Overview

Azure Virtual Desktop (AVD) provides session-based or personal desktop experiences hosted in Azure. For privileged access, AVD can deliver isolated admin sessions that are separate from the user’s primary device and workloads.

AVD is well-suited to organisations that need flexibility, scale, or cost optimisation in their PAW deployment.

How AVD differs from Windows 365

Feature         Windows 365                  AVD
-------         -----------                  ---
Persistence     Always-on Cloud PC           Session-based or persistent
Pricing         Per-user subscription        Consumption-based
Customisation   Standard Windows images      Fully customisable
Scaling         Fixed allocation             Auto-scaling host pools
Networking      Azure Network Connection     Full Azure VNet integration

Design approach

Host pool configuration

  • Dedicated host pool for admin sessions
  • Personal or pooled, depending on requirements
  • Custom image with hardened configuration and admin tools only

Session security

  • No clipboard or drive redirection
  • Restricted peripheral passthrough
  • Screen capture protection enabled
  • Session time limits enforced
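The host pool configuration and session security bullets above, as an added PowerShell example (not code from the original page). It assumes the Az.DesktopVirtualization module, an authenticated Az session, and placeholder resource names; the registry block at the end is a session-host image setting, not a host pool property.

```powershell
# Added example: apply the admin host pool session-security baseline and verify it.
# Assumes Az.DesktopVirtualization is installed and Connect-AzAccount has been run.
$ResourceGroup = 'rg-paw-avd'          # placeholder resource group
$HostPoolName  = 'hp-admin-sessions'   # placeholder host pool

# RDP properties are pushed to every session in the pool. Each entry closes one
# redirection channel; smart cards stay enabled so hardware-backed sign-in works.
$rdpProperties = @(
    'redirectclipboard:i:0'      # no clipboard between client and admin session
    'drivestoredirect:s:'        # empty list = no local drives mapped into the session
    'usbdevicestoredirect:s:'    # no USB passthrough
    'camerastoredirect:s:'       # no webcams
    'redirectprinters:i:0'
    'redirectcomports:i:0'
    'audiocapturemode:i:0'       # no microphone capture
    'redirectsmartcards:i:1'
) -join ';'

$params = @{
    ResourceGroupName = $ResourceGroup
    Name              = $HostPoolName
    CustomRdpProperty = $rdpProperties
    MaxSessionLimit   = 4        # keep the number of admin sessions per host low
}
Update-AzWvdHostPool @params

# Drift check: read the pool back and confirm the critical properties are present.
$pool    = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$applied = $pool.CustomRdpProperty -split ';' | Where-Object { $_ }
foreach ($required in 'redirectclipboard:i:0', 'drivestoredirect:s:') {
    if ($applied -notcontains $required) {
        Write-Warning "Host pool $HostPoolName is missing RDP property: $required"
    }
}

# Session-host side (run during image build, or deliver via GPO/Intune): screen
# capture protection and session time limits are Terminal Services policy values.
# Time limits are in milliseconds: 15 min idle, 8 h active, 5 min disconnected.
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $ts -Force | Out-Null
Set-ItemProperty -Path $ts -Name 'fEnableScreenCaptureProtect' -Value 1 -Type DWord  # 1 = block capture on client
Set-ItemProperty -Path $ts -Name 'MaxIdleTime'          -Value 900000   -Type DWord
Set-ItemProperty -Path $ts -Name 'MaxConnectionTime'    -Value 28800000 -Type DWord
Set-ItemProperty -Path $ts -Name 'MaxDisconnectionTime' -Value 300000   -Type DWord
Set-ItemProperty -Path $ts -Name 'fResetBroken'         -Value 1        -Type DWord  # end, not disconnect, on limit
```

Re-run the drift check on a schedule so a later change to the pool's RDP properties (for example re-enabling clipboard redirection for convenience) is caught rather than silently weakening the admin sessions.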

Identity and access

  • Conditional Access policies that allow admin portal access only from an AVD session
  • Authentication strength policies (phishing-resistant MFA)
  • PIM activation required before session access

Networking

  • Host pool deployed into a dedicated admin subnet
  • Network Security Groups restricting traffic to admin endpoints
  • Azure Firewall or third-party NVA for outbound filtering
  • Private endpoints for admin services where available

When AVD makes sense

AVD is a strong option when:

  • The admin team is large or distributed
  • Cost optimisation matters — pooled sessions reduce per-user cost
  • You need full control over networking (VNet integration, private endpoints)
  • Session-based access is acceptable (admins don’t need a persistent desktop)
  • You are already invested in Azure infrastructure

Trade-offs

Strengths:

  • Cost-efficient at scale
  • Full control over networking and image customisation
  • Session-based model reduces persistent attack surface
  • Scales dynamically with demand

Challenges:

  • More complex to deploy and manage than Windows 365
  • Requires Azure infrastructure knowledge
  • Session-based experience may not suit all admin workflows
  • Consumption costs need monitoring

Getting started

  1. Create a dedicated AVD host pool for admin sessions
  2. Build a custom hardened image with admin tools
  3. Configure Conditional Access to scope admin access to AVD sessions
  4. Deploy network segmentation for the host pool
  5. Enable monitoring and session recording