Azure Virtual Desktop
Last Updated: June 11, 2022
Azure AD Authentication
There are a couple of extra things you need to do when configuring your Azure Virtual Desktop (AVD) environment to authenticate with Azure Active Directory. Note that this is a guide for authenticating with Azure AD directly, not through Azure Active Directory Domain Services (Azure AD DS).
Upon creating the session host, the status is Unavailable.
The error message is specifically: SessionHost unhealthy: SessionHost is not joined to a domain.
Run the following on the session host (VM). You can run this through Operations -> Run command -> RunPowerShellScript.
New-Item -Path HKLM:\SOFTWARE\Microsoft\RDInfraAgent\AADJPrivate
Reboot the VM.
The host should be available.
If you have a policy that requires MFA, exclude the Azure Windows VM Sign-In app from the conditional access policy (the application ID is
372140e0-b3b7-4226-8ef9-d57986796201
).Add theses two values in the custom RDP properties in the host pool:
targetisaadjoined:i:1;
andenablerdsaadauth:i:1;
.Make sure the users that are allowed to use AVD are assigned the Virtual Machine User Login role in the Resource group where the session hosts are located. They should also be assigned to the application group. Use a security group for this assignment.
Terraform Example
Below is an example of the setup through Terraform.
# Resource Group
resource "azurerm_resource_group" "virtual_desktop" {
name = "virtual-desktop"
location = "West US 2"
}
# Workspace
resource "azurerm_virtual_desktop_workspace" "workspace" {
location = azurerm_resource_group.virtual_desktop.location
resource_group_name = azurerm_resource_group.virtual_desktop.name
name = "techstormpc"
friendly_name = "techstormpc"
description = "TechStorm PC Workspace"
}
# Host pool
resource "azurerm_virtual_desktop_host_pool" "host_pool" {
location = azurerm_resource_group.virtual_desktop.location
resource_group_name = azurerm_resource_group.virtual_desktop.name
name = "host-pool"
friendly_name = "Pool"
validate_environment = false
start_vm_on_connect = true
type = "Pooled"
maximum_sessions_allowed = 10
load_balancer_type = "DepthFirst"
custom_rdp_properties = <<EOT
targetisaadjoined:i:1;
audiocapturemode:i:1;
audiomode:i:0;
enablecredsspsupport:i:1;
enablerdsaadauth:i:1;
videoplaybackmode:i:1;
use multimon:i:1
EOT
}
# Application group
resource "azurerm_virtual_desktop_application_group" "desktop" {
location = azurerm_resource_group.virtual_desktop.location
resource_group_name = azurerm_resource_group.virtual_desktop.name
host_pool_id = azurerm_virtual_desktop_host_pool.accounting_pool.id
name = "techstormpc-desktop"
friendly_name = "Full Desktop"
type = "Desktop"
}
# Associate app group to workspace
resource "azurerm_virtual_desktop_workspace_application_group_association" "desktop_association" {
application_group_id = azurerm_virtual_desktop_application_group.accounting_desktop.id
workspace_id = azurerm_virtual_desktop_workspace.workspace.id
}
# Create security group for AVD access
resource "azuread_group" "avd_group" {
display_name = "AVD Users"
description = "Allowed to connect to session hosts"
security_enabled = true
}
resource "random_uuid" "role_assign_uuid" {}
# Assign the security group access to login to the VM
resource "azurerm_role_assignment" "vm_assignment" {
name = random_uuid.role_assign_uuid.result
scope = azurerm_resource_group.virtual_desktop.id
principal_id = azuread_group.avd_group.id
role_definition_name = "Virtual Machine User Login"
}
# Assign the security group access to the application group
resource "azurerm_role_assignment" "desktop_assignment" {
principal_id = azuread_group.avd_group.id
scope = azurerm_virtual_desktop_application_group.desktop.id
role_definition_name = "Desktop Virtualization User"
}