Onboard Azure Virtual Desktop session hosts to forensic evidence from Microsoft Purview Insider Risk Management
Forensic evidence is an opt-in add-on feature in Microsoft Purview Insider Risk Management that gives security teams visual insights into potential insider data security incidents. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.
You set the right policies for your organization, including what risky events are the highest priority for capturing forensic evidence, what data is most sensitive, and whether users are notified when forensic capturing is activated.
When using Azure Virtual Desktop with forensic evidence, you can set policies to trigger recordings of desktop and RemoteApp sessions automatically. Forensic evidence capturing is off by default and policy creation requires dual authorization.
Prerequisites
Before you can use forensic evidence for Azure Virtual Desktop, you need:
A personal desktop host pool with direct assignment. Pooled host pools aren't supported.
Session hosts running Windows 11 Enterprise, version 23H2, and using a VM SKU with minimum of 8 vCPU and 16 GB memory, such as Standard D8as v5.
Session hosts must be Microsoft Entra ID-joined or Entra ID hybrid-joined and enrolled with Microsoft Intune.
Microsoft 365 E5 license, which contains both Intune and Insider Risk Management licenses.
Onboard session hosts to forensic evidence
To onboard your session hosts to forensic evidence:
Ensure a user is assigned to a personal desktop using direct assignment. Follow the steps in Configure direct assignment to assign a user to a personal desktop.
You need to onboard your session hosts to Purview. Follow the steps in Onboard Windows devices into Microsoft Purview to onboard your session hosts.
Install the Purview client and configure forensic evidence. Follow the steps in Get started with insider risk management forensic evidence to install the Purview client and configure forensic evidence.