Forum Discussion
Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD
- Aug 07, 2019, Feffen: The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
stevenzelenko: Thanks for the testing so far! To address some of your questions:
- Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
- Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.
Christian_Montoya: got it, thank you. Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service? It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app. When I add them as a tenant creator all is well.
- Christian_Montoya, Mar 29, 2019, Microsoft
stevenzelenko: The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.
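One way to work around the per-UPN limitation described above (Add-RdsAppGroupUser taking individual UPNs, not a security group) is to mirror an Azure AD group into the app group from a script. This is an added example, not code from the thread, from Feffen's implementation, or from Microsoft; it assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and that Connect-AzureAD and Add-RdsAccount have already been run. The tenant, host pool, app group and group object id are placeholders supplied as parameters.

```powershell
# Constructed example: assign every user member of an Azure AD security group to a
# WVD app group one UPN at a time, idempotently, and report assignments that exist
# outside the group so stale or hand-added access is visible for review.
param(
    [Parameter(Mandatory)] [string] $TenantName,     # placeholder: your WVD tenant name
    [Parameter(Mandatory)] [string] $HostPoolName,   # placeholder: host pool in that tenant
    [Parameter(Mandatory)] [string] $AppGroupName,   # placeholder: app group to populate
    [Parameter(Mandatory)] [string] $GroupObjectId   # placeholder: Azure AD group to mirror
)

# Resolve direct group membership to UPNs (nested groups are not expanded here).
$members = Get-AzureADGroupMember -ObjectId $GroupObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' -and $_.UserPrincipalName }
$wanted = @($members.UserPrincipalName | Sort-Object -Unique)

# Current assignments, so the script can be re-run from a schedule without errors.
$existing = @(Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
    -AppGroupName $AppGroupName | Select-Object -ExpandProperty UserPrincipalName)

foreach ($upn in $wanted) {
    if ($existing -contains $upn) { continue }
    try {
        Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
            -AppGroupName $AppGroupName -UserPrincipalName $upn -ErrorAction Stop
        Write-Output "added   $upn"
    } catch {
        # Typically the UPN is not a valid user in the Azure AD tenant backing WVD.
        Write-Warning "failed  $upn : $($_.Exception.Message)"
    }
}

# Do not remove anything automatically; surface the drift for a human to review.
$extra = $existing | Where-Object { $_ -and ($wanted -notcontains $_) }
foreach ($upn in $extra) {
    Write-Output "review  $upn is assigned to $AppGroupName but is not in the group"
}
```

Run it from a scheduled task or pipeline so group membership changes propagate to the app group, and act on the "review" lines as an access-review step rather than letting the script remove users.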
If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?
- stevenzelenko, Mar 30, 2019, Brass Contributor
Christian_Montoya: I have allowed admin and client rights using my global admin account in Azure. When I add a user to the WVD client app, going to the website attempts to log them in but kicks them back out. Same with the desktop client. In order to get them access, I have to add them as a tenant creator in the WVD application in Azure. Actually, I can only add them as tenant creators.
- Christian_Montoya, Apr 01, 2019, Microsoft
stevenzelenko: And when you say "going to the website", which website are you referring to? Can you post the link?