[Hero graphic: Secure Azure Virtual Desktop]

In this two-part article, we'll learn how to deploy Azure AD-joined virtual machines and secure Azure Virtual Desktop through permissions, security groups, MFA, and more.

Azure Virtual Desktop with Azure AD (Active Directory) only

When working with Azure Virtual Desktop, you may be wondering how to keep operational expenditure low while still following security and data protection best practices. The good news is that you don't have to compromise: this article provides the steps and information you need to secure Azure Virtual Desktop while keeping those costs down.

Note: In case you’re wondering about installing apps for AVD, check out our blog post here.

Are virtual desktops secure?

The quick answer is yes, as long as they're properly managed. VDs and VDIs help with security because these virtual environments are managed centrally. Central management streamlines security: all VDs can be updated simultaneously, data never leaves the data center, and risks can be addressed and mitigated with far more ease and speed than on independent desktops.

While this doesn't mean that VDs are without risk, it does emphasize the importance of the security capabilities of your VD service. Azure Virtual Desktop has many features that enhance security, but we also recommend reading Microsoft's security best practices article to see how good operational habits help you secure Azure Virtual Desktop.

AVD prerequisites

Before we guide you through how to secure Azure Virtual Desktop, there are a couple of things to note:

  • Besides an active Azure subscription, the end user needs at least an Azure Active Directory (AD) Premium P1 license together with a Microsoft 365 Business Premium license or an equivalent external license (if you're not already familiar with it, Azure Active Directory is Microsoft's cloud-based identity management service).
  • You also need the ability to configure MFA through Conditional Access policies. MFA can be disabled only for access to the AVD machines, not globally.

For complete details and the list of supported operating systems, click here.

Setting up Azure AD-joined virtual machines in Azure Virtual Desktop

To secure Azure Virtual Desktop, the first step is deploying your Azure AD-joined virtual machines in AVD. Note, however, that this is recommended specifically for users who only need access to resources located in the cloud or that use Azure AD-based authentication. Follow the instructions below to get started.

If one doesn't already exist, create a designated resource group.

If you can’t see it on the landing page in portal.azure.com, type “Resource Group” in the search bar and click on it in the results (see image below).

  1. On the Resource groups page, click Create.
  2. Choose the correct subscription, add a meaningful name for the resource group, and choose the region in which you want this resource group's metadata to reside.

Create a virtual network for the AVD machines

  1. In the search bar, type 'Virtual Networks' and click on it in the results (make sure not to choose the 'classic' option).
  2. Click the Create Virtual Network button and go through the wizard.
    • We will keep all AVD resources under the same resource group, even though that is not mandatory. However, make sure you place this virtual network in the same region where your VMs will reside.
  3. Switch to the IP addresses tab.
    • We will leave the default 10.0.0.0/16 IP address space, but we want to change the subnet name from 'default' to 'na-operations-sub'.
  4. Click the 'default' link and change the subnet name in the 'Edit Subnet' form. Click Save.
    • It is fine to keep the default subnet address range, but you can also change it here if needed. Everything can stay disabled on the Security tab.
  5. Add tags if needed, then click Review + create, and finally Create to create your network.

Create a new host pool with Azure AD-Joined VM in it

  1. In the search bar, type "Azure Virtual Desktop" and click on it in the results.
    • Make sure not to choose Azure Virtual Desktop Classic; that version does not support Azure AD-joined AVD VMs.
  2. Click Create host pool.
  3. Once again, place the host pool in the designated AVD resource group, give it a meaningful name, and put it in the region where you placed the virtual network.
  4. If it is not already selected, choose 'No' for Validation environment.
  5. Switch to the Virtual Machines tab.
  6. Select 'Yes' for Add Azure virtual machines.
  7. Scroll down to Domain to join and choose 'Azure Active Directory'.
  8. Enter a username and password for the VM's local administrator account.
  9. Switch to the Workspace tab and choose or create the target workspace.
  10. Review and create the host pool, VM, and workspace.
    • When the VM has been deployed successfully, you will be able to see it in the Azure AD portal under Devices as an Azure AD joined machine.
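For readers who prefer to script the resource group, virtual network and host pool steps above instead of clicking through the portal, here is an added example using the Az PowerShell modules (Az.Resources, Az.Network and Az.DesktopVirtualization). It is not code from the original article or from Microsoft; every name, the region and the subnet range are assumptions chosen to match the walkthrough, so adjust them to your environment. It deliberately stops before the session host VM itself: the portal wizard's "Add Azure virtual machines" step deploys the VM and joins it to Azure AD, and the registration token created at the end is what that VM uses to join the host pool.

```powershell
# Added example, not from the original article. Assumes: Install-Module Az ; Connect-AzAccount
# All names, the region and the address ranges below are assumptions.

$location = 'eastus'             # assumed region; the VNet and the VMs must share it
$rgName   = 'rg-avd-operations'  # assumed resource group name
$vnetName = 'vnet-avd'           # assumed virtual network name
$subnet   = 'na-operations-sub'  # subnet name used in the walkthrough
$poolName = 'hp-avd-aadjoined'   # assumed host pool name
$wsName   = 'ws-avd-operations'  # assumed workspace name

# 1. Resource group that will hold all AVD resources (same group for everything, as in the text)
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# 2. Virtual network keeping the default 10.0.0.0/16 space, with the renamed subnet
$subnetCfg = New-AzVirtualNetworkSubnetConfig -Name $subnet -AddressPrefix '10.0.0.0/24'
New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $subnetCfg | Out-Null

# 3. Host pool in the same region; not a validation environment (the 'No' chosen above)
$pool = New-AzWvdHostPool -ResourceGroupName $rgName -Name $poolName -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -ValidationEnvironment:$false

# 4. Desktop application group bound to the pool, published through the workspace
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $rgName -Name "$poolName-dag" `
    -Location $location -HostPoolArmPath $pool.Id -ApplicationGroupType Desktop
New-AzWvdWorkspace -ResourceGroupName $rgName -Name $wsName -Location $location `
    -ApplicationGroupReference $appGroup.Id | Out-Null

# 5. Short-lived registration token: the AVD agent on the session host presents it to join the pool.
#    Keep the lifetime short; the token is a secret and should not be stored in scripts or tickets.
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $rgName -HostPoolName $poolName `
    -ExpirationTime (Get-Date).ToUniversalTime().AddHours(2)
Write-Output "Host pool '$poolName' ready; registration token expires at $($reg.ExpirationTime)"
```

Running the script leaves you at the same point as step 10 of the walkthrough minus the VM: the host pool, application group and workspace exist, and the registration token is what the Azure AD-joined session host consumes when it is deployed. Because the token grants a machine the right to join your pool, treat it like a password: generate it just before deploying the VM and let it expire rather than reusing it.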

Secure Azure Virtual Desktop Summary

With the increase in virtual desktops and remote work, ensuring that your database is secure is a necessary endeavor. Now that you've gotten started by creating a resource group and a host pool, you should be ready to move on to part two of this article series, where we'll guide you through creating security groups, configuring permissions, and more. We hope this article has been helpful in keeping your Azure VD secure.