Forum Discussion
stevenzelenko
Mar 22, 2019, Brass Contributor
Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD
Can someone explain the difference of these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop A...
Rob Blankers
Jun 03, 2019, Brass Contributor
stevenzelenko Same issue here... glad I found this link.
stevenzelenko
Jun 03, 2019, Brass Contributor
Rob Blankers Thanks for reporting this. Christian_Montoya looks like we have another one. Just reporting it to Microsoft so we can have some ammunition to get down to the bottom of this.
- AT1991, Mar 05, 2020, Copper Contributor
Awesome! I will give it a go. Thank you.
- stevenzelenko, Mar 05, 2020, Brass Contributor
AT1991 We had this exact same thing happen to us too. Turn off the "User Assignment Required" toggle in the WVD apps in Azure. You should only need to add the users via PowerShell.
- AT1991, Mar 05, 2020, Copper Contributor
Because for some reason, without it, a few of our users were not able to log in via the desktop client. Adding them resolved the issue.
- Christian_Montoya, Mar 05, 2020, Microsoft
AT1991 : Why are you adding the users to the Enterprise App? If it's for user access, we don't use the Enterprise App for that, we use our Windows Virtual Desktop PowerShell: https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups
- AT1991, Mar 05, 2020, Copper Contributor
I am trying to automate the addition of users to the enterprise app using:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
However, I get the following:
New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned was not found on application
When I get the service principal:
AppRoleAssignmentRequired : True
AppRoles : {}
So this does not make any sense to me 😞
There are no roles, so why would this fail?
- Christian_Montoya, Nov 21, 2019, Microsoft
sarahpotrick2573: How did you configure Azure AD Domain Services? Does the domain match the UPNs of the Azure AD users?
- sarahpotrick2573, Nov 19, 2019, Copper Contributor
Christian_Montoya Yes, I checked it out and it is telling me that the user does not exist and that the VM is not joined. But my VM is joined to the domain that I created through Azure ADDS, and all of my users exist in Azure Active Directory; I have created that user in my Azure Active Directory only. I don't want all of my users to be in the AADC group, I just want them to access the WVD environment. Please help me out with some solution ASAP, as I have been trying to resolve this for the past 10 days and I need to deploy this in my client environment.
- Christian_Montoya, Nov 18, 2019, Microsoft
sarahpotrick2573: Can you run the steps from our troubleshooting guide to see if there are specific errors from Diagnostics? https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-client-connection#troubleshooting-end-user-connectivity
This would be the best way to understand what the initial errors are so that you don't need to add them as admins.
- sarahpotrick2573, Nov 18, 2019, Copper Contributor
Christian_Montoya Hey, I am facing the same issue. I have added my users through PowerShell and also added them in my Enterprise applications, including Windows Virtual Desktop and Windows Virtual Desktop Client. Everything is in place; in my Enterprise applications, under Properties, I have also set the user assignment required setting to No, but my users are still not able to access WVD and it throws the following error:
Please help me with it as soon as possible. Also, when I add those users to the AADC group they are able to access it without any error, but for my environment I don't want all users to have admin access.
- Feffen, Aug 13, 2019, Copper Contributor
Confirmed it's working for me now as well.
- Christian_Montoya, Aug 13, 2019, Microsoft
Glad you're up and running! As we depend on Azure AD and other Azure services, we are learning as we go in certain scenarios. Thanks for the patience and validating!
- Rob Blankers, Aug 13, 2019, Brass Contributor
stevenzelenko Christian_Montoya SUCCESS!!! I flipped the 'User assignment required' switch to No on each Enterprise Application, removed all the users from those apps and verified that all users in the Desktop Application Group (administered through PowerShell) can log in without issue. Appreciate the follow up on this unsupported service and can't wait for GA!! Thanks again!
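The fix the thread converges on (toggle "User assignment required" to No on both enterprise apps, drop the manual per-user app role assignments, and grant access through the app group) as an added PowerShell example; this is not code from the thread or from Microsoft. It assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed, that you are already signed in with sufficient rights (Connect-AzureAD, Add-RdsAccount), and the tenant, host pool and user names are placeholders.

```powershell
# Added example, not from the thread. Audit the two WVD enterprise apps for the
# setting that triggers sign-in error 50105, then grant access the supported way.
$tenantName   = "<your-wvd-tenant>"        # placeholder (assumption)
$hostPoolName = "<your-host-pool>"         # placeholder (assumption)
$appGroupName = "Desktop Application Group"
$userUpn      = "user@contoso.com"         # placeholder (assumption)

$wvdApps = @("Windows Virtual Desktop", "Windows Virtual Desktop Client")
foreach ($name in $wvdApps) {
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { Write-Warning "Enterprise app '$name' not found"; continue }

    # Report-only first: when this is True, any user without an app role
    # assignment on the app is rejected with error 50105.
    "{0}: AppRoleAssignmentRequired = {1}" -f $name, $sp.AppRoleAssignmentRequired

    # Per-user app role assignments are not how WVD grants session access, so
    # surface any that were added by hand as a workaround before removing them.
    Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
        Select-Object PrincipalDisplayName, PrincipalType, Id

    # Uncomment to apply the change described in the thread (toggle set to No).
    # Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
}

# Session access is governed by app group membership, so grant it there and
# verify the membership rather than relying on the enterprise apps.
Add-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName `
    -AppGroupName $appGroupName -UserPrincipalName $userUpn
Get-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName `
    -AppGroupName $appGroupName |
    Where-Object { $_.UserPrincipalName -eq $userUpn }
```

Run the audit loop with the Set- line commented out first so you can see which apps and which stray assignments the change would affect before applying it.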
- stevenzelenko, Aug 08, 2019, Brass Contributor
Christian_Montoya Looks like I spoke too soon. For some reason, our session host crashed and I had to reboot the VM. All works now, even CA. Great and simple discovery. Thank you.
- stevenzelenko, Aug 07, 2019, Brass Contributor
Christian_Montoya Had some time to test this. I removed my account from the Azure application and got right in. When I went to open an app, I got this error shown in the screen cap. We do have a conditional access policy applied to require MFA off of our network. But even on our network, this same error presents itself.
- stevenzelenko, Aug 07, 2019, Brass Contributor
Christian_Montoya Mine was set to yes too. That makes sense. You are handling the permission from the app group, if you aren't part of the permission to that group, no access. Makes perfect sense now. We'll test tomorrow and report back our findings. Thanks for the reply! Greatly appreciated.
- Christian_Montoya, Aug 07, 2019, Microsoft
Feffen: The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
- Feffen, Aug 07, 2019, Copper Contributor
Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.
I'm a bit confused by the language here, I guess; wouldn't I want to have to assign users to this app to control access?
- Christian_Montoya, Aug 07, 2019, Microsoft
Rob Blankers , stevenzelenko , Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.
Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.
- stevenzelenko, Aug 06, 2019, Brass Contributor
Feffen The powershell piece isn't bad since I'm in powershell almost all day. It's just one of those things that previews find...odd behavior. Glad it's not just us and there are others out there following this thread.
- Feffen, Aug 06, 2019, Copper Contributor
stevenzelenko Still happening here as well. Have to make users tenant creators and manually add them to the desktop users group via PowerShell before they can log in. Really not fun to admin this thing.
- stevenzelenko, Aug 06, 2019, Brass Contributor
Rob Blankers I'm bumping this again. We still have this issue. Microsoft told me that they would escalate internally but haven't heard anything yet. Christian_Montoya Do you know anything? Everything else is fine but this issue seems weird. Attaching the error we are still seeing again if it helps.
Date: 8/6/2019, 9:23:38 AM
Status: Failure
Sign-in error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-gallery#user-not-assigned-a-role.
Client app: Mobile Apps and Desktop clients
- Rob Blankers, Jun 04, 2019, Brass Contributor
So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client. In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app. At least you can't see them in the AAD GUI. I've used the following:
Add-RdsAppGroupUser -TenantName <tenant> -HostPoolName <hostpool> -appgroupname "Desktop Application Group" -UserPrincipalName
Manually adding a user to only the "Windows Virtual Desktop Client" app does not work. Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application". The application ID presented in this error is the ID for the "Windows Virtual Desktop" app. If I add the user to that app, it works. But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it.
Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.
- Christian_Montoya, Jun 04, 2019, Microsoft
jaycrumpgp stevenzelenko: Oh man, yes, this is definitely still an error. Let me follow up with the team and get back to you to see how we can address/resolve this. Full disclosure, I definitely want to get to the bottom of this because I don't want this error happening in the future, especially at GA.
Let me get back to you, but definitely thank you both for reporting.
- jaycrumpgp, Jun 04, 2019, Brass Contributor
Wow, glad I saw this post too - thanks Steven. See mine below - ignore all the older posts. Same situation, except I thought it had something to do with the fact that my Tenant Creator user didn't have MFA while the regular user account who is in the Desktop Application Group does have MFA enabled.
I just did what you guys have done - added the regular user to the Tenant Creator role in the Windows Virtual Desktop application and tried the RD Client again. I can see my pool now....
Christian_Montoya, this is messed up :). Following this post closely now too. Thanks - have a good day, all.