Forum Discussion
Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD
- Aug 07, 2019
Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
stevenzelenko : Can we follow up in a Private Message? It's really strange that you're hitting this and would like to get to the bottom of this. Although you are seeing this behavior, you should not have to be adding users to the TenantCreators role to access their desktops or applications, so I just want to better understand your environment.
Christian_Montoya of course. Thanks for helping me through this.
- AT1991 | Mar 05, 2020 | Copper Contributor
Awesome! I will give it a go. Thank you.
- stevenzelenko | Mar 05, 2020 | Brass Contributor
AT1991 We had this exact same thing happen to us too. Turn off the "User Assignment Required" toggle in the WVD apps in Azure. You should only need to add the users via PowerShell.
- AT1991 | Mar 05, 2020 | Copper Contributor
Because for some reason without it, a few of our users were not able to log in via the desktop client. Adding them resolved the issue.
- Christian_Montoya | Mar 05, 2020 | Microsoft
AT1991 : Why are you adding the users to the Enterprise App? If it's for user access, we don't use the Enterprise App for that, we use our Windows Virtual Desktop PowerShell: https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups
- AT1991 | Mar 05, 2020 | Copper Contributor
I am trying to automate the addition of users to the enterprise app using:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
However I get the following :
New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned was not found on application
When I get the service principal :
AppRoleAssignmentRequired : True
AppRoles : {}
So this does not make any sense to me 😞
There are no roles so why would this fail?
- Christian_Montoya | Nov 21, 2019 | Microsoft
sarahpotrick2573 : How did you configure Azure AD Domain Services? Does the domain match the UPNs for the Azure AD user?
- sarahpotrick2573 | Nov 19, 2019 | Copper Contributor
Christian_Montoya Yes, I checked it out and it is telling me that the user does not exist and that the VM is not joined. But my VM is joined to my domain that I created through Azure ADDS, and all of my users exist in the Azure Active Directory, and I have created that user in my Azure Active Directory only. I don't want all of my users to be in the AADC group; I just want them to access the WVD environment. Please find or help me out with some solution ASAP, as I have been trying to resolve this for the past 10 days and I need to deploy this in my client environment.
- Christian_Montoya | Nov 18, 2019 | Microsoft
sarahpotrick2573 : Can you run steps from our troubleshooting guide to see if there are specific errors from Diagnostics? https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-client-connection#troubleshooting-end-user-connectivity .
This would be the best way to understand what the initial errors are so that you don't need to add them as admins.
- sarahpotrick2573 | Nov 18, 2019 | Copper Contributor
Christian_Montoya Hey, I am facing the same issue. I have added my users through PowerShell and I have also added them in my Enterprise application, including Windows Virtual Desktop and Windows Virtual Desktop Client. Everything is in place; also, in my Enterprise applications, in Properties, I have set the users assigned tab to NO. Still my users are not able to access the WVD and it is throwing the following error:-
Please help me with it as soon as possible. Also, when I add those users in the AADC group they are able to access it and it does not throw any error, but for my environment I don't want all users to have the admin access.
- Feffen | Aug 13, 2019 | Copper Contributor
Confirmed it’s working for me now as well.