Microsoft Azure Virtual Desktop: Secure Remote Access for Small Businesses in Berlin
What Is Microsoft Azure Virtual Desktop?
Microsoft Azure Virtual Desktop (AVD) is a cloud-hosted desktop and application virtualisation service that delivers Windows desktops and specific applications to any device with an internet connection and the Remote Desktop client. Rather than requiring users to connect from a managed corporate device, AVD provides the corporate Windows environment — with all applications, data access, and security controls — as a session hosted in Azure infrastructure that the user accesses remotely, leaving no corporate data resident on the endpoint.
For small businesses in Berlin, AVD addresses a set of operational challenges that traditional desktop infrastructure handles poorly: secure access for remote and hybrid employees, consistent application environments for field staff using personal devices, access continuity for workers in multiple locations, and secure access for temporary or contract workers without issuing managed hardware. The corporate workload runs in Azure; the endpoint is simply a display and input device.
Architecture: Session Hosts, Host Pools, and Application Groups
AVD is built around three components. Session hosts are the Azure virtual machines that run the Windows sessions. Host pools are collections of session hosts that provide the same desktop environment; they can be configured as pooled (multiple users share VMs, each getting a fresh session) or personal (each user is assigned a dedicated VM). Application groups define what users see: a full desktop or a selection of individual remote applications published without the full desktop interface.
For a Berlin small business, the practical configuration is typically a pooled host pool running Windows 11 multi-session — a variant of Windows 11 that supports multiple concurrent users on a single VM, significantly reducing infrastructure cost compared to dedicated VMs per user — with a full desktop application group assigned to users who need complete Windows environments, and optional RemoteApp groups for users who only need specific applications such as an ERP system or accounting software.
Security Architecture: Zero-Trust Remote Access
AVD’s security architecture aligns closely with zero-trust principles. Access to AVD is gated through Entra ID authentication: all users authenticate with their Microsoft 365 credentials, including MFA. Conditional Access policies apply fully: a policy requiring a compliant device or MFA for AVD access enforces those requirements regardless of whether the user is on a managed corporate laptop or a personal home computer. The user’s Entra ID session token is presented to the AVD gateway, and the RDP session is brokered through Azure’s global gateway infrastructure rather than exposing the session host directly on the public internet.
Conditional Access Integration
Applying a Conditional Access policy to the AVD application in Entra ID — requiring MFA, requiring a compliant or Entra-joined device, blocking access from high-risk locations or anonymous IP addresses — gates access to the virtual desktop environment using the same identity-aware controls that protect Microsoft 365 apps. A user connecting from a personal laptop over a home internet connection can be required to complete MFA; a user connecting from a managed device on a known corporate network can be permitted without additional friction.
No Data on the Endpoint
AVD sessions run entirely in Azure. Clipboard and drive redirection can be disabled through the host pool’s RDP properties, so users cannot copy data from their virtual desktop to their local device. All data stays in Azure, in the session host’s temporary storage or in the connected file shares, and never touches the endpoint. For Berlin businesses concerned about data leakage from personal devices used by remote workers, AVD provides a technically enforced containment boundary that device-based MDM policies cannot replicate for unmanaged endpoints.
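As an added example, not code from the article or from Microsoft: a small Python audit of a host pool's custom RDP property string (the semicolon-separated name:type:value format AVD accepts) that reports which data-moving redirections are still enabled and emits a hardened string. The sample property string is constructed; the property names are the standard RDP settings AVD recognises.

```python
# Audit an AVD host pool's custom RDP properties for endpoint data-leakage paths.
# Format: "name:type:value;" entries, e.g. "redirectclipboard:i:0;" (i = int, s = string).
# String-typed device redirections are disabled by an empty value.

# Redirections that move data between session and endpoint -> (type, disabled value)
LEAK_CONTROLS = {
    "redirectclipboard": ("i", "0"),     # clipboard copy/paste
    "drivestoredirect": ("s", ""),       # local drives mapped into the session
    "redirectprinters": ("i", "0"),      # printing to local printers
    "usbdevicestoredirect": ("s", ""),   # USB devices, including storage
    "camerastoredirect": ("s", ""),      # local cameras
    "audiocapturemode": ("i", "0"),      # local microphone
}

# Constructed sample: clipboard and all drives redirected, printers already off.
SAMPLE_PROPS = "redirectclipboard:i:1;drivestoredirect:s:*;audiomode:i:0;redirectprinters:i:0;"


def parse_rdp_properties(props: str) -> dict[str, tuple[str, str]]:
    """Parse "name:type:value;..." into {name: (type, value)}; names are case-insensitive."""
    parsed = {}
    for entry in props.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        name, kind, value = entry.split(":", 2)
        parsed[name.lower()] = (kind, value)
    return parsed


def find_leak_paths(props: str) -> list[str]:
    """Return the redirections that are not explicitly disabled.
    An absent property leaves the decision to the Remote Desktop client's default,
    so absence is reported as a finding rather than silently accepted."""
    parsed = parse_rdp_properties(props)
    return [name for name, (_, off) in LEAK_CONTROLS.items()
            if parsed.get(name, (None, None))[1] != off]


def harden(props: str) -> str:
    """Return the property string with every leak control set to its disabled value;
    unrelated properties (e.g. audiomode) are preserved. Paste the result into the
    host pool's RDP properties in the Azure portal or pass it to a host-pool update."""
    parsed = parse_rdp_properties(props)
    parsed.update(LEAK_CONTROLS)
    return "".join(f"{name}:{kind}:{value};" for name, (kind, value) in parsed.items())


if __name__ == "__main__":
    print("enabled leak paths:", find_leak_paths(SAMPLE_PROPS))
    print("hardened:", harden(SAMPLE_PROPS))
```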
FSLogix Profile Containers
In pooled host pool configurations, user profiles are managed by FSLogix Profile Containers, which store each user’s Windows profile — desktop settings, browser profiles, application data, and Outlook OST file — in a VHD file on an Azure Files share or Azure NetApp Files. When the user logs into any session host in the pool, FSLogix attaches their profile container, providing a consistent, personalised desktop experience regardless of which VM handles their session. Profile containers load in seconds and eliminate the profile management complexity that plagued earlier VDI deployments.
For Berlin businesses using AVD, Azure Files Premium is the recommended storage for FSLogix containers: it provides SMB file shares with consistent low latency, Active Directory or Entra Kerberos authentication, and Azure Backup integration for profile container recovery.
Scaling and Cost Management
AVD session hosts run on Azure virtual machines that can be started, stopped, and scaled based on demand. Autoscale policies in AVD can power off session hosts during off-hours and start them as user demand increases, reducing VM compute costs significantly for businesses with predictable usage patterns. A Berlin business whose employees work standard Central European business hours can configure autoscale to run zero session hosts from midnight to 7:00 AM and scale up as the day progresses, paying only for active compute time rather than running idle infrastructure continuously.
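As an added example, not code from the article and not Microsoft's scaling implementation: a simplified Python model of the scaling-plan decision (a per-phase minimum-hosts percentage plus a capacity threshold that starts another host once used capacity is exceeded), applied to a constructed schedule and session counts for a business keeping standard Berlin hours, to show how host-hours fall compared with an always-on pool.

```python
# Simplified model of AVD scaling-plan behaviour for a pooled host pool.
# This is an illustration of the mechanism, not Microsoft's implementation;
# the schedule, pool size and session counts are constructed for the example.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase:
    name: str
    start_hour: int          # phase applies from this local hour onwards
    min_host_pct: int        # percentage of the pool kept on regardless of load
    capacity_threshold: int  # start another host once used capacity exceeds this %


# Off-peak from midnight keeps zero hosts on; ramp-up 07:00, peak 09:00, ramp-down 18:00.
SCHEDULE = [
    Phase("off_peak", 0, 0, 90),
    Phase("ramp_up", 7, 20, 60),
    Phase("peak", 9, 20, 75),
    Phase("ramp_down", 18, 10, 90),
]
POOL_SIZE = 10               # session hosts in the pool
MAX_SESSIONS_PER_HOST = 8    # the host pool's max session limit


def phase_for(hour: int) -> Phase:
    """Phase in effect at the given hour (schedule is sorted by start_hour)."""
    return [p for p in SCHEDULE if p.start_hour <= hour][-1]


def hosts_required(hour: int, sessions: int) -> int:
    """Hosts that must be running: the phase minimum, or enough hosts that used
    capacity (sessions / (hosts * max sessions)) stays at or below the phase's
    capacity threshold, capped at the pool size."""
    p = phase_for(hour)
    floor = math.ceil(POOL_SIZE * p.min_host_pct / 100)
    usable_per_host = MAX_SESSIONS_PER_HOST * p.capacity_threshold / 100
    by_load = math.ceil(sessions / usable_per_host) if sessions else 0
    return min(POOL_SIZE, max(floor, by_load))


def daily_host_hours(hourly_sessions: list[int]) -> int:
    """Host-hours over one day (index = hour); an always-on pool uses POOL_SIZE * 24."""
    return sum(hosts_required(h, s) for h, s in enumerate(hourly_sessions))


if __name__ == "__main__":
    # Constructed weekday: nobody overnight, a morning ramp, a busy midday, a long tail.
    day = [0] * 7 + [10, 25, 40, 45, 45, 30, 42, 44, 38, 20, 12, 6, 3, 1, 0, 0, 0]
    print(f"host-hours: {daily_host_hours(day)} vs always-on {POOL_SIZE * 24}")
```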
Azure Hybrid Benefit applies to AVD session hosts for organisations with existing Windows Server or Windows Client licences, further reducing VM costs. Microsoft 365 Business Premium subscribers are licensed for AVD at no additional per-user charge for Windows multi-session — the primary cost is Azure VM compute and storage for the session host infrastructure.
GDPR Considerations
AVD processes user session data within Azure data centres, subject to Microsoft’s Data Processing Agreement. Configuring the AVD deployment in Azure’s EU regions (West Europe, Germany West Central) ensures session host VMs and associated storage remain within the European Economic Area, satisfying GDPR Article 46 cross-border transfer requirements without requiring additional legal mechanisms. For Berlin businesses with strict data residency requirements, Germany West Central (Frankfurt) provides EU-only residency for all AVD infrastructure. FSLogix profile containers on Azure Files in the same region maintain full data residency compliance for user profile data.
Intune Integration for Session Host Management
AVD session host VMs can be enrolled in Microsoft Intune for endpoint management, applying compliance policies, configuration profiles, and software deployment through the same tooling used for physical endpoints. For Berlin businesses already managing their Windows fleet through Intune, this provides a consistent management approach for virtual and physical desktops, with the same security baseline, update compliance requirements, and application deployment pipelines applied to session hosts. Entra-joined AVD session hosts combined with Intune management provide a fully cloud-native virtual desktop infrastructure without domain controller dependencies.
Licensing
AVD is included at no additional licence cost for Microsoft 365 Business Premium, Microsoft 365 E3 and E5, and Windows 10/11 Enterprise E3 and E5 subscribers. The cost for a Berlin small business running AVD is primarily Azure infrastructure: VM compute hours for session hosts, storage for FSLogix profile containers, and network egress. For modest deployments of 5–20 concurrent users, a well-tuned pooled deployment with autoscale and Azure Hybrid Benefit typically costs less per month in Azure infrastructure than the equivalent number of dedicated physical workstations when total cost of ownership including hardware refresh and on-premises management is considered.
Related Articles
- Microsoft Entra Conditional Access: All AVD access is gated through Entra ID authentication and Conditional Access — requiring MFA, compliant device, or blocking high-risk sign-ins applies identically to virtual desktop sessions as to Microsoft 365 apps, regardless of whether the endpoint is managed or personal
- Microsoft Intune for macOS: AVD session host VMs can be enrolled in Intune for endpoint management — compliance policies, configuration profiles, and application deployment through Intune provide a consistent management baseline for virtual desktop infrastructure alongside physical Mac and Windows endpoints
