Forum Discussion
DavidBelanger (Microsoft)
Jul 14, 2021
PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs
We are excited to announce the public preview of Azure AD joined VMs support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure portal and access them from all clients. VMs can also be automatically enrolled in Intune for ease of management. Support for storing FSLogix profiles on Azure Files will be available in a future update.
Getting started:
The documentation to deploy Azure AD joined session hosts will guide you through the key steps needed to enable this functionality.
- End-to-end single sign-on is definitely something we are working on but isn't available in the first release due to the protocol we are using. We know how important that feature is.
- ahart3 (Brass Contributor)
Would just like to confirm that you can access/login to AAD-joined session hosts from an Azure AD registered device using your AAD credentials? The docs state it below (third point) but when I have tested this it doesn't work; it does however work fine when the local PC is AAD joined.
Does it need to be a certain edition of Windows 10?
Connect using the Windows Desktop client
The default configuration supports connections from Windows 10 using the Windows Desktop client. You can use your credentials, smart card, Windows Hello for Business certificate trust or Windows Hello for Business key trust with certificates to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
- The local PC is Azure AD-joined to the same Azure AD tenant as the session host
- The local PC is hybrid Azure AD-joined to the same Azure AD tenant as the session host
- The local PC is running Windows 10, version 2004 and later, and is Azure AD registered to the same Azure AD tenant as the session host
To enable access from Windows devices not joined to Azure AD, add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm
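The quoted documentation says the `targetisaadjoined:i:1` custom RDP property is what allows clients that are not joined or registered to the tenant to connect (restricted to username/password). Setting it through the portal is a free-text field, so it is easy to overwrite properties already on the pool. The following PowerShell is an added example (not from the original post, the docs, or Microsoft) that merges the property into the existing `CustomRdpProperty` string idempotently using the `Az.DesktopVirtualization` cmdlets `Get-AzWvdHostPool` and `Update-AzWvdHostPool`; the resource group and host pool names are placeholders, and an existing `Connect-AzAccount` session is assumed.

```powershell
# Added example, not part of the original thread or the Azure docs.
# Assumes: Az.DesktopVirtualization module installed, Connect-AzAccount already run.
# Resource group and host pool names below are placeholders.
#Requires -Modules Az.DesktopVirtualization

function Merge-RdpProperty {
    param(
        [AllowEmptyString()][string]$Existing,   # e.g. 'drivestoredirect:s:;audiomode:i:0;'
        [Parameter(Mandatory)][string]$Name,     # e.g. 'targetisaadjoined'
        [Parameter(Mandatory)][string]$Value     # type:value, e.g. 'i:1'
    )
    # Custom RDP properties are a semicolon-separated list of key:type:value.
    # Parse into an ordered table so existing settings survive and order is stable.
    $props = @{}
    $order = [System.Collections.Generic.List[string]]::new()
    foreach ($item in ($Existing -split ';' | Where-Object { $_.Trim() })) {
        $key, $rest = $item.Trim() -split ':', 2
        if (-not $props.ContainsKey($key)) { $order.Add($key) }
        $props[$key] = $rest
    }
    if (-not $props.ContainsKey($Name)) { $order.Add($Name) }
    $props[$Name] = $Value
    # Re-serialize with a trailing semicolon, matching what the portal writes.
    return (($order | ForEach-Object { '{0}:{1}' -f $_, $props[$_] }) -join ';') + ';'
}

$rg   = 'rg-avd'         # placeholder resource group
$pool = 'hp-aadjoined'   # placeholder host pool name

$hostPool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$current  = [string]$hostPool.CustomRdpProperty
$desired  = Merge-RdpProperty -Existing $current -Name 'targetisaadjoined' -Value 'i:1'

if ($desired -ne $current) {
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $desired | Out-Null
    Write-Host "Updated custom RDP properties to: $desired"
} else {
    Write-Host "targetisaadjoined:i:1 already present: $current"
}
```

Keep in mind what the docs say about this mode: with the property set, connections from non-joined devices are limited to username and password sign-in, so Windows Hello and smart card paths described above only apply to clients joined or registered to the same tenant. Treat the property as widening the set of clients that can reach the host, and pair it with the tenant's Conditional Access controls rather than relying on device join as the gate.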
- ahart3 (Brass Contributor)
I did make that change. I've tested again this morning and all seems to be working fine now, strange but hey that is a good result 🙂
- RaldPons11 (Copper Contributor)
DavidBelanger Awesome! May we know when support for FSLogix profiles on Azure Files will be available?
- DavidBelanger (Microsoft)
We are hoping to start the public preview of support for FSLogix profiles on Azure Files for hybrid users in Q4 CY21. We are working on the Windows servicing update needed to support the feature.
- RaldPons11 (Copper Contributor)
DavidBelanger Thanks! But is there also any public preview for FSLogix profiles on Azure Files if we are only using purely Azure AD users? Also, for the meantime, is there any workaround to store user profiles other than local profiles for Azure AD joined VMs?
- mcavalcantitecmicrosof (Copper Contributor)
Hello everyone,
A question, does this solution need to have a local domain controller?
My structure is 100% Azure.
- DavidBelanger (Microsoft)
You can deploy this solution with cloud-only users and no domain controller as long as you don't have apps that might require it. But it sounds like you don't.
- mcavalcantitecmicrosof (Copper Contributor)
Hi, David
I'm creating an environment through the Azure portal following the local steps, but after putting the user's permission on the app, whenever I try to access it with the remote desktop tool I get error 0x30000047.
Attached is the print of the permissions on the host and on the application.
I don't know if there would be any other configuration to be done after deployment. What I noticed is that whenever the deployment ends the host's status becomes Unavailable.
NOTE: I don't have Azure AD DS enabled in my environment, only Azure Active Directory and Intune
- CloudMcStuffins (Copper Contributor)
So I finally got in using the Windows 10 desktop app, exempting the vm login app from mfa AND using an account that is exempt from MFA.
I like where this is going for sure.
- DavidBelanger (Microsoft)
Hi folks, are some of you still hitting the security prompt after disabling MFA on the Azure Windows VM sign-in? If so, anyone interested in filing a support request for it so we can engage and investigate? If you do, please send me the support ticket number.
- nbird22 (Iron Contributor)
I am, David. Happy to work with you on this. I'll send you a PM.
- nbird22 (Iron Contributor)
I have the same issue as others here where I simply cannot login to the VM - Sign-In method not allowed. I've followed the guidance to the letter. Validation HostPool, PKU2U Setting is Enabled, RDP Properties updated, all my CA Policies have been disabled to rule it out, the correct Azure roles are assigned. I've tried this with 20H2 and 21H1 images, I've tried it with Intune enrolment on and Intune enrolment off. I'm out of ideas.
Is there a log/event somewhere that can nail down this issue further rather than the generic sign-in method not allowed error?
- Richard Harrison (Copper Contributor)
DavidBelanger We've managed to set this up with PIN access just fine - everything looks good. However when using username/password it just won't work. I've read all the stuff around CA policies potentially causing this but adding the users to CA exclusion groups has no effect and there is no kind of error/failure logged at all in AAD sign-in logs. Is there any other potential cause here? Can I get more debug out of the sign-in process to see where the issue actually lies?
So to confirm username/password gets message below - pin works fine
Thanks,
Rich
- Richard Harrison (Copper Contributor)
Oh - and to confirm we do have targetisaadjoined:i:1 set in RDP properties.
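Both nbird22 and Richard Harrison ask where to look when the client only shows "sign-in method not allowed" and the AAD sign-in logs are empty. The failures that never reach the tenant are usually the client-side prerequisites the documentation quoted earlier lists: the device's join state relative to the session host's tenant, and the PKU2U policy ("Network security: Allow PKU2U authentication requests to this computer to use online identities"). The following PowerShell is an added example, not from this thread or Microsoft, that checks those two things on the local PC. It parses `dsregcmd /status` (a built-in Windows tool) and reads the `AllowOnlineID` value under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u`, which is the registry value behind that policy; the expected tenant ID is a placeholder you supply. Conditional Access exclusions, which the thread later identifies as the remaining cause, are tenant-side and are not checked here.

```powershell
# Added example, not part of the original thread or the Azure docs.
# Run on the connecting client (not on the session host), in an elevated prompt
# if you want the registry read to succeed on a locked-down device.
# $ExpectedTenantId is a placeholder: use the tenant ID the session hosts are joined to.

function Get-DsregState {
    # Turn "    Name : Value" lines from dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-AvdClientPrereqs {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)

    $s = Get-DsregState
    $findings = [System.Collections.Generic.List[string]]::new()

    # Join state, mapped onto the three conditions the docs list.
    $aadJoined  = $s['AzureAdJoined']   -eq 'YES'
    $domJoined  = $s['DomainJoined']    -eq 'YES'
    $registered = $s['WorkplaceJoined'] -eq 'YES'   # "Azure AD registered"

    if ($aadJoined -and $domJoined) { $findings.Add('OK: device is hybrid Azure AD joined.') }
    elseif ($aadJoined)             { $findings.Add('OK: device is Azure AD joined.') }
    elseif ($registered)            { $findings.Add('OK: device is Azure AD registered (docs require Windows 10 2004 or later for this path).') }
    else { $findings.Add('FAIL: device is neither joined nor registered; only username/password via targetisaadjoined:i:1 can work.') }

    # Joined devices report TenantId; it must match the session host tenant.
    if ($s['TenantId'] -and $s['TenantId'] -ne $ExpectedTenantId) {
        $findings.Add("FAIL: device tenant $($s['TenantId']) differs from session host tenant $ExpectedTenantId.")
    }

    # PKU2U online identities must be allowed for Azure AD credentials over RDP.
    $pku2u = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u' `
                              -Name AllowOnlineID -ErrorAction SilentlyContinue
    if ($pku2u -and $pku2u.AllowOnlineID -eq 1) {
        $findings.Add('OK: PKU2U online identities are allowed (AllowOnlineID = 1).')
    } else {
        $findings.Add('FAIL: PKU2U AllowOnlineID is not 1; enable "Allow PKU2U authentication requests to this computer to use online identities".')
    }

    return $findings
}

Test-AvdClientPrereqs -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
```

If every line reports OK on the client and the session host was built from the validation steps in the docs, the remaining suspects are tenant-side: a Conditional Access policy requiring MFA that still covers the "Azure Windows VM Sign-In" app, which is where the thread ends up.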
- DavidBelanger (Microsoft)
Richard Harrison looks like the CA policy is still triggering. Have you tried adding the "Azure Windows VM Sign-In" app to the exclusion list to confirm you can get past the issue? Once confirmed, we can review why adding the users to the exclusion list isn't working.
- Nikonline (Copper Contributor)
DavidBelanger perhaps need to highlight to users that this solution doesn't support MFA, which to me is a major blocker. I had to disable MFA-related CA policies (organisation wide) to leverage AAD joining and Intune enrolment at the time of deployment. Any advice on security?
- Peter Meuser (Copper Contributor)
Nikonline You should be able to switch from the global setting "Require Multi-Factor Authentication to register or join devices with Azure AD" to a more recent approach based on a targeted CA policy for "Microsoft Intune Enrollment", that enforces MFA without sacrificing security.
- Nikonline (Copper Contributor)
As I mentioned, I had to disable CA policies that involved MFA. How can we secure access to VMs without MFA? Unless there is something that I am missing.
- tch0704 (Copper Contributor)
DavidBelanger I failed to create hostpool with Azure AD joined VM. Every time I got the message:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AADLoginForWindows'. Error message: \"AAD Join failed.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot "}]}
I tried on 2 different Azure tenants and from different PCs and got the same result. What did I miss?
- munich0815 (Copper Contributor)
tch0704 I had the same problem. The issue was that I had enabled the option to use Intune device management without having an Intune license in place. Disabling the option solved it.
- tch0704 (Copper Contributor)
Yes, it works after I turn off the Intune option. However, the user accounts actually have Enterprise Mobility + E5 licenses. Can I enable Intune after the host pool is created?
- Xandven_ (Copper Contributor)
Will Intune now work with pooled host pools as well? https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop states that only VMs set up as personal desktops can be managed with Intune. If pooled host pools are not supported, what are the plans to support this configuration as well?
- Peter Meuser (Copper Contributor)
Xandven_ Your source is at least outdated. Latest technical information about the public preview can be found here: https://docs.microsoft.com/de-de/azure/virtual-desktop/deploy-azure-ad-joined-vm
I have both personal and pooled VMs in my lab setup AAD joined and Intune managed. Compliance policies are applied to both types correctly, so that you can eval them in CA policies accordingly.
So, my answer is not an official Microsoft one, but from all these observations I would say: Yes, host pools can be Intune managed in this public preview.
- DavidBelanger (Microsoft)
Xandven_ As Peter mentioned, information on Intune support for multi-session is available here: https://docs.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session
- Chris_Gilles_1337 (Copper Contributor)
I'm encountering "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your administrator" when attempting to authenticate with an M365 user account to an AAD joined session host. I'm able to click "Ok", get back to the login prompt and log in with the local administrator account, though.
I also have targetisaadjoined:i:1 in the RDP Properties...
Anyone encountering this?
- Chris_Gilles_1337 (Copper Contributor)
I believe I figured this out. We have a conditional access policy for all cloud apps: RequireDuoMFA. After removing the user account from the associated security group AND from the Duo Security console, I was able to authenticate.
Microsoft, can this be fixed?
- Peter Meuser (Copper Contributor)
Chris_Gilles_1337 You just need to exclude "Azure Windows VM Sign-in" from the CA policy requiring MFA beside the already mentioned RDP settings. At least this worked for me.