In this chapter, we will look at Azure Active Directory (Azure AD) join for Azure Virtual Desktop. Using Azure AD join for Azure Virtual Desktop has many benefits for organizations, including Single Sign-On (SSO), virtual machines just using one identity provider, and being able to avoid some of the complexities associated with having an Active Directory domain controller.
It is important to note that other services may still require an Active Directory Domain Services environment for access to applications and Server Message Block (SMB).
In this chapter, we will take a look at the following:
It is important to note that there are a few limitations when using Azure AD join for Azure Virtual Desktop at the time of writing. As you may know, many Microsoft services, third-party platforms, and others require access to an Active Directory environment for authentication and user/group permissions. Therefore, it is important to assess your organization's current requirements to ensure that Azure AD join is a suitable solution:
Important Note
Azure AD join is different from an Active Directory Domain Services controller in that the session host Virtual Machines (VMs) are automatically joined with the Azure AD tenant of the subscription that deploys the VMs. There is no way to specify a different Azure AD tenant for the host VMs. This means you will need to ensure that the required Azure tenant is linked to the subscription you wish to deploy the Azure AD-joined VM to.
Let's now look at deploying an Azure AD-joined host pool.
In this section, we will look at deploying a host pool using Azure AD join.
Before we get started, I want to cover the use of FSLogix profile containers with Azure AD join. When using Azure AD join, there are a few slight differences compared to the traditional way when using Active Directory Domain Services. The following link takes you to the Microsoft documentation detailing how to configure FSLogix profile containers with Azure Files and Azure AD. Please note this feature is in preview at the time of writing: https://docs.microsoft.com/azure/virtual-desktop/create-profile-container-azure-ad.
Let's now move on and look at the creation of an Azure AD-joined host pool:
You can read more on Intune as a part of Microsoft Endpoint Manager (MEM) here: https://techcommunity.microsoft.com/t5/intune-customer-success/getting-started-with-microsoft-endpoint-manager/ba-p/2497614.
Important Note
You need to ensure that you have set up MEM before using the Enroll VM with Intune feature; otherwise, the host pool deployment will fail.
Now that we have deployed the Azure AD-joined host pool, we will now take a look at enabling access for users in the next section.
Before users can sign in to the session hosts within the Azure AD-joined host pool, you must configure the required permission using Role-Based Access Control (RBAC). First, we need to add the required users and Azure AD groups to the host pool default desktop application group. We also need to add the Virtual Machine User Login RBAC role.
Important Note
The Virtual Machine User Login RBAC role is not an Azure Virtual Desktop role. This is required to enable access to sign in to a VM. The Azure role enables logon by applying the DataAction permission.
Depending on your requirements and host pool deployment, you may want to review the scope for this role. For example, assigning an Azure AD group at the resource group level may make more sense than assigning the RBAC role for each user per VM.
Important Note
It is not advised to set the Virtual Machine User Login RBAC role at the subscription level; you would essentially give all assigned users the ability to sign in to all VMs within the subscription.
To assign the Virtual Machine User Login role, do the following:
This section looked at assigning the Virtual Machine User Login role to give Azure user accounts access to VMs. In the next section, we will look at connecting to session hosts using the Windows Remote Desktop client.
Before you can sign in to your Azure Virtual Desktop Azure AD-joined session host, you must ensure your local PC meets the following requirements:
If you do not meet the preceding criteria, you can enable the RDSTLS protocol, an enhanced RDP security protocol. You can read more on RDSTLS here: https://docs.microsoft.com/openspecs/windows_protocols/ms-rdpbcgr/83d1186d-cab6-4ad8-8c5f-203f95e192aa.
You can add the RDSTLS protocol using a custom RDP property with the host pool: targetisaddjoined:i:1. You will also need to use the same custom RDP property when using web, Android, macOS, and iOS clients:
Azure AD join host pool access uses the Public Key User to User (PKU2U) protocol for authentication. To sign in, both the session host and the local PC must have PKU2U set to Enabled. If you are using Windows 10 build 2004 or later, you can enable the protocol by following these steps:
You can also set this using Group Policy by completing the following steps:
In the next section, we will take a brief look at configuring local admin access when using Azure AD join.
To give the user local admin access to a VM, you will need to assign the Virtual Machine Administrator Login role to the VM using the same process as shown in the Enabling user access section.
Important Note
It is recommended that you only assign users to the required VMs when assigning the Virtual Machine User Login role. For example, if you assign this role to a group at the subscription level, all users within the group would have local admin rights to all the VMs. This is not a recommended approach.
You can add the required user to the Virtual Machine Administrator Login role as shown in the following screenshot:
Once you have added the required permissions, you should see the user account now logs in as an administrator:
This brief section looked at assigning local admin rights to an Azure AD-joined host pool.
This chapter looked at the Azure AD join feature for Azure Virtual Desktop. First, we looked at the prerequisites, then we studied deploying an Azure AD-joined host pool, and we finished off the chapter by looking at applying the required permissions and setting the custom RDP property for access on devices that are not Azure AD-joined or hybrid domain-joined. In the next chapter, we will take a look at creating and managing Session Host images.