SOLVED

Difference between Windows Virtual Desktop and Client Application Assignments in Azure AD


Can someone explain the difference of these two apps in AD?  It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop Application to use the web URL.  Adding users to the client app seems to do nothing.  We've had no issue with the windows and mac RDP apps using the web feed URLs.  Unless this is what we have to do for the time being but it just seems a little confusing.

 

And I don't know if I'm missing something, but I can only deploy apps and desktops per UPN and cannot apply a security group.  It would be nice to have the app groups set up to look for a security group, so you simply add the users to the group in AD and, when things sync up, you have your apps.


@Feffen The powershell piece isn't bad since I'm in powershell almost all day.  It's just one of those things that previews find...odd behavior.  Glad it's not just us and there are others out there following this thread.

@Rob Blankers , @stevenzelenko , @Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.

 

Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.


@Christian_Montoya 

 

Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.

 

I'm a bit confused by the language here, I guess; wouldn't I want to have to assign users to this app to control access?

best response confirmed by stevenzelenko (Brass Contributor)
Solution
@Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.

@Christian_Montoya Mine was set to yes too.  That makes sense.  You are handling the permission from the app group, if you aren't part of the permission to that group, no access.  Makes perfect sense now.  We'll test tomorrow and report back our findings.  Thanks for the reply!  Greatly appreciated.

@Christian_Montoya Had some time to test this.  I removed my account from the Azure application and got right in.  When I went to open an app, I got this error shown in the screen cap.  We do have a conditional access policy applied to require MFA off of our network.  But even on our network, this same error presents itself.

 


 

 

@Christian_Montoya Looks like I spoke too soon.  For some reason, our session host crashed and I had to reboot the VM.  All works now, even CA.  Great and simple discovery.  Thank you.

@stevenzelenko @Christian_Montoya SUCCESS!!!  I flipped the 'User assignment required' switch to No on each Enterprise Application, removed all the users from those apps and verified that all users in the Desktop Application Group (administered through PowerShell) can login without issue.  Appreciate the follow up on this unsupported service and can't wait for GA!!  Thanks again!
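An added example (not from the thread or from Microsoft's own tooling) of auditing the outcome described above from PowerShell: it reads the 'User assignment required' flag on both enterprise applications and lists who the app group actually grants access to. It assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and already signed in (Connect-AzureAD, Add-RdsAccount); the tenant, host pool and app group names are placeholders.

```powershell
# Added example, not from the thread. Assumes AzureAD and
# Microsoft.RDInfra.RDPowerShell are installed and you have already run
# Connect-AzureAD and Add-RdsAccount. Names below are placeholders.
$TenantName = '<tenantName>'
$HostPool   = '<hostPoolName>'
$AppGroup   = 'Desktop Application Group'

# 1. In the portal, 'User assignment required?' is the service principal's
#    AppRoleAssignmentRequired flag. Per the thread it must be $false on
#    both apps, because WVD enforces access per app group, not per app.
$apps = 'Windows Virtual Desktop', 'Windows Virtual Desktop Client'
foreach ($name in $apps) {
    $sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$name'"
    if (-not $sp) { Write-Warning "Service principal '$name' not found"; continue }
    $state = if ($sp.AppRoleAssignmentRequired) { 'Yes (blocks sign-in)' } else { 'No (expected)' }
    '{0,-32} User assignment required: {1}' -f $name, $state
    # To apply the fix from the thread, uncomment the next line:
    # Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
}

# 2. This is where access is really granted: the app group membership.
#    Anyone missing here gets no desktop regardless of the Azure AD app.
Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPool -AppGroupName $AppGroup |
    Select-Object UserPrincipalName
```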

Glad you're up and running! As we depend on Azure AD and other Azure services, we are learning as we go in certain scenarios. Thanks for the patience and validating!
Confirmed it’s working for me now as well.

@Christian_Montoya Hey, I am facing the same issue. I have added my users through PowerShell and also I have added them in my Enterprise applications, including Windows Virtual Desktop and Windows Virtual Desktop Client. Everything is in place; also in my Enterprise applications, in Properties, I have set the user assignment required option to No. Still my users are not able to access the WVD and it is throwing the following error:

Please help me with it as soon as possible. Also, when I add those users to the AADC group they are able to access it and it does not throw any error, but for my environment I don't want all users to have the admin access.

@sarahpotrick2573 : Can you run steps from our troubleshooting guide to see if there are specific errors from Diagnostics? https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-client-connection#troubleshooting-end-... .

 

This would be the best way to understand what the initial errors are so that you don't need to add them as admins.

@Christian_Montoya Yes, I checked it out and it is telling me that the user does not exist and that the VM is not joined. But my VM is joined to the domain that I created through Azure AD DS, and also all of my users exist in Azure Active Directory; I created that user in my Azure Active Directory only. I don't want all of my users to be in the AADC group, I just want them to access the WVD environment. Please help me out with some solution ASAP, as I have been trying to resolve this for the past 10 days and I need to deploy this in my client environment.

@sarahpotrick2573 : How did you configure Azure AD Domain Services? Does the domain match the UPNs of the Azure AD users?

@Christian_Montoya My users are not able to sign in to their host pool virtual machine. It is throwing the following error. The username and password are correct and also I have assigned them through PowerShell; still it is throwing the same error.


@sarahpotrick2573 : Can you run the following command to check the failed connections

Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityType Connection -Outcome Failure -Detailed

 

Then, you can look at each individually and expand their Errors property. You can do this by getting the exact ActivityId, then:

$activity = Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityId <activityId> -Detailed
$activity.Errors
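The two steps above run as one script, as an added example that is not from the thread: it lists every failed connection activity, expands each one's Errors by ActivityId exactly as described, and then groups the results by symbolic error code so a recurring cause (a session host that is down, an unsynced password, an unjoined VM) stands out before anything goes into a support ticket. It assumes Microsoft.RDInfra.RDPowerShell is loaded and Add-RdsAccount has been run; the tenant name is a placeholder and the property names on the error objects (ErrorCodeSymbolic, ErrorMessage) are assumed from the cmdlet's output.

```powershell
# Added example, not from the thread. Assumes Add-RdsAccount has already
# been run. <tenantName> is a placeholder; ErrorCodeSymbolic/ErrorMessage
# are the assumed property names on each entry of an activity's Errors.
$TenantName = '<tenantName>'

# Step 1: every failed connection activity for the tenant.
$failed = Get-RdsDiagnosticActivities -TenantName $TenantName `
            -ActivityType Connection -Outcome Failure -Detailed

# Step 2: fetch each activity by ActivityId and flatten its Errors
#         into one row per error so they can be grouped and exported.
$rows = foreach ($a in $failed) {
    $activity = Get-RdsDiagnosticActivities -TenantName $TenantName `
                  -ActivityId $a.ActivityId -Detailed
    foreach ($e in $activity.Errors) {
        [pscustomobject]@{
            ActivityId = $a.ActivityId
            User       = $a.UserName
            Symbolic   = $e.ErrorCodeSymbolic
            Message    = $e.ErrorMessage
        }
    }
}

# Which error dominates? One code across many users points at the
# session host or directory sync; one user with many codes points at
# that user's account.
$rows | Group-Object Symbolic | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail, ready to attach to a support ticket.
$rows | Sort-Object User, ActivityId | Format-Table -AutoSize
```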

 

@Christian_Montoya After running the PowerShell commands, I get the following details.

I am not able to understand what I should do next.

@sarahpotrick2573 : Did the users already reset their passwords? There needs to be at least one password reset so the password hashes sync down.

 

If so, you'll need to create a support ticket through the Azure portal so that our engineers can dive deeper to resolve.

Ok. I will try resetting the password as well. If this works out, well and good. Also, is support not available for WVD yet?

@sarahpotrick2573 : Actually, support is available for WVD. And you can file a ticket through the Azure portal. We also have some links from our docs site: https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-set-up-overview