Recently, once I started down the inevitable reality of custom images, I started thinking more about the security model of Windows 365 and its flexibility. Most of the Windows 365 bloggers/evangelists focus on larger enterprises and their multitude of moneys. I focus more on the SMB (Small and Medium Business). Today, we’re going to discuss the different network options you have and the pluses and minuses of each, how you can use Microsoft Hosted Networks without losing out on integrations/investments, and things to consider down that road.
The Different Networks for Windows 365
My good friend Aresh recently wrote some cool stuff about ANCs (Azure Network Connections) and their high availability. He wrote a really cool article about having multiple ANCs to deliver a more robust experience and account for blips on the radar.
So what is an ANC?
Basically, an ANC is an object that lets your Windows 365 provisioning policy provision a vNIC. You can see an example below:
You specify your network and subnet and it uses the address space/network tech in your Azure tenant to provision your Cloud PC.
Your ANC can be in two different flavors:
- Azure AD Join
- Hybrid Azure AD Join
Obviously, the main difference is whether you need it connecting back to your internal network or not. Basically, during provisioning the Cloud PC is connected to the Azure subnet you specified and is domain joined to either your AD or Azure AD, based on your configuration.
Another part that is good to mention is how the authentication works. User authentication requests are routed over the ANCs so you must have a good connection and cached credentials don’t work here.
The most important thing to remember is that any Azure egress costs money. ANCs are not particularly viable for SMBs because that cost can really add up, and it hurts the business proposition of Windows 365. Microsoft has a solution for that: the Microsoft Hosted Network.
What is a Microsoft Hosted Network? (MHN)
Most people will use ANCs because of how pliable and controllable they are. Microsoft offers another solution for simplicity at the vNIC level: MHNs, or Microsoft Hosted Networks. They’re harder to control because, unlike ANCs, they are strictly not a manageable interface.
The MHN only supports Azure AD-joined machines and has the added benefit that it doesn’t use your Azure subscription; Microsoft will literally manage it for you, hence the name.
You specify where you want your vNIC and, if NECESSARY, the specific region (East or East 2 in the example below):
As we will discuss shortly, it does create challenges for companies that might be doing some “fun” stuff with Azure. Luckily, I have a solution for you!
The Problem with Microsoft Hosted Networks
One of the things I am known for, which I showcased at VMware Explore and have written about in the past, is an interesting strategy around Zero Trust. One of the things I insist on is that my SSO strategy is consistent across my organization. I also believe that if you aren’t doing certificate-based authentication you aren’t doing Zero Trust. You may or may not agree, and that’s okay.
The Problems Created by Azure App Services
SCEPman is a service you host in Azure as an App Service that basically gives you a cloud SCEP server, which is of huge value to a full-cloud organization. SCEP in general is often an external service, and you secure it with proper security layers.
SCEPman uses an App Registration with Azure AD groups as one layer of security and security restrictions as another.
Within SCEPman, we have the network access restrictions as I mentioned above:
Network access restrictions are the first line of defense with Azure App Services and are super useful. You can see an example below of how they work: like many Azure resources, you create rules for what you want to let in, whether a CIDR block/IP address, a service, or Service Tags. This ensures you do things in a secure way.
You can imagine this works great with a standard vNIC like an ANC, but MHNs create some major problems here. Inevitably, any product living in Azure will have this issue when integrating with Windows 365. This is a problem that flat out needs fixing! So, let’s discuss how we can turn a problem into a solution.
Solutioning Around the Restrictions of MHNs
So, when I started working with Windows 365, I learned that my certificates just weren’t coming down. I quickly learned that I was getting 403s from the Azure App Services. A quick IP Chicken showed this:
So my first reaction was “What in the Literal F?” and I talked to a bunch of people who were like, “yeah, you need ANCs to make that work,” including the super smart people at @ConfigMgrDogs, which consists of people at Microsoft who have really helped me to think more critically.
I suppose it was my inferiority complex, being a mobile guy and being told I can only do mobile things, but I went all Beautiful Mind on this. To set the stage here, I also run this as Azure AD Domain Services, which makes stuff even harder. I tried a number of things that were epic failures:
- Intune Certificate Connector (Epic Fail)
- Continually whitelisting the CIDR ranges as I ran into issues
- Messing around with Category allows
- Using ANCs (till I remembered egress $$$)
Next, I downloaded the Azure Public IP address JSON here. Once I grabbed that, I started looking at the IPs I had seen over the last few weeks.
I discovered that they are part of this category:
Once finding that, I added the proper categories to my access rules:
Things to Consider with Microsoft Hosted Networks
One thing to caution: if you are going to use this route to allow Azure resources into your environment, you need multiple layers of security. The caveat is obviously that this does grant access to my SCEP server to others in my region, but I have other security measures within SCEPman to ensure only approved users can request certificates via SCEPman.
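As an added example (not from the original post, SCEPman, or Microsoft), this script performs the lookup described above, matching an observed egress IP against the Azure Service Tags JSON download, and, for the caveat just discussed, reports how many addresses each matching tag admits so you can pick the narrowest tag for the access restriction rule. The embedded JSON is constructed in that file's schema using documentation-range prefixes, and the `ExampleService` tag is hypothetical.

```python
"""Find which Azure Service Tag(s) contain an observed egress IP.

Added example. SAMPLE_SERVICE_TAGS is CONSTRUCTED in the schema of Microsoft's
"Azure IP Ranges and Service Tags - Public Cloud" JSON, with made-up prefixes
from documentation ranges; pass the real file's contents to find_tags() instead.
"""
import ipaddress
import json

# Constructed sample (values[].name / properties.region / addressPrefixes).
# AzureCloud and AzureCloud.eastus are real tag names; ExampleService is hypothetical.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1, "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus", "id": "AzureCloud.eastus",
         "properties": {"region": "eastus", "systemService": "",
                        "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/23"]}},
        {"name": "AzureCloud", "id": "AzureCloud",
         "properties": {"region": "", "systemService": "",
                        "addressPrefixes": ["203.0.113.0/24", "198.51.100.0/22",
                                            "192.0.2.0/24"]}},
        {"name": "ExampleService.EastUS", "id": "ExampleService.EastUS",
         "properties": {"region": "eastus", "systemService": "ExampleService",
                        "addressPrefixes": ["203.0.113.64/26"]}},
    ],
})


def find_tags(service_tags_json: str, observed_ip: str) -> list[dict]:
    """Return every tag whose prefixes contain observed_ip, narrowest tag first.

    Each result carries the matching prefix and the total number of addresses
    the tag covers, i.e. how much an allow rule on that tag would let in.
    """
    ip = ipaddress.ip_address(observed_ip)
    matches = []
    for tag in json.loads(service_tags_json)["values"]:
        props = tag["properties"]
        nets = [ipaddress.ip_network(p) for p in props["addressPrefixes"]]
        hits = [n for n in nets if ip in n]  # version mismatch is simply False
        if hits:
            matches.append({
                "tag": tag["name"],
                "region": props.get("region", ""),
                "prefix": str(max(hits, key=lambda n: n.prefixlen)),
                "addresses_in_tag": sum(n.num_addresses for n in nets),
            })
    # Smallest tag first: that is the one to put in the access restriction rule.
    return sorted(matches, key=lambda m: m["addresses_in_tag"])


if __name__ == "__main__":
    for m in find_tags(SAMPLE_SERVICE_TAGS, "203.0.113.77"):
        print(f'{m["tag"]:<24} via {m["prefix"]:<18} admits {m["addresses_in_tag"]} addresses')
```

With the real download, an IP that only matches a regional AzureCloud tag tells you exactly what the caveat above says: the rule admits every Azure-hosted resource in that region, not just your Cloud PCs.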
I also recommend some of the other aspects I have put together, like advanced analytics and logging, so you know when people are accessing your services and have the visibility you need. Nothing is perfect, but these changes have elevated my Windows 365 deployment to be more robust and effective.
Just because Microsoft thinks Microsoft Hosted Networks are limited doesn’t mean you can’t amplify their utility with creative engineering. Windows 365 is the new frontier and we will continue to extend it to our needs.