Forum Discussion

Stefan Georgiev's avatar
Jun 15, 2021

Getting started wizard in Azure Virtual Desktop

This document provides an overview of how to leverage the getting started wizard in AVD (Azure Virtual Desktop).

 

If you would like to reach out to the product team please use our form https://aka.ms/avdgsquestions.

 

1.   Explaining the getting started wizard

The getting started flow is aimed at addressing the following challenges with deploying AVD environments:

  • Remove complex multi-step process (e.g., FSLogix profiles setup, Azure Files Storage account creation, domain join, etc.)
  • Create session hosts and configure AVD (host pool, workspaces, desktop groups, validation user)
  • Validate user input
  • Validate environment (DNS, firewall/NSG configuration requirements for AVD, permission on Azure AD and subscriptions)

Getting started has two main branches

  • Existing setup – This branch is tailored for Azure tenants and subscriptions that already have AD DS or Azure AD DS configured
  • Empty subscription – This branch is tailored for subscriptions that do not have AD DS or Azure AD DS, but may have other Azure resources (e.g. Azure Databricks, Azure Kubernetes).

 

Once an AVD deployment has been completed existing AVD management tools can be used for management.

 

2.   Requirements and limitations

To use the getting started flow following requirements must be met:

  • Active Azure subscription
  • Azure AD tenant
  • An account with Global Admin permissions on Azure AD (MSA and guest accounts are not supported see section 8.2)
  • An account with Owner permissions on the subscription
  • If getting started wizard is being used in an environment with an existing identity provider there is an additional requirement for Active Directory domain admin credentials
  • Azure AD Connect is syncing the USERS container from AD DS to Azure AD

 

The getting started flow has the following limitations:

 

3.   Feedback

For bugs and questions, please file them via our form https://aka.ms/avdgsquestions.

 

4.   Getting start wizard  validation and deployment overview

This section explains the phases through which the getting started wizard.

  1. Validates that there is an active subscription.
  2. Validates user has Global Admin permissions on Azure AD
  3. Validates user has Owner permissions on the Azure subscription
  4. If needed registers AVD resource provider on the subscription
  5. General input validation for required fields, empty space, reserved words
  6. If an empty subscription confirms no Azure AD DS is deployed and deploys it
    1. Creates Azure AD service principal
    2. Creates AAD DC Administrators group
    3. Checks if the selected domain administrator account can be created, creates it, and adds it to AAD DC Administrators group
    4. Creates VNET and NSG
  7. Validates if URLs required for AVD are reachable
  8. If existing setup
    1. Validates VNET and DNS can resolve the domain name
  9. If selected creates validation user
    1. Grant Desktop Virtualization User role
  10. Creates the AVD user group
    1. Grant the group Storage File Data SMB contributor
  11. If selected creates a storage account for FSLogix profiles
  12. AVD resources
    1. Host pool
    2. User-defined number of session host
  13. Validates the input for the ARM template (pre-flight check)
  14. Validates the individual resources against their corresponding resource provider (in-flight check)

 

Note: the last two options are always performed when ARM templates are deployed.

 

4.1.          Getting started in the Azure portal

Getting started is currently available under its code name “Quickstart”. 

 

5.   Existing setup walkthrough

This section walks the user through the getting started wizard on a subscription that contains either Azure AD DS or AD DS configured.

 

5.1.          Getting started wizard for existing setup  

 

Note: this URL is subject to change and eventually will be remove and only https://portal.azure.com will be needed.

 

