I've already made this work by process names for the client and by domains for web access. 😉
URLs and domains that must be allowed to use the web interface. Recommend using global bypass for the WVD sites, scoped by users/groups allowed to use Azure Virtual Desktop. If not global bypass, at least decryption bypass, except for the login sites, which need to be allowed and decrypted if you wish to enforce tenant restrictions.
- Any hosts or domains to reach your IdP
- Hosts or domains associated with login to your Azure environment (likely login.microsoftonline.com at a minimum)
- All hosts in the domain wvd.microsoft.com
- All hosts in the domain prod.do.dsp.mp.microsoft.com
For simplicity of testing I implemented my positive security model in Web Filtering, which means I would be decrypting WVD traffic, which is pointless and adds latency. I highly recommend bypassing the wvd.microsoft.com domain with global bypass in a production implementation.
Implementing a positive security model with web filtering: block all categories and block uncategorized.
Processes to bypass if you want to use the client. Recommend using global bypass by process, scoped by users/groups allowed to use Azure Virtual Desktop. (In order to subscribe the client you will also need access to the subscription URL (domain wvd.microsoft.com), login.microsoftonline.com and aacdn.msftauth.net.)
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?
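The policy described in the answer above, written out as a small evaluator so the bypass and decryption buckets can be checked before they go into a web-filtering product. This is an added example and not the poster's configuration or any vendor's policy syntax: the domain lists are the ones named in the answer, the IdP host `idp.example.com` and the group name `AVD-Users` are placeholders, and the three action names are my own. The one thing worth noticing is the matching: a bypass for `wvd.microsoft.com` must match the apex and its subdomains on a label boundary, not as a bare suffix, or a host like `notwvd.microsoft.com` would slip into the bypass.

```python
# Added example, not code from the original post. Assumed names: the IdP
# host, the AVD group name and the three action strings.

# Login sites: must be allowed AND decrypted so tenant restrictions can be
# enforced (the post: login.microsoftonline.com at a minimum, plus your IdP).
DECRYPT_AND_ALLOW = {
    "login.microsoftonline.com",
    "idp.example.com",  # placeholder for your identity provider
}

# Sites to global-bypass (allowed, no decryption): the WVD service domain,
# the delivery-optimization domain, and the login CDN the client needs
# to subscribe. Matched as the apex or any subdomain.
GLOBAL_BYPASS = {
    "wvd.microsoft.com",
    "prod.do.dsp.mp.microsoft.com",
    "aacdn.msftauth.net",
}

# Only members of this group get the bypass/allow rules; everyone else
# falls through to the positive security model default (block).
AVD_GROUPS = {"AVD-Users"}  # assumed group name


def in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    Compares on a label boundary, so 'notwvd.microsoft.com' does not match
    'wvd.microsoft.com' the way a naive host.endswith(domain) would.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(host: str) -> str:
    """Return the web-filtering action for a host under the posted model."""
    if any(in_domain(host, d) for d in DECRYPT_AND_ALLOW):
        return "decrypt-and-allow"
    if any(in_domain(host, d) for d in GLOBAL_BYPASS):
        return "bypass"
    # Positive security model: all categories and uncategorized blocked.
    return "block"


def effective_action(host: str, user_groups) -> str:
    """Apply the user/group scope: the AVD rules only exist for AVD users."""
    if not (set(user_groups) & AVD_GROUPS):
        return "block"
    return classify(host)


if __name__ == "__main__":
    # Constructed sample hosts, including the near-miss that a suffix
    # match would wrongly bypass.
    for h in ("rdweb.wvd.microsoft.com", "notwvd.microsoft.com",
              "login.microsoftonline.com", "WVD.MICROSOFT.COM.", "example.com"):
        print(f"{h:32} -> {classify(h)}")
    print(effective_action("rdweb.wvd.microsoft.com", ["Domain Users"]))
```

The `in_domain` helper is the part to carry over to whatever product you configure: if the filter's bypass entry is a plain suffix rather than a domain, test it with a lookalike host before trusting it.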