Forum Discussion

stevenzelenko
Brass Contributor
Mar 22, 2019

Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD

Can someone explain the difference between these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop application to use the web URL. Adding users to the client app seems to do nothing. We've had no issue with the Windows and Mac RDP apps using the web feed URLs. Unless this is what we have to do for the time being, it just seems a little confusing.


And I don't know if I'm missing something, but I can only deploy apps and desktops per UPN and cannot apply a security group. It would be nice to have the app groups set up to look for a security group, so you simply add the users to the group in AD and, when things sync up, you have your apps.

  • Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
  • stevenzelenko : Thanks for the testing so far! To address some of your questions:

    • Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
    • Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.
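Since Add-RdsAppGroupUser takes one UPN at a time, the group-based assignment asked for above can be approximated by enumerating the Azure AD group and assigning each member individually. The script below is an added example written for this thread, not Microsoft's code or a documented feature; it assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and signed in (Connect-AzureAD, Add-RdsAccount), and that Get-RdsAppGroupUser output exposes a UserPrincipalName property.

```powershell
# Added example (not from the thread): sync the members of an Azure AD
# security group into a WVD app group, one UPN per Add-RdsAppGroupUser call.
# Assumes AzureAD + Microsoft.RDInfra.RDPowerShell modules, already signed in.
param(
    [Parameter(Mandatory)] [string] $TenantName,
    [Parameter(Mandatory)] [string] $HostPoolName,
    [Parameter(Mandatory)] [string] $AppGroupName,
    [Parameter(Mandatory)] [string] $GroupObjectId,  # Azure AD group object id (placeholder: supply your own)
    [switch] $RemoveStale                             # also remove users no longer in the group
)

# Desired members: user objects only (nested groups are not expanded here)
$wanted = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' } |
    Select-Object -ExpandProperty UserPrincipalName

# Users currently assigned to the app group (UserPrincipalName property assumed)
$current = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName |
    Select-Object -ExpandProperty UserPrincipalName

foreach ($upn in $wanted) {
    # -contains on strings is case-insensitive, so re-runs are idempotent
    if ($current -contains $upn) { continue }
    try {
        Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
            -AppGroupName $AppGroupName -UserPrincipalName $upn -ErrorAction Stop
        Write-Host "Added $upn"
    } catch {
        # Typical cause: the UPN is not a user in the tenant the host pool trusts
        Write-Warning "Failed to add ${upn}: $($_.Exception.Message)"
    }
}

# Optional: keep app-group membership equal to group membership (least privilege)
if ($RemoveStale) {
    foreach ($upn in $current) {
        if ($wanted -contains $upn) { continue }
        Remove-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
            -AppGroupName $AppGroupName -UserPrincipalName $upn
        Write-Host "Removed $upn (no longer in group)"
    }
}
```

Run it on a schedule (or after directory sync) so app-group membership tracks the security group; without -RemoveStale it only ever adds users.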
    • stevenzelenko
      Brass Contributor

      Christian_Montoya got it, thank you.  Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service?  It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app.  When I add them as a tenant creator all is well.

      • Christian_Montoya
        Microsoft

        stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.


        If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?

    • sarahpotrick2573
      Copper Contributor

      Christian_Montoya My users are not able to sign in to their host pool virtual machine. It is throwing the following error. The username and password are correct, and I have also assigned them through PowerShell; still it is throwing the same error.

      • Christian_Montoya
        Microsoft

        sarahpotrick2573 : Can you run the following command to check the failed connections:

        Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityType Connection -Outcome Failure -Detailed


        Then, you can look at each individually and expand their Errors property. You can do this by getting the exact ActivityId, then:

        $activity = Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityId <activityId> -Detailed
        $activity.Errors
