Forum Discussion
Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD
- Aug 07, 2019 Feffen: The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
Christian_Montoya got it, thank you. Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service? It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app. When I add them as a tenant creator all is well.
stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.
If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?
- stevenzelenko, Mar 30, 2019, Brass Contributor
Christian_Montoya. I have allowed admin and client rights using my global admin account in Azure. When I add a user to the WVD client app, going to the website attempts to log them in but kicks them back out. Same with the desktop client. In order to get them access, I have to add them as a tenant creator in the WVD application in Azure. Actually, I can only add them as tenant creators.
- Christian_Montoya, Apr 01, 2019, Microsoft
stevenzelenko : And when you say "going to the website", which website are you referring to? Can you post the link?
- stevenzelenko, Apr 02, 2019, Brass Contributor
Christian_Montoya the rdweb link here https://rdweb.wvd.microsoft.com/webclient
But it doesn't matter. Even when using the WVD desktop client, every user has to be a tenant creator in the WVD app in Azure. If they are only assigned to the WVD client app in Azure, they have no access. Everything works fine but the permissions seem backwards.
I've added some screen caps of what I'm talking about. You can see, all users marked as Tenant Creators in the WVD app have access. All users in the WVD client app set with a role of default access cannot log into the web URL nor the WVD client app. If I move them to creators, they have access without issue.