Security and governance

This article provides key design considerations and recommendations for security, governance, and compliance in Azure Virtual Desktop landing zones in accordance with Microsoft's Cloud Adoption Framework.

Review the following sections to find recommended security controls and governance for your Azure Virtual Desktop landing zone.

Identity

• Secure user access to Azure Virtual Desktop by establishing Microsoft Entra Conditional Access Policy with Microsoft Entra multifactor authentication or a partner multifactor authentication tool. Consider your users' locations, devices, and sign in behaviors, and add extra controls as needed based their access patterns. For more information on enabling Azure multifactor authentication for Azure Virtual Desktop, see Enable Azure multifactor authentication for Azure Virtual Desktop.

• Assign the least privilege required by defining administrative, operations, and engineering roles to Azure RBAC roles. To limit access to high privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM). Maintaining knowledge of which team is responsible for each particular administrative area helps you determine Azure role-based access control (RBAC) roles and configuration.

• Use Azure Managed Identity or service principal with certificate credentials for automation and services for Azure Virtual Desktop. Assign least privilege to the automation account and scope limited to Azure Virtual Desktop landing zone(s). You can use Azure Key Vault with Azure managed identities so that runtime environments (like an Azure Function) can retrieve automation credentials from the key vault.

• Ensure that you collect user and administrator activity logging for Microsoft Entra ID and Azure Virtual Desktop landing zone(s). Monitor these logs with your Security Information and Event Management (SIEM) tool. You can collect logs from various sources, such as:

  • Azure Activity Log
  • Microsoft Entra Activity Log
  • Microsoft Entra ID
  • Session hosts
  • Key Vault logs

• Use Microsoft Entra groups rather than individual users when assigning access to Azure Virtual Desktop application groups. Consider using existing security groups that map to business functions within your organization, which lets you reuse existing user provisioning and de-provisioning processes.

Networking

• Provision or reuse a dedicated virtual network for your Azure Virtual Desktop landing zone(s). Plan IP address space to accommodate the scale of your session hosts. Establish your baseline subnet size based on the minimum and maximum number of session hosts per host pool. Map your business unit requirements to your host pools.

• Use Network Security Groups (NSGs) and/or Azure Firewall (or third-party firewall appliance) to establish micro-segmentation. Use Azure Virtual Network service tags and application service groups (ASGs) to define network access controls on network security groups or an Azure Firewall configured for your Azure Virtual Desktop resources. Verify that the session host's outgoing access to required URLs is bypassed by proxy (if used within session hosts) and Azure Firewall (or third-party firewall appliance).

• Based on your applications and enterprise segmentation strategy, restrict traffic between your session hosts and internal resources through security group rules or Azure Firewall (or a third-party firewall appliance) at scale.

• Enable Azure DDoS standard protection for Azure Firewall (or a third-party firewall appliance) to help secure your Azure Virtual Desktop landing zone(s).

• If you use proxy for outbound internet access from your session hosts:

  • Configure proxy servers in the same geography as Azure Virtual Desktop session hosts and clients (if using cloud proxy providers).
  • Don't use TLS inspection. In Azure Virtual Desktop, traffic is encrypted in transit by default.
  • Avoid proxy configuration that requires user authentication. Azure Virtual Desktop components on the session host run in the context of their operating system, so they don't support proxy servers that require authentication. System-wide proxy must be enabled for you to configure the host level proxy on your session host.

• Verify your end-users have access to Azure Virtual Desktop client URLs. If proxy agent/configuration is used on your users' devices, make sure you bypass the Azure Virtual Desktop client URLs as well.

• Use Just-in-Time access for administration and troubleshooting your session hosts. Avoid granting direct RDP access to session hosts. AVD session hosts use Reverse Connect transport to establish remote sessions.

• Use Adaptive Network Hardening features in Microsoft Defender for Cloud to find network security group configurations that limit ports and source IPs with reference to external network traffic rules.

• Collect your Azure Firewall (or third-party firewall appliance) logs with Azure Monitor or a partner monitoring solution. You should also monitor logs by SIEM, using Azure Sentinel or a similar service.

• Only use a private endpoint for Azure files that are used for FSLogix Profile containers.

• Configure the RDP Shortpath to complement reverse connect transport.

