Using Windows 365 for Cloud Based Privileged Access Workstations (PAW)

A while back, I blogged about using Conditional Access and device filters to specify allowed privileged access workstations for Microsoft 365- and Azure management. In security focused organisations, this might be a requirement and I will continue to evolve this idea for Microsoft 365 management in this post. What about cloud based Privileged Access Workstations (PAW)?

Conditional Access is part of bringing this solution to life, but of course the workstations themselves needs to be managed and hardened. I’ve been playing around with the idea of using cloud based PAWs, leveraging Windows 365, instead of a more traditional on-prem solution. The idea would be to lock down dedicated Windows 365 cloud PCs, one for each privileged admin, and make sure those are the only workstations able to perform administrative tasks in the cloud. Since Windows 365 Enterprise is also connected to on-prem by default, I guess these workstations could be used to manage on-prem resources as well, but I will not discuss that scenario any further in this post.

Microsoft has replaced their old on-prem focused security tiering model with the new Enterprise access model. This model is more focused on cloud and hybrid scenarios and is better suited for modern IT security. What we are trying to build here is the privileged access plane where Windows 365 cloud PCs would act as jump servers for both cloud management and on-prem management.

Complete enterprise access model from old tiers

Windows 365 PAWs would fall in under the Privileged Access plane and act as jump servers for different management tools and portals.

The following would be the recipe to use Windows 365 for PAW:

  • Important: Careful scooping of PAW management and the Windows 365 service in Intune.
  • Strict Windows 11 policy hardening using Microsoft security baselines and a custom policy, locking down and removing unnecessary attack surface in Windows 11.
  • Enable all Defender Attack Surface Reduction rules with Intune.
  • Enable Application Control for Windows (WDAC or AppLocker) and block any unwanted applications, not required by admins.
  • Use strict Defender SmartScreen blocking to only allow required management portal and API URLs and endpoints.
  • Make sure all admins use separate cloud-only admin accounts. Each account should have their own Windows 365 license and cloud PC. We will still use PIM of course!
  • Optional: Require these admin accounts to sign in to the Windows 365 portal with FIDO2 security keys. However, they still need to use a password for connecting to the cloud PC inside the Windows 365 portal.
  • Disable persistent token caching on the PAW’s (forces admins to sign in with MFA every time).
  • Use Conditional Access to:
    • Block access to Windows 365 for unlicensed users (block everyone except for a Windows 365 license group).
    • Block privileged users from signing into “normal” workloads like Office 365 tools.
    • Require MFA for signing into Windows 365 portal.
    • Block access to Azure management from everything but the dedicated PAWs according to this.

It would also be possible to use a role tiering model where an admin would have different cloud based admin accounts for different role tiers. For example, only highly privileged roles would require the PAW’s like Global Admin or Privileged Admin, but simple service roles like Exchange Admin or SharePoint Admin would be okay to use from any device with normal MFA activation. That would limit the hassel of signing into the PAW and activating all those roles every time. Also, only the admins sitting on such roles would be required to have a Windows 365 license.

Another important thing to think about is to monitor your PAWs. In a cloud scenario, I would put sensors on the PAWs and monitor them with Sentinel. Sign-in paterns and application execution is examples of good things to monitor and create alert rules for. Another benefit of putting them under Sentinel surveillance is the advanced hunting capabilities of the service. It would be very easy to hunt for suspicious PowerShell usage or strange process trees to name a few. Similar capabilities is of course included with Microsoft 365 Defender too.

Finally, before building any of this, make sure you have a solid break glass process in place since there is room for configuration mistakes in a solution like this, potentially locking you out from your tenant. I hope this inspires you to start thinking about PAWs in the cloud. There are of course a lot more stuff you could do to secure your PAWs but this is hopefully a good baseline and starting point.

Please follow me here, on LinkedIn, and on Twitter!