{"id":1483,"date":"2020-07-22T01:00:00","date_gmt":"2020-07-22T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access\/"},"modified":"2024-10-10T07:43:33","modified_gmt":"2024-10-10T07:43:33","slug":"protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/modern-workplace\/protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access\/","title":{"rendered":"Protecting Windows Virtual Desktop (WVD) with OKTA and Microsoft Azure Active Directory Conditional Access"},"content":{"rendered":"<p><span>On a recent engagement deploying Windows Virtual Desktop (WVD) for a customer who used OKTA as their Identity Provider (IDP), we ran into a challenge: the WVD client caches user credentials by design. On the first authentication OKTA prompted for multi-factor authentication, but once that was validated the WVD client never requested authentication again. This was a significant security concern for the customer, who had a mandate for multi-factor authentication on all external access attempts.<\/span><\/p>\n<p><span>We can get pretty close to meeting that mandate by using an Azure Active Directory Conditional Access Policy to set the <a rel=\"noopener nofollow\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/conditional-access\/howto-conditional-access-session-lifetime\" target=\"_blank\">sign-in frequency<\/a> interval to 1 hour. 
The sign-in frequency defines how long a user can go before being asked to sign in again when accessing a cloud application.<\/span><\/p>\n<p>We can combine OKTA for identity with Microsoft Azure Conditional Access Policies for application control, so that our specific control requirements apply only to the appropriate enterprise application, in this case Windows Virtual Desktop (and its client).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.insentragroup.com\/wp-content\/uploads\/sites\/22\/2021\/02\/insentra_james_kindon_07222020_img1.jpg\" alt=\"\" data-udi=\"umb:\/\/media\/82ae5a6a23de4d628ab784e7b36b3c39\" title=\"\"><\/p>\n<p><span>Specifically, the policy is configured as follows:<\/span><\/p>\n<ul>\n<li><span>Applies to all users<\/span><\/li>\n<li><span>Applies to specific cloud apps (WVD)<\/span><\/li>\n<li><span>Has a single session control defined (Sign-in frequency is set to 1 hour)<\/span><\/li>\n<\/ul>\n<p><span>Note that sign-in frequency is evaluated when the client needs a new token from Azure AD, for example when subscribing to the workspace or launching a connection; it does not disconnect a remote session that is already established, which is why this gets close to, rather than fully satisfies, the mandate.<\/span><\/p>\n<p><span>Combined with the usual power of Conditional Access Policies, you can get extremely fine-grained. 
What\u2019s even cooler is that you can still wrap these controls around third-party IDPs such as OKTA and leverage the best of both worlds.<\/span><\/p>\n<p><span>If you have enough licencing to be running WVD, there is a good chance you have enough to protect it via Microsoft Azure Conditional Access at no extra cost.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On a recent engagement deploying Windows Virtual Desktop (WVD) for a customer who leveraged OKTA as their Identity Provider (IDP), we ran into a challenge where the WVD client was caching user credentials (by design), resulting in a situation where on the first authentication, OKTA would prompt for multi-factor authentication, however once validated, the WVD&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/modern-workplace\/protecting-windows-virtual-desktop-wvd-with-okta-and-microsoft-azure-active-directory-conditional-access\/\">Continue reading <span class=\"screen-reader-text\">Protecting Windows Virtual Desktop (WVD) with OKTA and Microsoft Azure Active Directory Conditional 
Access<\/span><\/a><\/p>\n","protected":false},"author":86,"featured_media":1484,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[19],"tags":[],"class_list":["post-1483","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-modern-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/comments?post=1483"}],"version-history":[{"count":1,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1483\/revisions"}],"predecessor-version":[{"id":22920,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1483\/revisions\/22920"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media\/1484"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media?parent=1483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/categories?post=1483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/tags?post=1483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
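The Conditional Access policy the post describes (all users, the WVD cloud app, a single session control with sign-in frequency of 1 hour), built with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example and not code from the original post or from Insentra. It assumes the Microsoft.Graph module is installed and the caller holds Policy.ReadWrite.ConditionalAccess and Application.Read.All; `$wvdAppId` is assumed to be the appId of the first-party Windows Virtual Desktop service principal and must be confirmed in your tenant, and `$breakGlassIds` is a placeholder for emergency-access account object IDs to exclude.

```powershell
# Added example (not from the original post): create the WVD sign-in frequency policy
# via Microsoft Graph and read it back to confirm the session control was applied.
#
# Assumptions (not from the post):
#   - Microsoft.Graph module installed; caller has Policy.ReadWrite.ConditionalAccess
#     and Application.Read.All.
#   - $wvdAppId is the appId of the "Windows Virtual Desktop" service principal.
#     Verify it in your own tenant before relying on it.
#   - $breakGlassIds is a placeholder list of emergency-access account object IDs,
#     excluded so a mis-scoped policy cannot lock every administrator out.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$wvdAppId      = "9cdead84-a844-4324-93f2-b2e6bb768d07"   # assumed; verify in your tenant
$breakGlassIds = @()                                        # e.g. @("<objectId-of-breakglass-account>")

# Sanity check: the service principal must exist in the tenant, otherwise the
# policy's application scope is empty and nothing is protected.
$wvdSp = Get-MgServicePrincipal -Filter "appId eq '$wvdAppId'"
if (-not $wvdSp) { throw "No service principal with appId $wvdAppId; confirm the WVD app ID." }
Write-Host "Scoping policy to: $($wvdSp.DisplayName) ($wvdAppId)"

$policy = @{
    displayName = "WVD - require sign-in every hour"
    # Start in report-only mode; switch to "enabled" once the sign-in logs show the
    # expected re-authentication prompts and no unintended blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")        # "Applies to all users"
            excludeUsers = $breakGlassIds  # placeholder emergency-access exclusions
        }
        applications   = @{ includeApplications = @($wvdAppId) }  # "specific cloud apps (WVD)"
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # The single session control from the post: sign-in frequency of 1 hour.
        signInFrequency = @{
            value     = 1
            type      = "hours"
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and fail loudly if the session control did not land as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$sif   = $check.SessionControls.SignInFrequency
if (-not ($sif.IsEnabled -and $sif.Value -eq 1 -and $sif.Type -eq "hours")) {
    throw "Sign-in frequency was not applied as expected on policy $($check.Id)"
}
Write-Host "Policy '$($check.DisplayName)' created in state '$($check.State)' with sign-in frequency $($sif.Value) $($sif.Type)"
```

Two things to verify once the policy is in place. First, because OKTA remains the IdP, the forced re-authentication is redirected to OKTA; confirm that the OKTA sign-on policy actually re-prompts for MFA on that redirect rather than silently reusing its own session, or the hourly prompt will not deliver the MFA the mandate requires. Second, the frequency is enforced when the client next acquires a token from Azure AD, so test by launching a new connection after the hour has elapsed; an already established remote session is not torn down by this control.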