Azure Virtual Desktop and AzureAD joined VM

Since some time it is possible to join a Windows VM to Azure AD directly. Now this is also possible with Azure Virtual Desktop.

This Blogpost will show all my steps until I am possible to login to my Windows 10 System.


Create a host pool

First of all we need some basic informations such as pool name.

next to the basics we need to define: VM Size, VM Availability, Image type and the number of VMs.

General Settings

addition to that we can use an existing network or we are able to create a new one.

Network Settings

After these Settings we need to define which domain we want to join. Her we can now choose between Active Directory and Azure Active Directory.

I have chosen AzureAD.


During the host pool creation it is possible to create a assignment to a workspace. I have created tech-guy-workspace as a new one.

Roles and Permissions

With AzureAD joined devices we need to create a role assignment and a app group assignment. With each host pool one default app group will be created. In my test lab it is called “tech-guys-personal-pool-DAG”.

default app group

within this app group we are able to assign users

2nd task is to assign rbac role to at least the virtual machine to that we want to login. I prefer to assign that role to my resource group that I have that assignment for all future host as well.

there are 2 roles we need to consider about.

RBAC Roles

As it says the first role is useful when you want to login and want to have admin privileges on that machine. second group is only for your users that they are able to login without admin permission. In my lab I assigned my test user to “virtual machine user login” and my cloud only user “virtual machine administrator login” role.

To access host pool VMs, your local computer must be:

  • Azure AD-joined or hybrid Azure AD-joined to the same Azure AD tenant as the session host.
  • Running Windows 10 version 2004 or later, and also Azure AD-registered to the same Azure AD tenant as the session host.

Host pool access uses the Public Key User to User (PKU2U) protocol for authentication. To sign in to the VM, the session host and the local computer must have the PKU2U protocol enabled. For Windows 10 version 2004 or later machines, if the PKU2U protocol is disabled, enable it in the Windows registry as follows:

  1. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u.
  2. Set AllowOnlineID to 1

and here we go.

If you need to use an other client rather than the windows one, than you need enable the RDSTLS protocol. Just add a new custom RDP Property to the host pool, targetisaadjoined:i:1. Azure Virtual Desktop then uses this protocol instead of PKU2U.

Azure Backup – App Consistent

Diagram showing Linux application-consistent snapshot by Azure Backup.

Recently I migrated some Linux Systems with Azure Migrate from a VMWare environment to Azure. We also used Azure Backup to have a daily backup of all VMs and of all Databases as well, but we had not application consistent one. I needed some troubleshooting time to figure out how it works. This step by step guide shows an example how I did it and how to prepare a test environment. This includes how to installs MySQL, creating a Database and how to configure Azure Backup to have an app consistent Backup.

  1. Install MySQL
  2. Create a Database
  3. Configure Azure Backup

Install MySQL


To follow this guide you need to use (because I did 😉 ):
– Ubuntu 20.04

$ sysop@linux01:/$ sudo apt update


$ sysop@linux01:/$ sudo apt install mysql-server

$ systemctl status mysql.service


Create Test DB

$ sudo mysql
mysql> create database techguysdb;

mysql> show databases;


Configure Azure Backup

To configure Azure Backup you need to do the following:

  1. Download and prepare VMSnapshotPluginConfig.json
  2. prepare pre and post script
  3. enable Azure Backup for your Linux VM
  4. shutdown Linux VM and do a backup
  5. start Machine and do a second backup


I followed the Microsoft documentation

First we need to download the VMSnapshotPluginConfig.json file here:

“pluginName” : “ScriptRunner”,
“preScriptLocation” : “”,
“postScriptLocation” : “”,
“preScriptParams” : [“”, “”],
“postScriptParams” : [“”, “”],
“preScriptNoOfRetries” : 0,
“postScriptNoOfRetries” : 0,
“timeoutInSeconds” : 30,
“continueBackupOnFailure” : true,
“fsFreezeEnabled” : true

This file contains different values that need to be changed to fit to the current environment. My file look like this:

“pluginName” : “ScriptRunner”,
“preScriptLocation” : “/scripts/”,
“postScriptLocation” : “/scripts/”,
“preScriptParams” : [“”, “”],
“postScriptParams” : [“”, “”],
“preScriptNoOfRetries” : 2,
“postScriptNoOfRetries” : 2,
“timeoutInSeconds” : 30,
“continueBackupOnFailure” : false,
“fsFreezeEnabled” : true

I changed “script location” and “continueBackupOnFailure” (this change helped me to see an error message within azure backup jobs, if one script fails)

VMSnapshotPluginConfig.json need to be copied to “/etc/azure”. If this do not exit, simply create. After that we need to change the permission to that file that only “root” has read and write permissions.

sysop@linux01:/etc/azure$ sudo chmod 600 VMSnapshotPluginConfig.json

Output of ls -l:

Pre and PostScript

To have a pre and a post script I used the examples from veeam

my pre-script looks like this:

my post script looks like this:

both scripts must be copied to the Linux system. I copied it to /scripts. Next important task is to set permissions to 600 to both files otherwise azure backup will fail.

sysop@linux01:/scripts$ sudo chmod 600
sysop@linux01:/scripts$ sudo chmod 600


enable Backup for a Virtual Maschine

if the backup is enabled it looks like this. It is only configured but has never been executed. Restore points overview shows no backup.

1st Backup

Very important is that the first Backup needs to be done when the virtual machine is deallocated!

then run backup-job as configured

The Backup includes two steps. 1st take a snapshot, second is to copy data to the vault.

When the snapshot task is done the linux-system can be started and our vault shows a crash consistent backup

2nd backup

if the VM is up and running all scripts and config files are in place we can trigger the second backup. now the service should use all configuration and the result should be an app consistent backup 🙂

and here we go…

Hope that step by step guide helps to get this working.

about Tommy

Tommy Kneetz

Tommy is working as a Senior Cloud Consultant with more than 20 years of experience. Since 10 years his focus is on Microsoft Azure especially on Azure Governance, Azure Network, Azure Security, Azure IaaS, PaaS and my favorite Azure Virtual Desktop.

Tommy is Co-Founder and organizer of “Azure Meetup Schwerin” – a Gemany based Azure Community.