Secure Windows 365 with Azure MFA

By | December 10, 2021

It is essential to secure identities and environments from hackers in today’s world, and Windows 365 is no exception. Azure Multi-Factor Authentication (MFA), in combination with Conditional Access, makes securing your Windows 365 environment easier and more manageable.

License Requirements

The users, of course, need a Windows 365 license. Using Conditional Access requires at least an Azure AD Premium P1 license for each user using the service. This license also includes the Azure MFA licensing plan.

Secure Web Access and Remote Desktop Client

Users can access their Cloud PC from the Windows 365 User Experience Portal or the Remote Desktop Client. This is the same client that can give access to Azure Virtual Desktop.

Both endpoints have a cloud app in Azure Active Directory. Therefore, we need to choose both cloud apps when creating the Conditional Access policy.

Windows 365 User Experience Portal cloud app is called: Windows 365
Remote Desktop Client cloud app is called: Windows Virtual Desktop

Creating the Conditional Access Policy

Start by logging in to the Azure Portal or the AAD Portal. Both portals can be used to create and manage Conditional Access policies. Once logged in, click on Azure Active Directory in the menu bar to the left.

Find and click on Security under the Manage menu to the left.

Now choose Conditional Access under Protect to the left.

In the Policies menu, click on New policy at the top and choose Create new policy.

You can, of course, instead modify an existing policy to include the Windows 365 and Azure Virtual Desktop cloud apps.

Give the new policy a name. Under Users or workload identities, choose which users should be included in this policy.

It’s always a good idea to target a small subset of users to test the exact behavior before enabling it on all users.

Under Cloud apps or actions, select both Windows 365 and Windows Virtual Desktop.

In the Grant section, select Require multi-factor authentication and enable the policy. Finally, click on Create, and we are ready to test it.

I choose not to exclude any locations from this policy, but it can be done under the Conditions and then Locations.
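To check that a policy like the one above is enforced and covers both cloud apps, the following added example (not code from the original article) audits policies in the JSON shape returned by the Microsoft Graph `/identity/conditionalAccess/policies` endpoint. The function names are hypothetical and the application IDs are constructed placeholders; resolve the real IDs for the two cloud apps in your own tenant.

```python
# Added example: audits Conditional Access policies in Microsoft Graph JSON shape.
REQUIRED_APPS = ("Windows 365", "Windows Virtual Desktop")

def mfa_enforced(policy):
    """True if the policy is switched on and cannot be satisfied without MFA."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if policy.get("state") != "enabled" or "mfa" not in controls:
        return False  # disabled and report-only policies enforce nothing
    # With operator "OR", another listed control could satisfy the policy alone.
    return grant.get("operator") == "AND" or controls == ["mfa"]

def covered_apps(policy, app_ids):
    """Required app names this policy includes and does not exclude."""
    apps = policy.get("conditions", {}).get("applications", {})
    included = set(apps.get("includeApplications", []))
    excluded = set(apps.get("excludeApplications", []))
    return {name for name, app_id in app_ids.items()
            if (app_id in included or "All" in included) and app_id not in excluded}

def unprotected_apps(policies, app_ids):
    """Required apps that no enforced MFA policy covers (user scope not checked)."""
    protected = set()
    for policy in policies:
        if mfa_enforced(policy):
            protected |= covered_apps(policy, app_ids)
    return sorted(set(REQUIRED_APPS) - protected)

# Constructed sample data: placeholder GUIDs, not the real application IDs.
SAMPLE_APP_IDS = {
    "Windows 365": "00000000-0000-0000-0000-000000000001",
    "Windows Virtual Desktop": "00000000-0000-0000-0000-000000000002",
}
SAMPLE_POLICIES = [
    {   # Enforced, but only one of the two cloud apps was selected.
        "displayName": "W365 MFA (portal only)",
        "state": "enabled",
        "conditions": {"applications": {
            "includeApplications": [SAMPLE_APP_IDS["Windows 365"]]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Covers both apps, but report-only, so nothing is enforced yet.
        "displayName": "W365 + WVD MFA (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"applications": {
            "includeApplications": list(SAMPLE_APP_IDS.values())}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print("Not protected by MFA:", unprotected_apps(SAMPLE_POLICIES, SAMPLE_APP_IDS))
```

The check only looks at cloud apps, state and grant controls; a policy scoped to a small test group will still count as covering an app, so review the user assignment separately.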

Windows 365 Web Portal MFA Test

Go to Windows 365 User Experience Portal, and try to log in. You should now be prompted for Azure MFA.

Remote Desktop Client MFA Test

If you don’t have the client installed, it can be downloaded from here. Open the Remote Desktop Client on the computer and try to log in. You should now be prompted for Azure MFA.