  • If requested sign to Azure and open Azure Virtual Desktop management, then select the Quickstart blade
  • This will open the landing page for the wizard. Click Create.
  • In the Basic blade select
    1. Subscription - allows you to select a subscription in which the wizards is going to deploy.
    2. How is your subscription configured – select Existing setup
    3. Location – resource location
    4. Azure admin UPN – the full user principal name (UPN) for an account that has admin permissions on Azure AD and owner permission on the subscription
    5. AD Domain join UPN – the full user principal name (UPN) for an account that has permissions and will be used to join the virtual machines to your domain
    6. Identity – The getting started wizard supports Azure AD DS or AD DS. Select an option applicable to your environment. This selection will have an impact on the input needed for Virtual machines
  • In the Virtual machines blade
    1. Do you want the users to share this machine? – This option determines if a single session (aka personal) or multi-session (aka pooled) host pool will be configured. When selecting Yes (multi session) this will also trigger the creation of Azure Files (AF) storage account (SA) that will be joined to either Azure AD DS or AD DS.
    2. Image type – allows to selecting image from the Image gallery, custom images, or VHDs from storage blobs.
    3. VM size – allows you to select size and SKU for the VMs that are going to be deployed.
    4. Number of VMs – defines how many VMs are to be provisioned in the host pool.
    5. Subnet – This option will only appear if this is an existing setup with AD DS. It allows you to select a subnet in the VNET. This must be the same subnet as the identity (AD DS or Azure AD DS) is located or has been peered to it
    6. Domain controller resource group – This option will only appear if this is an existing setup with AD DS. It requires a selection of the resource group (RG) to which the AD DS VM is located or peered to. The RG with the domain controller must be in the same subscription (peered subscriptions are not supported.)
    7. Domain controller virtual machine – This option will only appear if this is an existing setup with AD DS. It asks for the VM running the AD DS
  • Assign existing users – when checked this will open the Select Azure AD users or Users group.
    1. Create validation user – when checked this will open two fields Validation user username and Validation user password

 

NOTE: The validation users group will be created in the USERS container. The Validation Group must be synced to Azure AD for the process to complete successfully. If Azure AD Connect is not syncing the USERS container, then pre-create the AVDValidationUsers group into an organization unit (OU) that is being synced to Azure.

 

6.   Empty subscription walkthrough

This section walks the user through the getting started wizard on an empty subscription. In the context of this wizard an empty subscription is one that does not have Azure AD DS or AD DS configured.

 

6.1.          Getting started wizard for empty subscription

Note: this URL is subject to change and eventually will be remove and only https://portal.azure.com will be needed.

 

  • If requested sign to Azure and open Azure Virtual Desktop management, then select the Quickstart blade
  • This will open the landing page for the wizard. Click Create
  • In the Basic blade select
    1. Subscription - allows you to select a subscription in which the wizards is going to deploy.
    2. How is your subscription configured – select Empty subscription.
    3. Resource group prefix – When getting started wizard is ran on an empty subscription we need to create three resource group all using this prefix
    4. Location – resource location
    5. Azure admin UPN – the full user principal name (UPN) for an account that has admin permissions on Azure AD and owner permission on the subscription
    6. AD Domain join UPN – the full user principal name (UPN) for an account that has permission and will be used to join the virtual machines to your domain
  • In the Virtual machines blade
    1. Do you want the users to share this machine? – This option determines if a single session (aka personal) or multi-session (aka pooled) host pool will be configured. When selecting Yes (multi session) this will also trigger the creation of Azure Files (AF) storage account (SA) that will be joined to the either Azure AD DS or AD DS.
    2. Image type – allows to select image from Image gallery, custom images, or VHDs from storage blobs.
    3. VM size – allows selecting size and SKU for the VMs that are going to be deployed.
    4. Number of VMs – defines how many VMs are to be provisioned in the host pool.
  • Assignments blade allows you to specify the creation of a validation user that is going to be assigned to test the deployment.
    1. Create validation user – when checked this will open two fields Validation user username and Validation user password.

 

7.   Outcome of successful run of the getting started wizard

This section covers what resources the getting started wizard deploys for its two variants, existing setup, and empty subscription.

Existing setup refers to the presence of an Active Directory in the subscription. In the context of the getting started wizard Active Directory can be either Azure AD DS or AD DS.

Empty subscriptions refer to an environment that does not have an active directory.

 

7.1.          Existing setup

Successful getting stated deployment on an environment that contains Azure AD DS or AD DS will include:

  • Two resource groups (RG):
    • First RG starting with a user defined prefix and ending at *deployment, that contains deployment artefacts.
    • Second RG starting with a user defined prefix and ending at *WVD, that contains the AVD environment.
  • AVD resources in RG ending in *WVD
    • Workspace (EB-WVD-WS)
    • Host pool (EB-WVD-HP)
    • Desktop application group (EB-WVD-HP-DAG)
    • Session hosts and their corresponding resource
      • nothing
      • Disk
      • VM
    • When the wizard is configured for multi-session
      • Storage account, used for FSLogix configuration.
      • Managed identity

 

7.2.          Empty subscription

Successful getting stated deployment on an environment that does not contain Azure AD DS or AD DS is considered empty by the getting started wizard.

