Conditional Access Policy is not blocking Azure Virtual Desktop when accessed from Microsoft Azure Virtual Desktop Client

Shanmugham, Sudha 21 Reputation points
2022-10-25T14:04:22.417+00:00

Hi All,
In our Conditional Access Policy we are trying to block "Azure Virtual Desktop".

This policy blocks the Azure VDI when accessed from a browser. However, when accessed from "Microsoft Azure Virtual Desktop Client", it allows access to the Azure VDI.

Could you please let me know what could be missed in the CAP to configure additionally? Should I be adding a condition on client app?

Kindly share any inputs?

Microsoft Entra ID

3 answers

  1. rafalzak 3,231 Reputation points
    2022-10-25T17:31:18.667+00:00

    Hi @Shanmugham, Sudha ,

    There are a few apps you need to use in conditional access policies and it depends if you have AVD based on ARM or classic. Please verify you chose the correct app IDs. You can look into this guide to compare with your settings:
    https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa

    Please upvote or accept as answer if it helped.

  2. Luke Murray 11,241 Reputation points MVP
    2022-10-25T23:08:20.767+00:00

    I don't believe there is another 'client' to stop access from Web Browser/vs Client App.

    I wonder if the client app has cached the token somehow (https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime?WT.mc_id=AZ-MVP-5004796).

    What does the Conditional Access What If say? https://learn.microsoft.com/azure/active-directory/conditional-access/what-if-tool?WT.mc_id=AZ-MVP-5004796

  3. Bryan Kavanagh 1 Reputation point
    2022-11-24T18:08:58.857+00:00

    I have the same issue. I can set the conditional access to use the Conditional Access App Control in Defender for Cloud Apps. I've set it to block browser and desktop apps but it only blocks the browser access.
