WVD/Azure Conditional Access and IGEL OS – learn how it can be achieved!

By Fredrik Brattstig @virtualbrat

10th February -21
There is a lot of customer demand for controlling which devices can connect to your Windows Virtual Desktop (WVD) environment, or basically ANY corporate cloud app running in Azure. It makes good sense for instance to have users that are in known locations to be able to login using username and password to access their WVD sessions. But when the users endpoints are out in the wild, like in home office or on a internet café you would like to add MFA, like AzureAD sends a token to a cellphone etc.

When you open up the ‘Conditional access’ and create a new policy, you specify the User or Groups to be hit by the policy, you specify which ‘cloud apps or actions’ and then go to conditions->device platforms you see that there is no IGEL OS there. Of course, if you select “Include->Any Device” in the config dialogue below, IGEL OS endpoints will be targeted, including your Windows or iOS or any other of the “known” operating systems. Sometimes you might want different rules hitting your iOS phones or tablets than your IGEL OS endpoints.

No option to select IGEL OS endpoints for policy targeting here..

Darn, it’s not possible to assign a policy to IGEL OS devices… But, it actually is! If you select ‘Exclude’ under Device platform and select all the options, the policy will apply to all endpoints that is not of the sort found in the list. This equals to that the policy will hit IGEL OS endpoints, but not your windows or macOS devices for instance. Quite smart right?! It should look like:

Exclude all known operating systems from processing this policy

In my example here ‘WVD Require MFA on IGEL OS in the wild’ (aka it will ask for a MFA token while logging in to WVD (I assigned it for my WVD resources, it can be used for any cloud app) if the IGEL OS endpoint is not on-premises on a known network), what I’m doing is to apply the conditional access rule to require MFA when logging in to AzureAD from a IGEL OS endpoint, but I exclude the list of known IP-addresses in the ‘MFA trusted IP’s’ which you will find in Azure-Portal -> Conditional Access->Named Locations->Configure MFA trusted IP’s.

The result will be that your users can login without MFA when using IGEL OS endpoints in the office, but when they connect from their IGEL OS endpoints at home or anywhere else, they will be requested to provide a MFA token to access the system.

This article is meant as a example and I leave it for you to figure out how you should build your ‘Conditional Access’ policies to address your organizations needs.

The below video will show an IGEL OS device logging in to WVD without MFA, then the MFA policy is added to all unknown operating systems. The second login then prompt the user for MFA token. Finally I add exclusion to disable MFA requirement when the device access origins from the public IP-address of my home office which results in no MFA token request from my home office network.

The Azure Conditional Access policies is tied to the login form, not the device by it self. It evaluates the policies to be applied based on the ‘user agent strings’. This is certainly helpful in the scenario of setting up policies for IGEL OS endpoints. It would be helpful to have IGEL OS in the list of known operating systems, but until that is reality, this is a way to target IGEL OS endpoint.

Stay well!