Overcoming Office 365 Access Hurdles in Non-Synchronized Azure AD Environments

Question:

I’m facing a challenge with our on-premises RDS server VMs that deliver Office 365 applications to our users. These VMs are not synchronized with Azure AD, and we’ve implemented Conditional Access policies in Intune that require devices to be Hybrid Azure AD Joined for Office 365 access. This setup has inadvertently blocked the launch of Office 365 apps on RDS, as the servers do not comply with the policy.

To mitigate this, I’ve excluded a user group that requires RDS app access from the Conditional Access Policy, which has raised security concerns due to the potential risk involved. Additionally, I’ve considered excluding our public IP from the policy; however, this would exempt all devices company-wide due to a shared public IP, thus nullifying other compliance settings.

I’m seeking advice on how to navigate this issue. Has anyone encountered a similar situation or could offer insights? Would implementing a device filter within the policy be effective even if the devices are not enrolled in Azure/Intune?

Thank you for your expertise.

Answer:

The scenario is a common one when on-premises Remote Desktop Services (RDS) hosts meet cloud-side access policy in a Microsoft 365 tenant: the Office applications run on the RDS host, so it is the RDS host, not the user's workstation, whose device state Conditional Access evaluates when those apps sign in.

The Core Issue

The crux of the problem is a Conditional Access policy (a feature of Azure AD, which Intune feeds with device compliance state) that requires a Hybrid Azure AD Joined device for Office 365. The RDS servers have no device object in Azure AD, so every Office 365 sign-in from them fails the device control and the apps are blocked.

Potential Solutions and Their Implications

1. Excluding Specific User Groups: Excluding a user group from the Conditional Access policy restores the RDS apps, but the exclusion follows the user, not the server. Those accounts can then sign in to Office 365 from any device, including unmanaged personal machines, with no device check at all.

2. Excluding Public IP Addresses: A named-location exclusion is evaluated on the egress IP. Because the RDS hosts share the office's public IP with every workstation, the exclusion would also waive the device requirement for all of those workstations, undermining the compliance measures the policy exists to enforce.

Strategies for Resolution

To navigate these challenges, consider the following strategies:

  • Hybrid Azure AD Join for RDS Servers: This is the direct fix. Windows Server 2016 and later can be hybrid joined through Azure AD Connect by including the servers' OU in the device sync scope and confirming the SCP or registry-based tenant discovery. Once the servers have device objects and the "domainJoinedDevice" control is satisfied, the policy applies to them as written and the exclusions can be removed.

  • Conditional Access Policy Refinement: Review the policy rather than carving out exceptions. Named locations are IP-based and cannot separate RDS hosts from the rest of the office on a shared egress IP. A filter for devices evaluates attributes of the Azure AD device object, so it cannot match a server that is not registered at all; it becomes useful only after the servers are hybrid joined, for example to target the RDS hosts for additional controls.

  • Device Compliance Policies: Intune compliance policies apply to enrolled devices, and Conditional Access consumes the compliance state they report. Windows Server RDS hosts are not Intune-enrolled clients, so compliance policies will not bring them into scope; hybrid join (evaluated with the "domainJoinedDevice" control) is the applicable trust signal for them.

  • Azure AD Application Proxy: Application Proxy publishes on-premises web applications through Azure AD without a VPN. It does not change the device state that Conditional Access sees when Office clients on the RDS host sign in, so it addresses remote reach rather than this device-trust problem.

Conclusion

Balancing security with accessibility is a delicate task that requires a nuanced approach. By leveraging Azure's native tools and carefully crafting policies that consider the unique needs of your organization, you can ensure that users retain access to essential applications without compromising on security.

Expert Opinion

In my experience, implementing a device filter within the policy could be effective, but it is essential to ensure that the devices, even if not enrolled in Azure/Intune, are still compliant with your organization's security standards. It is advisable to consult with Azure security experts to tailor a solution that best fits your environment.

Call to Action

I encourage IT professionals facing similar challenges to share their experiences and insights. Collaborative problem-solving can lead to innovative solutions that benefit the broader community. If you have encountered a similar situation or have additional advice, please contribute to the discussion. Your expertise is invaluable.
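The following PowerShell is an added example and not part of the original question or answer. It shows the two checks a practitioner would run for the fix described above: verifying on an RDS host that hybrid join actually completed (by parsing the output of dsregcmd /status), and building the Office 365 Conditional Access policy so that it requires a compliant or hybrid-joined device instead of excluding a user group or the office IP. It assumes the Microsoft.Graph PowerShell SDK is installed and that Connect-MgGraph has already been run with the Policy.ReadWrite.ConditionalAccess scope; the break-glass group ID is a placeholder, and the function names are this example's own.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph SDK installed and
# Connect-MgGraph already run with Policy.ReadWrite.ConditionalAccess.

function Get-HybridJoinState {
    # Run on the RDS host. Parses `dsregcmd /status`; a hybrid-joined server reports
    # both AzureAdJoined : YES and DomainJoined : YES and carries a DeviceId.
    [CmdletBinding()]
    param(
        # Defaults to live output; pass captured text when checking a saved report.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    [pscustomobject]@{
        HybridJoined = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES')
        DeviceId     = $fields['DeviceId']       # $null until the device object exists in Azure AD
        Tenant       = $fields['TenantName']
    }
}

function New-Office365DeviceTrustPolicy {
    # Builds (and with -Apply, creates) the Conditional Access policy. Users are scoped to
    # All with only a break-glass group excluded; no named-location or RDS-user exclusion.
    # The grant is compliantDevice OR domainJoinedDevice, so hybrid-joined RDS hosts pass.
    param(
        [Parameter(Mandatory)][string]$BreakGlassGroupId,   # placeholder GUID of emergency-access accounts
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabledForReportingButNotEnforced', # report-only first; review sign-in logs
        [switch]$Apply
    )

    $policy = @{
        displayName   = 'CA - Office 365 requires compliant or hybrid-joined device'
        state         = $State
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('Office365') }   # the Office 365 app group
            clientAppTypes = @('all')
            # No deviceFilter here on purpose: a filter for devices evaluates Azure AD device
            # attributes and cannot match an unregistered server, so it is not a way to
            # carve out RDS hosts that are not hybrid joined.
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice', 'domainJoinedDevice')
        }
    }

    if ($Apply) {
        return New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    }
    return $policy   # inspect the body before committing it to the tenant
}

# Usage on an RDS host:  Get-HybridJoinState
# Usage from an admin session:  New-Office365DeviceTrustPolicy -BreakGlassGroupId '<group-guid>'
```

Run Get-HybridJoinState on each RDS host after the Azure AD Connect sync cycle; if HybridJoined is false and DeviceId is empty, fix the join before touching the policy, because the policy will keep blocking the hosts until a device object exists. Create the policy in report-only mode first and confirm in the sign-in logs that RDS sessions are evaluated as "domainJoinedDevice" satisfied before switching it to enabled and deleting the temporary user-group exclusion.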
