When using Entra Joined Azure Virtual Desktop Sessionhosts, you will need to assign a RBAC role to the user group which will login to the sessionhosts. The RBAC role of Virtual Machine User Login, located at the resource group which holds the sessionhost virtual machines. In this post: Azure | Deploy Azure Virtual Desktop – GetToTheCloud I explained that the user group that needs to access the Azure Virtual Desktop require the Virtual Machine User Login RBAC role.
A problem using Entra Joined AVD sessionhosts is that every time you enroll new sessionhosts and a User will login to those sessionhosts, the need to give consent. It’s annoying to a user and only remembered for x amount of days. When you use a golden image and you redeploy that image when it is updated, they will get that popup and need to grant access. But It can be solved 🙂
How to configure
Microsoft wrote an article about it: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID authentication | Microsoft Learn but let me write it out for you downhere.
We recommend you use a dynamic group and configure the dynamic membership rules to includes all your Azure Virtual Desktop session hosts. You can use the device names in this group, but for a more secure option, you can set and use device extension attributes using Microsoft Graph API. While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.
Dynamic groups requires the Microsoft Entra ID P1 license or Intune for Education license. For more information, see Dynamic membership rules for groups.
First you need to enable Microsoft Entra Authentication for RDP which is a switch property on the service principals. There are two service principal applications which needs to be set:
| Application Name | Application ID |
|---|---|
| Microsoft Remote Desktop | a4a365df-50f1-4397-bc59-1a1564b8bb9c |
| Windows Cloud Login | 270efc09-cd0d-444b-a71f-39af4910ec45 |
Those Applications ID’s are in every tenant the same.
#getting serviceprincipals
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
# changing RDPProtocolEnabled
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) {
Write-Host "Setting for application: Microsoft Remote Desktop RDPProtocol to Enabled"
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}
else {
Write-Host "Setting for application: Microsoft Remote Desktop RDPProtocol is already Enabled"
}
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) {
Write-Host "Setting for application: Windows Cloud Login RDPProtocol to Enabled"
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}
Else {
Write-Host "Setting for application: Windows Cloud Login RDPProtocol is already Enabled"
}This can be done if you connect to Microsoft Graph with the Connect-MGGraph -Scopes “Application.Read.All”,”Application-RemoteDesktopConfig.ReadWrite.All”,”Group.Read.All” -NoWelcome cmdlet.
You need to get the groupId and the group name and set it to variables
$Group = "avd-userstoconnect" #dynamic group with users which need to connect to the sessionhosts
$groupId = "[YOURGROUPID]" #the groupId of the group above.Create a new object with the variables
# creating new TargetDeviceObject
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = $groupId
$tdg.DisplayName = $groupUpdate the service principal
# setting group to be rdp protocol enabled
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdgThis needs to be done for every group which is required.
IT Professional on a journey to discover the cloud platforms and become certified and an expert.
A Blog that follows the journey to get to the Cloud.
Azure Local | Azure Bicep | Azure Virtual Desktop | Powershell | Azure Certified | MCSA | Microsoft 365
