Lock M365 and Azure access to Azure VDI

Srinivas Rautwar 1 Reputation point
2021-06-30T01:47:28.243+00:00

For security and compliance reasons, I would like to allow access to M365 and Azure services from Azure VDI only. Basically, block access if it is not Azure VDI.

Is this possible? Does conditional access help?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

4 answers

  1. VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee
    2021-07-01T01:16:31.183+00:00

    @Srinivas Rautwar Thanks for reaching out. This is not possible currently. The conditional access cannot allow access to Office 365 just from Azure VDI.
    You still have options to secure Office 365 access by device state (Hybrid AAD joined and compliant devices), and approved apps from conditional access.

    But if you are looking for particularly Azure VDI, no option as such.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


  2. Srinivas Rautwar 1 Reputation point
    2021-07-10T22:01:00.993+00:00

    @JamesTran-MSFT This issue is not resolved.

    Let me rephrase my question:

    1. User should not be able to access any O365 Services from his personal or work PC except the Azure VD.
    2. Only services that are allowed from personal or work PC are the authentication services.

    The instructions provided are generic conditional access policies and are not addressing my requirements. Please let me know if you need more details.


  3. Srinivas Rautwar 1 Reputation point
    2022-02-05T18:55:17.163+00:00

    @Anonymous I didn’t get any help, but I was able to write my own conditional access policies.

    It is working for all cases, but one. The user password change / MFA is also blocked when I applied the CA. I contacted MS for help, but no luck.

    Apply the CA to All users and all apps to block except the Azure Virtual Desktop and Azure VD Sign in apps. Let me know if you have any questions or need help.


  4. Anonymous
    2022-02-07T16:09:21.4+00:00

    Great, thanks Srinivas. I will start with this approach, might take some time as we have to start from scratch but now have some confidence that it can be done. Will let you know how I make out.

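
The policy described in the 2022-02-05 answer above (all users, all apps, block, excluding the Azure Virtual Desktop apps), written as a Microsoft Graph conditional access policy body together with a simplified model of its app targeting. This is an added example, not code from any poster in the thread; the application IDs are placeholders, the sample sign-ins are constructed, and the policy is created in report-only state as an assumption so its effect can be reviewed before enforcement.

```python
import json

# Placeholders (assumption): look up the real application IDs in your tenant.
AVD_APP_ID = "<azure-virtual-desktop-app-id>"
AVD_SIGNIN_APP_ID = "<azure-vd-sign-in-app-id>"

def build_policy(excluded_apps, state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies (Microsoft Graph)."""
    return {
        "displayName": "Block all apps except Azure Virtual Desktop",
        "state": state,  # report-only first; "enabled" once the results are reviewed
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": list(excluded_apps),
            },
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def in_scope(policy, app_id):
    """Simplified targeting model: app is included (or 'All') and not excluded."""
    apps = policy["conditions"]["applications"]
    included = "All" in apps["includeApplications"] or app_id in apps["includeApplications"]
    return included and app_id not in apps["excludeApplications"]

def outcome(policy, app_id):
    blocked = in_scope(policy, app_id) and "block" in policy["grantControls"]["builtInControls"]
    return "block" if blocked else "allow"

# Constructed sign-ins: (description, resource app the sign-in targets)
SAMPLE_SIGNINS = [
    ("AVD feed", AVD_APP_ID),
    ("AVD session sign-in", AVD_SIGNIN_APP_ID),
    ("Exchange Online from work PC", "<exchange-online-app-id>"),
    ("Password change / MFA", "<password-change-or-mfa-app-id>"),
]

def evaluate(policy):
    return {desc: outcome(policy, app) for desc, app in SAMPLE_SIGNINS}

if __name__ == "__main__":
    policy = build_policy([AVD_APP_ID, AVD_SIGNIN_APP_ID])
    print(json.dumps(policy, indent=2))
    for desc, result in evaluate(policy).items():
        print(f"{result:5}  {desc}")
```

In this model the password change / MFA sign-in is blocked because it targets an app that is not in the exclusion list, which matches the one failing case reported in the thread.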