You're reading from Mastering Azure Virtual Desktop

Product type: Book
Published in: Mar 2022
Publisher: Packt
ISBN-13: 9781801075022
Edition: 1st Edition
Author: Ryan Mangan

Ryan Mangan is an end-user computing specialist. He is a speaker, presenter and author who has helped customers and technical communities with end-user computing solutions, ranging from small deployments to global 30,000-user enterprise deployments in various fields. Ryan is the owner and author of ryanmangansitblog, which has had over 3 million visitors and has over 200 articles. Some of Ryan's community and technical awards include: Microsoft Most Valuable Professional (MVP), VMware vExpert 2014, 2015, 2016, 2017, 2018, 2019, 2020 & 2021, VMware vExpert EUC 2021, VMware vExpert Desktop Hypervisor 2021, Very Important Parallels Professional program (VIPP) 2019, 20 & 21, LoginVSI Technology Advocate 19, 20.

Chapter 11: Managing Security

In this chapter, we'll take a look at security and compliance settings for Azure Virtual Desktop (AVD). First, we'll look at planning and implementing multi-factor authentication (MFA) and Conditional Access policies for AVD. Next, we'll look at Microsoft Defender for Cloud and the benefits of turning this feature on and enabling Azure Defender. To finish the chapter, we'll look at Microsoft Defender Antivirus and additional configurations you can apply to streamline the security signature updates to session hosts.

This chapter covers the following topics:

  • Planning and implementing MFA
  • Managing security by using Microsoft Defender for Cloud
  • Using Microsoft Defender for Cloud for AVD
  • Enabling Azure Defender for AVD
  • Configuring Microsoft Defender Antivirus for AVD

Introduction to MFA

MFA is an authentication layer you can add to the sign-in process as a way of improving sign-in security. When accessing corporate accounts, apps, or other services, the user is required to provide additional identity verification. This additional verification can be scanning a fingerprint or entering a code received by a phone or token-generating device.

Important Note

The security threat landscape is consistently changing, with new threats appearing daily. It is advised as a best practice that organizations use MFA as a standard practice to harden the sign-in process to protect users and corporate data.

How does Azure MFA work?

Azure Active Directory (AD) MFA requires the user to complete two or more authentication methods before a sign-in succeeds. The first method is typically a password. A trusted device such as a phone or hardware key, or a biometric such as a fingerprint or face scan, can be used as the second method.

Important Note

Azure AD MFA also offers a feature known as secure password reset. This can be enabled when users register for Azure AD MFA, which appears as an additional step.

You can use the following forms of authentication when using Azure MFA:

  • Microsoft Authenticator app
  • OATH hardware token (preview)
  • OATH software token
  • SMS
  • Voice call

The verification when using Azure MFA looks similar to the following screenshot:

Figure 11.1 – Azure MFA prompt during a user sign-in process

You have the option of configuring the security defaults to enable Authenticator for all users or choosing conditional...

Planning and implementing MFA

This section goes into detail on how to implement MFA for AVD. We will navigate through the process step by step. The benefit of MFA is that it provides an extra layer of security for users, and only the user with access to the token can log in, reducing the risk of unauthorized access to the network and IT resources.

The prerequisites for getting started are as follows:

  • You first need to assign a license to users that includes Azure AD Premium P1 or P2.
  • You also need to create a new Azure AD group for MFA and ensure that you have included the users you want to assign MFA to.
  • Ensure you enable Azure MFA for all required users.

For more information on the prerequisites, please see the following link: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-getstarted#prerequisites-for-deploying-azure-ad-mfa.

You also need to ensure that your users are configured to use MFA. This is done by following...
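The Conditional Access policy that enforces MFA on AVD (the signals, decision and enforcement this chapter refers to) can be created with the Microsoft Graph PowerShell SDK. This is an added example, not the book's own steps; the group name is a placeholder for the MFA group created in the prerequisites, and it assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes.

```powershell
# Added example (not from the book): create a Conditional Access policy that
# requires MFA for the Azure Virtual Desktop cloud app via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Signal 1: who the policy applies to. The group name is assumed; it is the
# Azure AD group for MFA users that the prerequisites tell you to create.
$mfaGroupName = "AVD-MFA-Users"
$group = Get-MgGroup -Filter "displayName eq '$mfaGroupName'"
if (-not $group) { throw "Group '$mfaGroupName' not found; create it first." }

# Signal 2: which cloud app. Resolve the AVD service principal by display name
# rather than hard-coding its application ID.
$avdApp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop'"
if (-not $avdApp) { throw "Azure Virtual Desktop service principal not found." }

$policy = @{
    displayName   = "AVD - Require MFA"
    # Start in report-only mode so the sign-in logs show what the policy would
    # decide; switch to "enabled" once the results look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApps = @($avdApp.AppId) }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    # Decision and enforcement: grant access only when MFA was satisfied.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Before moving the policy from report-only to enabled, add your emergency-access accounts under `excludeUsers` so that an MFA outage cannot lock administrators out of the tenant.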

Managing security by using Microsoft Defender for Cloud

Microsoft Defender for Cloud was previously known as Azure Security Center and Azure Defender. Before going further, I want to set some context around how the security responsibilities are split between Microsoft and the customer, and why.

We previously spoke about some advanced security features, such as reverse connect, which reduces the risk of exposing virtual desktop resources directly to the public network. We'll now look at the security responsibilities and some of the Azure security best practices available to you.

Here are the security areas you're responsible for in your AVD deployment. Note that the value under the Customer responsibility column is Yes if the customer is responsible and No if Microsoft is responsible:

This table was taken from the following Microsoft link:

https://docs.microsoft.com/en-us/azure/virtual-desktop/security-guide#security-responsibilities

As detailed in the...

Using Microsoft Defender for Cloud and AVD

Out of the box, you can use Microsoft Defender for Cloud to provide continuous assessments and security recommendations, fixes, and Azure security scores, which can be used to gauge your security posture.

Enabling Azure Defender opens up additional features, including just-in-time virtual machine access, adaptive application controls and network hardening, compliance dashboards and reports, and threat protection for Azure virtual machines and non-Azure servers.

Important Note

It is important to note that Microsoft Defender for Cloud is a security posture manager (SPM).

The following screenshot shows the differences between Microsoft Defender for Cloud being switched on and off:

Figure 11.17 – The different features available when Microsoft Defender for Cloud is on and off

To access Microsoft Defender for Cloud, you will see an icon in the main window of the Azure portal with the Security Center icon...

Enabling enhanced security for AVD

This section summarizes the basic steps for enabling enhanced security for Microsoft Defender for Cloud on your Azure subscription. This will allow you to use the more advanced features of Security Center at a cost.

The link to pricing can be found here: https://azure.microsoft.com/pricing/details/azure-defender/.

Important Note

You will need to enable enhanced security for Microsoft Defender for Cloud for each subscription you use.

The basic steps for enabling Azure Defender on your Azure subscription are as follows:

  1. Navigate to Security Center located on the left-hand menu. Within the Microsoft Defender for Cloud menu, select Environment settings. The following screenshot shows the Environment settings menu option, which lists the subscriptions:

Figure 11.21 – Pricing and settings page in Microsoft Defender for Cloud

  2. Click on the required Azure subscription.
  3. Select Enable all...

Configuring Microsoft Defender Antivirus for session hosts

This section takes a look at Microsoft Defender Antivirus for session hosts. Before we look at scans and at suppressing notifications, I want to first take a look at offloading security intelligence updates onto a host machine.

The benefit of doing this is to reduce the impact on the CPU, disk, and memory resources of the session hosts when security intelligence updates are processed. You can manage Microsoft Defender Antivirus using Group Policy; however, you can also use System Center Configuration Manager, Intune, and other third-party mobile device management (MDM) platforms.

See the following link from Microsoft on deploying Microsoft Defender Antivirus: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.
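The session-host side of the offload described above can be set with the Defender PowerShell cmdlets. This is an added example, not the book's or Microsoft's own script; the share path is a placeholder, and it assumes a file share that already holds the unpacked security intelligence package as described in the Microsoft VDI deployment guide linked above.

```powershell
# Added example (not from the book): point a session host's Microsoft Defender
# Antivirus at a pre-staged file share for security intelligence updates, so
# the host pulls the package from the share instead of downloading it itself.
$sharePath = "\\fileserver\wdav-update"   # placeholder, adjust to your share

if (-not (Test-Path $sharePath)) {
    throw "Update share $sharePath is not reachable from this host."
}

# Tell Defender where the share is and make it the first source tried, before
# falling back to Microsoft Update and the Microsoft Malware Protection Center.
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $sharePath
Set-MpPreference -SignatureFallbackOrder "FileShares|MicrosoftUpdateServer|MMPC"

# Pull the update from the share now and record the version before and after,
# so the change can be verified (and a host that falls behind can be spotted).
$before = (Get-MpComputerStatus).AntivirusSignatureVersion
Update-MpSignature -UpdateSource FileShares
$status = Get-MpComputerStatus
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    VersionBefore    = $before
    VersionAfter     = $status.AntivirusSignatureVersion
    LastUpdated      = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays = $status.AntivirusSignatureAge
}
```

If the same settings are managed by Group Policy, Intune or another MDM, the policy value overrides what `Set-MpPreference` writes, so use the script to test on a host before rolling the setting out through policy.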

What is the difference between Microsoft Defender Antivirus and Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an additional license...

Summary

This chapter provided an insight into Microsoft Defender for Cloud with a focus on AVD. We started the chapter off by looking at enabling MFA and then configuring a conditional access policy to enforce MFA on AVD. We then moved on to looking at the security responsibilities of both Microsoft and the customers. We then dived into Microsoft Defender for Cloud, the value it offers Azure customers, and how you can use it to improve your AVD security posture as well as the security of the Azure resources running more widely within your subscription(s). To finish off the chapter, we looked at Microsoft Defender Antivirus at a high level, focusing on some of the features you may want to configure for AVD.

In the next chapter, we will change topics to look at implementing and managing FSLogix profile containers in AVD.

Questions

  1. What is the difference between Microsoft Defender Antivirus and Microsoft Defender for Endpoint?
  2. What are the three core principles required for setting up a Conditional Access policy?
  3. What does the security defaults policy do in regards to Azure MFA?
  4. What are the two options when configuring Azure Defender for Cloud?

Answers

  1. Microsoft Defender Antivirus is native to the operating system. Microsoft Defender for Endpoint is an additional service for which you require a license.
  2. Signals, decisions, and enforcements.
  3. Applies a default set of preconfigured security settings.
  4. Enhanced security off and enhanced security on.