I’m trying to “lead by example” (I use that term loosely) when it comes to privileged access.
A bit of background
For a long time my regular Microsoft 365 account was also my GA account in my own tenant. I know, I know, that’s top of the list of no-no’s when it comes to Entra, but my excuse was “it made things easier for me”. Yeah, we’ve all heard that before, and it’s not a valid excuse!
Well, after playing/testing in my dev environment I have now finally ditched the GA role assigned to my regular account and implemented a dedicated account for privileged roles.
Sure, it’s only me in my tenant, so what? It’s a good place to start.
High-level overview
- Implemented PIM for my cloud only privileged account
- Configured Passwordless auth for my privileged account
- Set up an AVD environment (single session host) as an Entra joined privileged access workstation, enrolled and managed via Intune, on its own isolated vNet not connected to a site-to-site VPN or any other resources I have in Azure or in my home environment
- Configured a conditional access policy using device extension attributes so my privileged account can only access the Microsoft 365 and Azure portals and services from the AVD session host
- Configured a conditional access policy using device extension attributes to only allow access to AVD for my privileged account from my device (Entra joined Mac)
- Configured a conditional access policy to ensure my privileged account needs to re-sign in every 8 hours
- Configured a break glass account with a FIDO2 Key and a Passkey, in the event that my privileged account/AVD Session host is unavailable
- Configured Monitoring for the break glass account so I get emailed when it is used.
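As an added example (not the author’s own script), this is how the “M365 and Azure only from the PAW” policy in the list above can be expressed with the Microsoft Graph PowerShell SDK: tag the session host with an extension attribute, then block the privileged account on every device that does not carry the tag. The attribute name/value, the object IDs and the policy display name are placeholders I chose; the policy is created in report-only mode and excludes the break glass account.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module.
# Assumptions: extensionAttribute1 = "PAW" marks the AVD session host; object IDs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.AccessAsUser.All"

$pawDeviceObjectId   = "<object-id-of-AVD-session-host>"   # Entra device OBJECT id, not the device id
$privilegedAccountId = "<object-id-of-privileged-account>"
$breakGlassId        = "<object-id-of-break-glass-account>"

# 1. Tag the session host so the conditional access device filter can match it.
Update-MgDevice -DeviceId $pawDeviceObjectId -BodyParameter @{
    extensionAttributes = @{ extensionAttribute1 = "PAW" }
}

# 2. Block the privileged account on every device except the tagged PAW.
#    deviceFilter mode "exclude" removes matching devices from the policy's scope, so the
#    block lands on everything else, including unregistered/unknown devices.
$policy = @{
    displayName = "PRIV - M365 and Azure only from PAW"
    state       = "enabledForReportingButNotEnforced"   # validate in report-only first
    conditions  = @{
        users = @{
            includeUsers = @($privilegedAccountId)
            excludeUsers = @($breakGlassId)              # break glass must never be locked out
        }
        applications = @{
            # Office 365 app group plus the well-known Microsoft Azure Management app id.
            # AVD itself is deliberately not in scope, so the Mac can still reach the session host.
            includeApplications = @("Office365", "797f4846-ba00-4fd7-be46-b1fb6f7d7f3f")
        }
        clientAppTypes = @("all")
        devices = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.extensionAttribute1 -eq "PAW"'
            }
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Check the sign-in logs for report-only results from both the session host and another device before switching `state` to `enabled`.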
Licensing
I’m running Microsoft 365 Business Premium, but have also purchased a single Entra P2 license for my account to make use of PIM. Even if you only have Business Premium or M365 E3, it’s still worth controlling which devices privileged accounts can be used from.
Services targeted
This is currently for management of Entra and Microsoft 365. I have not tackled my Azure subscriptions yet, so that’s next on the list.
Conclusion
Is this overkill for my own tenant and subs? There is only me on it, so it probably is. But if I do not start doing it myself, then how can I expect people to follow my advice? It’s not like politicians who live by the “do what I say, not what I do” mantra 🤣
Some initial “snags” I’ve hit are mainly with passwordless. Occasionally I have had to get a TAP for my privileged account, but again this is a step in the right direction to ensuring privileged access is secured as well as possible. I could look at creating a group and using PIM for Groups to activate it, so that it allows me to use traditional authentication, and then put some other controls in place. The only scenarios where I have hit this snag so far are running Connect-MSOLService and running the Entra Connect configuration.
Let’s be honest, nothing is better than a physical second device as a PAW, but for me I think this is a good compromise. And by using auto shutdown and Start VM on Connect I can keep the AVD costs to a minimum.