Forum Discussion
DavidBelanger
Microsoft
Jul 14, 2021
PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs
We are excited to announce the public preview of Azure AD joined VMs support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure por...
- Jul 15, 2021
End-to-end single sign-on is definitely something we are working on, but it isn't available in the first release due to the protocol we are using. We know how important that feature is.
Peter Meuser
Jul 22, 2021 Copper Contributor
Nikonline You should be able to switch from the global setting "Require Multi-Factor Authentication to register or join devices with Azure AD" to a more recent approach based on a targeted CA policy for "Microsoft Intune Enrollment", which enforces MFA without sacrificing security.
Nikonline
Jul 22, 2021 Copper Contributor
As I mentioned, I had to disable CA policies that involved MFA. How can we secure access to VMs without MFA, unless there is something that I am missing?
- Peter Meuser
Jul 22, 2021 Copper Contributor
I am currently designing secure access to VMs this way:
1. Session VMs can't be accessed directly from the Internet (e.g. via RDP; that would be a bad security design anyway)
2. Sign-in to VMs is excluded from MFA
3. Access to Azure Virtual Desktop requires MFA (AVD is the inbound gateway to session VMs)
I have inspected the sign-in logs in detail and the behavior is as expected.
So overall MFA will be required first to get inside your virtual networks, but then inside the networks password authentication is enough.
Would this fit the security level of your use case? Of course, to follow a strict Zero Trust approach, Microsoft needs to deliver enforced MFA for VM sign-in at a later stage. As of my understanding, this is in scope.
- RobHyde
Jul 22, 2021 Copper Contributor
That is a good summary Peter.
Just to make you aware for Point 2, instead of using "Sign-in to VMs is excluded from MFA" you could directly exclude the Azure AD Computer Object instead. Useful in situations like this where you need it to apply to only the VMs you want to access through the Web Client, but not every VM you have in Azure.
- Peter Meuser
Jul 23, 2021 Copper Contributor
RobHyde This sounds promising. You mean it is possible to exclude the managed identity of a VM (as a "cloud app") from a CA policy requiring MFA? In my first test this does not work out: if I exclude a VM (managed identity) from cloud apps, sign-in is not possible; if I assign MFA to a specific VM the same way, sign-in still works (expectation: fails because of the MFA requirement).
Can you elaborate on the procedure you have in mind? Thanks a lot!
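The three-point design discussed in this thread (MFA enforced at the AVD gateway, VM sign-in excluded from MFA) can be checked against the Conditional Access policies a tenant actually has. The script below is an added example, not code from the thread or from Microsoft; it audits policy objects in the shape Microsoft Graph returns for `GET /identity/conditionalAccess/policies`, using constructed sample policies and placeholder application IDs that you replace with the "Azure Virtual Desktop" and "Azure Windows VM Sign-In" app IDs from your own tenant.

```python
"""Audit Conditional Access policies for the AVD design in the thread."""
import copy

# Placeholder app IDs (assumption): substitute the real application IDs of
# "Azure Virtual Desktop" and "Azure Windows VM Sign-In" from your tenant.
AVD_APP_ID = "<azure-virtual-desktop-app-id>"
VM_SIGNIN_APP_ID = "<azure-windows-vm-sign-in-app-id>"

# Constructed sample: the fields of a Graph conditionalAccessPolicy used here.
# This one matches the design: MFA for all apps, VM sign-in excluded.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all cloud apps",
        "state": "enabled",
        "conditions": {
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": [VM_SIGNIN_APP_ID],
            },
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Constructed broken variant: the exclusion was dropped, so the Azure AD
# joined hosts would demand MFA at logon, which is what broke for Nikonline.
BROKEN_POLICIES = copy.deepcopy(SAMPLE_POLICIES)
BROKEN_POLICIES[0]["conditions"]["applications"]["excludeApplications"] = []


def policy_targets(policy, app_id):
    """True if the policy's application condition reaches app_id."""
    apps = policy.get("conditions", {}).get("applications", {})
    if app_id in apps.get("excludeApplications", []):
        return False
    included = apps.get("includeApplications", [])
    return "All" in included or app_id in included


def requires_mfa(policy):
    """True if the grant controls include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", [])


def audit(policies):
    """Return findings; an empty list means the thread's design holds."""
    enabled = [p for p in policies if p.get("state") == "enabled"]
    findings = []
    if not any(policy_targets(p, AVD_APP_ID) and requires_mfa(p) for p in enabled):
        findings.append("no enabled policy enforces MFA at the AVD gateway")
    for p in enabled:
        if policy_targets(p, VM_SIGNIN_APP_ID) and requires_mfa(p):
            findings.append(f"'{p['displayName']}' still requires MFA for VM sign-in")
    return findings
```

Report-only policies (state `enabledForReportingButNotEnforced`) are deliberately ignored, since they do not block a sign-in.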