March 7, 2026

Case Study: Delivering Azure Virtual Desktop with FSLogix and Private Link for Controlled Remote Access

Summary

A security-conscious enterprise programme required a modern solution to enable secure remote access for its users. The organisation needed to provide the flexibility of a virtual desktop environment without compromising its stringent security and compliance posture. The solution had to integrate seamlessly with their existing cloud infrastructure and a developing Zero Trust security framework, ensuring that all access was controlled, monitored, and isolated from public networks.

Challenge

The primary challenge was to deploy a scalable remote access solution that met several competing requirements. It needed to offer a high-quality, persistent user experience while operating in a non-persistent virtual desktop infrastructure (VDI). Furthermore, all network traffic associated with the VDI environment, including authentication and user profile data, had to be secured and isolated from the public internet. This required a design that could enforce strict identity and network controls, preventing unauthorised access and potential data exfiltration while remaining manageable for the operations team.

Objectives

  • Deploy a robust Azure Virtual Desktop (AVD) environment to serve as the primary remote access solution.
  • Implement FSLogix for efficient and reliable user profile management, ensuring a consistent desktop experience across sessions.
  • Enforce network isolation by using Azure Private Link to ensure all AVD-related traffic traversed the Azure private backbone, not the public internet.
  • Integrate the AVD solution with the existing Microsoft Entra ID (formerly Azure AD) for identity management and apply Zero Trust principles through Conditional Access policies.
  • Produce comprehensive architectural diagrams and technical documentation to ensure a smooth handover to the client’s internal support teams.

Approach and Delivery

The project followed a Zero Trust architectural approach from the outset. The end-to-end delivery, from initial design to final rollout, was managed by the lead technical architect. This involved creating detailed architectural plans and Statements of Work (SOWs) that specified the security controls and network topology.

The foundation was a hub-and-spoke virtual network architecture, which provided the necessary segmentation and control. The AVD deployment was treated as a spoke, inheriting security policies from the central hub. The process included hands-on build, configuration, and the development of repeatable deployment patterns using automation to ensure consistency and speed up future rollouts for other business units.

Technical Implementation

  • Azure Virtual Desktop (AVD): Deployed and configured AVD host pools, applications, and workspaces tailored to the client’s user groups.
  • FSLogix Profile Management: Implemented FSLogix Profile Containers to manage user profiles. This solution decouples the user profile from the virtual machine, providing a fast and reliable user experience by mounting profiles from a central storage location at sign-in.
  • Network Security: The entire solution was secured using a combination of network security groups (NSGs), Azure Private Link, and private endpoints. Private Link was critical for ensuring that connections from the AVD session hosts to the Azure Files storage used for FSLogix profiles were routed securely over the Azure private network.
  • Identity and Access Management: The solution was integrated with Microsoft Entra ID. Conditional Access policies were configured to enforce multi-factor authentication (MFA) and device compliance checks for all AVD connections, ensuring only authorised and trusted users could gain access.
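
A check an operations team could run on a session host to confirm that the FSLogix profile share is reached through the private endpoint rather than a public address. This is an added example, not part of the original delivery or its documentation. It assumes FSLogix is configured through the standard HKLM:\SOFTWARE\FSLogix\Profiles registry key with UNC paths in VHDLocations, and that the spoke network uses RFC 1918 address space; the function name Test-PrivateIPv4 is hypothetical.

```powershell
# Added example: run on an AVD session host.
# Assumption: FSLogix is configured via the registry and VHDLocations holds UNC paths.
$key = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Hypothetical helper: true when the address is in RFC 1918 private IPv4 space.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$cfg = Get-ItemProperty -Path $key -ErrorAction Stop
if ($cfg.Enabled -ne 1) { Write-Warning 'FSLogix Profile Containers are not enabled.' }

# VHDLocations may be a single string or a multi-string; keep only UNC paths.
$paths = @($cfg.VHDLocations) -split ';' | Where-Object { $_ -match '^\\\\' }

$results = foreach ($unc in $paths) {
    # \\account.file.core.windows.net\share -> account.file.core.windows.net
    $fqdn = ($unc.TrimStart('\') -split '\\')[0]

    # With a private endpoint the name follows a privatelink CNAME to a private A record.
    $ips = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)

    $smb = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Share       = $unc
        ResolvedIPs = $ips -join ','
        AllPrivate  = ($ips.Count -gt 0) -and -not ($ips | Where-Object { -not (Test-PrivateIPv4 $_) })
        Smb445Open  = $smb.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# A public or missing address means the private DNS zone is not linked or not in use.
if ($results | Where-Object { -not $_.AllPrivate }) {
    Write-Warning 'At least one FSLogix share does not resolve to a private address.'
}
```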

Outcome

The project successfully delivered a secure, scalable, and compliant Azure Virtual Desktop environment that met all of the client’s stringent security requirements.

  • Controlled Remote Access: Users were provided with secure remote access to their applications and data without exposing any part of the infrastructure to the public internet.
  • Enhanced Security Posture: The use of Private Link and integration with the Zero Trust framework significantly strengthened the organisation’s security posture for remote work.
  • Improved User Experience: FSLogix provided a seamless and consistent user experience, a critical factor for user adoption in a non-persistent desktop environment.
  • Operational Readiness: The delivery included comprehensive technical documentation, Visio diagrams, and operational guides, enabling the client’s internal team to manage and support the platform effectively.

Risks, Controls and Governance

  • Data Exfiltration: This risk was mitigated by enforcing network isolation with Private Link and NSGs, which prevented session hosts from communicating with the public internet. Microsoft Purview DLP policies were also part of the broader Zero Trust framework.
  • Unauthorised Access: Strong identity controls, including MFA enforced via Entra ID Conditional Access, ensured that only authenticated and compliant devices could connect to the AVD environment.
  • Inconsistent User State: The risk of a poor user experience due to lost settings or slow logons was addressed by the robust implementation of FSLogix for profile containerisation.
  • Lack of Maintainability: Governance was established through the creation of repeatable deployment frameworks and detailed documentation, ensuring the solution could be managed, scaled, and replicated according to defined standards.

Key Lessons

This delivery highlighted several key principles for deploying secure virtual desktops in a regulated enterprise. Firstly, integrating AVD within a wider Zero Trust strategy is not optional; it is fundamental to its success. Secondly, for any security-conscious organisation, Azure Private Link is an essential component for isolating VDI traffic and minimising the attack surface. Finally, the project reinforced that while security controls are paramount, they must be balanced with user experience. The use of FSLogix was a critical enabler for user acceptance, proving that a secure and compliant remote access solution can also be user-friendly and performant.

Written by

Liam Wytcherley