question

YY-3792 asked:

Conditional Access per Hostpool

We would like to create an AVD farm that consists of a number of host pools for different user access (e.g., internal users, partners, etc.).

How can we apply IP whitelisting to a host pool so that it only allows internal users to access it from their office network? And how can we set up another host pool for partners that can be accessed from the Internet?

Thanks.

Tags: azure-virtual-desktop, azure-ad-conditional-access

1 Answer

vipullag-MSFT answered:

@YY-3792

Apologies for the delayed response.
Based on your requirement, the only option here is to use AAD Conditional Access policies.

Please refer to this document for more details on this.

Hope that helps.
Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.


Thanks @vipullag-MSFT, we know that AAD Conditional Access policies are for user groups only. How can we apply this to an AVD host pool?

For instance, below are the scenarios that we would like to achieve for multiple parties within the company:

AVD Hostpool 001
- only for accessing remote app A within that pool.
- only for internal users.
- only allow access from authorized IPs (IP whitelisting).

AVD Hostpool 002
- only for accessing remote app B within that pool.
- for internal users and partners.
- allow access from the public Internet.

vipullag-MSFT commented:

@YY-3792

You can apply a CA policy to the group of internal users and restrict access to AVD only when they are on the corporate network.
Another CA policy can be created and targeted to the group of partner users that should have access to AVD via the Internet. As long as those two groups don't need access to the same host pool, it is achievable.

Targeting CA policies based on specific host pools is currently not possible.

Hope that helps.

YY-3792 commented:
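The two-policy approach described in the answer above, as an added example that is not from this thread or from Microsoft: it builds the Microsoft Graph conditionalAccess policy bodies for the internal and partner groups and simulates which controls a sign-in to the AVD cloud app would hit, including a user who sits in both groups. Group, named-location and application IDs are placeholders, and requiring MFA for partners is an assumed grant control, since a CA policy needs at least one.

```python
import json

# Placeholder IDs (constructed); replace with values from your own tenant.
AVD_APP_ID = "AVD-CLOUD-APP-ID-PLACEHOLDER"
INTERNAL_GROUP = "INTERNAL-USERS-GROUP-ID-PLACEHOLDER"
PARTNER_GROUP = "PARTNER-USERS-GROUP-ID-PLACEHOLDER"
OFFICE_LOCATION = "OFFICE-NAMED-LOCATION-ID-PLACEHOLDER"  # IP-based named location


def internal_policy():
    """Block internal users reaching AVD from anywhere except the office IPs."""
    return {
        "displayName": "AVD - internal users only from office IPs",
        "state": "enabledForReportingButNotEnforced",  # report-only first
        "conditions": {
            "users": {"includeGroups": [INTERNAL_GROUP]},
            "applications": {"includeApplications": [AVD_APP_ID]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [OFFICE_LOCATION]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def partner_policy():
    """Let partners reach AVD from the Internet; MFA is an assumed grant control."""
    return {
        "displayName": "AVD - partners from the Internet with MFA",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [PARTNER_GROUP]},
            "applications": {"includeApplications": [AVD_APP_ID]},
            "locations": {"includeLocations": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def evaluate(policies, user_groups, location_id):
    """Simulate a sign-in to the AVD app: return the built-in controls that
    apply ('block', 'mfa'); an empty set means the sign-in is simply allowed.
    'All' in includeLocations matches every location; excludeLocations wins."""
    applied = set()
    for policy in policies:
        cond = policy["conditions"]
        if not set(cond["users"]["includeGroups"]) & set(user_groups):
            continue  # user not in scope of this policy
        if location_id in cond["locations"].get("excludeLocations", []):
            continue  # trusted office location is carved out
        applied.update(policy["grantControls"]["builtInControls"])
    return applied


if __name__ == "__main__":
    print(json.dumps([internal_policy(), partner_policy()], indent=2))
```

Because neither policy can be scoped to a host pool, a user who is in both groups gets both policies and is blocked off-site, which is the caveat the answer raises.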

Hi @vipullag-MSFT, thanks. The CA you mean is using a Certificate Authority issuing the device certificate, am I right?

That means that when they bring their laptop back home, they can access it like internal users.

So, is there any roadmap or plan to implement host-pool-level access control? I think most organizations would aim to assign various host pools to different usages or different levels of access. If my understanding is correct, even AWS can define workspace pools per account, such that different accounts host different workspace pools for different users or groups. This is especially useful for RemoteApp within AVD.

Thanks.
