Apply Zero Trust principles to an Azure Virtual Desktop deployment

This article provides steps to apply the principles of Zero Trust to an Azure Virtual Desktop deployment in the following ways:

Zero Trust principle: Verify explicitly
Definition: Always authenticate and authorize based on all available data points.
Met by: Verify the identities and endpoints of Azure Virtual Desktop users and secure access to session hosts.

Zero Trust principle: Use least privileged access
Definition: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.
Met by:
  • Confine access to session hosts and their data.
  • Storage: Protect data in all three modes: data at rest, data in transit, data in use.
  • Virtual networks (VNets): Specify allowed network traffic flows between hub and spoke VNets with Azure Firewall.
  • Virtual machines: Use Role Based Access Control (RBAC).

Zero Trust principle: Assume breach
Definition: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Met by:
  • Isolate the components of an Azure Virtual Desktop deployment.
  • Storage: Use Defender for Storage for automated threat detection and protection.
  • VNets: Prevent traffic flows between workloads with Azure Firewall.
  • Virtual machines: Use double encryption for end-to-end encryption, enable encryption at host, secure maintenance for virtual machines, and Microsoft Defender for Servers for threat detection.
  • Azure Virtual Desktop: Use Azure Virtual Desktop security, governance, management, and monitoring features to improve defenses and collect session host analytics.

For more information about how to apply the principles of Zero Trust across an Azure IaaS environment, see the Apply Zero Trust principles to Azure IaaS overview.

Reference architecture

In this article, we use the following reference architecture for Hub and Spoke to demonstrate a commonly deployed environment and how to apply the principles of Zero Trust for Azure Virtual Desktop with users’ access over the Internet. Azure Virtual WAN architecture is also supported in addition to private access over a managed network with RDP Shortpath for Azure Virtual Desktop.

Diagram of the reference architecture for Azure Virtual Desktop.

The Azure environment for Azure Virtual Desktop includes:

  • A: Azure Storage Services for Azure Virtual Desktop user profiles.
  • B: A connectivity hub VNet.
  • C: A spoke VNet with Azure Virtual Desktop session host virtual machine-based workloads.
  • D: An Azure Virtual Desktop Control Plane.
  • E: An Azure Virtual Desktop Management Plane.
  • F: Dependent PaaS services including Microsoft Entra ID, Microsoft Defender for Cloud, role-based access control (RBAC), and Azure Monitor.
  • G: Azure Compute Gallery.

Users or admins that access the Azure environment can originate from the internet, office locations, or on-premises datacenters.

The reference architecture aligns to the architecture described in the Enterprise-scale landing zone for Azure Virtual Desktop Cloud Adoption Framework.

Logical architecture

In this diagram, the Azure infrastructure for an Azure Virtual Desktop deployment is contained within an Entra ID tenant.

Diagram of the components of Azure Virtual Desktop in a Microsoft Entra tenant.

The elements of the logical architecture are:

  • Azure subscription for your Azure Virtual Desktop

    You can distribute the resources across more than one subscription, where each subscription holds a different role, such as a network subscription or a security subscription. This is described in the Cloud Adoption Framework and Azure Landing Zone guidance. Different subscriptions may also hold different environments, such as production, development, and test environments. How you split them depends on how you want to separate your environment and the number of resources you have in each. One or more subscriptions can be managed together using a Management Group, which lets you apply permissions with RBAC and Azure Policy to a group of subscriptions instead of setting up each subscription individually.

  • Azure Virtual Desktop resource group

    An Azure Virtual Desktop resource group isolates Key Vaults, Azure Virtual Desktop service objects and private endpoints.

  • Storage resource group

    A storage resource group isolates Azure Files service private endpoints and data sets.

  • Session host virtual machines resource group

    A dedicated resource group isolates the session host virtual machines, their Disk Encryption Set, and an Application Security Group.

  • Spoke VNet resource group

    A dedicated resource group isolates the spoke VNet resources and a Network Security Group, which networking specialists in your organization can manage.

What’s in this article?

This article walks through the steps to apply the principles of Zero Trust across the Azure Virtual Desktop reference architecture.

Each step lists the Zero Trust principle(s) it applies in parentheses.

  • Step 1: Secure your identities with Zero Trust. (Verify explicitly)
  • Step 2: Secure your endpoints with Zero Trust. (Verify explicitly)
  • Step 3: Apply Zero Trust principles to Azure Virtual Desktop storage resources. (Verify explicitly, Use least privileged access, Assume breach)
  • Step 4: Apply Zero Trust principles to hub and spoke Azure Virtual Desktop VNets. (Verify explicitly, Use least privileged access, Assume breach)
  • Step 5: Apply Zero Trust principles to Azure Virtual Desktop session hosts. (Verify explicitly, Use least privileged access, Assume breach)
  • Step 6: Deploy security, governance, and compliance to Azure Virtual Desktop. (Assume breach)
  • Step 7: Deploy secure management and monitoring to Azure Virtual Desktop. (Assume breach)

Step 1: Secure your identities with Zero Trust

To apply Zero Trust principles to the identities used in Azure Virtual Desktop:

  • Azure Virtual Desktop supports different types of identities. Use the information in Securing identity with Zero Trust to ensure that your chosen identity types adhere to Zero Trust principles.
  • Create a dedicated user account with least privileges to join session hosts to a Microsoft Entra Domain Services or AD DS domain during session host deployment.

Step 2: Secure your endpoints with Zero Trust

Endpoints are the devices through which users access the Azure Virtual Desktop environment and session host virtual machines. Use the instructions in the Endpoint integration overview and use Microsoft Defender for Endpoint and Microsoft Endpoint Manager to ensure that your endpoints adhere to your security and compliance requirements.

Step 3: Apply Zero Trust principles to Azure Virtual Desktop storage resources

Implement the steps in Apply Zero Trust principles to Storage in Azure for the storage resources being used in your Azure Virtual Desktop deployment. These steps ensure that you:

  • Secure your Azure Virtual Desktop data at rest, in transit, and in use.
  • Verify users and control access to storage data with the least privileges.
  • Implement private endpoints for storage accounts.
  • Logically separate critical data with network controls, for example by using separate storage accounts for different host pools and for other purposes such as MSIX app attach file shares.
  • Use Defender for Storage for automated threat protection.

Note

In some designs, Azure NetApp Files is the storage service of choice for FSLogix profiles for Azure Virtual Desktop via an SMB share. Azure NetApp Files provides built-in security features that include delegated subnets and security benchmarks.

Step 4: Apply Zero Trust principles to hub and spoke Azure Virtual Desktop VNets

A hub VNet is a central point of connectivity for multiple spoke virtual networks. Implement the steps in Apply Zero Trust principles to a hub virtual network in Azure for the hub VNet being used to filter outbound traffic from your session hosts.

A spoke VNet isolates the Azure Virtual Desktop workload and contains the session host virtual machines. Implement the steps in Apply Zero Trust principles to spoke virtual network in Azure for the spoke VNet that contains the session host virtual machines.

Isolate different host pools on separate VNets, and apply a network security group (NSG) to each subnet that allows only the URLs required by Azure Virtual Desktop. When deploying private endpoints, place them in the appropriate subnet in the VNet based on their role.

Azure Firewall or a network virtual appliance (NVA) firewall can be used to control and restrict outbound traffic from Azure Virtual Desktop session hosts. Use the instructions here for Azure Firewall to protect session hosts. Force the traffic through the firewall with User-Defined Routes (UDRs) linked to the host pool subnet. Review the full list of required Azure Virtual Desktop URLs to configure your firewall. Azure Firewall provides an Azure Virtual Desktop FQDN Tag to simplify this configuration.
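As an added example (not part of the original article), the following Python script audits the host pool subnet configuration described above. It reads the JSON shapes that `az network vnet subnet show` and `az network route-table show` return and reports the conditions under which session host egress is not forced through the firewall; the firewall private IP, resource ids, prefixes and route names are constructed assumptions.

```python
"""Audit an Azure Virtual Desktop host pool subnet for forced tunneling.
Added example (not from the original article). It inspects the JSON that
`az network vnet subnet show` and `az network route-table show` return
(constructed samples below) and checks for an NSG and a route table on the
subnet, a 0.0.0.0/0 route to the Azure Firewall private IP, and no bypass.
"""
import json

FIREWALL_PRIVATE_IP = "10.0.1.4"  # assumed: Azure Firewall in the hub VNet

# Constructed sample: host pool subnet with an NSG and a route table attached.
SUBNET = json.loads("""{"name": "snet-avd-hostpool", "addressPrefix": "10.1.0.0/24",
  "networkSecurityGroup": {"id": "<nsg-resource-id>"},
  "routeTable": {"id": "<route-table-resource-id>"}}""")

# Constructed sample: a correct default route plus one stray route to the Internet.
ROUTE_TABLE = json.loads("""{"name": "rt-avd-hostpool", "routes": [
  {"name": "default-via-firewall", "addressPrefix": "0.0.0.0/0",
   "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
  {"name": "stray-direct-egress", "addressPrefix": "40.0.0.0/8",
   "nextHopType": "Internet", "nextHopIpAddress": null}]}""")


def audit_hostpool_subnet(subnet, route_table, firewall_ip):
    """Return a list of findings; an empty list means the subnet is compliant."""
    findings = []
    if not subnet.get("networkSecurityGroup"):
        findings.append("subnet has no NSG")
    if not subnet.get("routeTable"):
        findings.append("subnet has no route table: egress is not forced through the firewall")
        return findings  # nothing more to check without a UDR
    routes = route_table.get("routes", [])
    default = next((r for r in routes if r["addressPrefix"] == "0.0.0.0/0"), None)
    if default is None:
        findings.append("no 0.0.0.0/0 route: Azure's system route sends egress to the Internet")
    elif (default["nextHopType"] != "VirtualAppliance"
          or default.get("nextHopIpAddress") != firewall_ip):
        findings.append(f"default route next hop is {default['nextHopType']}/"
                        f"{default.get('nextHopIpAddress')}, expected VirtualAppliance/{firewall_ip}")
    # A more specific route with next hop Internet wins over 0.0.0.0/0 and skips inspection.
    for r in routes:
        if r["nextHopType"] == "Internet" and r["addressPrefix"] != "0.0.0.0/0":
            findings.append(f"route {r['name']} ({r['addressPrefix']}) bypasses the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit_hostpool_subnet(SUBNET, ROUTE_TABLE, FIREWALL_PRIVATE_IP):
        print("FINDING:", finding)
```

Run it against the real CLI output by replacing the constructed documents with `json.load` of the two commands' results; the sample run reports only the stray route.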

Step 5: Apply Zero Trust principles to Azure Virtual Desktop session hosts

Session hosts are virtual machines that run inside a spoke VNet. Implement the steps in Apply Zero Trust principles to virtual machines in Azure for the virtual machines being created for your session hosts.

Host pools should have separated organizational units (OUs) if managed by group policies on Active Directory Domain Services (AD DS).

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. You can use Microsoft Defender for Endpoint for session hosts. For more information, see virtual desktop infrastructure (VDI) devices.

Step 6: Deploy security, governance, and compliance to Azure Virtual Desktop

The Azure Virtual Desktop service allows you to use Azure Private Link to privately connect to your resources by creating private endpoints.

Azure Virtual Desktop has built-in advanced security features to protect session hosts. However, see the following articles to improve the security defenses of your Azure Virtual Desktop environment and session hosts:

In addition, see the key design considerations and recommendations for security, governance, and compliance in Azure Virtual Desktop landing zones in accordance with Microsoft's Cloud Adoption Framework.

Step 7: Deploy secure management and monitoring to Azure Virtual Desktop

Management and continuous monitoring are important to detect malicious activity in your Azure Virtual Desktop environment. Use Azure Virtual Desktop Insights to log data and report diagnostic and usage data.

See these additional articles:

Training: Secure an Azure Virtual Desktop deployment
Learn about the Microsoft security capabilities that help keep your applications and data secure in your Microsoft Azure Virtual Desktop deployment.

Training: Protect your Azure Virtual Desktop deployment by using Azure
Deploy Azure Firewall, route all network traffic through Azure Firewall, and configure rules. Route the outbound network traffic from the Azure Virtual Desktop host pool to the service through Azure Firewall.

Training: Manage access and security for Azure Virtual Desktop
Learn how to plan and implement Azure roles for Azure Virtual Desktop and implement Conditional Access policies for remote connections. This learning path aligns with exam AZ-140: Configuring and Operating Microsoft Azure Virtual Desktop.

Training: Design for user identities and profiles
Your users require access to their applications both on-premises and in the cloud. You use the Remote Desktop client for Windows Desktop to access Windows apps and desktops remotely from a different Windows device.

For more training on security in Azure, see these resources in the Microsoft catalog:
Security in Azure

Next Steps

See these additional articles for applying Zero Trust principles to Azure:

Technical illustrations

You can download the illustrations used in this article. Use the Visio file to modify these illustrations for your own use.

PDF | Visio

For additional technical illustrations, click here.

References

Refer to the links below to learn about the various services and technologies mentioned in this article.