Planning and Implementing Conditional Access Policies for Connections to Azure Virtual Desktop

This course will help you manage security on your Azure Virtual Desktop and allow you to understand how it integrates with the other Azure services. It covers understanding conditional access policies, multi-factor authentication, integrating with Microsoft Defender for Cloud, and deploying antivirus onto session hosts.

Learning Objectives

  • Plan and implement conditional access policies for connection to Azure Virtual Desktop
  • Plan and implement Multi-Factor Authentication in Azure Virtual Desktop
  • Manage security by using Microsoft Defender for Cloud
  • Configure Microsoft Defender Antivirus for session hosts

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist or anyone preparing to take the AZ-140 exam.

If you wish to get the most out of this course, you should have a good understanding of Azure administration; however, this is not essential.

Welcome to this module on planning and implementing conditional access policies for connections to Azure Virtual Desktop based on requirements. In this module, we'll cover the following topics: what the requirements are to implement conditional access policies with Azure Virtual Desktop, followed by a walk-through demo in which we create a conditional access policy with session settings.

Let's start by discussing conditional access policy requirements for Azure Virtual Desktop. We need to ensure that the Microsoft 365 tenant has the relevant licensing, which includes the conditional access feature. This is covered by the Azure AD P1 licenses and above. You then need to ensure you have a fully configured Azure Virtual Desktop environment, including a host pool and an application group. We will now complete a walk-through demo of creating a conditional access policy with session settings.

As you can see, we are logged into the Azure Active Directory portal with an account that has Global Admin access. We now navigate to the Security option, and from here to Conditional Access. We then select New policy to create a new policy. Let's give the policy a name; in our example we'll use AVD MFA. Under the Assignments section you need to select the group you want this policy to apply to. In our example, we are going to use an existing group called AVD-Users.

Moving on, we click on Cloud apps or actions, then Select apps. On the right-hand side we see a list of applications to choose from. If we start to type the word Windows, Azure Virtual Desktop appears as an option. Click on this and then hit the Select button. In our example we are not going to create any conditions, but I quickly want to highlight the types of conditions you are able to set. You can control MFA access to AVD based on the device platform, for example whether it is an iOS device, or you can set a condition based on location, for example to exempt a local office network from being prompted for MFA.

The other options you see are client apps, device state, and filter for devices. For our demo, we are going to leave all of these options not configured and move on to access control. We need to select Grant. Because we want to enforce MFA, we select Require multi-factor authentication. There are other options, as we see here, such as requiring that the device be marked as compliant or that it be hybrid joined.

Before we are ready to create the policy, we need to configure session control. If we click on this, we now see several options on the right-hand pane. For our example, we want to tick Sign-in frequency, which lets us control how long a user's session lasts before they must authenticate with MFA again. If we look at Units first, we can select hours or days, and then we can enter the numerical value above that. In our example, we are going to configure seven days, but you should configure this according to your organization's policies. Then we can click on Create and ensure the On option is selected. That concludes the demo.
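The same AVD MFA policy the demo builds in the portal, expressed with the Microsoft Graph PowerShell SDK, as an added example that is not part of the course. It assumes the Microsoft.Graph module is installed, the target group is named AVD-Users as in the demo, and the Azure Virtual Desktop service principal carries the display name "Azure Virtual Desktop" (or the older "Windows Virtual Desktop"); both IDs are resolved by name at runtime rather than hard-coded.

```powershell
# Added example: create the demo's "AVD MFA" Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in account may write
# Conditional Access policies (Global Admin or Conditional Access Administrator).
$scopes = @('Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
            'Group.Read.All', 'Application.Read.All')
Connect-MgGraph -Scopes $scopes

# Resolve the AVD-Users group and the AVD service principal by display name,
# so no tenant-specific IDs need to be typed in.
$group  = Get-MgGroup -Filter "displayName eq 'AVD-Users'"
$avdApp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop' or displayName eq 'Windows Virtual Desktop'"
if (-not $group -or -not $avdApp) {
    throw 'Could not resolve the AVD-Users group or the Azure Virtual Desktop app in this tenant.'
}

$policy = @{
    displayName = 'AVD MFA'
    # 'enabled' matches the demo's "On" setting; 'enabledForReportingButNotEnforced'
    # is report-only and is the safer first state when rolling out to a live host pool.
    state       = 'enabled'
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        # Conditional Access targets applications by their appId (client ID).
        applications = @{ includeApplications = @($avdApp.AppId) }
        # No platform, location, client-app or device conditions, as in the demo.
    }
    grantControls   = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # "Require multi-factor authentication"
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = 'days'       # units: 'hours' or 'days'
            value     = 7            # seven days, per the demo
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm what the tenant actually stored.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
'{0}: state={1}, mfa={2}, sign-in frequency={3} {4}' -f $check.DisplayName, $check.State,
    ($check.GrantControls.BuiltInControls -contains 'mfa'),
    $check.SessionControls.SignInFrequency.Value,
    $check.SessionControls.SignInFrequency.Type
```

Run it first with state set to 'enabledForReportingButNotEnforced' and review the sign-in logs before switching it to 'enabled', so that a misconfigured scope cannot lock administrators out of the host pool.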

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany, based in the UK. He has more than 15 years' experience working in the IT industry, 7 of which he has spent working with Microsoft Cloud technologies in general, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.