  • Three resource groups (RG):
    • First RG starting with the user defined prefix and ending in *deployment, that contains deployment artefacts.
    • Second RG starting with the user defined prefix and ending in *wvd, that contains the AVD environment.
    • Third RG starting with the user defined prefix and ending in *prerequisite, that contains the Azure AD DS deployment.
  • AVD resources in RG ending in *wvd
    • Workspace (EB-WVD-WS)
    • Host pool (EB-WVD-HP)
    • Desktop application group (EB-WVD-HP-DAG)
    • Session hosts and their corresponding resource
      • nothing
      • Disk
      • VM
    • Prerequisite resource in RG ending in *prerequisite
      • 2 NICs
      • Load balancer
      • Public IP address
      • Azure AD Domain Services
      • Virtual network
      • Network security group
    • When the wizard is configured for multi-session
      • Storage account, used for FSLogix configuration.
      • Managed identity

 

7.3.          Resource group for Azure AD Domain Service (*prerequisites)

This screenshot shows the resource group where the getting started wizard deploys Azure AD Domain Service.

 

 

7.4.          AVD host pool

The screenshot below shows the host pool deployed with the getting started wizard.

 

 

7.5.          Host pool resource group (*wvd)

The screenshot below shows the *wvd resource group and the resource inside.

 

 

7.6.          Resource group containing Azure Automation Runbooks (*deployment)

This screenshot shows the content of the resource group ending on deployments, where the Automation Account and Runbooks that power the getting started wizard are created and stored.

 

 

8.   Known issues 

8.1.          Session host name collisions

Currently the getting started wizard can be ran multiple times on a subscription. When the wizard has deployed session hosts and is run a second time the session host names between the first and second deployment will be the same. This does not impact AVD but creates challenges with management in Azure and in the identity provider.

 

8.2.          MSDN subscription support

Using MSDN subscription with the getting started wizard is supported but the MSA user that is signed up for the the subscription cannot be used:

  • Navigate to Azure Active Directory and select Users
  • Select the user you are looking to use 
  • Confirm the user principal name (UPN) does not contain #EXT# (e.g. user_hotmail.com#EXT#@hotmail.onmicrosoft.com)

The solution to this limitation is to create a new Azure AD native user and assign both Global Admin and Subscription owner roles.

 

  • jlou65535's avatar
    jlou65535
    Iron Contributor
    Just tested yesterday in the different scenarios (null / Azure AD DS / AD)
    Very useful for starting quickly AVD
    I have to test now with some customized images
  • David Schrag's avatar
    David Schrag
    Iron Contributor
    You note that "AD Domain join UPN cannot include reserved words" as listed in the linked page. Are you referring to the account used to join the domain, or the domain itself? Specifically, when creating AADDS, can I use reservedword.mydomain.com for my domain? Does it matter if the the Azure AD user account being used to join the domain is useraccount@mydomain.com instead of useraccount@reservedword.mydomain.com, with reservedword.mydomain.com being specified as the domain to join when deploying a session host? (My situation is that I used a reserved word as part of my AADDS subdomain, and I'm wondering if I will need to start from scratch or perhaps try to rename it.)
    • Stefan Georgiev's avatar
      Stefan Georgiev
      Icon for Microsoft rankMicrosoft
      If just a part like admin* or *admin in the user name or admin.onmicrosoft.com in the domain name should work
  • Terry_Russell's avatar
    Terry_Russell
    Copper Contributor

    Stefan Georgiev 
    I have tried the Quick startup for AVD and I keep getting "Your Deployment Failed"

    Apparently there is a conflict.

      "status""Failed",
        "error": {
            "code""ResourceDeploymentFailure",
            "message""The resource operation completed with terminal provisioning state 'Failed'."
        }
    }
      • rymangan's avatar
        rymangan
        Brass Contributor

        rtccoupe Believe it or not, you can check the error within the runbook which will be deployed to the resource group. I had this issue and it turns out, I needed to change my password. Check the specific error in the automation logs.

  • PropellrHead's avatar
    PropellrHead
    Copper Contributor
    I've found the wizard does NOT yet factor in the preview AAD Join Identity provider that does not require on prem' AD DS or Azure AD DS. Any idea when it will be updated?

Resources