How to Access Office 365 on Unsynced RDS Servers with Conditional Access

Question:

How to enable Office 365 access on RDS servers that are not synced to Azure AD?

We have some on-premises RDS server VMs that host Office 365 apps for our users. However, these VMs are not in an OU that is synced to Azure AD. We have set up a Conditional Access policy in Intune that requires the user device to be Hybrid Azure AD Joined to access Office 365 (we also use SCCM). This policy blocks the access to Office 365 apps on the RDS servers, since they do not meet the criteria.

As a workaround, we have created a group of users who need to use the RDS apps and excluded them from the Conditional Access policy. However, this poses a security risk, according to our security team.

Another option we have tried is to exclude our Public IP from the Conditional Access policy, but this is not feasible, since all our sites share the same Public IP and connect to the internet through a single data center. This would effectively bypass the policy for all our company devices, regardless of their compliance status.

Is there a better way to solve this problem? Has anyone faced a similar situation or has any suggestions? Would it work to create a device filter in the policy, even if the devices are not in Azure/Intune?

Any advice would be appreciated. Thank you.

Answer:

Remote Desktop Services (RDS) is a technology that allows users to access applications and data on a remote computer over a network. Many organizations use RDS to provide shared access to Office 365 apps for their users. However, this scenario can pose some challenges when it comes to licensing and security.

One of the main challenges is how to enable Office 365 access on RDS servers that are not synced to Azure AD. Azure AD is a cloud-based identity and access management service that provides single sign-on and multi-factor authentication for Office 365 and other cloud services. Syncing RDS servers to Azure AD allows them to be managed and secured by the same policies and tools as other devices in the organization.

However, some organizations may have reasons to not sync their RDS servers to Azure AD, such as legacy infrastructure, compliance requirements, or network limitations. In this case, they need to find a way to allow Office 365 access on RDS servers without compromising the security and compliance of their environment.

In this article, we will explore some possible solutions to this problem, based on the following scenario:

  • We have some on-premises RDS server VMs that host Office 365 apps for our users. However, these VMs are not in an OU that is synced to Azure AD.
  • We have set up a Conditional Access policy in Intune that requires the user device to be Hybrid Azure AD Joined to access Office 365 (we also use SCCM). This policy blocks the access to Office 365 apps on the RDS servers, since they do not meet the criteria.
  • As a workaround, we have created a group of users who need to use the RDS apps and excluded them from the Conditional Access policy. However, this poses a security risk, according to our security team.
  • Another option we have tried is to exclude our Public IP from the Conditional Access policy, but this is not feasible, since all our sites share the same Public IP and connect to the internet through a single data center. This would effectively bypass the policy for all our company devices, regardless of their compliance status.
  • We are looking for a better way to solve this problem. Has anyone faced a similar situation or has any suggestions? Would it work to create a device filter in the policy, even if the devices are not in Azure/Intune?
Shared Computer Activation

The first thing we need to do is to enable Shared Computer Activation (SCA) for Office 365 on our RDS servers. SCA is a feature that allows multiple users to use Office 365 apps on a shared device or virtual machine, without consuming multiple licenses. SCA also enables Office 365 to activate and deactivate based on the user’s sign-in and sign-out, ensuring that only licensed users can access the apps.

To use SCA, we need to have an Office 365 plan that includes Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) or Microsoft 365 Business Premium. We also need to use the Office Deployment Tool and a configuration file to install Office 365 on our RDS servers, and specify the `` element as `1` to enable SCA. For more details, see [Deploy Microsoft 365 Apps by using Remote Desktop Services].
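As an added example (not code from the original answer), the following PowerShell script writes an Office Deployment Tool configuration file with Shared Computer Activation enabled, runs the ODT with it, and then verifies the resulting setting on the RDS host. The ODT folder, product ID, update channel and language are assumptions; the `SharedComputerLicensing` property and the Click-to-Run registry key are the real ODT and Office names for this setting.

```powershell
# Added example: configure Shared Computer Activation (SCA) on an RDS host
# with the Office Deployment Tool and verify it afterwards.
# Assumptions: the ODT setup.exe is in C:\ODT, the script runs elevated on the
# RDS host, and the product/channel/language values are placeholders.

$OdtFolder  = 'C:\ODT'
$ConfigPath = Join-Path $OdtFolder 'rds-config.xml'

# SharedComputerLicensing="1" is the ODT property that turns on SCA, so each
# signed-in user activates with their own licence instead of the host's.
$Config = @"
<Configuration>
  <Add OfficeClientEdition="64" Channel="MonthlyEnterprise">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Property Name="SharedComputerLicensing" Value="1" />
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@
Set-Content -Path $ConfigPath -Value $Config -Encoding UTF8

# Install or reconfigure Microsoft 365 Apps on the host using that file.
Start-Process -FilePath (Join-Path $OdtFolder 'setup.exe') `
    -ArgumentList "/configure `"$ConfigPath`"" -Wait -NoNewWindow

# Click-to-Run records the effective SCA setting under its Configuration key;
# checking it confirms the deployment actually applied the property.
function Test-SharedComputerLicensing {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SharedComputerLicensing
    return ($value -eq '1')
}

if (Test-SharedComputerLicensing) {
    Write-Output 'Shared Computer Activation is enabled on this host.'
} else {
    Write-Warning 'SharedComputerLicensing is not 1; users will consume per-device activations.'
}
```

Run the verification function on every RDS host after deployment; a host that reports a warning was not configured with the SCA property and should be re-run with the configuration file.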

Conditional Access Policy

The next thing we need to do is to modify our Conditional Access policy in Intune to allow Office 365 access on our RDS servers. Conditional Access is a feature that allows us to control who can access which cloud apps and under what conditions, based on various factors such as user identity, device state, location, and app sensitivity. We can use Conditional Access to enforce security and compliance policies for Office 365 and other cloud services.

In our scenario, we have a Conditional Access policy that requires the user device to be Hybrid Azure AD Joined to access Office 365. Hybrid Azure AD Join is a process that registers a device in both on-premises Active Directory and Azure AD, allowing it to be managed and secured by both domains. However, this policy blocks the access to Office 365 apps on our RDS servers, since they are not synced to Azure AD.

To fix this, we need to create an exception for our RDS servers in our Conditional Access policy. There are two possible ways to do this:

  • Option 1: Use device groups. We can create a device group in Azure AD that contains our RDS servers, and then exclude this group from the Conditional Access policy. This way, the policy will not apply to the devices in this group, and they will be able to access Office 365 apps. However, this option requires us to sync our RDS servers to Azure AD, which may not be possible or desirable in some cases.
  • Option 2: Use device filters. We can create a device filter in the Conditional Access policy that matches our RDS servers based on their attributes, such as device name, operating system, or domain. This way, the policy will not apply to the devices that match the filter, and they will be able to access Office 365 apps. This option does not require us to sync our RDS servers to Azure AD, but it may be less reliable and more complex to maintain.

For more details, see [Configure Office 365 in a Remote Desktop Services Environment].

Conclusion

In this article, we have discussed how to enable Office 365 access on RDS servers that are not synced to Azure AD. We have learned that we need to enable SCA for Office 365 on our RDS servers, and create an exception for them in our Conditional Access policy. We have also explored two possible ways to create an exception: using device groups or device filters. We hope that this article has been helpful and informative for anyone who faces a similar situation or has any questions. Thank you for reading.
