Since some time it is possible to join a Windows VM to Azure AD directly. Now this is also possible with Azure Virtual Desktop.
This Blogpost will show all my steps until I am possible to login to my Windows 10 System.
First of all we need some basic informations such as pool name.
next to the basics we need to define: VM Size, VM Availability, Image type and the number of VMs.
addition to that we can use an existing network or we are able to create a new one.
After these Settings we need to define which domain we want to join. Her we can now choose between Active Directory and Azure Active Directory.
I have chosen AzureAD.
During the host pool creation it is possible to create a assignment to a workspace. I have created tech-guy-workspace as a new one.
Roles and Permissions
With AzureAD joined devices we need to create a role assignment and a app group assignment. With each host pool one default app group will be created. In my test lab it is called “tech-guys-personal-pool-DAG”.
within this app group we are able to assign users
2nd task is to assign rbac role to at least the virtual machine to that we want to login. I prefer to assign that role to my resource group that I have that assignment for all future host as well.
there are 2 roles we need to consider about.
As it says the first role is useful when you want to login and want to have admin privileges on that machine. second group is only for your users that they are able to login without admin permission. In my lab I assigned my test user to “virtual machine user login” and my cloud only user “virtual machine administrator login” role.
To access host pool VMs, your local computer must be:
- Azure AD-joined or hybrid Azure AD-joined to the same Azure AD tenant as the session host.
- Running Windows 10 version 2004 or later, and also Azure AD-registered to the same Azure AD tenant as the session host.
Host pool access uses the Public Key User to User (PKU2U) protocol for authentication. To sign in to the VM, the session host and the local computer must have the PKU2U protocol enabled. For Windows 10 version 2004 or later machines, if the PKU2U protocol is disabled, enable it in the Windows registry as follows:
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u.
- Set AllowOnlineID to 1
and here we go.
If you need to use an other client rather than the windows one, than you need enable the RDSTLS protocol. Just add a new custom RDP Property to the host pool, targetisaadjoined:i:1. Azure Virtual Desktop then uses this protocol instead of PKU2U.
3 thoughts on “Azure Virtual Desktop and AzureAD joined VM”
Pingback: AVD news of the week - Johan Vanneuville
Pingback: Virtual Desktops Community Weekly Blog Post 4th November – 18th November – Virtual Desktops Community
Pingback: FSLogix Profile Container with Azure Files and AzureAD – tech-guys.blog