Forum Discussion
Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD
- Aug 07, 2019
> Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client. In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app. At least you can't see them in the AAD GUI. I've used the following:
Add-RdsAppGroupUser -TenantName <tenant> -HostPoolName <hostpool> -AppGroupName "Desktop Application Group" -UserPrincipalName <upn>
Manually adding a user to only the "Windows Virtual Desktop Client" app does not work. Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application". The application ID presented in this error is the ID for the "Windows Virtual Desktop" app. If I add the user to that app, it works. But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it.
Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.
Rob Blankers , stevenzelenko , Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.
Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.
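The following PowerShell is an added example, not code from this thread or from Microsoft. It performs the check Christian_Montoya asks for above (read the "User assignment required?" flag, which the AzureAD module exposes as AppRoleAssignmentRequired, on both Windows Virtual Desktop enterprise apps), optionally sets it to No, lists any leftover per-user assignments on those apps, and then grants access the supported way, through the app group with Add-RdsAppGroupUser, instead of the New-AzureADUserAppRoleAssignment call that AT1991 reports later in the thread as failing with "Permission being assigned was not found on application". It assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed, that the apps carry the display names quoted in the thread, and that the classic WVD broker URL is https://rdbroker.wvd.microsoft.com; the tenant, host pool and UPN values are placeholders you must replace.

```powershell
# Added example (not from the thread): audit the two WVD enterprise apps and
# grant access via the app group rather than an Azure AD app role assignment.
# Assumes: AzureAD + Microsoft.RDInfra.RDPowerShell modules; $TenantName,
# $HostPoolName and $Users are placeholders (constructed sample UPNs below).
param(
    [string]$TenantName   = "<tenant>",
    [string]$HostPoolName = "<hostpool>",
    [string]$AppGroupName = "Desktop Application Group",
    [string[]]$Users      = @("user1@contoso.example", "user2@contoso.example"),
    [switch]$Fix          # when set, flip AppRoleAssignmentRequired to $false
)

Connect-AzureAD | Out-Null

# Display names of the two enterprise apps as they appear in the portal.
$wvdAppNames = @("Windows Virtual Desktop", "Windows Virtual Desktop Client")

foreach ($name in $wvdAppNames) {
    # The enterprise app is a service principal; look it up by display name.
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) {
        Write-Warning "Enterprise app '$name' not found in this directory"
        continue
    }

    # AppRoleAssignmentRequired is the "User assignment required?" toggle on the
    # Properties blade. The thread's working state is $false (No).
    $required = $sp.AppRoleAssignmentRequired
    $roleCount = @($sp.AppRoles).Count
    Write-Host ("{0}: AppRoleAssignmentRequired={1}, AppRoles={2}" -f $name, $required, $roleCount)

    # True with zero app roles is the state AT1991 reports: users not assigned to
    # the app are bounced, and there is no role that could be assigned to them.
    if ($required -and $Fix) {
        Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
        Write-Host "  -> set 'User assignment required' to No for '$name'"
    }

    # Per-user assignments on these apps are not what grants WVD access; list any
    # that exist so they can be reviewed (Rob Blankers removed his entirely).
    Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
        ForEach-Object { Write-Host ("  existing assignment: {0}" -f $_.PrincipalDisplayName) }
}

# Access is controlled by app-group membership in the WVD tenant.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" | Out-Null
foreach ($upn in $Users) {
    Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
        -AppGroupName $AppGroupName -UserPrincipalName $upn
}

# Verify: the app group lists the users; the enterprise apps do not need to.
Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName |
    Select-Object UserPrincipalName
```

Run it first without -Fix to see the current state of both apps; the printed AppRoleAssignmentRequired value is what the Properties blade shows as "User assignment required?". Only the -Fix run changes the directory, and only when the flag is currently True.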
- AT1991 (Copper Contributor), Mar 05, 2020
Awesome! I will give it a go. Thank you.
- stevenzelenko (Brass Contributor), Mar 05, 2020
AT1991 We had this exact same thing happen to us too. Turn off the "User Assignment Required" toggle in the WVD apps in Azure. You should only need to add the users via PowerShell.
- AT1991 (Copper Contributor), Mar 05, 2020
Because for some reason without it, a few of our users were not able to log in via the desktop client. Adding them resolved the issue.
- Christian_Montoya (Microsoft), Mar 05, 2020
AT1991 : Why are you adding the users to the Enterprise App? If it's for user access, we don't use the Enterprise App for that, we use our Windows Virtual Desktop PowerShell: https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups
- AT1991 (Copper Contributor), Mar 05, 2020
I am trying to automate the addition of users to the enterprise app using:
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
However I get the following:
New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned was not found on application
When I get the service principal:
AppRoleAssignmentRequired : True
AppRoles : {}
So this does not make any sense to me 😞
There are no roles so why would this fail?
- Christian_Montoya (Microsoft), Nov 21, 2019
sarahpotrick2573 : How did you configure Azure AD Domain Services? Does the domain match the UPNs for the Azure AD users?
- sarahpotrick2573 (Copper Contributor), Nov 19, 2019
Christian_Montoya Yes, I checked it out and it is telling me that the user does not exist and that the VM is not joined. But my VM is joined to the domain that I created through Azure ADDS, and all of my users exist in Azure Active Directory; I have created that user in my Azure Active Directory only. I don't want all of my users to be in the AADC group, I just want them to access the WVD environment. Please help me out with some solution ASAP, as I have been trying to resolve this for the past 10 days and I need to deploy this in my client environment.
- Christian_Montoya (Microsoft), Nov 18, 2019
sarahpotrick2573 : Can you run steps from our troubleshooting guide to see if there are specific errors from Diagnostics? https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-client-connection#troubleshooting-end-user-connectivity .
This would be the best way to understand what the initial errors are so that you don't need to add them as admins.
- sarahpotrick2573 (Copper Contributor), Nov 18, 2019
Christian_Montoya hey, I am facing the same issue. I have added my users through PowerShell and I have also added them in my Enterprise applications, including Windows Virtual Desktop and Windows Virtual Desktop Client. Everything is in place; also in my Enterprise applications, in Properties, I have set the users assigned tab to NO. Still my users are not able to access WVD and it throws the following error:
Please help me with it as soon as possible. Also, when I add those users to the AADC group they are able to access it and it does not throw any error, but for my environment I don't want all users to have admin access.
- Feffen (Copper Contributor), Aug 13, 2019
Confirmed it's working for me now as well.
- Christian_Montoya (Microsoft), Aug 13, 2019
Glad you're up and running! As we depend on Azure AD and other Azure services, we are learning as we go in certain scenarios. Thanks for the patience and validating!
- Rob Blankers (Brass Contributor), Aug 13, 2019
stevenzelenko Christian_Montoya SUCCESS!!! I flipped the 'User assignment required' switch to No on each Enterprise Application, removed all the users from those apps and verified that all users in the Desktop Application Group (administered through PowerShell) can log in without issue. Appreciate the follow up on this unsupported service and can't wait for GA!! Thanks again!
- stevenzelenko (Brass Contributor), Aug 08, 2019
Christian_Montoya Looks like I spoke too soon. For some reason, our session host crashed and I had to reboot the VM. All works now, even CA. Great and simple discovery. Thank you.
- stevenzelenko (Brass Contributor), Aug 07, 2019
Christian_Montoya Had some time to test this. I removed my account from the Azure application and got right in. When I went to open an app, I got this error shown in the screen cap. We do have a conditional access policy applied to require MFA off of our network. But even on our network, this same error presents itself.
- stevenzelenko (Brass Contributor), Aug 07, 2019
Christian_Montoya Mine was set to yes too. That makes sense. You are handling the permission from the app group, if you aren't part of the permission to that group, no access. Makes perfect sense now. We'll test tomorrow and report back our findings. Thanks for the reply! Greatly appreciated.
- Christian_Montoya (Microsoft), Aug 07, 2019
Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.
- Feffen (Copper Contributor), Aug 07, 2019
Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.
I'm a bit confused by the language here, I guess; wouldn't I want to have to assign users to this app to control access?