Session hosts

• Create a dedicated Organization Unit(s) (OU) in the Active Directory for the Azure Virtual Desktop session hosts. Apply dedicated Group Policy to your session hosts to manage controls such as:

  • Enable screen capture protection to you prevent sensitive screen information from being captured on the client endpoints.
  • Set maximum inactive/disconnection time policies and screen locks.
  • Hide local and remote drive mappings in Windows Explorer.
  • Optionally, configuration parameters for FSLogix Profile Containers and FSLogix Cloud Cache.

• Control device redirection for your session hosts. Commonly disabled devices include local hard drive access and USB or port restrictions. Limiting camera redirection and remote printing can help protect your organization's data. Disable clipboard redirection to prevent remote content from being copied to endpoints.

• Enable next-generation antivirus Endpoint Protection like Microsoft Defender for Endpoint on your session hosts. If you use a partner endpoint solution, ensure that Microsoft Defender for Cloud is able to verify its state. You should also include antivirus exclusions FSLogix Profile Container. Microsoft Defender for Endpoint directly integrates with multiple Microsoft Defender solutions, including:

  • Microsoft Defender for Cloud
  • Microsoft Sentinel
  • Intune

• Enable threat and vulnerability management assessments. Integrate Microsoft Defender for Endpoint's threat and vulnerability management solution with Microsoft Defender for Cloud or a third-party vulnerability management solution). Microsoft Defender for Cloud natively integrates with Qualys vulnerability assessment solution.

• Use application control through Windows Defender Application Control (WDAC) or AppLocker to ensure applications are trustworthy before execution. Application control policies can also block unsigned scripts and MSIs and restrict Windows PowerShell to run in Constrained Language Mode.

• Enable Trusted launch for Gen2 Azure virtual machines to enable features such as Secure Boot, vTPM and Virtualization-based security (VBS). Microsoft Defender for Cloud can monitor session hosts configured with trusted launch.

• Randomize local administrator passwords using Windows LAPS to protect against pass-the-hash and lateral traversal attacks.

• Verify that your session hosts are monitored by Azure Monitor or a partner monitoring solution via Event Hubs.

• Establish a patch management strategy for your session hosts. Microsoft Endpoint Configuration Manager enables Azure Virtual Desktop session hosts to receive updates automatically. You should patch base images at minimum at least once every 30 days. Consider using Azure Image Builder (AIB) to establish your own imaging pipeline for Azure Virtual Desktop base image.

For more information on best practices for Azure Virtual Desktop session host security, see Session host security best practices.

For a detailed list of best practices for Azure VM security, see Security recommendations for virtual machines in Azure.

Data protection

• Microsoft Azure encrypts data-at-rest to protect it from ‘out of band’ attacks, such as attempts to access underlying storage. This encryption helps ensure that attackers can't easily read or modify your data. Microsoft’s approach to enabling two layers of encryption for data at rest involves:

  • Disk encryption using customer-managed keys. Users provide their own key for disk encryption. They can bring their own keys to their Key Vault (a practice known as BYOK – Bring Your Own Key), or generate new keys in Azure Key Vault to encrypt the desired resources (including session host disks).
  • Infrastructure encryption using platform-managed keys. By default, disks are automatically encrypted at rest through platform-managed encryption keys.
  • Encryption at the VM host (Azure server that your VM is allocated to). Each virtual machine's temporary disk and OS/data disk cache data are stored on the VM host. When encryption at the VM host is enabled, that data is encrypted at rest and flows encrypted to the Storage service to be persisted.

• Deploy an information protection solution like Microsoft Purview Information Protection or a third party solution, which makes sure sensitive information gets stored, processed, and transmitted securely by your organization's technology systems.

• Use the Security Policy Advisor for Microsoft 365 Apps for enterprise to improve Office deployment security. This tool identifies policies you can apply to your deployment for more security, and also recommends policies based on their effects on your security and productivity.

• Configure identity-based authentication for Azure Files used for FSLogix User Profiles through on-premises Active Directory Domain Services (AD DS) and Microsoft Entra Domain Services. Configure NTFS permissions so authorized users can access your Azure Files.

