Series 5: Episode 9 – AVD Zero to Hero: AVD Security
My name is Shabaz Darr, as ever I am the IT Geek. Welcome to what is episode nine, the penultimate episode of the Azure Virtual Desktop Zero to Hero series, and as I have been throughout this series, I am joined once again by my good friend Simon Lee. Hi Simon.

Hey Shabaz, how are we? How are you doing?

Good, just surviving this heat wave we've got in the UK at the moment. It is absolutely sweltering today.

I know. Don't get me wrong, it's been nice having some good weather. It's nice to have some nice weather, but it just needs to cool down, definitely, especially at nighttime.

Yeah. So, Simon, as I said, we're in episode nine, and in this episode I want to look at securing AVD. I think I mentioned it towards the end of last episode. Just to recap, last episode we looked at publishing applications; it was a very small episode, as this probably will be. What I want to look at specifically is securing the identity because, as I mentioned last episode, AVD is secure by nature. It's secure: you take away all the access to the broker and the gateway which you would normally have on premises with RDS, so you don't have to worry about leaving the RDS part open and all that rubbish. It's all taken away, and it's all very secure from a network perspective.
Obviously there are ways you can secure it more by putting in firewalls or third-party firewalls, stuff like that, but it's the identity piece which I really want to look at securing. What I'm planning on today is showing you how to secure AVD by creating a Conditional Access policy and forcing multi-factor authentication. Now, you may think, oh, that's quite standard, that's standard Microsoft 365, but in actual fact you can create Conditional Access policies specific to WVD or AVD. So it's not just enabling MFA for all Microsoft 365 applications; it's specifically for AVD. So what we'll do is jump into the portal, jump into Azure AD, and take a look at those steps.

Okay, cool, let's go for it.

So Simon, just before we move on with this episode and get on with our demo, I just wanted to do a quick shout-out to the sponsor of our video and our entire series, PolicyPak. A massive thank you to our sponsor for this video series, PolicyPak. PolicyPak is a modern desktop management platform for the anywhere workforce. PolicyPak provides a powerful policy creation, management and deployment framework that extends the policy management, security, automation and reporting capabilities found within Windows, Active Directory, unified endpoint management solutions, MDM providers, virtualization platforms and cloud services. PolicyPak comes with packs, each with its own set of customizable policies, that enable IT teams to solve today's
most significant desktop management challenges like remote work, Windows 10 management, GPO sprawl, ransomware, Group Policy management and more. PolicyPak lowers IT costs, increases security, improves compliance, reduces GPOs and puts the IT admin back in charge. PolicyPak has hundreds of customers and over a million deployed seats, is an Inc. 5000 recognized company and a G2 Crowd High Performer. For more information visit www.policypak.com and follow them on their Twitter page at PolicyPak. So yeah, Simon, that's just a bit about PolicyPak for those who don't know them. If you're not following them on Twitter, get following them and have a look at their website, but now let's get stuck into today's demo.

So Simon, here we are in the Microsoft Azure portal and we want to go to Azure Active Directory. We're back in the I am IT Geek portal, by the way. So we're going to create our Conditional Access policy in there. We want to get to the Conditional Access policy settings, so we go down to Security, and here we click on Conditional Access. We want to create a new policy and we'll just give it a name, so I'll call it AVD MFA, because that's what it's going to be used for. Then we go to Assignments. Now, looking at assignments, the best practice recommendation, and my own recommendation, is that you create a group and assign users to that group, and then that group is assigned to this; it's just easier for management.
And again you can make that group specifically for AVD MFA. So again, for simplicity's sake and for the purpose of this demo, I'm just going to click on All users. It gives you a warning there, but we're only going to be selecting a specific application, so we won't get locked out of our tenancy or anything like that, so we can leave that as it is. Okay, now next, I go to Cloud apps or actions. If I click on there, what we need to do is, again, we've got options here where we can go Cloud apps, User actions, or Authentication context, which is currently in preview. We're more concerned about Cloud apps, so we want to leave it on Cloud apps. But we want to include specific applications so, rather than doing All cloud apps like we did All users, we want to select specific applications, and here's where we can search for the specific applications. Now, for whatever reason, in my tenancy (I'm sure there's a reason for it; they've probably missed a step somewhere) there should be two, or at least one, Azure Virtual Desktop application in here, but mine still has the old version. So if I type in Windows, it's there: Windows Virtual Desktop. If you type in Azure Virtual Desktop there's nothing to be found.

