[Adviser] Global secure access with Windows Virtual Desktop

Ruben Faustinita 80 Reputation points
2025-01-06T14:41:07.3333333+00:00

Good Afternoon,


We're contacting you to ask for support on a sensitive issue we're having with a client.


We were asked by a client to create VDIs in Azure. These VDIs would be cloud-only machines managed by Intune and would only be accessed by cloud-only accounts, i.e. accounts created exclusively in Microsoft Entra. Access to these machines should be solely and exclusively via Global Secure Access. In terms of architecture, we had thought of something like this.

[Image: Untitled picture (1), architecture diagram]

We would have our VDIs on a single network with private IPs, supported by another machine running the Entra Private Network Connector. Then we'd have an enterprise app supporting Private Access, with CA policies so that users could only access it via Global Secure Access.


We had some doubts about whether it was possible to use Private Access with VDIs, but we ended up finding this use case, which I'll link to here: https://www.joeyverlinden.com/connect-to-azure-virtual-desktop-via-microsoft-entra-private-access/

We have a few questions we'd like to ask:

  1. Is this use case possible? Remember that the user accounts would be cloud-only, and so would the VDIs: no Active Directory registration.
  2. We know that in order to RDP to cloud-only machines we need to enable "Use a web account to sign in to the remote computer", and that we need to use the machine's hostname. I wonder whether, in the above scenario, we would still have to access them this way. This brings us to a problem: the DNS of the source machines using RDP needs to recognise the VDIs in order to resolve the names into IPs.


Thank you so much for your help.

Best regards,

Ruben Faustinita
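The second question above turns on two things the RDP client must be told when the target is an Entra-joined, cloud-only session host: "Use a web account to sign in to the remote computer" (which in an .rdp file is the setting `enablerdsaadauth:i:1`) and a hostname rather than an IP in `full address`, which is why name resolution on the source machine matters. The following is an added example, not code from the question, the answer or any Microsoft product: a small checker that parses an .rdp file and reports which of those two conditions it fails, plus a builder for a file that satisfies both. The hostname `avd-host-01` and the file contents are constructed placeholders; the script does not configure DNS, it only flags the case where an IP was used instead of a name.

```python
"""
Validate an .rdp connection file for use against an Entra-joined (cloud-only)
session host. Added illustration; the hostnames and file contents are
constructed samples, not values from the question or from any real tenant.
"""
import ipaddress


def parse_rdp(text: str) -> dict:
    """Parse the 'name:type:value' lines of an .rdp file into {name: value}.

    Values may themselves contain ':' (e.g. 'host:3389'), so the line is split
    at most twice. Lines that do not have the three fields are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def split_address(addr: str) -> tuple[str, str]:
    """Return (host, port) from a 'full address' value; port defaults to 3389."""
    host, sep, port = addr.rpartition(":")
    if sep and host and port.isdigit():
        return host, port
    return addr, "3389"


def check_entra_rdp(text: str) -> list[str]:
    """Return a list of problems that would stop Entra (web account) sign-in.

    An empty list means both conditions the question mentions are met:
    web-account sign-in is enabled and the target is addressed by hostname.
    """
    s = parse_rdp(text)
    issues = []

    host, _port = split_address(s.get("full address", ""))
    if not host:
        issues.append("missing 'full address'")
    else:
        try:
            ipaddress.ip_address(host)
            # An IP literal parses: Entra sign-in needs the machine's hostname,
            # so the source machine must be able to resolve that name instead.
            issues.append(
                f"'full address' is an IP ({host}); use the session host's hostname"
            )
        except ValueError:
            pass  # not an IP literal, treated as a hostname

    if s.get("enablerdsaadauth") != "1":
        issues.append(
            "'enablerdsaadauth:i:1' is missing; "
            "'Use a web account to sign in to the remote computer' is not enabled"
        )
    return issues


def build_entra_rdp(hostname: str, port: int = 3389) -> str:
    """Produce the minimal .rdp contents that pass check_entra_rdp()."""
    return "\n".join(
        [
            f"full address:s:{hostname}:{port}",
            "enablerdsaadauth:i:1",
        ]
    ) + "\n"


# Constructed samples: one compliant file, one with both mistakes.
GOOD_RDP = build_entra_rdp("avd-host-01")
BAD_RDP = "full address:s:10.0.1.4\nenablerdsaadauth:i:0\n"

if __name__ == "__main__":
    for label, content in (("good", GOOD_RDP), ("bad", BAD_RDP)):
        problems = check_entra_rdp(content)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run it as a script to see the compliant sample pass and the IP-plus-disabled-web-account sample fail on both counts; point `check_entra_rdp` at the text of a real .rdp file to audit one you have been given.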


Accepted answer
Akshay kumar Mandha 1,880 Reputation points Microsoft Vendor
2025-01-06T19:17:31.72+00:00

Hi Ruben Faustinita,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

Based on your query, the cloud-only setup, where user accounts and VDIs are managed through Azure AD (Microsoft Entra ID) without needing an on-premises Active Directory, is possible as per the documentation below:

Microsoft Entra joined session hosts in Azure Virtual Desktop

As for the DNS of the source machine, a hostname issue will generally occur if a host with the same hostname already exists; in that case the hostname needs to be modified. Please refer to the documentation below for more details and the screenshot:

[User's image]

Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID, including passwordless Azure AD authentication to Windows VMs

Note: Before making any changes or setting things up, please test it in a separate environment first to understand how it works and spot any potential issues.

If you have any further query, please let me know, I will help you as needed.
