Design and Implementation of a Secure Zero Trust Security Landing Zone & Azure Virtual Desktop (AVD) for External Partners

Challenge / Problem

Vattenfall was operating an outdated Citrix environment that slowed down operations and increased costs due to expensive licensing and on-premises infrastructure maintenance. Limited scalability and high administrative overhead made it difficult to securely enable remote access for external partners and contractors.

  • Outdated Citrix environment with rising licensing and operational costs
  • High administrative overhead with limited scalability
  • Challenges enabling secure remote work for external partners

Our Approach

The platform was designed from the start around Zero Trust principles and delivered as code, so that security controls are part of the landing zone itself rather than bolted on afterwards.

  • Zero Trust by design with least-privilege access, identity-based controls, and Conditional Access
  • Reproducible Azure landing zone using ARM, Bicep, and Terraform
  • Governance and compliance embedded into the platform architecture
  • DevSecOps mindset with automated security and compliance checks

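As an added example (not code from the project or from Vattenfall's deployment), the Terraform fragment below shows the kind of Conditional Access policy that the identity-based approach above implies: every guest or external identity must satisfy MFA and re-authenticate periodically, for every cloud application. The policy name, the 12-hour sign-in frequency, the provider version, and the report-only starting state are assumptions chosen for illustration. Two practitioner caveats are built in: the policy starts in report-only mode so the sign-in logs show its effect before anyone is blocked, and a break-glass account is excluded so an MFA outage cannot lock administrators out of the tenant.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"   # assumed; any 2.x release with conditional access support works
    }
  }
}

provider "azuread" {}

# Object ID of an emergency-access (break-glass) account that must never be
# locked out by Conditional Access. Assumed input; supply it at plan time.
variable "breakglass_object_id" {
  type        = string
  description = "Object ID of the break-glass account excluded from this policy"
}

# Require MFA for every guest/external identity, regardless of application.
# state = "enabledForReportingButNotEnforced" is report-only: the sign-in logs
# record what the policy would have done without enforcing it. Switch the
# state to "enabled" only after reviewing those logs.
resource "azuread_conditional_access_policy" "external_users_mfa" {
  display_name = "CA-External-RequireMFA"   # assumed name
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["GuestsOrExternalUsers"]
      excluded_users = [var.breakglass_object_id]
    }
  }

  # Every listed control must be satisfied; here only MFA is required.
  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa"]
  }

  # Force external users to re-authenticate every 12 hours (assumed value),
  # limiting the lifetime of a stolen session token.
  session_controls {
    sign_in_frequency        = 12
    sign_in_frequency_period = "hours"
  }
}
```

Keeping the policy in version control makes the tenant-wide control reviewable and reproducible in the same way as the landing zone resources; a change to the exclusion list or the sign-in frequency then goes through the same review and pipeline checks as any other infrastructure change.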
Implementation

The solution was implemented in phases, enabling a smooth migration of a large user base with minimal downtime while keeping security controls and operations centralized throughout.

  • Migration of 10,000+ users (employees, contractors, external partners) to Azure Virtual Desktop
  • Zero Trust security architecture with MFA, just-in-time access, and microsegmentation
  • Centralized management and monitoring via Azure Monitor, Microsoft Sentinel, and Azure Policy
  • Tenant-wide enforcement of security and compliance standards

Results

The new cloud foundation reduced costs, simplified operations, and enabled secure, scalable collaboration with external partners.

  • 15% reduction in IT operational costs through license optimization and cloud-native scaling
  • Increased productivity and flexibility with secure desktop access from anywhere
  • No additional hardware investments or shipment delays
  • Future-ready, modular Azure landing zone enabling fast onboarding of new partners and workloads