Welcome to this module on planning and implementing conditional access policies for connections to Azure Virtual Desktop based on requirements. In this module, we'll cover the following topics. What are the requirements to implement conditional access policies with Azure Virtual Desktop? We will then walk-through a demo to create a conditional access policy with session settings.

Let's start by discussing conditional access policy requirements for Azure Virtual Desktop. We need to ensure that the Microsoft 365 tenant has the relevant licensing which includes the conditional access feature. This is covered by the Azure AD P1 licenses and above. You then need to ensure you have a fully configured Azure Virtual Desktop environment, including a host pool and an application group. We will now complete a walk through demo of creating a conditional access policy with session settings.

As you can see, we are logged into the Azure Active Directory portal with an account that has Global Admin access. We now navigate to the Security option, and from here Conditional Access. We then select New policy, then create a new policy. Let's give the policy a name, in our example let's use AVD MFA. Under the Assignments section you need to select the group you want this policy to apply to. In our example, we are going to use an existing group called AVD-Users.

Moving on we click on Cloud apps or actions, then select apps. On the right-hand side we see a list of applications to choose from. If we start to type in the word Windows, we can now see Azure Virtual Desktop as an option. Click on this and then hit the select button. In our example we are not going to create any conditions, but I quickly want to highlight the types of conditions you are able to set. You can control MFA access to AVD based on the Device platform, for example is it an iOS device? Or you can put a condition based on location, for example you may wish to exempt a local office network from being prompted for MFA.

The other options you see are client apps, device state, or filter for devices. For our demo, we are going to leave all these options not configured and move onto access control. We need to select Grant. Because we want to enforce MFA, we select require multi-factor authentication. There are other options as we see here, where a device needs to be marked as compliant, or require that the device be Hybrid joined for example. 

Before we are ready to create the policy, we need to configure session control. If we click on this and now we see several options on the right-hand pane. For your example, we want to tick sign-in frequency which allows us to control the amount of time before a user needs to authenticate their MFA. If we look at Units first, we can select hours or days, and then we can enter the numerical value above that. In our example, we are going to configure seven days, but you should configure according to your organization's policies. Then, we can click on create and ensure the on option is selected. That concludes the demo.