Securing Citrix DaaS for Azure

  • Contributed By: Loay Shbeilat

In this article, we discuss how to secure your Citrix deployment in Azure. The sections explain how to implement the best practices and detailed configurations recommended by Microsoft and Citrix. We also provide guidance around which Microsoft Azure and Citrix security services are appropriate for securing your Citrix deployment.

The first section presents Azure security where we discuss the key topics of administration, Azure Active Directory, networking, data protection, and Azure policy. The next section focuses on accessing resources from Citrix Cloud and provides the minimum role permissions required for the Hosting Connection and Machine Catalog management. The final section offers you guidance on the Azure and Citrix services that deliver the best protection for your Citrix deployment.

This document presumes an administrative-level understanding of Microsoft Azure and Citrix. To assist those readers who may not be familiar with all the concepts we discuss, we include helpful explanations.

Microsoft Azure Security

Since Microsoft Azure comprises many services, security within Azure requires a broader approach. We start by securing each of the services at the point of access. This section provides guidance on how to secure the services based on recommendations from Microsoft and Citrix.

The Azure Administration section discusses securing the environment using identity and access management (IAM) and role-based access control (RBAC) within an Azure Account. The Azure Active Directory (AAD) section discusses authentication and using conditional access to secure your Citrix resources. The Networking section lists ports and protocols used by Citrix Cloud and explains how private endpoints prevent your network traffic from traversing the public internet. The Storage Security section covers data encryption and backups while the Azure Policy section recommends policies to secure the account. Finally, the last section explains the invaluable benefits of using Azure Tag and Security Center in your Citrix deployment.

Azure Administration Recommendations

Azure Identity and Access Management (IAM) is a Microsoft-managed identity service that provides authentication, authorization, and auditing services for Azure resources. Azure IAM controls the access and permissions to the Azure resources and must be as hardened as possible. Azure IAM is the first line of defense because all Azure resource access is granted through IAM. We start by discussing the concept of role-based access control followed by how those roles apply to the Azure resources within an Account.

Role-based Access Control Concepts

Azure Role-based access control (RBAC) is an authorization system that provides fine-grained access management to Azure resources. The best practice is to grant access to a resource through an Azure RBAC role assigned to a group. The users are then put into the group for access. Azure RBAC includes over 70 built-in roles with support for custom roles. A role is a collection of permissions, such as Read, Write, and Delete, that are applied to a resource and assigned to a security principal. A security principal can be a user, a group, a managed identity, or a service principal (Azure application).

The four fundamental Azure roles are: Owner, Contributor, Reader, and User Access Administrator.

| Role | Description |
| --- | --- |
| Owner | Service Administrator and Co-Administrators are assigned the owner role at the subscription scope. Owners are granted full access to all resources and can delegate access to others. All resource types are assigned at least one owner. |
| Contributor | Entities with the contributor role assigned can create and manage all types of Azure resources. Contributors have the ability to create a new tenant in Azure Active Directory if they are assigned to the account. Contributors cannot grant access to others. All resource types support a contributor role. |
| Reader | The reader role grants the entity view (read-only) permissions to the resource. All resource types support the reader role. |
| User Access Administrator | The user access administrator role grants the entity the ability to manage user access to Azure resources. |

Roles can be limited by a scope. A scope is a defined set of resources where the security principal can act. Scopes can be limited at four levels: the individual resource, a resource group, a subscription, or a management group.

Access is granted to the resource by creating a role assignment, which is the act of attaching a role definition to a security principal. Revoking access is completed by removing the role assignment. When nested groups are used in the role assignment, members in the nested groups receive the role assignment as well. If members are linked to multiple groups, the permissions are cumulative and deny assignments block immediately at evaluation time. Cumulative permissions apply for both actions and not actions and apply for all groups.


Azure subscriptions are used to organize access to Azure resources. Each subscription is associated with only one Azure account and that account pays for the charges associated with a subscription. Each subscription is associated with an Azure AD directory. An Azure subscription is a boundary for administration, security, scale, and policy.


Both Citrix and Microsoft recommend placing the Citrix resources in their own set of subscriptions when possible.

Subscriptions ultimately enable control over how Azure resources are organized, accessed, and billed. Subscriptions have two roles that grant access to all the resources in the subscription: Service Administrator and Co-Administrator.

Service Administrator: The Service Administrator role is by default assigned to the email account that is used to create the Azure Subscription. The Service Administrator has the same access as the Owner role at the subscription scope. Only the Account Administrator can change the service administrator to a different email account. The Service Administrator has full access to the Azure portal and only one Service Administrator account can exist per subscription. The Service Administrator has the following permissions:

  • Manage services in the Azure portal

  • Cancel the subscription

  • Assign users to the Co-Administrator role

Co-Administrator: This role has the same access as the Owner role at the subscription scope. Each subscription can have up to 200 co-administrators and those administrators are granted the following permissions and restrictions:

  • Same access privileges as the Service Administrator

  • Can assign users to the Co-Administrator role

  • Cannot change the association of subscriptions to Azure directories

  • Cannot change the Service Administrator

Resource Groups

Resource groups are logical containers that you use to group related resources in a subscription. Each resource can exist in only one resource group. Resource groups allow for more granular grouping within a subscription. Resource groups are commonly used to represent a collection of assets that are required to support a workload, application, or specific function within a subscription. Typically, the resources within a resource group share the same lifecycle. Resource groups also provide a way to apply granular permissions to a set of resources within Azure.


Citrix machine catalogs are linked to their resource groups when creating the machine catalog. Any changes to the resource groups require deleting and recreating the machine catalogs.

Management Groups

Management groups are logical containers that you use for one or more subscriptions and are configured at the Azure account level. You can define a hierarchy of management groups, subscriptions, resource groups, and resources to efficiently manage access. Management groups are primarily used for compliance through Azure policies and rely heavily on inheritance to streamline administration.


Microsoft and Citrix recommend placing all subscriptions that contain Citrix resources into a Management group at the Azure account level.

Azure Active Directory Recommendations

Azure Active Directory (Azure AD) is the identity provider for Microsoft 365, the Azure Portal and many other applications. Azure AD is not a cloud-based implementation of Active Directory (AD), but it can synchronize with your on-premises domain through Azure AD Connect. This section provides the security recommendations for Citrix with Azure AD. The recommendations include authentication, logging, conditional access, and Azure AD Connect configurations.

Multi-factor Authentication

Azure AD supports several multi-factor authentication (MFA) methods. The supported methods include FIDO2 Security Key, Microsoft Authenticator, Text message, and Certificate-based authentications. Both the Text message and Certificate-based authentication are currently in Preview. For the best security, enable the Microsoft Authenticator for MFA use since it is available for general release. Also enable the Text message option once it is available for general release to provide secondary authentication methods for Azure AD users. Enable MFA for all administrative user accounts. If Azure AD Premium is deployed, then the best practice is to enable MFA for all users.

Logs

Monitor the Azure AD User Sign-in logs for any failed logons and all logons coming from unexpected locations. The monitoring can range from a simple weekly review by administrators to an automated solution that uses Azure Monitor. Azure Monitor and Alerting can email administrators when any suspicious conditions occur. Be sure to monitor both interactive and non-interactive sign ins.
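
The review described above can be automated in a few lines. The following is an added example, not code from the original article or from Citrix or Microsoft: it triages sign-in records for repeated failed logons and for logons from unexpected locations, covering both interactive and non-interactive sign-ins. The record fields follow the Microsoft Graph signIn resource; the expected-country list, the failure threshold, and all sample records are constructed assumptions.

```python
from collections import defaultdict

EXPECTED_COUNTRIES = {"US"}   # assumption: where this tenant's users normally sign in
FAILED_THRESHOLD = 3          # assumption: failures per user before raising a finding


def signin(user, ip, country, error_code, interactive):
    """Build a constructed record shaped like an Azure AD sign-in log entry."""
    return {
        "userPrincipalName": user,
        "ipAddress": ip,
        "location": {"countryOrRegion": country},
        "status": {"errorCode": error_code},   # 0 means the sign-in succeeded
        "isInteractive": interactive,
    }


# Constructed sample data (documentation IP ranges, made-up users).
# Error code 50126 is "invalid username or password".
SAMPLE_SIGNINS = [
    signin("alice@example.com", "203.0.113.10", "US", 0, True),
    signin("bob@example.com", "198.51.100.7", "US", 50126, True),
    signin("bob@example.com", "198.51.100.7", "US", 50126, True),
    signin("bob@example.com", "198.51.100.8", "US", 50126, True),
    signin("alice@example.com", "203.0.113.10", "US", 50126, True),
    signin("svc-citrix@example.com", "192.0.2.44", "RO", 0, False),
]


def triage_signins(records, expected_countries, failed_threshold):
    """Return findings for unexpected locations and repeated failed logons."""
    findings = []
    failures = defaultdict(list)   # user -> source IPs of failed sign-ins

    for rec in records:
        user = rec["userPrincipalName"].lower()
        country = (rec.get("location") or {}).get("countryOrRegion") or "unknown"
        kind = "interactive" if rec.get("isInteractive") else "non-interactive"
        succeeded = rec["status"]["errorCode"] == 0

        # Every logon from outside the expected countries is reported,
        # whether it succeeded or not.
        if country not in expected_countries:
            findings.append({
                "type": "unexpected_location",
                "user": user,
                "country": country,
                "ip": rec["ipAddress"],
                "kind": kind,
                "succeeded": succeeded,
            })

        if not succeeded:
            failures[user].append(rec["ipAddress"])

    # A single mistyped password is noise; a run of failures is worth a look.
    for user in sorted(failures):
        ips = failures[user]
        if len(ips) >= failed_threshold:
            findings.append({
                "type": "repeated_failures",
                "user": user,
                "count": len(ips),
                "sources": sorted(set(ips)),
            })
    return findings


if __name__ == "__main__":
    for finding in triage_signins(SAMPLE_SIGNINS, EXPECTED_COUNTRIES, FAILED_THRESHOLD):
        print(finding)
```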

Azure AD Conditional Access

Azure AD supports the use of conditional access to block users from authenticating based on location or group membership. Conditional access can be used to prevent any location or IP address from accessing your Citrix resources. Use conditional access to block traffic that does not originate from locations where you expect users to be. For instance, if you are not expecting any traffic from outside your country, use conditional access to allow only connections that originate within your country.

“Just in time” (JIT) access prevents all inbound network traffic to a virtual machine (VM) except when someone needs to connect to the VM. With JIT, the connection window only opens for a few minutes when requested by the user. This behavior is similar to how Citrix allows inbound connections to a host temporarily. When a user connects to Citrix, the Virtual Delivery Agent (VDA) allows inbound connections for only a few minutes while the user connects. Both Microsoft and Citrix recommend enabling JIT access to Azure infrastructure VMs to lower the probability that unauthorized users can connect to the resources.

Azure AD Connect

As mentioned earlier, Azure AD can synchronize with your on-premises Active Directory domain through Azure AD Connect. Synchronizing your on-premises domain with Azure AD provides a more seamless end-user experience for your Citrix deployment. Users are able to maintain a single logon for both cloud-hosted and on-premises resources.

Azure AD Connect can synchronize user objects and their associated attributes from an on-premises Active Directory with Azure Active Directory. When using Azure AD Connect, follow these guidelines for the best security.

  1. Turn on password hash synchronization. The hash is required to prevent the user’s actual password from being stored in Azure AD.

  2. Never synchronize high-privilege accounts, such as Enterprise or Domain Admins, with Azure AD. By default, this filter is on for AD Connect; it prevents a compromise of an Azure account from also compromising the on-premises data centers.

  3. Use Azure AD accounts for authentication whenever possible. This approach reduces the management overhead.

Networking Security Recommendations

Network access control (NAC) provides a way to limit connectivity between specific devices or subnets within a virtual network. The goal of NAC is to restrict access to a VM or service to only approved users or devices. Access control is based on decisions to allow or deny connections at several different layers within Azure. This section covers all the containment and security recommendations for protecting your Citrix deployment within the Azure cloud.

Firewalls and Security Groups

One of the best protections for your Citrix Cloud environment is to strictly control all inbound and outbound access to the Citrix resources. Configure access control by using Azure Network Security Groups (NSGs) and Firewalls. Azure NSGs let you allow or deny inbound and outbound traffic by defining the five-tuple: source IP, destination IP, source port, destination port, and protocol. Firewalls can be enabled for almost all network-based services.

NSGs are stateful, so return traffic is allowed, and they can be applied to a VM, a subnet, or both. When both subnet and VM NSGs exist, the subnet ones are applied first for inbound traffic and the VM NSGs are applied first for outbound traffic. By default, all traffic within a VNet is allowed between hosts along with all inbound traffic from a load balancer. By default, only outbound internet traffic is allowed, and all other outbound traffic is denied.

Use NSGs to limit the traffic in the Citrix Cloud environment to only expected traffic. This approach can restrict the potential attack vectors and significantly increase security for the deployment. Table 1 Citrix Cloud Required Ports and Protocols provides the required networking ports and protocols for your Citrix deployment. This table lists only the ports used for the Citrix infrastructure and does not include the ports used by your applications. Configure these ports in the NSG protecting the Citrix virtual machines.

| Source | Destination | Protocol | Port | Purpose |
| --- | --- | --- | --- | --- |
| Cloud Connectors | *.digicert.com | HTTP | 80 | Certificate Revocation Check |
| Cloud Connectors | *.digicert.com | HTTPS | 443 | Certificate Revocation Check |
| Cloud Connectors | dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt | HTTPS | 443 | Certificate Revocation Check |
| Cloud Connectors | dl.cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.cert | HTTPS | 443 | Certificate Revocation Check |
| Cloud Connectors | Cloud Connectors | TCP | 80 | Communication between controllers |
| Cloud Connectors | Cloud Connectors | TCP | 89 | Local host Cache |
| Cloud Connectors | Cloud Connectors | TCP | 9095 | Orchestration Service |
| Cloud Connectors | Cloud Connectors | TCP/UDP | 1494 | ICA/HDX Protocol (EDT requires UDP) |
| Cloud Connectors | Virtual Delivery Agent | TCP/UDP | 2598 | Session Reliability (EDT requires UDP) |
| Cloud Connectors | Virtual Delivery Agent | TCP | 80 (bidir) | Application and performance discovery |
| Virtual Delivery Agent | Gateway Service | TCP | 443 | Rendezvous Protocol |
| Virtual Delivery Agent | Gateway Service | TCP | 443 | EDT UDP over 443 to Gateway Service |
| Virtual Delivery Agent | *.nssvc.net, *.c.nssv.net, *.g.nssv.net | TCP/UDP | 443 | Gateway Service domains/subdomains |
| Citrix Provisioning Services | Cloud Connectors | HTTPS | 443 | Citrix Cloud Studio Integration |
| Citrix License Server | Citrix Cloud | HTTPS | 443 | Citrix Cloud Licensing Integration |
| CVAD Remote PowerShell SDK | Citrix Cloud | HTTPS | 443 | Any system running remote PSH via SDK |
| WEM Agent | WEM Service | HTTPS | 443 | Agent to service communication |
| WEM Agent | Cloud Connectors | TCP | 443 | Registration traffic |

Application Security Groups

Create Application Security Groups (ASGs) to simplify management of the Citrix resources across the enterprise. ASGs enable source/destination definition based on a label rather than an Internet Protocol (IP) or network address. ASGs can be defined for workloads and then used as part of NSGs to filter workloads. ASGs can filter both East-West traffic between workloads and North-South traffic between your data centers and Azure. The ASGs allow you to micro-segment your network further and isolate traffic between groups of applications at scale. For instance, you can create an application group for database servers that communicates with the application servers but not with web servers.

Azure Service Tags

Azure Service tags are monikers that Azure gives to a group of IP addresses that represent an Azure service. Microsoft manages the IP addresses associated with the service tags. Service tags can be used in place of IP addresses in NSGs to control access to a set of dynamic resources. For instance, you can allow traffic to the service tag Storage, which grants access to all Azure Storage IP addresses, or you can restrict it to just West US storage IP addresses with the service tag of Storage.WestUS.

Service tags come with some usage restrictions around direction, regional restrictions or use with the Azure Firewall. For a complete list of service tags and their usage rules, see the Microsoft website, Virtual network service tags.

Remote Management Protocol

To remotely manage Citrix infrastructure hosts running Windows, the most convenient protocol to use is Microsoft’s Remote Desktop Protocol (RDP). The default port for RDP is TCP 3389; however, change this port if the virtual machine allows any inbound access from the internet. Internet-facing Windows servers that have port 3389 open find themselves under attack within 24 hours of being connected to the internet. The following Windows registry key controls the inbound listening port number for RDP sessions. Use this registry key to change the listening port number to a port higher than 10000:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp: PortNumber REG_DWORD

The RDP configuration becomes exceptionally hardened when the port change is combined with the JIT access recommendation made earlier.

Public IP Addresses

If you are using your own Citrix Application Delivery Controller (ADC) VPX virtual appliances, they likely use a public IP address on the Azure Load Balancer. In some deployments, the public IP address is set directly on the appliances themselves to accept inbound connections for the Citrix farm. Other than those ADC configurations, no public IP addresses are required for the Citrix deployment. Citrix Cloud manages the Citrix Cloud Connectors and updates them as needed. Public IP addresses are not needed for the Cloud Connectors since they initiate all outbound connections.

Outbound Internet Access

As mentioned, the Citrix Cloud Connectors do need to have outbound connectivity to reach the Citrix Cloud infrastructure. The connectivity is used to receive their updates and interface between Citrix Cloud and your Azure Citrix deployment. Other Citrix infrastructure may need outbound access for maintenance updates or user access.

Private Endpoints

Private endpoints are used to improve communication between Azure services by eliminating routes over the public internet. Private endpoints work by controlling the route of traffic over the network. An Azure private endpoint is a network interface that connects securely to an Azure service. The private endpoint uses an IP address on your virtual network (VNet). The endpoint then routes traffic directly from your VNet to the Azure service over the Microsoft Azure backbone network. Using the Microsoft Azure backbone prevents the traffic from traversing the public internet. Private endpoints are inherently more secure since the traffic is not exposed to the internet where it can be potentially compromised. For instance, you can create a private endpoint from the Citrix host subnet to the Azure Files storage account network and avoid public endpoints.  

Citrix recommends creating private endpoints for the following Azure services:

  • Azure Blob Storage

  • Azure Files

  • Azure Automation

  • Azure Batch

  • Azure Managed Disks

  • Azure Key Vault

  • Azure Backup

  • Azure Monitor

Networking Best Practices

By default, no access controls exist between the different subnets within an Azure VNet. Microsoft and Citrix recommend adopting a zero-trust approach inside Azure. The zero-trust approach means that unrestricted communication is not permitted under the assumption that internal traffic is trusted. Use a “deny all” methodology instead. Allow only “trusted” communications from devices, locations, and users that need the access. The following guidance can significantly increase your Citrix network security:

  • Use NSGs to control the flow between subnets hosting Citrix resources

  • Use AD conditional access to grant access based on location, identity, device, or assurance level

  • Configure Just-in-Time access on Citrix infrastructure VMs

  • Keep the Citrix infrastructure on its own subnet

  • Keep the Citrix VDA VMs on their own subnets

  • Network connections from outside Azure into any resource should be over an encrypted virtual private network (VPN) connection. VPNs can be point-to-site (P2S), site-to-site (S2S) or a secure ExpressRoute connection.

  • Never expose Azure VMs directly to the internet. If exposed, enable JIT access and change the default ports for inbound connections.

  • Instead of the standard unencrypted HTTP protocol for communication, require protocols with encryption to protect data in transit. Protocols such as HTTPS with TLS 1.2 or Citrix Gateway which tunnels ICA/HDX inside HTTPS are recommended.

  • Deploy Azure-native network security appliances capable of scanning traffic across the Open Systems Interconnect (OSI) layers. Implement user-defined routing (UDR) to route traffic through these appliances.

  • Enable Distributed Denial of Service (DDoS) protection along with Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems within your perimeter network. Your perimeter network sits between the internet and your Citrix resources hosted in Azure.
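
The effect of the "deny all" guidance on an NSG can be checked before deployment. The following is an added example, not code from the original article or from Citrix or Microsoft: it models NSG inbound evaluation (lowest priority number first, first match wins) for a VDA subnet, using the Cloud Connector to VDA ports from Table 1, and compares a rule set that relies on the Azure defaults with one that adds an explicit deny rule. The address plan, rule names, and probe flows are constructed assumptions, and the VirtualNetwork and Internet service tags are simplified to "inside" and "outside" the VNet range.

```python
import ipaddress

# Constructed address plan (assumption, not from the article).
VNET = ipaddress.ip_network("10.20.0.0/16")
CONNECTOR_SUBNET = "10.20.1.0/24"   # subnet holding the Cloud Connectors


def rule(name, priority, access, protocol, source, ports):
    """Build a rule dict using the property names of an Azure NSG security rule."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": ports}


# Default inbound rules every NSG carries
# (AllowAzureLoadBalancerInBound is left out to keep the example short).
DEFAULT_RULES = [
    rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Inbound flows to the VDA subnet taken from Table 1 (Cloud Connectors to VDA).
CITRIX_ALLOW_RULES = [
    rule("Allow-CC-SessionReliability-TCP", 100, "Allow", "Tcp", CONNECTOR_SUBNET, "2598"),
    rule("Allow-CC-SessionReliability-UDP", 110, "Allow", "Udp", CONNECTOR_SUBNET, "2598"),
    rule("Allow-CC-Discovery", 120, "Allow", "Tcp", CONNECTOR_SUBNET, "80"),
]

# Weak: only allow rules, everything else falls through to the defaults.
PERMISSIVE_NSG = CITRIX_ALLOW_RULES + DEFAULT_RULES
# Corrected: an explicit deny ahead of the defaults (4096 is the last custom priority).
HARDENED_NSG = (CITRIX_ALLOW_RULES
                + [rule("Deny-All-Inbound", 4096, "Deny", "*", "*", "*")]
                + DEFAULT_RULES)

# Constructed probe flows: (protocol, source IP, destination port, label).
REQUIRED_FLOWS = [
    ("Tcp", "10.20.1.5", 2598, "Session Reliability"),
    ("Udp", "10.20.1.5", 2598, "Session Reliability over EDT"),
    ("Tcp", "10.20.1.5", 80, "Application and performance discovery"),
]
UNWANTED_FLOWS = [
    ("Tcp", "10.20.9.8", 3389, "RDP from another subnet in the VNet"),
    ("Tcp", "10.20.9.8", 445, "SMB from another subnet in the VNet"),
    ("Tcp", "203.0.113.50", 3389, "RDP from the internet"),
]


def _source_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":      # simplification: only the VNet range
        return ip in VNET
    if prefix == "Internet":            # simplification: anything outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(prefix)


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, protocol, src_ip, dst_port):
    """Return (access, rule name) for an inbound flow; first match by priority wins."""
    for r in sorted(rules, key=lambda item: item["priority"]):
        if r["direction"] != "Inbound":
            continue
        if (r["protocol"] in ("*", protocol)
                and _source_matches(r["sourceAddressPrefix"], src_ip)
                and _port_matches(r["destinationPortRange"], dst_port)):
            return r["access"], r["name"]
    return "Deny", "(no rule matched)"


def audit(rules):
    """List required Citrix flows that are blocked and unwanted flows that pass."""
    problems = []
    for protocol, src, port, label in REQUIRED_FLOWS:
        access, name = evaluate(rules, protocol, src, port)
        if access != "Allow":
            problems.append(f"required flow blocked by {name}: {label}")
    for protocol, src, port, label in UNWANTED_FLOWS:
        access, name = evaluate(rules, protocol, src, port)
        if access == "Allow":
            problems.append(f"unexpected flow allowed by {name}: {label}")
    return problems


if __name__ == "__main__":
    print("permissive:", audit(PERMISSIVE_NSG))
    print("hardened:  ", audit(HARDENED_NSG))
```

With only allow rules, traffic from any other subnet in the VNet still reaches the VDAs through the default AllowVnetInBound rule; the explicit deny rule closes that path while the Table 1 flows keep working.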

Storage Security Recommendations

This section provides recommendations for increasing the security and protection of your data stored in Azure Storage. We discuss the built-in protections and provide recommendations for improving those protections. Use the recommendations to increase the availability of your data and decrease the potential attack vectors against it.

Azure Data Protection

Azure Storage stores multiple copies of data so that it is protected from both planned and unplanned events. These events include hardware failures, power outages, and natural disasters. Every Azure region is paired with another Azure region. Microsoft automatically replicates the storage between region pairs. When an emergency is declared by Microsoft in a region, the data stored in the paired region becomes available. Storage account selections also control data redundancy. The account type choices include storing data only within the region or replicating it across regions. Citrix recommends configuring key infrastructure VMs, such as Domain Controllers, with storage that replicates across regions.


Most Citrix servers in the environment are Virtual Delivery Agents (VDA) that rely on either Machine Creation Services (MCS) or Provisioning Services (PVS) for deployment. Both MCS and PVS machines use a golden master image as the template. For these hosts, use snapshots of a Golden Image as the source for the machine template. Rollbacks can easily be made to any version of a disk snapshot. The other servers in the Citrix infrastructure should have Azure Backup enabled or be set up in Azure Site Recovery. When using Azure Site Recovery, select the Microsoft paired region as the target location. If the ASR targets are in the paired region and Microsoft declares a disaster, your replicated storage accounts will also be present in that region.

Encryption at rest

Azure automatically encrypts all storage at rest using server-side encryption (SSE) which uses a 256-bit Advanced Encryption Standard (AES) block cipher. You can use customer-managed keys (CMKs) to encrypt your data and store those keys in the Azure Key Vault. The use of CMKs provides the ability to quickly crypto-shred data when necessary by destroying the CMK.

Managed Disks

Citrix recommends using managed disks. With managed disks, Azure automatically controls the disk placement, so the virtual disks avoid any single point of failure. With unmanaged disks, you are responsible for placing them in storage accounts and managing the data recovery plans.

Access Control Lists

Access control lists (ACLs) allow you to granularly control access to a file or directory. ACLs apply to any user, group, managed identity, or service principal found in Azure AD. When using a Shared Key or Shared Access Signature (SAS) token, a security principal is not present. Therefore, ACLs do not apply to access granted when the storage is accessed via a key or token. ACLs consist of simple Read (R), Write (W), and Execute (X) permissions. You can use ACLs to restrict access to any Azure storage files or folders and prevent inadvertent access to a container, file or directory. Citrix recommends always setting access via ACLs for the data to an appropriate audience to maintain confidentiality.

Azure Policy Recommendations

Azure Policy is a state management engine that actively evaluates Azure resource properties. Azure Policy ensures that a resource's state stays compliant with the business rules. Azure Policy can block actions, even if users have permissions to perform those actions. Azure policies operate at the subscription level and below. Table 2 Recommended Azure Policies for Citrix Deployments provides a list of the recommended Azure Policies. Enable these policies at the Account level and apply them to subscriptions containing Citrix resources.

| Policy Name | Description |
| --- | --- |
| Azure Automation account should have local authentication method disabled | Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. |
| Azure Active Directory Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Azure AD Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications. However, if you do not need them, the ciphers are weak and can be disabled. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 fails. |
| Windows machines should only have local accounts that are allowed | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. This definition is not supported on Windows Server 2012 or 2012 R2. Managing user accounts using Azure Active Directory is a best practice for management of identities. Reducing local machine accounts helps prevent the proliferation of identities managed outside a central system. Machines are non-compliant if local user accounts exist that are enabled and not listed in the policy parameter. |
| Log Analytics Workspaces should block non-Azure Active Directory based ingestion. | Enforce log ingestion to require Azure Active Directory authentication. This protection prevents attackers from manipulating unauthenticated logs which can lead to erroneous status, false alerts, and incorrect logs stored in the system. |
| VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users | Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. |
| MFA should be enabled accounts with write permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |
| MFA should be enabled on accounts with owner permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |
| MFA should be enabled on accounts with read permissions on your subscription | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. |
| Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. |
| Require a tag and its value on resources | Enforces a required tag and its value. Does not apply to resource groups. |

Azure Tag Recommendations

A tag is a feature that allows specific key and value pairs to be assigned as metadata to resources. A tag consists of a name and a value. Tag names are case-insensitive, while tag values are case-sensitive. All Citrix resources should be tagged at the least with the following tags:

  • Owner: [Owning organization or department]

  • Email: [Email or distribution list to contact if something goes amiss with the resource]

  • Environment: [Production, PreProduction, Development, Test, Sandbox]

Azure tags are a powerful way to organize, search and report on your Citrix resources in the environment. For instance, you can use the Cost Analysis report to view costs by scope based on a resource group or resource tag.

Security Center Recommendations

The security center automatically monitors for security vulnerabilities across all subscriptions in the Azure account. Review these recommendations monthly and implement any recommendations which have a High or Medium severity as soon as possible.

Citrix Cloud Roles

This section provides detailed guidance on how to set up the Azure RBAC roles required by Citrix Cloud. Citrix resources in Azure can be accessed through the console, Azure CLI, Azure PowerShell and Rest API. Azure RBAC is an authorization system built on Azure Resource Manager (ARM) that provides fine-grained access management of Azure resources.

In some deployments, granting access to Citrix Cloud using the broad-reaching contributor role is acceptable, especially when Citrix resources have their own subscription. However, usually, the best approach to securing your Citrix deployment is to limit the roles to just the minimum required permissions. We discuss how resource groups, app registrations, and roles integrate with Citrix Cloud. We also provide you custom roles that can easily be imported directly into your Azure AD.

Use of Resource Groups

All Citrix resources should be contained in resource groups dedicated to the Citrix deployment. When all the Citrix-related resources exist within a resource group, the RBAC policies can be applied at the resource group level easily.

For the most secure environment, a minimum of two resource groups need to be created:

Citrix_Infrastructure which contains all the Citrix infrastructure components, including Cloud Connectors and the Master image VMs. Generally, one resource group per subscription is sufficient for the infrastructure.

Citrix_MachineCatalog which contains the Citrix VDA virtual machines. Since the MCS wizard asks to create a new resource group by default for the machine catalog, usually you have multiple resource groups. In most Citrix deployments, multiple machine catalogs exist.

App Registrations

An App Registration is the process of creating a one-way trust relationship between your Citrix Cloud account and Azure, such that Citrix Cloud trusts Azure. During the process, an Azure Service Principal account is created for Citrix Cloud. Citrix Cloud uses this account for all Azure actions through the hosting connection. The hosting connection is configured in the Citrix Cloud console. The hosting connection links Citrix Cloud through the Cloud Connectors to a resource location in Azure.

You need to grant the service principal access to the resource groups that contain Citrix resources. The company's security posture determines the best method to grant this access. You can either provide access at the contributor level to the subscription or create a custom role for the service principal.

When creating the service principal, you set the following values:

  • Redirect URL: enable and set to Web with a value of https://citrix.cloud.com.

  • API Permissions: select the Delegated Permission user_impersonation in the Windows Azure Services Management API, found under the APIs my organization uses tab.

  • Certificates & secrets: create a new Client Secret; the recommended expiration period is one year. Keep in mind that this secret needs to be updated as part of your security key rotation schedule.

You need both the Application (client) ID and the Client Secret value from the App Registration to configure the hosting connection within Citrix Cloud.
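A check for the rotation point above, as an added example that is not part of the original article: it reviews the client secrets on the Citrix app registration and reports any that are expired, due for rotation, or issued for longer than the recommended year. The input is a constructed sample shaped like the output of `az ad app credential list`; the secret names and the 30-day rotation window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=366)  # one-year recommendation, with leap-year slack
ROTATE_WINDOW = timedelta(days=30)  # assumed lead time, not from the article

# Constructed sample; display names and dates are placeholders.
SAMPLE = [
    {"displayName": "citrix-hosting-a", "startDateTime": "2024-03-01T00:00:00Z",
     "endDateTime": "2025-03-01T00:00:00Z"},
    {"displayName": "citrix-hosting-b", "startDateTime": "2024-01-10T08:30:00.1234567Z",
     "endDateTime": "2026-01-10T08:30:00.1234567Z"},
    {"displayName": "citrix-hosting-c", "startDateTime": "2023-06-01T00:00:00Z",
     "endDateTime": "2024-06-01T00:00:00Z"},
    {"displayName": "citrix-hosting-d", "startDateTime": "2024-09-01T00:00:00Z",
     "endDateTime": "2025-09-01T00:00:00Z"},
]

def parse_ts(value):
    """Parse a timestamp ending in 'Z', dropping any fractional seconds."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(value)

def review_secrets(creds, now):
    """Map each secret's display name to the list of issues found for it."""
    report = {}
    for cred in creds:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        issues = []
        if end - start > MAX_LIFETIME:
            issues.append("lifetime exceeds one year")
        if end <= now:
            issues.append("expired")
        elif end - now <= ROTATE_WINDOW:
            issues.append("rotate now")
        report[cred["displayName"]] = issues
    return report

if __name__ == "__main__":
    today = datetime(2025, 2, 10, tzinfo=timezone.utc)  # fixed date for the sample
    for name, issues in review_secrets(SAMPLE, today).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

An expired secret left on the registration is worth removing as well as replacing, since the hosting connection only ever needs the current one.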

Enterprise Applications

Depending on how your Citrix Cloud and Azure AD are configured, one or more Enterprise Applications are created in your Azure AD tenant. These accounts allow Citrix Cloud to access data stored in your Azure AD tenant. Table 3 Citrix Cloud Enterprise Applications in Azure AD lists the Application IDs and their purpose.

| Enterprise Application ID | Purpose |
|---|---|
| f9c0e999-22e7-409f-bb5e-956986abdf02 | Default connection between Azure AD and Citrix Cloud |
| 1b32f261-b20c-4399-8368-c8f0092b4470 | Administrator invitations and logins |
| e95c4605-aeab-48d9-9c36-1a262ef8048e | Workspace subscriber login |
| 5c913119-2257-4316-9994-5e8f3832265b | Default connection between Azure AD and Citrix Cloud with Citrix Endpoint Management |
| e067934c-b52d-4e92-b1ca-70700bd1124e | Legacy connection between Azure AD and Citrix Cloud with Citrix Endpoint Management |

Each Enterprise application grants Citrix Cloud specific permissions to either the Microsoft Graph or the Windows Azure Active Directory API. For instance, the Workspace subscriber login grants User.Read permissions to both APIs so that users can sign in and read their profile. More information about the permissions granted can be found here.

Using Built-in Roles

The contributor built-in role contains the broadest permission set and works well when assigned to service principal accounts at the subscription level. Granting contributor permissions at the subscription level requires an Azure AD global administrator account. Once granted, Azure prompts for the required permissions during the initial connection from Citrix Cloud to Azure AD. Any accounts used for authentication during the host-connection creation must also be at least co-administrators on the subscription. This level of permissions allows Citrix Cloud to create any objects necessary without restriction. Typically, this approach is used when the entire subscription is dedicated to Citrix resources.

Some environments do not allow service principals to have contributor permissions at a subscription level. Citrix has provided an alternative solution called a Narrow Scope service principal. With a narrow scope service principal, the Azure AD global administrator manually completes the application registration. Then a subscription administrator manually grants the service principal account the appropriate permissions. Narrow-scoped service principals do not have contributor permissions on the entire subscription. Rather, their contributor permissions are narrowed in scope to just the resource groups, networks, and images that are required to manage the Machine Catalogs. The narrow-scoped service principal requires the following contributor permissions.

  • Pre-Created Resource Group: Virtual machine contributor, Storage account contributor, and Disk snapshot contributor

  • Virtual Network: Virtual machine contributor

  • Storage Account: Virtual machine contributor

Using Custom Roles

Narrow Scope service principals, while limited in scope, still grant the broad Contributor permissions, which remains unacceptable in security-sensitive environments. Citrix has developed two custom roles which can be used to provide only the necessary permissions to the service principal. The Citrix Host Role grants access for the Host Connection to be created, while the Citrix Machine Catalog Role grants access to create the Citrix workloads.

Citrix Host Role

Here is the JSON for the Citrix Host Role with the minimum permissions required to use the hosting connection. If only Snapshots or Disks are used for the Machine Catalog master image, then the unused action can be removed from the “actions” list.

Figure 1 Citrix Host Role (JSON)

"id": "",
"properties": {
"roleName": "Citrix_Hosting_Connection",
"description": "Minimum permissions creating a hosting connection. Assign to resource groups that contain Citrix Infrastructure such as Cloud Connectors, Master images, or Virtual Network resources",
"assignableScopes": [

"permissions": [
"actions": [

"notActions": [],
"dataActions": [],
"notDataActions": []

The Citrix_Hosting_Connection custom role is assigned to the Citrix_Infrastructure resource groups that have the Cloud Connector, Master Image, or Virtual Network resources. This JSON can be copied and pasted directly into your custom Azure AD role.

Citrix Machine Catalog Role

Here is the JSON for the Citrix Machine Catalog Role used by the Citrix Machine Catalog Wizard. This role provides the minimum permissions required to create the Citrix resources within Azure:

Figure 2 Citrix Machine Catalog Role (JSON)

"id": "",
"properties": {
"roleName": "Citrix_Machine_Catalog",
"description": "Minimum permissions to create a machine catalog. Assign to resource groups that contain Citrix workload servers that are running the Virtual Delivery Agent.",
"assignableScopes": [

"permissions": [
"actions": [

"notActions": [],
"dataActions": [],
"notDataActions": []

The Citrix_Machine_Catalog custom role is assigned to the Citrix_MachineCatalog resource groups that hold the Citrix VDA virtual machines. This JSON can be copied and pasted directly into your custom Azure AD role.
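To confirm that the Citrix service principal ended up with only the scoped custom roles described in this section, the following added example (not part of the original article or of Citrix tooling) audits role assignments. It assumes the strictest posture discussed above, with custom roles at resource-group scope only, and takes input shaped like `az role assignment list --all -o json`; the subscription ID, object IDs, and the Finance_Prod resource group are constructed placeholders.

```python
import re

# Placeholders and constructed data; only the role and resource group names
# come from the article. Extend CITRIX_RGS with your machine catalog groups.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CITRIX_SP = "11111111-1111-1111-1111-111111111111"  # service principal object ID
CUSTOM_ROLES = {"Citrix_Hosting_Connection", "Citrix_Machine_Catalog"}
CITRIX_RGS = {"citrix_infrastructure", "citrix_machinecatalog"}

SAMPLE = [
    {"principalId": CITRIX_SP, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": CITRIX_SP, "roleDefinitionName": "Citrix_Hosting_Connection",
     "scope": SUB + "/resourceGroups/Citrix_Infrastructure"},
    {"principalId": CITRIX_SP, "roleDefinitionName": "Citrix_Machine_Catalog",
     "scope": SUB + "/resourcegroups/citrix_machinecatalog"},
    {"principalId": CITRIX_SP, "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/Citrix_MachineCatalog"},
    {"principalId": CITRIX_SP, "roleDefinitionName": "Citrix_Machine_Catalog",
     "scope": SUB + "/resourceGroups/Finance_Prod"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Owner", "scope": SUB},
]

# Resource group names and the "resourceGroups" segment are case-insensitive.
RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/([^/]+)(/.*)?$", re.I)

def resource_group(scope):
    """Lower-cased resource group of a scope, or None for anything broader."""
    m = RG_RE.match(scope.rstrip("/"))
    return m.group(1).lower() if m else None

def audit(assignments, principal_id):
    """Return (verdict, role, scope) for each assignment held by principal_id."""
    findings = []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        role, rg = a["roleDefinitionName"], resource_group(a["scope"])
        if rg is None:
            verdict = "HIGH: assigned above resource-group scope"
        elif rg not in CITRIX_RGS:
            verdict = "REVIEW: outside the Citrix resource groups"
        elif role not in CUSTOM_ROLES:
            verdict = "REVIEW: built-in role where a custom role would do"
        else:
            verdict = "OK"
        findings.append((verdict, role, a["scope"]))
    return findings

if __name__ == "__main__":
    for verdict, role, scope in audit(SAMPLE, CITRIX_SP):
        print(f"{verdict}\n    {role} @ {scope}")
```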

Security Monitoring

Microsoft and Citrix both offer security-based services that can be used to alert you to security events that need your attention. This section is not designed to provide a complete deep dive into how to use these services. Instead, the section lists the recommended services along with how their capabilities can be used to improve your security. For more detailed information, see the Monitoring a Citrix Deployment in Azure document.

Microsoft Defender for Cloud

Defender for Cloud is a service that combines functionality previously found in Azure Security Center and Azure Defender. This service continuously assesses your Azure resources and provides an overall score that indicates the security posture of your deployments. Defender for Cloud provides direct guidance on how to resolve any issues identified by the service. The recommendations come from the Azure Security Benchmark, an Azure-specific set of guidelines authored by Microsoft.

Microsoft Sentinel

Microsoft Sentinel is both a Security Information and Event Management (SIEM) and a Security Orchestration, Automation, and Response (SOAR) system. Sentinel was designed and built as a cloud-native service. Using sophisticated artificial intelligence, Sentinel continuously monitors all content sources and hunts for suspicious activity. Sentinel provides a central location for collecting and monitoring data at scale through agents and data connectors. Security incidents are tracked through triggered alerts and automated responses to common tasks. Sentinel can operate across multiple clouds and with your on-premises infrastructure, making it ideal for hybrid Citrix environments.

Microsoft Sentinel supports data connectors from a wide variety of vendors, including security, networking, and application vendors. Installing those data connectors will be helpful within your Citrix environment.

Azure Network Watcher Traffic Analytics

While Citrix is built to be secure by design, users are still a weak link and login credentials can be compromised. When running Citrix in Azure, one of the best ways to secure access to your applications and data is by monitoring the network traffic. Traffic Analytics is designed to provide you relevant information by analyzing the network traffic flows. By combining raw flow logs with a knowledge of the network topology, Traffic Analytics can provide a comprehensive view of the network communication. The reports include the most active hosts or host pairs, top protocols in use, blocked traffic, open ports, rogue networks, and traffic distribution.

Citrix Analytics

Citrix Analytics is a cloud-based service that aggregates data gleaned from Citrix users across devices, networks, and applications. The sole purpose of Citrix Analytics is to identify relationships and trends that can lead to actionable insights. Analytics relies on built-in Machine Learning (ML) algorithms to find behavioral anomalies that can indicate issues with Citrix users. Citrix Analytics works with third-party providers, including Microsoft, to gather data for analysis.

Citrix Analytics for Security focuses on user and application behavior. The security analytics module is looking primarily for insider threats or external malicious behavior. Citrix Analytics integrates with the following Citrix and Microsoft products:

  • Citrix Virtual Apps and Desktops
  • Citrix Application Delivery Controller (NetScaler)
  • Citrix Secure Workspace Access (Access Control)
  • Citrix Gateway
  • Citrix Content Collaboration
  • Citrix Endpoint Management
  • Citrix Secure Browser
  • Microsoft Graph Security
  • Microsoft Active Directory

Data can be integrated into any SIEM service that supports Kafka topics or Logstash-based data connectors, such as Microsoft Sentinel. Data can also be exported in a comma-separated value (CSV) format for analysis on other systems.






















