Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD
Can someone explain the difference between these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop application to use the web URL. Adding users to the client app seems to do nothing. We've had no issue with the Windows and Mac RDP apps using the web feed URLs. Unless this is what we have to do for the time being, but it just seems a little confusing.
And I don't know if I'm missing something, but I can only deploy apps and desktops per UPN and cannot apply a security group. It would be nice to have the app groups set up to look for a security group, so that simply adding the users to the group in AD and letting things sync up gives you your apps.
- Feffen: The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
- Christian_Montoya (Microsoft)
stevenzelenko: Thanks for the testing so far! To address some of your questions:
- Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
- Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.
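Since Add-RdsAppGroupUser only takes individual UPNs, one way to get group-like behaviour in the meantime is to resolve an Azure AD security group's members and assign each one in a loop. The script below is an added example written for this thread, not Microsoft's code; it assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and that Connect-AzureAD and Add-RdsAccount have already been run. The tenant, host pool, app group and group names are placeholders.

```powershell
# Added example: emulate security-group assignment by reading group members
# from Azure AD and assigning each member to a WVD app group by UPN.
# Assumes: AzureAD + Microsoft.RDInfra.RDPowerShell modules, already signed in.
param(
    [string]$TenantName   = '<tenantName>',          # placeholder
    [string]$HostPoolName = '<hostPoolName>',        # placeholder
    [string]$AppGroupName = 'Desktop Application Group',
    [string]$GroupName    = '<securityGroupName>'    # placeholder
)

$group = Get-AzureADGroup -SearchString $GroupName | Select-Object -First 1
if (-not $group) { throw "Security group '$GroupName' not found in Azure AD." }

# -All $true avoids the default page size silently truncating large groups.
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' }

# Read current assignments first so re-runs are idempotent and drift is visible.
$assigned = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName |
    ForEach-Object { $_.UserPrincipalName.ToLower() }

foreach ($m in $members) {
    $upn = $m.UserPrincipalName
    if ($assigned -contains $upn.ToLower()) {
        Write-Verbose "$upn already assigned to $AppGroupName"
        continue
    }
    try {
        Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
            -AppGroupName $AppGroupName -UserPrincipalName $upn
        Write-Output "Assigned $upn"
    } catch {
        # Surface the failure (for example a conflicting existing assignment) but keep going.
        Write-Warning "Failed to assign $($upn): $($_.Exception.Message)"
    }
}

# Report users still assigned in WVD but no longer in the group; these are
# candidates for Remove-RdsAppGroupUser so access follows group membership.
$memberUpns = $members | ForEach-Object { $_.UserPrincipalName.ToLower() }
$stale = $assigned | Where-Object { $memberUpns -notcontains $_ }
if ($stale) { Write-Warning "Assigned but not in group: $($stale -join ', ')" }
```

Run it on a schedule (or after a group change) and the app group tracks the security group; the stale-assignment warning is the part that matters for least privilege, since removals otherwise get forgotten.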
- stevenzelenko (Brass Contributor)
Christian_Montoya got it, thank you. Is there a reason why all my test users have to be assigned the TenantCreator role in the Windows Virtual Desktop app to even use the service? It seems like adding a user to the client app with a user role fails to log them in, with an error stating they are not assigned the app. When I add them as a tenant creator all is well.
- Christian_Montoya (Microsoft)
stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.
If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?
- sarahpotrick2573 (Copper Contributor)
Christian_Montoya My users are not able to sign in to their host pool virtual machine. It is throwing the following error. The username and password are correct, and I have also assigned them through PowerShell, but it is still throwing the same error.
- Christian_Montoya (Microsoft)
sarahpotrick2573: Can you run the following command to check the failed connections:
Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityType Connection -Outcome Failure -Detailed
Then, you can look at each individually and expand their Errors property. You can do this by getting the exact ActivityId, then:
$activity = Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityId <activityId> -Detailed
$activity.Errors
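When there are many failed connections, expanding activities one at a time is slow; the script below (an added example, not from the thread or from Microsoft) pulls every failed connection from the last day, flattens the Errors of each activity into one table and tallies the error codes, so a single dominant cause such as a missing app group assignment stands out. It assumes Microsoft.RDInfra.RDPowerShell is loaded and Add-RdsAccount has been run, that Get-RdsDiagnosticActivities accepts -StartTime, and that each Errors entry exposes ErrorSource, ErrorCodeSymbolic and ErrorMessage as the -Detailed output shows; the tenant name is a placeholder.

```powershell
# Added example: triage failed WVD connections by error code instead of
# expanding each activity by hand.
# Assumes: Microsoft.RDInfra.RDPowerShell loaded, Add-RdsAccount already run.
param(
    [string]$TenantName = '<tenantName>',   # placeholder
    [int]$HoursBack     = 24
)

$failed = Get-RdsDiagnosticActivities -TenantName $TenantName -ActivityType Connection `
    -Outcome Failure -StartTime (Get-Date).AddHours(-$HoursBack) -Detailed

if (-not $failed) {
    Write-Output "No failed connections in the last $HoursBack hours."
    return
}

# Flatten every error of every failed activity into one row per error.
# Field names on the Errors entries are assumed from the -Detailed output.
$errors = foreach ($a in $failed) {
    foreach ($e in $a.Errors) {
        [pscustomobject]@{
            ActivityId = $a.ActivityId
            User       = $a.UserName
            Start      = $a.StartTime
            Source     = $e.ErrorSource
            Code       = $e.ErrorCodeSymbolic
            Message    = $e.ErrorMessage
        }
    }
}

# Most frequent codes first, with the affected users: one code hitting many
# users usually means one misconfiguration (assignment, consent) rather than
# many individual credential problems.
$errors | Group-Object Code | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Per-activity detail, newest first, for following up on a specific user.
$errors | Sort-Object Start -Descending |
    Format-Table ActivityId, User, Start, Source, Code, Message -Wrap
```

The ActivityId in the second table is the value to feed back into Get-RdsDiagnosticActivities -ActivityId when a single session needs the full record.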