Restrict access to dev boxes by using conditional access policies in Microsoft Intune

In this article, you learn how to configure conditional access policies in Microsoft Intune to control access to dev boxes. For Dev Box, it’s common to configure conditional access policies to restrict who can access dev box, what they can do, and where they can access from. To configure conditional access policies, you can use Microsoft Intune to create dynamic device groups and conditional access policies.

Some usage scenarios for conditional access in Microsoft Dev Box include:

• Restricting access to dev box to only managed devices
• Restricting the ability to copy/paste from the dev box
• Restricting access to dev box from only certain geographies

Conditional access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. Conditional access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action. Conditional access policies are a powerful tool for being able to keep your organization’s devices secure and environments compliant.

Prerequisites

• Microsoft Intune subscription.
• Permission to add and manage groups in Microsoft Intune.

Create a dynamic device group

A dynamic group uses rules to determine group membership based on user or device properties. This section shows how to set up a rule for a dynamic group in Microsoft Intune.

To create a conditional access policy that targets dev box devices, you first need to create a dynamic device group that contains your dev boxes. You can create a dynamic security device group that includes all dev boxes by identifying them using keywords specified in the device model of the machine.

1. Sign in to the Microsoft Intune admin center.

2. Select Groups.

   

3. Select New Group.

   

4. Provide a name for the new group.

   

5. Optionally, add a description.

6. Set Membership Type to Dynamic Device.

7. Select Add dynamic query to specify rules for the group.

   

8. In Property, select deviceModel.

9. In Operator, select Starts With.

10. In Value enter Microsoft Dev Box.

    All dev boxes list the Manufacturer as "Microsoft Corporation" and the Model as "Microsoft Dev Box 8vCPU/32GB/1024GB", where the specs will reflect the VM SKU chosen for that dev box.

11. Validate the group and select Create.

12. After creating your dynamic device group, you can view and manage existing groups on the Groups pane of the Microsoft Intune admin center.

Create a conditional access policy

After creating your device group and validated your dev box devices are members, you can move on to create a conditional access policy for your scenario. In this example, you create a conditional access policy to restrict connections outside of specified geographic regions.

Important

Thoroughly test conditional access policies before putting them into production using the Report-Only feature. Conditional access policies have the potential to restrict all access to your dev boxes if misconfigured.

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint Security > Conditional access > Create new policy.

3. Enter a Name for your conditional access policy.

4. Under Users, select the device group you created in the previous section.

5. Under Cloud apps or actions, select No cloud apps, actions, or authentication contexts selected.

6. Select Cloud apps > Include > Select apps > None (under Select).

7. In the Select pane, search for and select the apps you require for your scenario:

   App name	App ID	Description
   Windows 365	0af06dc6-e4b5-4f28-818e-e78e62d137a5	Used when retrieving the list of resources for the user and when users initiate actions on their dev box like Restart.
   Azure Virtual Desktop	9cdead84-a844-4324-93f2-b2e6bb768d07	Used to authenticate to the Gateway during the connection and when the client sends diagnostic information to the service. Might also appear as Windows Virtual Desktop.
   Microsoft Remote Desktop	a4a365df-50f1-4397-bc59-1a1564b8bb9c	Used to authenticate users to the dev box. Only needed when you configure single sign-on in a provisioning policy.

8. You should match your conditional access policies between these apps, which ensures that the policy applies to the developer portal, the connection to the Gateway, and the dev box for a consistent experience. If you want to exclude apps, you must also choose all of these apps.

9. Under Conditions > Locations > Excluded > select the locations where users are allowed to connect from.

10. Under Grant, select Block Access.

11. Under Session, select 0 controls selected.

12. To test the conditional access policy, use the Report-Only feature under Enable Policy.

13. Select Create to create the policy.

14. After creating your conditional access policy, you can view and manage existing policies in the Conditional Access - Policies pane of the Microsoft Intune admin center.

Related content

• Dynamic membership rules for groups in Microsoft Entra ID
• Learn about Conditional Access and Intune