office 365 services to Cloud PCs), using the Filters control (currently in preview) in Azure AD Conditional Access. Let me know if those help!
Dec 15 2022 12:15 AM
Dec 29 2022 07:11 AM - edited Dec 30 2022 05:19 AM
I guess I answered my own question once users started reaching out that they could no longer access the environment on their personal computers after I configured a device-based Conditional Access policy with "Grant access" requiring the following. This prevented access from users' personal computers, since those aren't AAD joined/owned/managed by the org and hence will never be compliant:
In the device-based Conditional Access settings, under "Control access enforcement to block or grant access.", select the following:
Grant access
MFA (no org should do without this)
Device marked as compliant (this is required for this purpose)
App protection policy (this is optional for this purpose but enabling it alone apparently prevented access too. I guess because the users' computers have to be able to have these policies executed, which isn't possible on computers not managed by the org)
And under "For multiple controls" select:
Require all the selected controls (if you require one, they can access just by having only MFA)
This restricts access to anything in the environment, including apps and even access to any web portal. And as long as you have Cloud PCs assigned to the users, they can access your environment there because they should meet these conditions.
And Cloud PCs can be configured to use multiple monitors by:
1. Opening the Remote Desktop client downloaded from the Cloud PC portal for the PC in question.
2. In the Remote Desktop client, right-click the icon for the Cloud PC you're trying to access, then click Settings.
3. In the settings sidebar to the right, toggle off "Use default settings" to expose more options (see attached image).
4. Set your display settings as desired.
5. Under "Cloud apps or actions" in Require MFA for all users (if you have this enabled), exclude "Windows 365" (assuming you include "All cloud apps"), so it does not block the Remote Desktop app from connecting since it can't respond to MFA.
Now, to figure out how to deploy Visual Studio and Visual Studio Code from Intune to Cloud PCs.
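The grant controls described in the post above (MFA, compliant device and app protection policy, with "Require all the selected controls"), expressed as a Microsoft Graph PowerShell script. This is an added example, not code from the thread or from Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin holds Policy.ReadWrite.ConditionalAccess, that there is an emergency-access account to exclude (the UPN below is a placeholder), and that the Windows 365 first-party app can be located by the display name "Windows 365" (an assumption; verify in your tenant rather than hard-coding an app ID). Mirroring step 5 of the post, the Windows 365 app is excluded so the Remote Desktop client on the user's own computer can still reach the Cloud PC; every other app is then only reachable from the Intune-managed, compliant Cloud PC.

```powershell
# Added example: create the "MFA + compliant device + app protection, require all" policy.
# Assumptions: Microsoft.Graph module present; admin has Policy.ReadWrite.ConditionalAccess;
# $breakGlassUpn is a placeholder for your own emergency-access account;
# the Windows 365 service principal is resolved by display name (assumed to be 'Windows 365').
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'User.Read.All'

# Always exclude at least one break-glass account so a misconfigured policy cannot lock out all admins.
$breakGlassUpn = 'breakglass@contoso.example'    # placeholder, replace with your real account
$breakGlass = Get-MgUser -UserId $breakGlassUpn -ErrorAction Stop

# Resolve the Windows 365 app dynamically instead of trusting a remembered GUID.
$w365 = Get-MgServicePrincipal -Filter "displayName eq 'Windows 365'" -ErrorAction Stop
if (-not $w365) { throw "Windows 365 service principal not found; check the display name in your tenant." }

$policy = @{
    displayName   = 'Devs: require MFA + compliant device + app protection (all controls)'
    # Start in report-only mode, review the sign-in log for what *would* be blocked, then set to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{
            includeApplications = @('All')
            # Excluding Windows 365 lets the Remote Desktop client on an unmanaged PC connect to the
            # Cloud PC; everything else is then only reachable from the compliant Cloud PC itself.
            excludeApplications = @($w365.AppId)
        }
    }
    grantControls = @{
        # 'AND' is the API equivalent of "Require all the selected controls".
        # 'compliantApplication' is the built-in control shown as "Require app protection policy".
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice', 'compliantApplication')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Sanity check: read the policy back and confirm the operator really is AND, since an 'OR' policy
# would let a personal laptop in with MFA alone, as the post notes.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.Operator -ne 'AND') { throw 'Policy operator is not AND; unmanaged devices would pass with MFA only.' }
```

Leave the policy in report-only mode for a few days and inspect the Azure AD sign-in log (Conditional Access tab) before switching `state` to `enabled`; once enforced, a Cloud PC that drops out of Intune compliance (for example after a missed update) will lock its developer out of every app except the Cloud PC connection itself, so the compliance policy assigned to the Cloud PCs should be tested first.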
Dec 29 2022 07:47 AM
Dec 29 2022 07:50 AM