Outrageous.

I know, they've just not updated my tenancy, or maybe I've not yet, I don't know, but essentially you'd probably see something called Azure Virtual Desktop app or client, or just Azure Virtual Desktop, depending on whether you're using the classic version or not. Let's just, for argument's sake, assume that says Azure Virtual Desktop. We click on the tick box,
then we select it. Okay, then we want to go down to Conditions, which at the moment has zero in it. So again we've got options here: device platforms, locations, client apps, device state, filters. Now we want to specify the client applications this is going to be for, so we click on Configure and click Yes. Now they all get ticked by default, but look at the bottom there, legacy authentication clients: Exchange has nothing to do with AVD authentication, so we can untick that, we don't need that, and Other clients as well. There are only two ways of connecting to AVD, either through the browser or through the mobile app and the desktop app, so again in our case, let's just assume we're not going to be using the browser. We'll just leave it at Mobile apps and desktop clients. Click on Done. Now, before we can go ahead and configure it, we need to make sure we grant that access control, so click on Grant. Grant access is already ticked, but we want to tick Require multi-factor authentication. So, according to this, now all our users, but let's just assume there was a group there called AVD MFA, everyone in that group would have to do multi-factor authentication if and when they try and connect to Azure Virtual Desktop. And again here, when we're enabling the policy, we can either leave it in report-only mode or on. Ours we're going to click On, and let's click Create. That's going to create that policy now. So the next time we get a user who's trying to connect to AVD they'll be prompted. If they've not registered before, they'll have to register for MFA; if they've already registered, they'll obviously just go through that whole process again, just like the normal MFA process when you're connecting to the Azure or Microsoft 365 portal.
So again, this is another very short video, mate. Like I said, there are other ways to secure Azure Virtual Desktop. As I mentioned earlier in the episode, you can put in extra network controls and stuff, but this securing through MFA is, if not common, a must-have for me personally. It's not something that should be optional when you are designing an AVD solution, and MFA is especially important in the world we live in, where we've got people connecting from random devices from different locations. A lot of us are working from home, not in the office as much, so we're connecting from our own personal devices as well. So it's key that you have that multi-factor authentication for your AVD solutions. All right, so that's kind of what I wanted to show you. Again, it's a short video. Just before we do go, mate, let's have a quick chat and remind people about the competition that we're having.

Simon, that's today's short and sweet episode. I just wanted to do a few minutes on how to secure AVD through Conditional Access and MFA. There's obviously a lot more you can do with Conditional Access.
You could actually configure it so that users who are using it can't download or move any data, any content, out of the session, so again that's definitely a good solution if you're trying to secure your data and make sure users can't migrate any data away from AVD or via AVD. So before we do finish, let's give a quick reminder to our viewers, whoever is watching, that, as you've probably seen on our social media, we do have a competition. I have the t-shirt behind me, as I've shown the last couple of episodes, so that's the t-shirt that you can win. It's got I am IT Geek and then the hashtag at the bottom, AVD Zero to Hero, and then it's got the hashtag on the back as well, I am IT Geek.

Very nice.

So yeah, you can win those, and to enter the competition you simply need to be a subscriber to the channel and then comment on your favorite video: just say "this is my favorite video", hashtag AVD Zero to Hero, and we'll pick 10 random winners. We're looking to announce that probably just after around the first week of August, so keep your eye out on our Twitter feed and we'll give you the exact date when it finishes and when we're going to announce it. So Simon, before we go, do you have any questions around what I've shown you in this episode?

No.
I think I've done some Conditional Access stuff already around Office 365, so yeah, same principle, and like you say, I think it should be mandatory out of the box, just that extra bit of peace of mind.

Yeah, I agree, as it should be for accessing any applications in 365 or Azure. Admins and users should have MFA. So excellent. Well, again, Simon, thank you very much. It's going to be a tearful one next episode, man, that's the last one of the series, episode 10. The last episode is just going to be around configuring some monitoring. Again, there are a lot of different solutions you can use for monitoring, and I think I've mentioned them plenty of times on this series, but Nerdio: if you've not looked at Nerdio already, anyone who's watching, definitely go and have a look at what they've got to offer, because they do some great integration with Azure monitoring and third-party monitoring. Again, what I'm going to show you, because we've done a lot of the time-consuming stuff and these sort of episodes are a bit shorter and sweeter, is just how to integrate Azure Monitor and Log Analytics with AVD. So yeah, stay tuned for that.