Increase the security of your AVD with this guide on security groups, permissions, and MFA authentication.
What we’ve covered so far
In our previous article, we addressed the security question everyone has when it comes to remote desktops – are remote desktops secure? The answer is ‘yes’, as long as you take the appropriate precautions.
Part one of this series got you started on setting up Azure Virtual Desktop with a virtual network, host pools, and resource groups. Continue reading to finalize the deployment of your AVD and enable Azure multi-factor authentication.
Create designated security groups in Azure AD
Creating security groups in Azure AD helps you secure Azure Virtual Desktop because access is granted to a group rather than to individual users, so the same set of access controls is applied consistently and is easier to manage.
Go to the Azure AD portal -> Groups -> click the New Group button
In this example, we will create two security groups: 1) na-operations-avd-users, and 2) na-operations-avd-admins.
Configure the permissions in the AVD host pool
Before we enable Azure multi-factor authentication, we should set up the permissions in the host pool. To grant access to resources, add each user to the desired app group. Follow the instructions in Manage app groups to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever you can to secure Azure Virtual Desktop as much as possible.
Go to the "na-op-ruby-hp" host pool -> Application groups -> na-op-ruby-DAG application group -> Manage -> Assignments
Click Add -> search for and add the "na-operations-avd-users" and "na-operations-avd-admins" groups.
Note: For Azure AD-joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Azure Active Directory Domain Services-based deployments:
Assign your users to the Virtual Machine User Login role so they can sign in to the VMs.
Assign administrators who need local administrative privileges to the Virtual Machine Administrator Login role.
To grant users access to Azure AD-joined VMs, you must configure role assignments for the VM. You can assign the Virtual Machine User Login or Virtual Machine Administrator Login role to the VMs, to the resource group containing the VMs, or to the subscription. (We recommend assigning the Virtual Machine User Login role to the same user group that you used for the app group, at the resource group level, so that it applies to all the VMs in the host pool.)
Go to the resource group that contains this AVD host pool and switch to the Access Control (IAM) blade.
Switch to the Role assignments tab and click Add -> Add role assignment.
Search for Virtual Machine User Login. Select it and click the Next button.
On the Members tab, click Select members.
Search for and select the na-operations-avd-users group -> Select -> Review and assign.
Back on the Role assignments tab, click Add -> Add role assignment.
Search for "Virtual Machine Administrator Login", select it and click the Next button.
On the Members tab, click Select members. Search for and select the "na-operations-avd-admins" group -> Select -> Review and assign.
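The same assignments (app group access plus the two login roles at resource group scope) scripted with the Az PowerShell modules, as an added example that is not part of the original article. The host pool, application group and security group names come from the article; the resource group name is a placeholder assumption, and the Ensure-RoleAssignment helper is the example's own.

```powershell
# Added example (not from the original article): assign the two AVD security groups to the
# desktop application group and to the Azure AD VM login roles on the host pool's resource group.
# Requires Az.Resources and Az.DesktopVirtualization, and an existing Connect-AzAccount session.
# ASSUMPTION: the resource group name is a placeholder; the article does not name it.
$rg        = 'rg-na-operations-avd'      # placeholder (assumption)
$appGroup  = 'na-op-ruby-DAG'            # desktop application group from the article
$usersGrp  = 'na-operations-avd-users'
$adminsGrp = 'na-operations-avd-admins'

# Resolve the Azure AD groups to object IDs and fail early if either is missing.
$users  = Get-AzADGroup -DisplayName $usersGrp
$admins = Get-AzADGroup -DisplayName $adminsGrp
if (-not $users -or -not $admins) { throw 'One or both AVD security groups were not found.' }

# Helper (example's own): create a role assignment only if it is not already in effect,
# so the script can be re-run safely.
function Ensure-RoleAssignment {
    param([string]$ObjectId, [string]$Role, [hashtable]$Scope)
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role @Scope -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "Already assigned: $Role"; return }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role @Scope | Out-Null
    Write-Host "Assigned: $Role"
}

# 1) App group access (portal: Manage -> Assignments): both groups become Desktop Virtualization Users on the DAG.
$dagScope = @{
    ResourceGroupName = $rg
    ResourceName      = $appGroup
    ResourceType      = 'Microsoft.DesktopVirtualization/applicationGroups'
}
foreach ($g in @($users, $admins)) {
    Ensure-RoleAssignment -ObjectId $g.Id -Role 'Desktop Virtualization User' -Scope $dagScope
}

# 2) Azure AD-joined session hosts: login roles at resource group scope cover every VM in the host pool.
$rgScope = @{ ResourceGroupName = $rg }
Ensure-RoleAssignment -ObjectId $users.Id  -Role 'Virtual Machine User Login'          -Scope $rgScope
Ensure-RoleAssignment -ObjectId $admins.Id -Role 'Virtual Machine Administrator Login' -Scope $rgScope

# Verify: show who holds the VM login roles at resource group scope (inherited assignments appear too).
Get-AzRoleAssignment -ResourceGroupName $rg |
    Where-Object RoleDefinitionName -like 'Virtual Machine * Login' |
    Select-Object DisplayName, RoleDefinitionName, Scope
```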
Connect using other clients
To access Azure AD-joined VMs using the web, Android, or macOS and iOS clients, you must add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
Go to Host Pool -> RDP Properties tab -> Advanced tab
Add the targetisaadjoined:i:1 to the RDP properties list. Click
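Setting the property from PowerShell, as an added example that is not from the original article. Update-AzWvdHostPool -CustomRdpProperty replaces the whole property string, so the block reads the existing value and appends to it; the host pool name is the article's, the resource group name is a placeholder assumption.

```powershell
# Added example (not from the original article): add targetisaadjoined:i:1 to the host pool's
# custom RDP properties without discarding the properties already configured.
# Requires Az.DesktopVirtualization. ASSUMPTION: the resource group name is a placeholder.
$rg       = 'rg-na-operations-avd'    # placeholder (assumption)
$hostPool = 'na-op-ruby-hp'           # host pool from the article
$property = 'targetisaadjoined:i:1'

# Custom RDP properties are stored as one semicolon-separated string (key:type:value;...).
$current = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).CustomRdpProperty
$props   = @($current -split ';' | Where-Object { $_ -ne '' })

if ($props -contains $property) {
    Write-Host "$property is already set. Current properties: $current"
} else {
    $new = ($props + $property) -join ';'
    # -CustomRdpProperty overwrites the entire string, hence the read-modify-write above.
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -CustomRdpProperty $new | Out-Null
    Write-Host "Custom RDP properties are now: $new"
}
```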
Enable Azure multi-factor authentication and enforce for Azure AD-joined session VMs
You can also use Azure AD multi-factor authentication with Azure AD-joined VMs to secure Azure Virtual Desktop. We’ve included the link to the full instructions below, but here are two things to know before you get started:
To sign in to an Azure AD-joined AVD VM, you'll need to disable the legacy per-user Azure AD multi-factor authentication setting for the user. If you don't, the workaround is to sign in with a local account.
If you already have a Conditional Access policy that enforces MFA for all users (standard and admins), and you should have one, you do not need a separate Conditional Access policy dedicated to enforcing Azure Active Directory MFA for Azure Virtual Desktop – see how.
Whichever PC you’re using for your remote desktop connection (it must be Windows 10 or later) needs to use a secure authentication method if you want to enable Azure multi-factor authentication, i.e., Windows Hello. However, if you’re using the remote desktop app from an Azure AD-joined machine, you can skip Windows Hello.
Note: Since we want our end users to be able to access this AVD VM from any source OS, we will adjust our MFA-enforcing Conditional Access policy to exclude the Azure Windows VM Sign-In application.
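The policy shape described above, created with the Microsoft Graph PowerShell SDK, as an added example that is not from the original article. It creates a new tenant-wide MFA policy in report-only mode with the Azure Windows VM Sign-In application excluded (the article adjusts an existing policy instead); the break-glass group name and the policy display name are placeholder assumptions.

```powershell
# Added example (not from the original article): Conditional Access policy requiring MFA for all
# users and all apps except Azure Windows VM Sign-In, so Azure AD-joined session hosts can be
# reached from any client OS. Requires the Microsoft.Graph modules (Identity.SignIns, Applications, Groups).
# ASSUMPTION: 'sg-break-glass' is a placeholder emergency-access group; the article does not mention one.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

# Look the application up by its display name rather than hard-coding an app ID.
$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
if (-not $vmSignIn) { throw "'Azure Windows VM Sign-In' service principal not found in this tenant." }

$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-break-glass'"   # placeholder (assumption)
if (-not $breakGlass) { throw 'Break-glass group not found; never ship an all-users MFA policy without one.' }

$policy = @{
    displayName = 'Require MFA for all users (excl. Azure Windows VM Sign-In)'   # assumption
    # Report-only first: review the sign-in logs, then change the state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @('All')
            excludeApplications = @($vmSignIn.AppId)   # the exclusion the article describes
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```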
Now that you've learned how to enable Azure multi-factor authentication, you need to make sure that the VM OS has the correct time zone configured. The VM will sometimes end up with the UTC time zone. The solution is to remote into the VM and configure it from within, or to execute a simple PowerShell script from the Azure Portal.
How to change the time zone from the VM
Remote into the VM and open the PowerShell console as Admin.
To check which time zone is currently configured on the VM, run: Get-TimeZone
To configure the PST time zone, run the following command: Set-TimeZone -Id "Pacific Standard Time"
Note: You can also set it to any other time zone that the client is in; list the valid IDs with: Get-TimeZone -ListAvailable. You can also use the GUI to check and set the right time zone.
How to Change the Time Zone from Azure Portal
In the Azure portal, browse to the target VM.
Under Operations, click Run command, then select RunPowerShellScript.
Run the following PowerShell script to make sure the time zone configured on the VM is PST:
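An added example (not the article's own script) that does the same job from the Azure side with Invoke-AzVMRunCommand: the inner script validates the time zone ID, changes it only when it differs, and reports what it did, so it is safe to run across every session host. The resource group and VM names are placeholder assumptions.

```powershell
# Added example (not from the original article): set a session host's time zone to PST via
# Run Command, only if needed. Requires Az.Compute and an existing Connect-AzAccount session.
# ASSUMPTION: the resource group and VM names are placeholders; the article does not name them.
$rg     = 'rg-na-operations-avd'   # placeholder (assumption)
$vmName = 'na-op-ruby-hp-0'        # placeholder (assumption)

# Script that runs inside the VM; this is what you would paste into Operations -> Run command.
$script = @'
$wanted  = 'Pacific Standard Time'
$current = (Get-TimeZone).Id
# Validate the ID against the VM's own list before changing anything.
if (-not (Get-TimeZone -ListAvailable | Where-Object Id -eq $wanted)) {
    throw "Time zone ID '$wanted' is not known on this VM"
}
if ($current -eq $wanted) {
    "Time zone already $current"
} else {
    Set-TimeZone -Id $wanted
    "Time zone changed from $current to $((Get-TimeZone).Id)"
}
'@

# Run Command takes a script file; write the script to a temp file and submit it.
$path = Join-Path ([IO.Path]::GetTempPath()) 'set-avd-timezone.ps1'
Set-Content -Path $path -Value $script
$result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $path

# The script's output comes back in the first status message.
$result.Value[0].Message
```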
Security is a top concern in the world of technology, and it's up to us and our practices to ensure that we've done our part in keeping our information safe. Features such as security groups and MFA are necessary for anyone wanting to keep themselves and their businesses protected.