Cost management

• Use Azure Tags to organize costs for creating, managing, and deploying Azure Virtual Desktop resources. To identify Azure Virtual Desktop's associated compute cost, tag all your host pools and virtual machines. Tag Azure Files or Azure NetApp Files resources to track the storage cost associated with FSLogix User Profile Containers, custom OS images, and MSIX app attach (if used).

• Define the minimum suggested tags to be set across all your Azure Virtual Desktop resources. You can set Azure tags during deployment or after provisioning. Consider using Azure Policy built-in definitions to enforce tagging rules.

• Set budget(s) in Azure Cost Management to proactively manage Azure usage costs. When budget thresholds you've created are exceeded, notifications are triggered.

• Create Azure Cost Management alerts to monitor Azure usage and spending against Azure Virtual Desktop Landing zone.

• Configure the Start VM on Connect feature to save costs by allowing end users to turn on their VMs only when they need them.

• Deploy scaling solutions for pooled session hosts through Azure Automation or Autoscale feature(preview)

Resource consistency

• Use Intune for Azure Virtual Desktop personal session hosts to apply existing or create new configurations and secure your VMs with compliance policy and conditional access. Intune management doesn't depend on or interfere with Azure Virtual Desktop management of the same virtual machine.

• Multi-session session hosts management with Intune allows you to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Intune admin center, just as you can manage a shared Windows 10 or Windows 11 client device. When managing such virtual machines (VMs), can use both device-based configuration targeted to devices or user-based configuration targeted to users.

• Audit and configure the hardening of your session hosts' operating system by using Azure Policy guest configuration. Use the Windows security baselines as a starting point for securing your Windows operating system.

• Use Azure Policy built-in definitions to configure the diagnostics settings for Azure Virtual Desktop resources like workspaces, application groups, and host pools.

Review the security best practices for Azure Virtual Desktop as a starting point for security within your environment.

Compliance

Nearly all organizations must comply with various government or industry regulatory policies. Review any such policies with your compliance team and implement the correct controls for your particular Azure Virtual Desktop landing zone. For example, you should consider controls for specific policies like the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) if your organization follows their frameworks.

• Use Microsoft Defender for Cloud to apply extra compliance standards to Azure Virtual Desktop Landing zones if necessary. Microsoft Defender for Cloud helps streamline your process for meeting regulatory compliance requirements through its regulatory compliance dashboard. You can add built-in or customized compliancy standards to the dashboard. Already-built-in regulatory standards that you can add include:

  • PCI-DSS v3.2.1:2018
  • SOC TSP
  • NIST SP 800-53 R4
  • NIST SP 800 171 R2
  • UK OFFICIAL and UK NHS
  • Canada Federal PBMM
  • Azure CIS 1.1.0
  • HIPAA/HITRUST
  • SWIFT CSP CSCF v2020
  • ISO 27001:2013
  • New Zealand ISM Restricted
  • CMMC Level 3
  • Azure CIS 1.3.0
  • NIST SP 800-53 R5
  • FedRAMP H
  • FedRAMP M

• If your organization is bound by data residency requirements, consider limiting deployment of Azure Virtual Desktop resources (workspaces, application groups and host pools) to the following geographies:

  • United States
  • Europe
  • United Kingdom
  • Canada

  Limiting deployment to these geographies can help you ensure that Azure Virtual Desktop metadata is stored in the region of Azure Virtual Desktop resource geography, since your session hosts can be deployed worldwide to accommodate your user base.

• Use group policy and device management tools like Intune and Microsoft Endpoint Configuration Manager to maintain a thorough security and compliance practice for your session hosts.

• Configure alerts and automated responses in Microsoft Defender for Cloud to ensure the overall compliance of Azure Virtual Desktop landing zones.

• Review the Microsoft Secure Score to measure overall organization security posture across the following products:

  • Microsoft 365 (including Exchange Online)
  • Microsoft Entra ID
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Defender for Cloud Apps
  • Microsoft Teams

• Review Microsoft Defender for Cloud Secure Score to improve the overall security compliance of your Azure Virtual Landing Zones.

Recommended security best practices and baselines

• Azure Virtual Desktop recommended security practices
• Security baseline for Azure Virtual Desktop based on Azure Security Benchmark
• Apply Zero Trust principles to an Azure Virtual Desktop deployment

Next steps

Learn about platform automation and DevOps for an Azure Virtual Desktop enterprise-scale scenario.

Platform automation and DevOps