Conditional Access for Windows 365


Hello All,

 

We are a 100% cloud-based startup with no on-premises network to speak of, and we are hiring remote developers. How do we ensure that the Azure AD credentials we provision for the developers can only sign into the Windows 365 Cloud PCs assigned to them, so they can do their work only within this provisioned environment and are prevented from simply installing dev tools (such as VS Code, Visual Studio, etc.) on their local computers and signing in on those tools directly (outside of the Windows 365 environment), which can introduce all sorts of vulnerabilities into our code?

 

Also, any tips on extending Windows 365 to multiple monitors?

 

Thanks,

6 Replies
There is documentation for CAP (Conditional Access policies) for Windows 365: https://learn.microsoft.com/en-us/windows-365/enterprise/set-conditional-access-policies. Make sure you run What If to see whether it's giving you the desired outcome.

@techiegz - We also have an example of creating a Conditional Access policy to require that users access a specific AAD-based application from within their Cloud PC (in this case, Restrict Office 365 services to Cloud PCs), using the Filters control (currently in preview) in Azure AD Conditional Access. Let me know if those help!

I guess I answered my own question once users started reaching out that they could no longer access the environment on their personal computers after I configured a device-based Conditional Access policy with "Grant access" requiring the following. This prevented access from users' personal computers, since they aren't AAD joined/owned/managed by the org and hence will never be compliant:

 

In the device-based Conditional Access settings, under "Control access enforcement to block or grant access.", select the following:

Grant access
MFA (no org should do without this)
Device marked as compliant (this is required for this purpose)
App protection policy (this is optional for this purpose, but enabling it alone apparently prevented access too. I guess because the users' computers have to be able to have these policies executed, which isn't possible on computers not managed by the org)

And under "For multiple controls" select:
Require all the selected controls (if you require only one, they can get access just by having MFA)

This restricts access to anything in the environment, including apps and even access to any web portal. And as long as you have Cloud PCs assigned to the users, they can access your environment there because they should meet these conditions.

 

And Cloud PCs can be configured to use multiple monitors by:

1. Opening the Remote Desktop client downloaded from the Cloud PC portal for the PC in question.

2. In the Remote Desktop client, right-click the icon for the Cloud PC you're trying to access, then click Settings.

3. In the settings sidebar to the right, toggle off "Use default settings" to expose more options (see attached image).

4. Set your display settings as desired.

5. Under "Cloud apps or actions" in "Require MFA for all users" (if you have this enabled), exclude "Windows 365" (assuming you include "All cloud apps"), so it does not block the Remote Desktop app from connecting, since it can't respond to MFA.


 


 
And here's my Cloud PC on 3 monitors via the Remote Desktop app (reminds me that I still need to block the ability to capture screenshots... LOL):

Now, to figure out how to deploy Visual Studio and Visual Studio Code from Intune to Cloud PCs.
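As an added example (this is not code from the thread or from Microsoft's documentation), here are the two policies described in the reply above expressed with the Microsoft Graph PowerShell SDK: the device-based grant policy (MFA, compliant device and app protection policy, all required) scoped to the developer accounts, and the tenant-wide MFA policy with the Windows 365 app excluded. Both are created in report-only state so the result can be checked in the sign-in logs or with What If before enforcement. The group names "Remote Developers" and "Break Glass Accounts", the assumption that the Microsoft.Graph modules are installed, and the lookup of the "Windows 365" service principal by display name are all assumptions, not details from the page.

```powershell
# Added example, not from the original thread. Creates the two Conditional
# Access policies discussed above via Microsoft Graph PowerShell.
# Assumptions (not on the page): Microsoft.Graph modules are installed, the
# signed-in admin holds Policy.ReadWrite.ConditionalAccess, and the two
# groups named below exist. Adjust the names to your tenant.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "Application.Read.All"

function Get-GroupId([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'" -Property Id
    if (-not $g) { throw "Group '$Name' not found" }
    return $g.Id
}

function Get-AppId([string]$DisplayName) {
    # Conditional Access include/exclude lists take the appId, which lives on
    # the app's service principal. The display name "Windows 365" is assumed;
    # if the lookup fails, take the appId from Microsoft's documentation.
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'" -Property AppId
    if (-not $sp) { throw "Service principal '$DisplayName' not found" }
    return $sp.AppId
}

$devGroup   = Get-GroupId "Remote Developers"     # assumed group name
$breakGlass = Get-GroupId "Break Glass Accounts"  # assumed group name; always excluded

# Policy 1: the grant policy from the post. operator "AND" is the portal's
# "Require all the selected controls"; mfa, compliantDevice and
# compliantApplication are the Graph names for MFA, "Device marked as
# compliant" and "App protection policy". A personal, unmanaged laptop can
# never satisfy compliantDevice, so only the Intune-enrolled Cloud PC passes.
$grantPolicy = @{
    displayName = "Developers: require compliant device (Cloud PC) for all apps"
    state       = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions  = @{
        users = @{
            includeGroups = @($devGroup)
            excludeGroups = @($breakGlass)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice", "compliantApplication")
    }
}

# Policy 2: "Require MFA for all users" with the Windows 365 app excluded,
# as in step 5 of the post.
$w365AppId = Get-AppId "Windows 365"
$mfaPolicy = @{
    displayName = "All users: require MFA (Windows 365 excluded)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass)
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @($w365AppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

foreach ($policy in @($grantPolicy, $mfaPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only state until the sign-in logs (Conditional Access tab) show a developer account failing Policy 1 from an unmanaged laptop and passing it from the Cloud PC; then flip `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Excluding a break-glass group from every policy is what keeps an admin from being locked out by a compliance check the admin's own device cannot meet.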

 

Thanks for the resource. I was able to figure it out with device-based Conditional Access policies as detailed below. What I did also worked for restricting access to anything in the environment, including apps and even access to any portal.