SOLVED

What Conditional Access controls for WVD with staff on secondment?


What's the ideal pattern for this scenario -


"as-is" - All my users at contoso.com have hybrid domain-joined Windows 10 laptops. All Cloud apps are protected by multiple Conditional Access rules. One of these is a block rule unless the device is hybrid Azure AD joined.


"to-be" - users are seconded to fabrikam.com and I want them to use Windows Virtual Desktop from within an Edge browser running on that organisation's W10 laptops.

I want to have Conditional Access that allows my staff to get to the WVD and start a pooled desktop when working in fabrikam.com but I don't want them using WVD from home PC/internet cafe etc. 


So far, the only solution I've come up with is to exclude Windows Virtual Desktop app from the 'Block' on unknown device CA rule and have an 'allow' rule for the WVD app when the connecting IP address is in the public IP range of fabrikam.com.


Is there a more elegant solution??? TIA!


[Image attachment: Calum_L1_0-1603750902996.png]


1 Reply
best response confirmed by Eva Seydl (Microsoft)
Solution

@Calum_L1 If you had only 1 domain, it might be easier to just do an "allow" on managed devices. Not sure if all the devices are managed under the same AAD tenant. If they are, do try that out. If they are not, you are right about there not being a more elegant approach - your approach is the only one I can think of too.
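To make the two designs in this thread concrete (the asker's "exclude WVD from the device block, then gate WVD on fabrikam's public IP range" pattern, and the reply's single-tenant "allow on managed devices" alternative), here is an added example that is not part of the original thread and not Microsoft's evaluation engine. It is a small Python model of how Conditional Access scopes and evaluates policies: every enabled policy whose app and location conditions match a sign-in must have its grant controls satisfied, and a block control never passes. Because Conditional Access policies can only grant with controls or block, the asker's "allow WVD from fabrikam" rule is modelled as a block on the WVD app that excludes a fabrikam named location. The policy dicts loosely follow the Microsoft Graph conditionalAccessPolicy shape but are simplified; the application ids, named-location id and IP ranges are constructed placeholders, and the device-state handling is an assumption of the model rather than the real device filter semantics.

```python
"""Toy Conditional Access evaluator for the WVD secondment scenario.

Added example, not Microsoft's engine and not the poster's tenant config.
Ids, named locations and IP ranges below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Constructed identifiers (assumptions, not real tenant values).
WVD_APP = "app-id-windows-virtual-desktop-PLACEHOLDER"
MAIL_APP = "app-id-some-other-cloud-app-PLACEHOLDER"
FABRIKAM_LOCATION = "named-location-fabrikam-public-egress"

# A named location is the set of CIDR ranges a sign-in's source IP is matched against.
NAMED_LOCATIONS = {
    FABRIKAM_LOCATION: [ipaddress.ip_network("203.0.113.0/24")],  # RFC 5737 documentation range
}

# The asker's two-policy pattern. CA can only "grant with controls" or "block", so the
# "allow WVD from fabrikam" rule becomes a block on WVD that excludes the fabrikam location.
POLICIES = [
    {
        "displayName": "Require hybrid-joined device for all apps (WVD excluded)",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": [WVD_APP]},
            "locations": {"includeLocations": ["All"], "excludeLocations": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]},
    },
    {
        "displayName": "Block WVD except from fabrikam egress IPs",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": [WVD_APP], "excludeApplications": []},
            "locations": {"includeLocations": ["All"], "excludeLocations": [FABRIKAM_LOCATION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# The reply's single-tenant alternative: one policy, every app, managed devices only.
MANAGED_DEVICE_ONLY = [
    {
        "displayName": "Require managed device for all apps",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "locations": {"includeLocations": ["All"], "excludeLocations": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice", "compliantDevice"]},
    },
]


@dataclass
class SignIn:
    app: str
    source_ip: str
    hybrid_joined: bool      # device is hybrid Azure AD joined to the policy's tenant
    compliant: bool = False  # device is marked compliant by MDM in the policy's tenant


def in_location(ip: str, location: str) -> bool:
    """True if the source IP is inside the named location ("All" matches anything)."""
    if location == "All":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAMED_LOCATIONS.get(location, []))


def policy_applies(policy: dict, s: SignIn) -> bool:
    """Scope check: exclusions win over inclusions, for both apps and locations."""
    apps = policy["conditions"]["applications"]
    if s.app in apps["excludeApplications"]:
        return False
    if "All" not in apps["includeApplications"] and s.app not in apps["includeApplications"]:
        return False
    locs = policy["conditions"]["locations"]
    if any(in_location(s.source_ip, loc) for loc in locs["excludeLocations"]):
        return False
    return any(in_location(s.source_ip, loc) for loc in locs["includeLocations"])


def controls_satisfied(policy: dict, s: SignIn) -> bool:
    """A block control never passes; device controls pass on the device's state (model assumption)."""
    grant = policy["grantControls"]
    if "block" in grant["builtInControls"]:
        return False
    device_state = {"domainJoinedDevice": s.hybrid_joined, "compliantDevice": s.compliant}
    results = [device_state[c] for c in grant["builtInControls"]]
    return any(results) if grant["operator"] == "OR" else all(results)


def evaluate(policies: list, s: SignIn) -> tuple:
    """Every applicable enabled policy must be satisfied; returns (decision, failing policy names)."""
    failed = [p["displayName"] for p in policies
              if p["state"] == "enabled" and policy_applies(p, s) and not controls_satisfied(p, s)]
    return ("allow" if not failed else "block", failed)


if __name__ == "__main__":
    cases = {
        "fabrikam laptop on fabrikam network, WVD": SignIn(WVD_APP, "203.0.113.40", hybrid_joined=False),
        "fabrikam laptop at home, WVD": SignIn(WVD_APP, "198.51.100.7", hybrid_joined=False),
        "fabrikam laptop on fabrikam network, mail": SignIn(MAIL_APP, "203.0.113.40", hybrid_joined=False),
        "contoso laptop at home, WVD": SignIn(WVD_APP, "198.51.100.7", hybrid_joined=True),
    }
    for name, signin in cases.items():
        print(f"{name:44s} two-policy={evaluate(POLICIES, signin)[0]:5s} "
              f"managed-only={evaluate(MANAGED_DEVICE_ONLY, signin)[0]}")
```

Running the model shows why the reply hedges on "same AAD tenant": under the managed-device-only policy a fabrikam laptop is never hybrid joined or compliant in contoso's tenant, so it is blocked from WVD even on fabrikam's network, whereas the two-policy pattern admits it from fabrikam's egress range and blocks it elsewhere. The last case is worth checking against your own intent before deploying: with the policies exactly as described, a contoso hybrid-joined laptop is also blocked from WVD when it is off the fabrikam network, because the WVD block rule has no device exclusion. Keep in mind that an IP allow is a coarser control than device state, since anything that egresses through fabrikam's public range (guest Wi-Fi, a personal device on their LAN) will look the same to the policy, so sign-in log review for WVD from that range is a sensible compensating check.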