Restricting Remote Access


Hi,

Our current setup is with local RDS.

Users can log into the gateway, but when they attempt to connect to a session host then either:

1) If they're on the local network, they can log straight in.

2) They're remote so have to use DUO 2FA to get in, and only some users have DUO, effectively preventing remote access for everyone else.

Is there any way to replicate this kind of setup with WVD?

1 Reply

@OffColour1972 : Based off your immediate description, you can likely solve this by using a two-step process, both of which use Azure AD Conditional Access:

1. Require MFA for all connections to the Windows Virtual Desktop Azure AD application.

2. In that policy, make an exception for IP addresses coming from your corporate network. This specific article blocks based off IP, but is a good starter to get familiar with the policy (https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location)
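
The two steps in the reply above, sketched with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original reply; the CIDR range, display names and the `<WVD-APPLICATION-ID>` placeholder are assumptions to replace with your tenant's values.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and a role allowed
# to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholders (assumptions, not values from the thread).
$corpCidr = '203.0.113.0/24'         # constructed sample from the documentation range
$wvdAppId = '<WVD-APPLICATION-ID>'   # ID of the Windows Virtual Desktop app in your tenant

# Step 2 of the reply: describe the corporate network as a named location.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $corpCidr }
    )
}

# Step 1 of the reply: require MFA for the WVD application from every location
# except the named location created above.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'WVD - require MFA outside corporate network'
    # Report-only first; change to 'enabled' after reviewing the sign-in logs.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All') }
        applications = @{ includeApplications = @($wvdAppId) }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
```

The location exclusion matches the public source IP that Azure AD sees at sign-in, so the range must be the corporate network's internet egress (NAT) addresses, not internal private addresses.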