Azure Virtual Desktop | FSLogix App Masking with Entra Joined Devices I
If you google Azure Virtual Desktop with FSLogix App Masking on Entra joined devices, you will hardly find anything. You can use it with Liquit, for example, but that is the only method. Beyond that, you will only find other administrators asking the same question.
Is it possible to use FSLogix app masking with Azure Virtual Desktop Entra/Azure AD joined
Basically, even if you dig deeper into Google, you will find almost nothing. All the blog posts state that an Active Directory is needed. But Entra is also an Active Directory, so why is this not documented?
Entra is indeed an Active Directory, but not in the traditional way. Azure Virtual Desktops that are Entra joined can use Entra to log in to the desktop, but if you look for the variables that would tell you the machine is domain joined, you will not find them.
Let’s make it clear, I wasn’t able to find a quote which states that it is not supported, but also not a quote that it is supported. So actually the situation does not exist. But local groups are supported, and you are able to fill local groups with Entra ID users. So let’s automate that.
Azure Virtual Desktop
So, in Azure Virtual Desktop, applications and the permissions to those applications are basically set with AVD app groups and assignments. Those app groups are connected to an MSIX package, an App Attach package, or just applications installed on the session hosts. They make it possible to use an application as a remote app. The new way of working. The modern workplace.
As you can see, FSLogix App Masking isn’t a part of that.
‘A’ Work around
If it is a requirement, you can use FSLogix App Masking with Entra joined devices. But how? Well, there are a few steps to implement, and in the next posts I will make them clear. But then you still do not know how?! … Well, the trick is: use local groups with Entra users in them.
Steps:
- Create an Azure Function to get all members of the application security groups and upload CSVs with UPNs to Azure Blob Storage (part II)
- Create FSLogix App rules with assignments to local groups (part III)
- Create local groups and add user principals from the CSVs (part IV)
We do all of this with an Azure Function and scripting on the session host.
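A sketch of the session-host side of these steps, added here as an illustration and not taken from the later parts of this series: it creates the local group and fills it with Entra users from a CSV that has already been downloaded. The group name, the CSV path and the `UPN` column name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Hypothetical names: group 'AppMask-Visio', the CSV path, the 'UPN' column.

function Get-ValidUpn {
    param([string[]]$Upn)
    # Keep only well-formed UPNs so a malformed or tampered CSV row cannot
    # add an unexpected principal (for example 'BUILTIN\...') to the group.
    $Upn | Where-Object { $_ } |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -match '^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$' } |
        Sort-Object -Unique
}

function Add-EntraUsersToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$CsvPath
    )
    # Create the local group that the FSLogix rule assignment will reference.
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'FSLogix App Masking assignment' | Out-Null
    }

    $upns = @(Get-ValidUpn -Upn (Import-Csv -Path $CsvPath).UPN)
    foreach ($upn in $upns) {
        try {
            # On an Entra joined host, Entra users are addressed as AzureAD\<UPN>.
            Add-LocalGroupMember -Group $GroupName -Member "AzureAD\$upn" -ErrorAction Stop
            Write-Output "added   $upn"
        }
        catch {
            if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
                Write-Output "present $upn"   # already a member, so re-runs are idempotent
            }
            else {
                Write-Warning "failed  $upn : $($_.Exception.Message)"
            }
        }
    }
}

Add-EntraUsersToLocalGroup -GroupName 'AppMask-Visio' -CsvPath 'C:\ProgramData\AppMasking\AppMask-Visio.csv'
```

This sketch only adds members: a user removed from the Entra group stays in the local group, and keeps the app visibility that comes with it, until the local membership is removed as well.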