Lock M365 and Azure access to Azure VDI

Question

Lock M365 and Azure access to Azure VDI

Srinivas Rautwar 1

For security and compliance reasons, I would like to allow access to M365 and Azure services from Azure VDI only. Basically, block access if it is not Azure VDI.

Is this possible? Does conditional access help?

Answer 1

VipulSparsh-MSFT 15,986

@Srinivas Rautwar Thanks for reaching out. This is not possible currently. the conditional access cannot allow access to office 365 just from Azure VDI.
You still have options to secure office 365 access by device state (Hybrid AAD joined and compliant devices), and approved apps from conditional access.

But if you are looking for particularly Azure VDI, no option as such.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.

Srinivas Rautwar 1 Reputation point

2021-07-02T00:38:08.467+00:00

Thanks for your reply.

I created a Conditional Access Policy to secure O365 apps, but the use could login setup an account without the Compliant device. User was blocked from MFA and other pages.

Use Case: User should be able login to Azure VD using his personal device, but everything else must be blocked on personal device. Can you guide me on how to setup CA policy for this?
VipulSparsh-MSFT 15,986 Reputation points

2021-07-02T12:51:08.773+00:00

@Srinivas Rautwar By everything else if you mean Office 365 service, you can use something like this :

1) Create one policy for Azure virtual Desktop like this : https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa#create-a-conditional-access-policy
2) To block office 365 services on personal device, you can use this :

Select Office 365 in Apps option and select compliant device under grant :
JamesTran-MSFT 27,511 Reputation points Microsoft Employee

2021-07-08T00:01:48.997+00:00

@Srinivas Rautwar
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Answer 2

Srinivas Rautwar 1

@JamesTran-MSFT This issue is not resolved.

Let me rephrase my question:

User should not be able to access any O365 Services from his personal or work PC except the Azure VD.
Only services that are allowed from personal or work PC are the authentication services

The instructions provided are generic conditional access policies and are not addressing my requirements. Please let me know if you need more details.

Rahman Khaleel 1 Reputation point

2022-02-04T05:52:32.747+00:00
Hello Srinivas,
I need something similar for the conditional access, did you get any satisfactory response on this?

If not can someone please help with this?
my requirement:

Users should not be able to access Windows365 services from their personal PCs except from Azure Virtual desktop,

Users will login to Azure VD from anywhere in US using Azure AD authentication with MFA and access Outlook/Teams etc

Thanks

Answer 3

@Rahman Khaleel I didn’t get any help, but I was able to write my own conditional access policies.

It is working for all cases, but one. The user password change / MFA is also blocked when I applied the CA. I contacted MS for help, but no lock.

Apply the CA to All users and all apps to block except the Azure Virtual Desktop and Azure VD Sign in apps. Let me know if you have any questions or need help.

Answer 4

Rahman Khaleel 1

Great, thanks Srinivas. I will start with this approach, might take sometime as we have to start from scratch but now have some confidence that it can be done. Will let you know how I make out.

Lock M365 and Azure access to Azure VDI

4 answers

Activity