Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Conditional Access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. Conditional Access policies at their simplest are if-then statements. If a user wants to access a resource, they must complete an action. Conditional Access policies are powerful tools to help keep your organization's devices secure and your environments compliant.
This article provides examples of how organizations can use Conditional Access policies to manage access to dev boxes. For Microsoft Dev Box, it's common to configure Conditional Access policies to restrict who can access the dev boxes, and from which locations they can access their dev boxes.
Device-based Conditional Access:
- Intune and Microsoft Entra ID work together to make sure that only managed and compliant devices can use Dev Box. Policies include Conditional Access based on network access control.
- Learn more about device-based Conditional Access with Intune.
App-based Conditional Access:
- Intune and Microsoft Entra ID work together to make sure that only dev box users can access managed apps like the Microsoft developer portal.
- Learn more about app-based Conditional Access with Intune.
Prerequisites
Provide access to Dev Box
Your organization might start with Conditional Access policies that, by default, allow nothing. You can set up a Conditional Access policy that allows your developers to access their dev boxes by specifying the conditions under which they can connect.
You can configure Conditional Access policies through Intune or Microsoft Entra ID. Each path brings you to a configuration pane.
Scenario 1: Allow access to dev boxes from trusted networks
You want to allow dev box access, but only from specified networks, like your office or a trusted vendor's location.
Define a location
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Conditional Access administrator.
Browse to Protection > Conditional Access > Named locations.
Choose the type of location to create:
- Countries location
- IP ranges location
Give your location a name.
Provide the IP ranges or select the countries/regions for the location that you're specifying.
- If you select IP ranges, you can optionally select Mark as trusted > location.
- If you select Countries/Regions, you can optionally choose to include unknown areas.
Select Create.
For more information, see What is the location condition in Microsoft Entra Conditional Access?.
Create a new policy
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Conditional Access administrator.
Browse to Protection > Conditional Access > Policies.
Select New policy.
Give your policy a name. Use a meaningful naming convention for Conditional Access policies.
Under Assignments, select Users or workload identities:
- Under Include, select All users.
- Under Exclude, select Users and groups. Choose your organization's emergency access accounts.
Under Target resources > Cloud apps > Include, select All cloud apps.
Under Network:
- Set Configure to Yes.
- Under Exclude, select Selected networks and locations.
- Select the location that you created for your organization.
- Choose Select.
Under Access controls, select Block Access > Select.
Confirm your settings, and set Enable policy to Report-only.
Select Create to create your policy.
Confirm that your policy works as expected by using Report-only mode. Confirm that the policy is working correctly, and then enable it.
For information on how to configure a Conditional Access policy to block access, see Conditional Access: Block access by location.
Scenario 2: Allow access to the developer portal
You want to allow developer access to the developer portal only. Developers should access and manage their dev boxes through the developer portal.
Create a new policy
Note
The application Microsoft Developer Portal was renamed from Fidalgo Dev Portal Public, so it's possible for certain tenants to still see the previous name. Even though they see a different name, they still have the same application ID, so it's the correct app. If you want to try fixing this naming problem, delete and readd the tenant's service principal for the app.
Follow these steps:
Sign in to the Microsoft Entra admin center as at least a Conditional Access administrator.
Browse to Protection > Conditional Access > Policies.
Select New policy.
Give your policy a name. Use a meaningful naming convention for Conditional Access policies.
Under Assignments, select Users or workload identities.
- Under Include, select Dev Box Users.
- Under Exclude, select Users and groups and choose your organization's emergency access accounts.
Under Target resources > Cloud apps > Include, select Microsoft Developer Portal > Fidalgo dataplane public > Windows Azure Service Management API.
Under Access controls, select Allow Access and choose Select.
Confirm your settings, and set Enable policy to Report-only.
Select Create to create your policy.
Confirm that your policy works as expected by using Report-only mode. Confirm that the policy is working correctly, and then enable it.
Caution
Misconfiguration of a block policy can lead to organizations being locked out. You can configure accounts for emergency access to prevent tenant-wide account lockout. In the unlikely scenario that all administrators are locked out of your tenant, you can use your emergency-access administrative account to sign in to the tenant to take steps to recover access.
Apps that are required for Dev Box
The following table describes the apps that are relevant for Dev Box. You can customize Conditional Access policies to suit the needs of your organization by allowing or blocking these apps.
| App name | App ID | Description |
|---|---|---|
| Windows 365 | 0af06dc6-e4b5-4f28-818e-e78e62d137a5 | Used when Microsoft Remote Desktop is opened to retrieve the list of resources for the user, and when users initiate actions on their dev box, like Restart. |
| Azure Virtual Desktop | 9cdead84-a844-4324-93f2-b2e6bb768d07 | Used to authenticate to the gateway during the connection and when the client sends diagnostic information to the service. Might also appear as Windows Virtual Desktop. |
| Microsoft Remote Desktop | a4a365df-50f1-4397-bc59-1a1564b8bb9c | Used to authenticate users to the dev box. It's only needed when you configure single sign-on in a provisioning policy. |
| Windows Cloud sign-in | 270efc09-cd0d-444b-a71f-39af4910ec45 | Used to authenticate users to the dev box. This app replaces the Microsoft Remote Desktop app. It's only needed when you configure single sign-on in a provisioning policy. |
| Windows Azure Service Management API | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Used to query for DevCenter projects where the user can create dev boxes. |
| Fidalgo Dataplane Public | e526e72f-ffae-44a0-8dac-cf14b8bd40e2 | Used to manage dev boxes and other DevCenter resources via the DevCenter REST APIs, the Azure CLI, or the Microsoft developer portal. |
| Microsoft developer portal | 0140a36d-95e1-4df5-918c-ca7ccd1fafc9 | Used to sign in to the Microsoft developer portal web app. |
You can allow apps based on your requirements. For example, you can allow Fidalgo Dataplane Public to allow dev box management by using the DevCenter REST APIs, the Azure CLI, or the Microsoft developer portal. The following table lists the apps that are used in common scenarios.
| App | Sign in to and manage dev boxes in developer portal | Dev box management (create/delete/stop etc.) | Connect through browser | Connect through Remote Desktop |
|---|---|---|---|---|
| Microsoft developer portal | 
|
|
|
|
| Fidalgo Dataplane Public |
|
|
|
|
| Windows Azure Service Management API |
|
|
|
|
| Windows 365 |
|
|
|
|
| Azure Virtual Desktop |
|
|
|
|
| Microsoft Remote Desktop |
|
|
|
|
For more information on how to configure Conditional Access policies, see Conditional Access: Users, groups, and workload identities.