
Entra joined device rules #820

@blaqvikin

Description


Statement:

I have two host pools that behave differently with this configuration. Hostpool-A is Entra joined and Intune managed. Hostpool-B is Active Directory joined (Intune join can be irrelevant for this exercise).

Problem:

  • Odd behaviour with AVD and Azure Firewall on AD-joined AVD machines and Entra-joined AVD machines.

Config params/scenario: Recreate Steps

  • Route (UDR) sends all traffic to the Hub vNET with the Fw (Hub-Spoke architecture). This is being sent to the NVA "fw appliance".
  • Peered vNET-Hub to vNET-Spoke
  • Fw is configured with the base rules from this repo.
  • AVD vNET-Spoke is configured with the DNS and Fw private IP as the DNS server.
  • Fw has DNS proxy enabled and custom DNS set to CloudFlare/Google, but for my scenario, since I have an AD environment, I set the IP to my AD/DNS server.
  • CA policy that allows AVD connections with MFA (This is normal).
  • All Fw rules are configured to allow my AVD subnet "172.16.2.0/24"
  • I have the default NSG with little config and one DNAT rule for RDP (to be deleted).

Outcomes:

  • Hostpool-A (With AD) works just fine with the base rules. As my AVD-A-PC1 "172.16.2.1" is AD-joined.
  • Hostpool-B (With Entra join) keeps getting an error that my password is incorrect on AVD-B-PC2 "172.16.2.6".

Troubleshooting:

  • Disconnected the route config (UDR) and adjusted the hostpool RDP settings to include (targetisaadjoined:i:1;requireauthenticationserver:i:1). This worked, and my AVD login was successful without the UDR enabled/associated.

Further Issues:

  • Upon enabling the UDR, I had the same password incorrect issue.

I enabled Azure Monitor logging and reviewed the logs as they streamed. I noticed some denied actions and adjusted my firewall as these were not in the base rules provided, and that worked with my AD-joined environment. Looking back, I could have created a wildcard for the following rules, but I was troubleshooting each rule as it came.

I have attached a snapshot of all the configured rules. The collection names are "ApplicationRules_AVD-AuthForAADLogin" and "ApplicationRules_AVD-Intune". I probably do not need "NetworkRules_AVD-Authentication," but it's 01:20 AM in South Africa, and I am tired.

I have attached the rules I had to add to make this work as required, but figured I would share this so that someone doesn't have to spend 3 days' worth of Event logs, MSFT documentation and LLMs.

I have also attached my Azure Firewall logs as I was doing my troubleshooting.

query_data (1).csv

Here's a route print of my Intune-joined AVD VM after everything was resolved.

Image

azfwpolicy-AVD-FirewallPolicy-v2-rcg-DefaultNetworkRuleCollectionGroup.json
azfwpolicy-AVD-FirewallPolicy-v2-rcg-DefaultDnatRuleCollectionGroup.json
azfwpolicy-AVD-FirewallPolicy-v2-rcg-DefaultApplicationRuleCollectionGroup.json

Desired Outcome:

  • Microsoft to review the documentation and add some clarity on rules, also the DNS proxy config, to make more sense.
  • Microsoft to advise on rules for each scenario, as I suspect I will not be the only one with this scenario.
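The troubleshooting loop described in the issue (stream Azure Firewall logs, pick out the denied destinations from the AVD subnet, turn them into rules, and decide afterwards whether a wildcard would have covered several hosts) can be scripted. The block below is an added example, not code from the issue author or from this repo. The log lines are constructed for the example and are shaped like the `msg` text that Azure Firewall application and network rule logs carry ("<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny>. ..."); that shape is an assumption, so check it against a real export before relying on the regex. The source subnet 172.16.2.0/24 is the one named in the issue; the destination IP 203.0.113.10 is a documentation address, not a real Microsoft endpoint.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log text (not the issue author's attached CSV). Each line
# follows the assumed shape of the Azure Firewall rule-log message field:
# "<proto> request from <src>:<sport> to <dst>:<dport>. Action: <action>. ..."
SAMPLE_LOG = """\
HTTPS request from 172.16.2.6:49812 to login.microsoftonline.com:443. Action: Deny. No rule matched. Proceeding with default action.
HTTPS request from 172.16.2.6:49813 to enterpriseregistration.windows.net:443. Action: Deny. No rule matched. Proceeding with default action.
HTTPS request from 172.16.2.6:49814 to device.login.microsoftonline.com:443. Action: Deny. No rule matched. Proceeding with default action.
HTTPS request from 172.16.2.6:49815 to login.microsoftonline.com:443. Action: Deny. No rule matched. Proceeding with default action.
HTTPS request from 172.16.2.1:50001 to rdweb.wvd.microsoft.com:443. Action: Allow. Rule Collection: ApplicationRules_AVD. Rule: AVD-Core.
TCP request from 172.16.2.6:49816 to 203.0.113.10:443. Action: Deny. No rule matched. Proceeding with default action.
TCP request from 10.0.0.5:40000 to 203.0.113.10:443. Action: Deny. No rule matched. Proceeding with default action.
"""

# Protocol word, source IP:port, destination host-or-IP:port, then the action.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Z]+) request from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[^:\s]+):(?P<port>\d+)\. Action: (?P<action>Allow|Deny)"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not a rule-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    try:
        ipaddress.ip_address(rec["dst"])
        rec["kind"] = "network"        # destination is an IP: a network rule would cover it
    except ValueError:
        rec["kind"] = "application"    # destination is an FQDN: an application rule would cover it
    return rec


def denied_destinations(log_text, source_subnet):
    """Count Deny events per (kind, destination, port, protocol) for sources inside source_subnet."""
    net = ipaddress.ip_network(source_subnet)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if ipaddress.ip_address(rec["src"]) not in net:
            continue                    # noise from other subnets is not our rule gap
        counts[(rec["kind"], rec["dst"], rec["port"], rec["proto"])] += 1
    return counts


def suggest_rules(counts):
    """Collapse denied destinations into candidate rule entries.

    FQDNs sharing a two-label suffix are grouped; when more than one host shares
    the suffix a wildcard candidate is reported alongside the exact hosts so the
    operator can choose between the wildcard and the explicit list.
    """
    app_by_suffix = defaultdict(set)
    network = []
    for (kind, dst, port, proto), hits in counts.items():
        if kind == "application":
            suffix = ".".join(dst.split(".")[-2:])
            app_by_suffix[suffix].add((dst, port, proto))
        else:
            network.append({"type": "network", "destination": dst, "port": port,
                            "protocol": proto, "hits": hits})
    suggestions = []
    for suffix, targets in sorted(app_by_suffix.items()):
        fqdns = sorted(t[0] for t in targets)
        entry = {"type": "application", "target_fqdns": fqdns,
                 "ports": sorted({t[1] for t in targets})}
        if len(fqdns) > 1:
            entry["wildcard_candidate"] = f"*.{suffix}"
        suggestions.append(entry)
    suggestions.extend(sorted(network, key=lambda e: (e["destination"], e["port"])))
    return suggestions


if __name__ == "__main__":
    for entry in suggest_rules(denied_destinations(SAMPLE_LOG, "172.16.2.0/24")):
        print(entry)
```

Run it against a real export by replacing `SAMPLE_LOG` with the message column of the CSV; the subnet filter keeps denies from other spokes out of the AVD rule set, and the wildcard candidate is only a prompt, not a recommendation to widen the rule. Whether FQDN-based rules match at all still depends on the DNS proxy setting described above, because the firewall must resolve the same names the session hosts do.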
