1. Azure Virtual Desktop Security – Introduction
Security is a very big area with a very big scope in the cloud, and we will not cover all the security aspects in this course, because this course is specialized in the Windows Virtual Desktop and not security in general. However, we will of course cover the security topics that Microsoft focuses on when it comes to Windows Virtual Desktop environments, and those are the same topics that you will also find listed in the Microsoft exam. So in this section, we will focus on the security concerns and the identity and access management for the Windows Virtual Desktop. I also want to explain how the public cloud providers see security. There is an important term here: “security is a shared responsibility.” In one slide only, I want you to understand this and why it is important for you to know about security and how to secure your workloads.
So Microsoft Azure, and any other public cloud provider, is responsible for the physical datacenters, the network infrastructure, availability, and so on. But this doesn’t mean that you don’t have to take care of securing your own data and applications. A public cloud provider such as Azure or Amazon Web Services assumes it is the customer’s responsibility to protect their data and their applications, using the services provided by the cloud provider itself or by a third-party product. On the slide, you can see that there are two circles: there is Microsoft (I mean Microsoft Azure, of course), and there is you. Security is a shared responsibility between you and them. In the overlapping area, you can see that the security of your Microsoft cloud service is a partnership between you and Microsoft. So this is why security is a concern, and it is something that, of course, we need to cover in this course.
2. Azure AD and AD Plans – Explained
Azure Active Directory: what exactly is it, and what does it do? And what are the Azure AD plans or tiers available from Microsoft Azure? If you are already familiar with Azure Active Directory and the plans available, please feel free to skip this lecture. Azure Active Directory, as defined by Microsoft, is the company’s cloud-based identity and access management service, which helps your employees sign in and access resources in two different categories. The first is external resources such as Microsoft 365, the Azure Portal, and thousands of other SaaS applications. The second is internal resources such as apps on the corporate network and intranet, along with any cloud apps developed by the organization.
So Azure Active Directory is Microsoft’s Identity as a Service offering, which provides you with identity management capabilities and functionalities. Take a look at this diagram. Users, data, devices, and apps are the common components of an on-premises system, and your identity management system takes care of all of them. If you want your on-premises system to deal with cloud applications or SaaS services, it is going to look something like this for you and your system: it is decentralized, it is a mess. You have many applications, they don’t talk to each other, and you use different identities for different kinds of applications. But if you use Azure Active Directory from Microsoft, this actually transforms into this form.
You can see right now that it is centralized. Your on-premises identity system communicates with Microsoft Azure Active Directory, and Azure AD provides a centralized identity management system for everything you would like to access in the cloud. It is easier, more organized, more secure, and simpler. So, the way I like to tell my students to think about Azure Active Directory is that it is not a replacement for their on-premises identity system. It is rather an extension of your on-premises directory. I want you to imagine your organization as a person who reaches out to the sky and to the clouds. So this is the idea behind Microsoft Azure Active Directory.
You can synchronize and copy your users from your on-premises system to Azure Active Directory to give them access to the cloud, using great features as well, like single sign-on. Now that we know the idea behind Azure Active Directory and why Microsoft has provided this service for us (Identity as a Service from Microsoft Azure), it is important to note that there are different plans or tiers provided by Microsoft Azure. There is the free one, which is provided by default: once you purchase any Azure subscription, you have access to the free tier of the Azure AD plan. It is a great one; it provides user and group management, on-premises directory synchronization, basic reports, and self-service password reset for the cloud users, so your cloud users can actually reset their passwords, but with the free tier only the cloud users can. And you have some basic functionality for single sign-on, where you can use one identity to access multiple applications, including Microsoft 365 and others. Now, this is the free one. There are two other tiers or plans, known as the Azure AD Premium plans.
We’ll start with the P1 plan. In addition to the free features, in the P1 plan you also have the capability to manage hybrid user access, so users can access both on-premises and cloud resources. It also supports advanced administration such as dynamic groups, self-service group management, and Microsoft Identity Manager. It gives you the option of cloud writeback capabilities, which allow self-service password reset for your on-premises users as well, not only the cloud users. Premium P1 users can also take advantage of the Azure AD Conditional Access feature, and you can use it to prompt users for multifactor authentication through conditional access during certain scenarios or events that fit your business requirements. And this leaves us with the third plan, which is P2.
With Premium P2, in addition to the Free and P1 features, you also get Azure Active Directory Identity Protection, which helps provide risk-based conditional access. So it expands on the conditional access provided by the P1 functionality: it adds the risk-based condition, so it assesses the risk of a login attempt, gives it a degree or level, and uses it for conditional access to your apps and to critical company data. It also provides Privileged Identity Management to help discover, restrict, and monitor administrators (your own administrators) and their access to the resources, so you can provide just-in-time access only when needed. It also comes with some more advanced features, like advanced access reviews and entitlement management. So this is Azure AD, the Azure Active Directory, and these are the plans that are visible and accessible through the Microsoft Azure cloud. You have the free version, as well as the Premium P1 and P2 versions, which you can buy to gain access to the additional functionality provided by these plans.
3. Azure Role Based Access Control (RBAC)
Azure role-based access control, or Azure RBAC, is a concept introduced by Microsoft to help you manage who has access to your Azure resources, specify what they can do with those resources, and specify which areas they have access to. So Microsoft provides you with Azure role-based access control so you can give a role to a specific user, and based on this role, Azure understands what this user can do and what they can do with the resources. There are three main built-in roles; you can use the built-in roles from Microsoft or you can build your own custom ones.
The three main roles provided by Microsoft are called “Owner,” “Contributor,” and “Reader.” There are variations, but the main idea behind each of them is the same. Starting with the Owner role: it gives the user who has been assigned it full access to manage all the resources, including the ability to assign roles to other users. So if you give it at the resource group level, for example, they can manage the resources in that resource group, and they can give access to other users as well.
As for the Contributor role, it grants full access to manage all resources, but users cannot assign access to other users. This is the difference between Contributor and Owner. As for Reader, they can view all the resources but cannot make any changes; they can only read. As you can see in the diagram as well, the access is inherited, which means that if you assign the role to a specific user at the subscription level, they will have the same access to the resource groups under this subscription and also to the resources under those resource groups. If you give them access at the resource group level, they will have access to the resources in it. But if you give them access only at a specific resource level, they will have it at that level only. This is how it works. So let’s just see how this looks in the Azure Portal.
So this is the Azure Portal; let’s go to the resource groups. Let’s select a resource group, for example the session host resource group. Let’s assume we want to give access at the resource group level, not to a specific resource. Whenever you access any resource, you get the Azure blade, which shows the information about that resource group or resource. From the left navigation pane you go to Access Control, and it’s the same way for everything on Azure.
So you locate Access Control, you click on it, and then you will find the same things that you see here: check access, roles, role assignments, and so on. So what if you want to assign access to a specific resource? Let’s say a specific host pool.
Let’s close this one. I will get into the details in a minute, but let’s go this time to the Windows Virtual Desktop. Let’s proceed to the host pools and select one of them. Again, you can see the same option in the left navigation pane; it’s called Access Control. Let’s see what we have. You can see “My access,” so you can check the level of access you have. If I click here, it’s going to tell me I’m the owner of the resource and of the subscription. You can also check access for other users; you simply search by name. The important thing I want to show you is that you can also deny access. You can see the roles that you have for the modern and the classic Azure, but the actions are taken here in the role assignments. You can see what roles you have already assigned at the resource level, and you can add role assignments.
So let’s see what we can do here. We can specify a user. So let’s say, for example, that we want to give Chris access to this host pool. This is role-based access control: you can see what role you want to assign. These are the three main ones, Owner, Contributor, and Reader, as we have explained previously. And you can see the variations: Application Group Contributor, Desktop Virtualization Contributor, the Reader, and so on. You have many of these. Now it is important to know that these are also built-in roles. Microsoft has different built-in roles for different kinds of resources, and these are the ones related to the Windows Virtual Desktop. So you can select one of them.
For example, I want Chris to be a Contributor, which means he can manage things, but he cannot manage the access to these things. I selected the user and clicked Save, and this is how you add a role assignment. Of course, you can remove one by checking the box next to the assignment and removing it. This is how you deal with role-based access. Again, you can do it at the resource group level, and it is passed down to the resources in that resource group; you can do it at the resource level; and you can even do it at the subscription level. Just to wrap up this lecture, you need to know about the built-in roles for the Windows Virtual Desktop, because this is the topic of this course. I will provide this in the resources section of this lecture.
You can go to the link from there, and it is actually recommended that you go through this documentation from Microsoft. It simply explains the roles that we have seen while doing the role assignment for the host pool. For example, you can see a role called “Desktop Virtualization Contributor,” a description of what this role is about, and the actions it can perform.
I’ll break it down for you so you can understand these actions and know what each role is capable of doing. You just need to understand that the asterisk symbol (*) is a wildcard, so it means everything in this category. For example, a Desktop Virtualization Contributor can manage everything under desktop virtualization; they can only read the resource group properties; and they can do all kinds of deployments. But when it comes to authorization, again, they cannot assign security roles to other users: everything under authorization they can only read, and so on and so forth. The next role applies read to everything, so they are only able to read; this is the reader. Then there is the Host Pool Contributor, and so on. You can find all of these roles in the documentation, and it’s a good idea to go through it to familiarize yourself with the built-in security roles from Microsoft for the Windows Virtual Desktop.
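As an added illustration (my own code, not from the lecture or from Microsoft), the following Python model evaluates the semantics described in these two lectures: the built-in Owner, Contributor, Reader and Desktop Virtualization Contributor roles expressed as Actions/NotActions with the `*` wildcard, and the inheritance of an assignment from subscription to resource group to resource. The subscription id, resource group and host pool names are constructed placeholders, and the role definitions are trimmed to the permissions discussed above, so this is a teaching model of the evaluation rule, not Azure's authorization engine.

```python
import re
from dataclasses import dataclass, field

# Scopes are constructed placeholders in the shape the Azure Portal uses.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-session-hosts"
HOST_POOL = RG + "/providers/Microsoft.DesktopVirtualization/hostPools/hp-01"
OTHER_RG = SUB + "/resourceGroups/rg-other"


@dataclass
class RoleDefinition:
    name: str
    actions: list                                    # patterns the role permits; "*" is a wildcard
    not_actions: list = field(default_factory=list)  # patterns carved back out of Actions


# Built-in roles, trimmed to the permissions the lecture discusses.
OWNER = RoleDefinition("Owner", ["*"])
CONTRIBUTOR = RoleDefinition(
    "Contributor", ["*"],
    not_actions=["Microsoft.Authorization/*/Write",
                 "Microsoft.Authorization/*/Delete",
                 "Microsoft.Authorization/elevateAccess/Action"])
READER = RoleDefinition("Reader", ["*/read"])
DESKTOP_VIRT_CONTRIBUTOR = RoleDefinition(
    "Desktop Virtualization Contributor",
    ["Microsoft.DesktopVirtualization/*",
     "Microsoft.Resources/subscriptions/resourceGroups/read",
     "Microsoft.Resources/deployments/*",
     "Microsoft.Authorization/*/read"])


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_permits(role: RoleDefinition, action: str) -> bool:
    """A role permits an action if some Actions pattern matches and no NotActions pattern does."""
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str          # subscription, resource group, or a single resource


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """Assignments are inherited downward: a scope covers itself and everything beneath it."""
    parent = assignment_scope.rstrip("/").lower()
    child = target_scope.rstrip("/").lower()
    return child == parent or child.startswith(parent + "/")


def is_allowed(assignments, principal: str, action: str, scope: str) -> bool:
    """True if any assignment for the principal covers the scope and its role permits the action."""
    return any(a.principal == principal
               and scope_covers(a.scope, scope)
               and role_permits(a.role, action)
               for a in assignments)


# Constructed assignments mirroring the lecture: Chris is Desktop Virtualization
# Contributor on one host pool; an admin is Owner on the whole subscription; a
# reviewer is Reader on the session host resource group.
ASSIGNMENTS = [
    RoleAssignment("chris", DESKTOP_VIRT_CONTRIBUTOR, HOST_POOL),
    RoleAssignment("admin", OWNER, SUB),
    RoleAssignment("reviewer", READER, RG),
]

if __name__ == "__main__":
    vm = RG + "/providers/Microsoft.Compute/virtualMachines/vm-1"
    checks = [
        ("chris", "Microsoft.DesktopVirtualization/hostPools/write", HOST_POOL),
        ("chris", "Microsoft.Authorization/roleAssignments/write", HOST_POOL),
        ("reviewer", "Microsoft.Compute/virtualMachines/read", vm),
        ("reviewer", "Microsoft.Compute/virtualMachines/read", OTHER_RG),
    ]
    for principal, action, scope in checks:
        print(f"{principal:9} {action:50} {is_allowed(ASSIGNMENTS, principal, action, scope)}")
```

Two details worth noticing when you run it: Chris's assignment on the host pool does not flow upward to the resource group, and the Contributor role's NotActions are what stop a contributor from writing role assignments even though its Actions list is `*`.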
4. MFA – Multifactor Authentication for Azure Virtual Desktop
Multifactor authentication is the process where a user is prompted during the sign-in process for an additional form of identification, for example to enter a code from their cellphone or to provide a fingerprint scan. Azure Multifactor Authentication works by requiring two or more of the following authentication methods. Something you know: this is typically your password.
So you go to the login page and you enter your username and your password. Something you have, such as a trusted device that is not easily duplicated, like a phone or a hardware key. And something you are, like a fingerprint or a face scan; so this is basically biometrics. To understand multifactor authentication better, let’s assume, on the left side of this slide, that you are trying to enter your Office 365 portal or your Azure Portal. If you have MFA set up for your username, it will ask you to verify your identity after you enter your username and password and give you multiple options. You can see on the left-side image that it says: verify your identity by approving a request on your Microsoft Authenticator app, using a verification code from your mobile app, receiving a text on your mobile number, or receiving a call. So let’s assume you go with option two, which is using a verification code from the mobile app.
If you go with option two, you will have to open the Microsoft Authenticator app, or any authenticator app you have downloaded on your mobile phone, and enter the code that you can see on the right image of the slide, which is a screenshot of the mobile device showing the code you need to enter. Then you get access to the Microsoft 365 portal or the Azure Portal, and hence the name “multifactor authentication”: it’s not only one factor, the password, it’s more than one factor. So this is how it works. In this slide, I will also explain something important for you, which is some of the great functionalities that you have when it comes to multifactor authentication. I will explain three of them. The first one is called fraud alerts. This allows users to report fraud if they receive multifactor authentication requests that they didn’t initiate.
So, let’s assume your user receives a call on his mobile asking him to verify himself, which means somebody else was trying to log in with his username and password, and actually knew the username and password. This is a fraud attempt, right? So you can allow the users to report that to you as an admin, and then you have the option to block the reporting user in an automated fashion. So you can say to Azure, “Hey, if we receive any cases like this, just block the user immediately.” This is the fraud alert functionality, which you have the option to enable, and you can also tell Azure to send a notification when such an alert is received. The second functionality is called “one-time bypass.” This is in case you have a user who is having issues for any reason, and you know the user: maybe you verified him, you called him, he’s your friend, you know his voice, and so on. He’s having issues, and you just want to let him bypass MFA one time; maybe he lost his mobile phone. With one-time bypass, you can give one user a one-time pass, without multifactor authentication being required, for a specific time that you specify. So you can say 1 minute, 2 minutes, and so on. It is only for one time, and it begins immediately after you create it. So this is yet another feature made available to you. The third one is called “trusted location,” or trusted IPs, and I thought it’s also important for you to know about it: with this functionality you can define a range of IPs to be excluded from the MFA policies.
So for a specific range of IPs, Azure just does not ask for MFA. That’s it; this is the third functionality. One thing to wrap up this lecture is the relationship between the MFA functionality and the different Azure Active Directory plans and tiers. With the free Azure Active Directory, you can use the security defaults to enable multifactor authentication for all the users, but you cannot enable MFA on a per-user basis. You don’t have granular control over enabled users or scenarios, but it does provide the additional security step, and users assigned to the Azure AD Global Administrator role can use multifactor authentication. The second tier is Premium P1.
With the Premium P1 plan, you can use Azure Active Directory Conditional Access to prompt users for multifactor authentication during certain scenarios or events that fit your business requirements. You have more granular control: you can use it per user, and you can use it with the conditional access features as well. The third plan or tier of Azure AD is Premium P2. With this one, you have the strongest security position and an improved user experience. You can add risk-based conditional access to the Azure AD Premium P2 features to adapt to user patterns and reduce multifactor authentication prompts. So you have more of the artificial intelligence factor here with Azure AD Premium P2, where it decides if a login is risky or not and gives it a degree or level, and based on that, it may or may not ask for multifactor authentication.
5. Implement MFA for AVD Users
Let’s set up MFA, or multifactor authentication, for some of the users and play with some of the settings. In the Azure Portal, go to Azure Active Directory and then go to Users. There you will find the option called Multi-Factor Authentication, and you will notice two pages: Users and Service Settings. On the Users page, you can select the users for whom you want to enable multifactor authentication, and you can filter based on the type of users or their multifactor authentication status. So let’s assume we want to enable MFA for Chris.
The next time Chris tries to log in, he will be forced to use MFA. All you have to do is select this user: click on the username and you will see that it is checked. You can check more than one username to enable it for all of them. Then you click Enable, and it tells you that if you do this, Chris will have to set up some information and use MFA, which I am aware of, so I enable multifactor authentication and the update is successful. That’s it; Chris is now marked as enabled. This means that the next time Chris tries to log in, the login page will ask him to enter some more information, like the email address if it is not already entered, or the phone or mobile number, and whether he wants to install the authenticator application on his mobile phone, if he wants to use it as the other factor of the multifactor authentication.
So this is how you enable MFA for any user you want. It’s pretty straightforward and easy. There are some important settings or functionalities that I also want to explain. If you go to the service settings, you can specify a range of IPs that skip multifactor authentication; these are known as the trusted IPs. You just mark this option and enter the actual range if you want to skip any: mark it, enter the IP range, and these IPs will skip multifactor authentication. You have other options, such as the verification options and whether you want to trust a device and make it remember multifactor authentication. I wouldn’t recommend that. But the most important one here is the trusted IPs option. If we go back, you can discover other options.
So again, let me just go here. You can go to Azure Active Directory, and you will have some other MFA options. From this navigation pane, scroll down until you reach Security, and then scroll down again until you see MFA, so you can manage MFA. If you click on it, there are some pretty good options that I would encourage you to go through. But the most important ones are the fraud alerts, where you can allow users to report fraud if they receive a two-step verification request that they didn’t initiate. So: allow users to submit fraud alerts? Yes. Would you like to automatically block users who report fraud? I would say yes. You can also give it a different code to report the fraud, if you want to use custom codes. Then you click Save to keep the changes, or Discard if you don’t want to save them.
Another great option is called One-Time Bypass. It’s important to note that this feature only applies to MFA Server deployments. With this feature, you can allow a user to authenticate without performing two-step verification for a limited time. It is for one time, and it goes into effect immediately. So once I click Add, I input the username, I specify the time, and, of course, the reason, such as a misplaced phone. Once I input this information and click OK, the 300 seconds start counting immediately, which means the user will have only 300 seconds to try and log in without MFA. After that, everything is back to normal. This is the one-time bypass. MFA is an excellent feature for ensuring the security of your system and user logins, and I would encourage you to use it whenever you believe it is necessary.
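As an added example, written for this page and not taken from the lecture or from Microsoft, here is a small Python model of the three service-side decisions covered in the last two lectures: per-user MFA enablement, the trusted IPs range, and a one-time bypass with a time window that is consumed on first use. The IP ranges, usernames and the 300-second window are constructed values, `ip` and `now` stand for the signals a sign-in would carry, and the evaluation order below (user not enabled, then trusted IP, then bypass, then MFA) is an assumption of this model rather than documented Azure behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class OneTimeBypass:
    """A single-use window during which one user may sign in without MFA."""
    user: str
    seconds: int
    created_at: datetime      # the window starts the moment the bypass is created
    reason: str
    used: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.used and now < self.created_at + timedelta(seconds=self.seconds)


@dataclass
class MfaServiceSettings:
    trusted_ips: list                     # CIDR ranges that skip MFA, e.g. the office egress
    enabled_users: set                    # users marked Enabled on the per-user MFA page
    bypasses: list = field(default_factory=list)

    def ip_is_trusted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.trusted_ips)

    def add_one_time_bypass(self, user: str, seconds: int, reason: str, now: datetime) -> OneTimeBypass:
        bypass = OneTimeBypass(user, seconds, now, reason)
        self.bypasses.append(bypass)
        return bypass

    def mfa_required(self, user: str, ip: str, now: datetime) -> tuple:
        """Return (required, reason). The order of checks is an assumption of this model."""
        if user not in self.enabled_users:
            return False, "mfa not enabled for user"
        if self.ip_is_trusted(ip):
            return False, "trusted ip"
        for bypass in self.bypasses:
            if bypass.user == user and bypass.is_active(now):
                bypass.used = True        # one time only: consumed on first use
                return False, f"one-time bypass ({bypass.reason})"
        return True, "mfa required"


def demo() -> dict:
    """Constructed scenario: office range 203.0.113.0/24 is trusted and Chris has MFA enabled."""
    settings = MfaServiceSettings(trusted_ips=["203.0.113.0/24"], enabled_users={"chris"})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    results = {}
    results["office"] = settings.mfa_required("chris", "203.0.113.10", t0)
    results["remote"] = settings.mfa_required("chris", "198.51.100.5", t0)
    # Admin grants a 300-second bypass because Chris misplaced his phone.
    settings.add_one_time_bypass("chris", 300, "misplaced phone", t0)
    results["bypass_first"] = settings.mfa_required("chris", "198.51.100.5", t0 + timedelta(seconds=10))
    results["bypass_second"] = settings.mfa_required("chris", "198.51.100.5", t0 + timedelta(seconds=20))
    # A fresh bypass that nobody uses inside its 300 seconds simply lapses.
    settings.add_one_time_bypass("chris", 300, "misplaced phone", t0)
    results["bypass_expired"] = settings.mfa_required("chris", "198.51.100.5", t0 + timedelta(seconds=301))
    results["not_enabled"] = settings.mfa_required("dana", "198.51.100.5", t0)
    return results


if __name__ == "__main__":
    for name, (required, reason) in demo().items():
        print(f"{name:15} required={required!s:5} {reason}")
```

The point of the `used` flag and the time check together is that a bypass is both single-use and time-boxed: a second sign-in inside the window still gets prompted, and an unused bypass stops working once the window closes.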
6. Plan Conditional Access Policies
Azure AD Conditional Access is the tool used by Azure Active Directory to bring signals together, make decisions based on these signals, and enforce organizational policies. Conditional access is at the heart of the new identity-driven control plane from Microsoft. As you can see on the slide, with conditional access you have signals, such as who is attempting to log in and from where. Based on those signals, the proper policy is enforced. This is how conditional access works. It is worth mentioning, of course, that you get conditional access only when you use Azure AD P1 and P2; you do not get it with the free plan.
To understand better how conditional access works: you have the signals, as we have said. For example, we have a user who is trying to log in, and there are many types of signals; we will talk more about this in a minute. Who is the user, from which device is he trying to access, from which location, and maybe which app? Based on those, conditional access uses its training and machine learning to assess the risk and give it a specific assessment, and based on that, it selects the effective policy to be used and then enforces the control based on the decision. So it may allow access, it may allow limited access, it may require multifactor authentication, for example, or it may even force a password reset or deny access.
So this is actually the mechanism of conditional access and how it works. It is also important to know what kinds of conditions or signals conditional access provides and what kinds of access controls there are. Let’s start with the conditions. There are many types. For example, what is the user risk or the sign-in risk: is it high, medium, or low? So you can specify, for example, that if the risk is high, I want you to block the user. What is the device platform: is it Android?
Is it iOS, for example? You can use this as a condition as well. What is the location? You can include a location, so you say that if a login is from a specific location, I want you to block it. Or you can exclude a location, so the policy applies to any location other than the excluded one, as we will see later. Client applications can be selected as a condition as well, and so can the device state: you can exclude the compliant devices and the hybrid Azure AD joined ones as well. Once you select the conditions, you can select which access controls you want to apply. You can block or grant access, or grant limited access by requiring multifactor authentication or forcing a password reset. Or you can use session controls, so you can enable a restricted experience within a cloud application; currently, this experience is limited to some of the supported apps. The “What If” tool is something you should be aware of once you’ve configured conditional access. The conditional access What If tool allows you to understand the impact of your conditional access policies on your environment.
It enables you to evaluate a simulated sign-in of a user, so it provides a way to quickly determine the policies that apply to a specific user. Basically, instead of testing your policies by performing multiple sign-ins manually to see what works and what doesn’t, the What If tool simulates the sign-in, estimates its impact against your policies, and generates a simulation report for you. So it makes your life a lot easier. It is available in the Azure Portal, and you can use it to run the simulation; it gives you the result of the evaluation in two forms: policies that apply to your user and policies that don’t apply. For the ones that apply, it also tells you what action will happen. For example, it will state that access will be denied, granted, or granted with limited access.
7. Implement Conditional Access Policies
You can implement conditional access policies by logging into your Azure Portal, going to Azure Active Directory, scrolling down until you see Security, and from there selecting the Conditional Access option. Let’s click on Conditional Access; from here you can start creating and testing your own policy. So let’s see what options we have once we try to create a new policy.
Then we’ll review two policies I have already created so I can explain them to you. Let’s click on “New policy.” First, it asks you for a name, followed by the assignments: to whom do you want to apply this policy? You have the option of including or excluding some or all of your users. It’s important to know that if you select all users, you need to make sure to exclude your own user, so you don’t lock yourself out of the system. You can select none, all users, or specific users, and then you can select a user, a group, a directory role, and so on, or only the guest users.
I will show you in an example what you can select and what you can do. For now, let’s go to Cloud apps or actions. Here you can specify some of the apps, none of the apps, or all cloud apps. If you select all cloud apps, it warns you not to lock yourself out, because this policy impacts the Azure Portal when you select all apps. Or you can select specific apps that you have registered with your Azure Portal, for example Office 365 or whatever applications you have already added or registered. The important part is, of course, the conditions. If you click on conditions, you can select many options here, such as sign-in risk or user risk.
It is worth mentioning that the risk-based conditions are only available with the P2 plan, Azure Active Directory Premium P2; they are not included in P1. You can specify high, medium, or low for when you want to apply this policy. The same applies to sign-in risk: you can configure it or not, and select the level. As for the device platform, you can select which one you want to apply this policy to. If you say configure: yes, you can include any device or one of these devices (Android, iOS, and so on), or you can exclude some of them as well. The same can be said for the locations: you can exclude or include a specific region, or all the trusted locations that you have already preconfigured in your Azure Portal. So you can select a region; for example, you want to allow or enforce this policy for the USA region, and so on. Of course, you also have to add the named locations first, as I will show you in a minute, so you can see them once you select them here; again you can configure it or not, and include or exclude, as I will explain in the examples. As for the client applications, you select which kinds of applications the policy applies to. As for the device state, it gives you the ability to exclude compliant devices or hybrid Azure AD joined devices, if you configure it and mark them. You can also filter devices and add expressions to the policy. For example, if I want to specify that a device is from a specific manufacturer, I specify the name of the manufacturer here, and then the policy is enforced for those devices. So these are the conditions available.
Now, what about the access controls that Azure gives you? You have Grant, and you have Session access controls, but session controls have limited support. As you can see, this control only works with supported applications; Microsoft currently supports only Office 365 Exchange Online and SharePoint Online as cloud apps. It gives you the ability to control user access based on session controls to enable limited experiences. As for Grant, you can either block access based on the policy and the conditions, or you can grant access, or you can grant access with conditions or a limited experience: you can require multifactor authentication, for example, or enforce that they reset their passwords, and so on.
So let’s look at a real example that I have created for you. I have created two examples so I can explain how these conditions and policies work. The first one is called High sign-in risk; I created it earlier to save you time. For the users, the high sign-in risk policy includes all of them except one: of course, I’ve left out my own user, so I won’t lock myself out, because I’m applying this to all of the applications, even the Azure Portal. As for the conditions, I selected only one, and you can see it is the sign-in risk. So I’m asking Azure conditional access, for any user other than myself, if the sign-in risk is high, to take the following access control measure: block access. The function of this policy is to prevent any user except myself from accessing whatever application they are trying to access if the sign-in risk is assessed as high. So this is the first policy. The second policy is called Access from non-US regions. I’m assuming that my employees are based in the US. But what if one of my employees has travelled to another country? How shall we handle the access? This is what this policy is for. It’s called Access from outside the US region, and the assignment again is the same: any user except myself, and any application. But the condition is different this time; we are talking about location conditions. For the location I’m saying: configure, yes; include any location, except the United States, which is the named location we chose. This means any person signing in from any country other than the US. So what do I need the policy to do? I want it to grant access, but I have selected to grant access and require multifactor authentication. So the function of this policy is to handle any login attempt from a country other than the US: I need to verify with the user that he is indeed one of my employees, so I need them to use multifactor authentication.
I will enforce multifactor authentication, and this is the functionality of this policy. So in order to test them out, we can use the What If tool. What if tools are a great tool to be used in these situations? Click on “What If?” and let’s do a simulation for our users’ login attempts to see what would be the result, what policies would be enforced, and so on. This is the purpose of this what-if tool. It tests the impact of conditional access on a user when signing in under certain conditions. So let’s select a user. So let’s say one of our users is Chris. So we have a user; his name is Chris, and he wants to sign in from any cloud applications. Let’s leave it as it is, and let’s assume he’s trying to sign in from the United States this time, okay? And let’s give him just an IP address to complete the experiment.
So I will not select any other conditions. Let’s just pretend there’s no sign-in risk. So I’m asking the What If tool to tell me what the outcome would be and which policies would be enforced if I have a user named Chris who is signing in from the United States and whose sign-in risk is negligible. Everything is fine, so let’s see which policies would apply, and I will click on “What If”. If you scroll down, it shows you the result: under “Policies that will not apply” it lists both High Sign-in Risk and Access from Non-US Regions. So, basically, nothing will happen to this user. Why? Because he’s not triggering the conditions, and the signals are not triggering any of the policies that we have created. Remember, we have created one that applies only if the sign-in risk is high, which is not the case; there is no risk. And the other applies only if the user attempts to access from a region or country other than the United States, but he’s trying to access from the United States. So everything is good. Let’s try to change something else. Let’s keep Chris signing in from the United States, but this time we’ll make it a high sign-in risk. What do you think will happen? Let’s click on “What If”. The policy that will apply is High Sign-in Risk, because the sign-in risk is high, and the grant control will block access this time. So this is what will happen if we have Chris based in the United States but with a high sign-in risk. Let’s set it back to no risk.
Again, with no risk, no policy applies. Now, let’s assume Chris is at no risk as well, but this time he’s trying to log in from Canada. So it’s a country other than the US, right? And he’s using this IP address, for example, so let me just paste in this IP address. He travelled to Canada, and he’s trying to access the system from there. I’ll run the What If scenario this time, and we’ll see which policies apply. As you can see, Access from Non-US Regions applies, so the grant control is going to require him to use multifactor authentication. Something else you can notice is that it says the status of the policy is report-only. What does that mean? If we go back to the policies that we have created and click on any one of them, you can see the Enable policy setting says Report-only. So it is neither active nor disabled; it is only active for reporting purposes.
So when you create a policy, you need to decide what the Enable policy status is. You can make it report-only and test it using What If, then you can enable it and enforce it on the users, or you can disable it whenever you want. So in a nutshell, Conditional Access assesses signals and conditions, weighs them to make a decision, and then grants access, blocks the users, or gives them a limited experience, and you can require MFA and so on. The What If tool is a great tool to test the policies that you have created, to run a simulation, and to give you a report at the end of what would happen to a user in a specific case and what the result of the policy would be if it were enforced on that user. So one last thing I want to show you is the list of named locations. You may have noticed in the Non-US Regions policy that I was able to choose the country United States, and it was already waiting for me. So once you are in the Conditional Access window, you can go to Named locations under Manage, and you will see the countries I have already added.
These have been added by me, for example Canada, and you can click on any one of them to edit or delete it. So I can delete it from here or change the name and the country of this entry. So what if you want to add countries of your own, or any other country? You can do that using these options. There are two options: you can add IP ranges, and you can add countries locations. Also, you can use the MFA trusted IPs, which are configured in the MFA settings. So let’s add a country. I just want to show you how to do it so you can also use it in your policies. Let’s go with China as an example. I will search for it here; it’s going to be there somewhere. And here it is: China. I will mark it and click “Create”, and once it is added we can see it here. Now I can select it in the policies, which means if I go and create a new policy, go to Conditions, then Locations, Configure, and Select locations, I’ll be able to see China as well. So this is how you can add or remove locations, countries, or IP ranges. That was Conditional Access named locations.
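The same two policies and the country named location, built from the command line instead of the portal. This is an added example, not the course author’s code: it uses the Microsoft Graph PowerShell module, and the admin account it excludes (admin@contoso.example) is a placeholder you replace with your own. Both policies are created in report-only state, exactly as in the lecture, so you can run What If against them before enforcing anything.

```powershell
# Added example (not from the course): recreate the lecture's two Conditional Access
# policies and the United States named location with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed; the admin UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Placeholder: the account excluded from both policies so you do not lock yourself out.
$adminUpn = "admin@contoso.example"
$admin = Get-MgUser -UserId $adminUpn

# Named location: the United States as a country location (ISO 3166-1 alpha-2 code).
$usLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United States"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}

# Policy 1: block any user except the admin when the sign-in risk is high.
# State is report-only, as in the lecture; change it to "enabled" after testing with What If.
$highRisk = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "High Sign-in Risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($admin.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: any location except the US -> grant access, but require MFA.
$nonUs = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Access from Non-US Regions"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($admin.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($usLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Confirm what was created and that both are still report-only before enforcing.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Id -in @($highRisk.Id, $nonUs.Id) } |
    Select-Object DisplayName, State
```

The exclusion of your own account is the important line in each policy: a location or risk policy with no excluded break-glass account can lock out the very administrator who has to fix it, which is why the lecture leaves the author’s user out of both assignments.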
8. Security Center and Azure Defender
Azure Security Center is a critical service offered by the Microsoft Azure cloud. With Azure Security Center, you have a unified infrastructure security management system that improves the security posture of your datacenters and provides advanced threat protection across your hybrid workloads in the cloud. Azure Security Center covers two broad areas. The first one is Cloud Security Posture Management, and this is the free one.
The second one is Cloud Workload Protection, and this is the paid plan. For the first one, Cloud Security Posture Management, all Azure users have free access to Security Center. The free experience includes features such as the secure score, detection of security misconfigurations in your Azure machines, asset inventory, and much more. As for Cloud Workload Protection, it is called Azure Defender. So I want you to think of both of them, Cloud Workload Protection and Cloud Security Posture Management, as belonging to Security Center as subsets, if I may call them that; Cloud Workload Protection is also called Azure Defender. So with the Azure Defender plan, which integrates the Cloud Workload Protection Platform into Security Center, you get advanced, intelligent protection of your Azure and hybrid resources. So, not only Azure resources, but also large-scale hybrid resources such as on-premises servers and other cloud providers such as Amazon Web Services. It brings these advanced, intelligent services to your hybrid workloads, not only the Azure ones. And enabling Azure Defender brings a range of additional security features, as we will see as we go through these slides. It is important to note that the Security Center service, along with Azure Defender, of course, gives you great advantages.
And this is only a partial list. You will have hybrid security management and threat protection, centralised policy management, and lockdown of management ports, so you only open the ports when they are needed. You can protect many kinds of resources, like storage, databases, and other resources, so it’s not just for VMs or servers. You can easily provision an agent to server workloads running on premises, and you can assess your security through a unified view across your hybrid cloud workloads, so you’ll have one view for everything. You also get continuous security assessments and actionable recommendations. As for Azure Defender, which is the workload protection part, you can protect many kinds of resources with it. In one slide: you can use it for servers, App Service, storage, SQL, Kubernetes, container registries, Key Vault, and DNS. Let’s compare the Security Center free plan and Azure Defender, which is the paid plan.
As you can see, with the free tier you get the continuous assessment and security recommendations and the Azure Secure Score, which is a score that gives you an indication of the security posture of your environment. With Azure Defender you get those too, but you also get Just-in-Time VM access, adaptive application controls, adaptive network hardening, compliance controls, threat protection for Azure VMs, and the licence for Microsoft Defender for Endpoint. You get threat protection for platform-as-a-service as well, not only for infrastructure-as-a-service such as VMs, so it is available for SQL databases, along with Microsoft Defender Advanced Threat Protection and hybrid support with Azure Defender. The last thing I want to mention regarding Azure Security Center is the Secure Score, which you get with the free plan, not only the paid plan; you get it on both. Security Center continually assesses your resources, subscriptions, and organisation for security issues. It then aggregates all of the findings into a single score, allowing you to see your current security situation at a glance. This is Security Center’s functionality or mission. It gives you a percentage score, as shown in the screenshot on the right. The higher the score, the lower the identified risk level. This is important to note, and of course you have the ability to create and export reports that can be readily shared with stakeholders, management, colleagues, or whomever you want to share them with.
9. Enable Azure Defender & Configure Endpoint Protection
In this lecture, we will discuss the Azure Security Center and Azure Defender services. We will look at the security recommendations and the secure score. We will enable the paid plan, Azure Defender, check the advanced settings available in Azure Defender, and enable automatic provisioning of the agents required for the services to work properly. So let’s start by going to the Security Center service. You can search for it by typing “Security”, and you will find Security Center here. This is the Security Center overview page. You get your secure score, some insights from Azure Defender, and the compliance status, of course. So first, let’s explore some of the items that you can see. It gives you the highest priority recommendations, which are actionable, so if you click on any one of them, it takes you to the action list, that is, to what you need to do.
For example, you can install an endpoint protection solution. So it recommends that you install an endpoint protection solution on your machines. These could be your virtual machines, your on-premises machines, or your WVD session hosts. Also, if you go to the navigation pane and scroll down to Secure score, you get a more detailed view of the things that you need to do. So you can see the secure score. It is low at the moment; you have completed about six of the 51 points. So you will need to take some actions to get a higher score, and the higher the score, the better, of course. If we scroll down, you can select the subscription to view, or you can click on View recommendations. It tells you how many healthy resources it has discovered, and as you scroll down, you get a more detailed view. So you can see, for example, that you need to enable MFA, and it gives you two recommendations for that; the one with the check mark has already been done.
If we click on this one, it says that multifactor authentication (MFA) should be enabled for all subscription accounts with owner permissions. As a result, any owner on the subscription will require MFA. This is a good security practise to follow, and it gives you the remediation steps, so you can even do that directly: one, two, three, you follow the steps, and that’s it. You will have many, many recommendations here. For example, we have talked about enabling endpoint protection. It tells you that you have the agent installed on your virtual machines, but you need to install another agent: you need to install endpoint protection.
Now, it is worth mentioning that endpoint protection is free: the licence for endpoint protection is provided as part of the standard offering of Azure Defender. So this takes us to: how can you enable Azure Defender? How can you upgrade your free plan to the Azure Defender plan? Let’s go back to the Security Center menu. If you scroll down under Management, you will see Pricing & settings. Click there and select your Azure subscription, and it takes you to the Azure Defender plans. Azure Defender off is the default option, so you click on Azure Defender on, and it lists the advanced security features you will get access to.
And it asks you for which resource types you want to enable Azure Defender. It’s important to note that you can enable it for these listed resource types, but also that the charge is per instance, which means if you have five VMs, you will be charged the amount shown here monthly for each of the VMs. So you can turn Azure Defender on or off for the services or resource types that you would like to have it enabled for. This is one important note. The second is that you can get a free 30-day trial of Azure Defender, if the trial offer appears here, so you can experiment with the features to see how much value they will add to your environment.
So once you turn Azure Defender on and select the resource types, you click on Save. Of course, I’ve already done that; it only takes a few minutes. Once you have enabled Azure Defender, you will have access to it. So again, this is Security Center; you scroll in the navigation pane, but this time you go to Azure Defender. Once you enable Azure Defender, as I have just shown you, you will see the number of resources protected by Azure Defender. And you can explore what you can do and how you can protect them, installing endpoint protection and whatever else you can do to make sure you have good protection for your workloads. But you will also have access to the advanced protection features. So you have the VM vulnerability assessment and Just-in-Time VM access.
So you can close the ports of your machine and only open them once a staff member asks for permission to access the machine. For example, there is the RDP port. If you use Just-in-Time access, the RDP port will be closed by default. It will only be opened once a staff member, an employee, or a colleague asks to access the virtual machine, and it will be opened for a specific time that you specify. You have a lot of great features, such as adaptive application controls, container image scanning, adaptive network hardening, SQL assessment, file integrity monitoring, and so on.
All of these will be accessible by default once you enable Azure Defender. There is one more important thing that you need to know how to do, and what the purpose of it is: auto provisioning. So you now know Azure Security Center, you know its features, and you know how to take advantage of the actionable items and see the secure score. For Security Center to work properly, and for Azure Defender to work properly, you need to have the agents installed on the resources that you need to check and take actions against. The way you do that, instead of doing it manually for every resource, is to enable the auto provisioning service. You go back to Management, Pricing & settings, select your subscription, and from the left navigation pane click on Auto provisioning. It says Security Center collects security data and events from your resources and services to help you prevent, detect, and respond to threats. When you enable an extension, it will be installed on any new or existing resource by assigning a security policy.
So this is what the auto provisioning feature does. If you enable it, it installs the agent on any machine that you already have and on any new machine that you provision. If you enable all the extensions, it enables them for you by default, or you can enable only one of them. It is recommended to enable all extensions to receive the maximum number of recommendations. So that is Azure Security Center, the Secure Score, how to upgrade to or enable the Azure Defender plan, which is the paid plan, and how to do auto provisioning. Enable auto provisioning for all of your available resources.
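The same procedure scripted, so it can be repeated across subscriptions and checked afterwards. This is an added example, not code from the course: it uses the Az.Accounts and Az.Security modules, the subscription id is a placeholder, and the plan names are the resource types the lecture lists (servers, App Service, storage, SQL, Kubernetes, container registries, Key Vault, DNS).

```powershell
# Added example (not from the course): enable Azure Defender plans, turn on agent
# auto provisioning, and list the actionable recommendations.
# Assumes Az.Accounts and Az.Security are installed; the subscription id is a placeholder.
Connect-AzAccount
Set-AzContext -Subscription "00000000-0000-0000-0000-000000000000"   # placeholder id

# Current tier of every plan: "Free" means Security Center only, "Standard" means Azure Defender.
Get-AzSecurityPricing | Select-Object Name, PricingTier

# Upgrade the plans discussed in the lecture to the paid tier.
# Each plan is billed per protected instance, so enable only what you actually run.
$plans = @("VirtualMachines", "AppServices", "StorageAccounts", "SqlServers",
           "KubernetesService", "ContainerRegistry", "KeyVaults", "Dns")
foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier "Standard" | Out-Null
}

# Auto provisioning: deploy the monitoring agent to existing and new machines so
# Security Center and Azure Defender have data to assess.
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision | Out-Null
Get-AzSecurityAutoProvisioningSetting -Name "default"

# Re-read the plans to confirm the change took effect.
Get-AzSecurityPricing | Where-Object { $_.Name -in $plans } | Select-Object Name, PricingTier

# Outstanding recommendations, such as installing endpoint protection on VMs.
Get-AzSecurityTask | Select-Object -ExpandProperty RecommendationType -Unique
```

Reading the pricing back after the change is the part worth keeping in any automation: a plan that silently stayed on "Free" gives you the secure score but none of the threat protection the lecture describes.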
10. Configure Device Redirection to Protect Corporate Data
A good security practise is to make sure corporate data is never copied to the user’s desktop. The goal is to make sure the data only resides on the session host and not on the client’s machine. You can do this by configuring some settings for your Windows Virtual Desktop host pool. Let me show you how: go to Windows Virtual Desktop, click on Host pools, and select one of your host pools. After that, scroll down under Settings and go to RDP Properties.
Here you can see some of the settings, but the ones we want are under Device redirection. From here you can specify which devices are redirected between the logged-in end user’s machine and the virtual machine he is logged into. So let’s take a look at the options. You have audio and video. For microphone redirection, you can enable audio capture from the local device and redirection to an audio application in the remote session.
Or you can disable audio capture on the local device. Of course, it is recommended to disable it. Let’s scroll down to see what else we have. Some of the other options you also need to take care of are USB device redirection, which is already set by default to not redirect any devices. The same is true for drive/storage redirection: do not redirect any drives. I have selected this one, or you can redirect all disk drives, including those that are connected later, and so on. But again, the goal is to make sure the data only resides on the session host to protect the corporate data. So this is a great security practise to follow.
So do not redirect any drives. You can even use the clipboard redirection setting to disable copy and paste between the user’s machine and the VM as well. But for now, let’s leave it enabled. If we scroll down, we reach the end of the list. There is USB redirection again: do not redirect any USB devices. Once you are done, click on Save. It’s very important to do this because you are controlling the experience of the RDP session between the user, the user’s machine, and the VM he is logged into. You protect the corporate data, and you make sure to only provide permission for what is needed.
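The portal settings above are stored on the host pool as a single RDP property string, so they can be audited and applied from PowerShell. This is an added example, not the course author’s code: it uses the Az.DesktopVirtualization module, the resource group and host pool names are placeholders, and the parsing function and the baseline table are my own. It flags any redirection that would let data leave the session host and then applies the hardened set from this lecture; clipboard redirection is included in the baseline as off, whereas the lecture leaves it on, so adjust that entry to your own policy.

```powershell
# Added example (not from the course): audit and harden device redirection on a
# Windows Virtual Desktop host pool. Assumes Az.DesktopVirtualization; names are placeholders.
$rg   = "rg-wvd-example"
$pool = "hp-pooled-example"

# Parse an RDP property string ("name:type:value;name:type:value;...") into a hashtable.
function ConvertFrom-RdpProperty {
    param([string]$Raw)
    $props = @{}
    foreach ($entry in ($Raw -split ";" | Where-Object { $_ })) {
        $name, $type, $value = $entry -split ":", 3
        $props[$name] = $value
    }
    return $props
}

# Values that keep data on the session host. Anything else copies data to the client.
$secureBaseline = @{
    "drivestoredirect"     = ""   # no local drives ("*" would redirect all of them)
    "usbdevicestoredirect" = ""   # no USB devices
    "camerastoredirect"    = ""   # no cameras
    "audiocapturemode"     = "0"  # microphone capture off
    "redirectclipboard"    = "0"  # clipboard off (the lecture leaves this on; decide per pool)
}

# Audit: compare the pool's current properties with the baseline.
$current = ConvertFrom-RdpProperty (Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
foreach ($name in $secureBaseline.Keys) {
    # An absent property means the platform default applies; set it explicitly rather than rely on that.
    $actual = if ($current.ContainsKey($name)) { $current[$name] } else { "<not set>" }
    if ($actual -ne $secureBaseline[$name]) {
        Write-Warning ("{0} is '{1}', baseline is '{2}'" -f $name, $actual, $secureBaseline[$name])
    }
}

# Apply the hardened set. The string replaces the whole property list, so merge any
# other properties you want to keep (for example audiomode) into it before saving.
$hardened = "drivestoredirect:s:;usbdevicestoredirect:s:;camerastoredirect:s:;audiocapturemode:i:0;redirectclipboard:i:0"
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $hardened
```

Running the audit part on its own across all host pools is a quick way to find a pool where someone turned drive redirection back on, which the portal view does not surface in one place.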