SOLVED

Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

Can someone explain the difference of these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop Application to use the web URL. Adding users to the client app seems to do nothing. We've had no issue with the Windows and Mac RDP apps using the web feed URLs. Unless this is what we have to do for the time being but it just seems a little confusing.

And I don't know if I'm missing something but I can only deploy apps and desktops per UPN and cannot apply a security group. Would be nice to have the app groups set up to look for a security group and simply adding the users to the group in AD and when things sync up, you have your apps.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya of course. Thanks for helping me through this.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko : Can we follow up in a Private Message? It's really strange that you're hitting this and would like to get to the bottom of this. Although you are seeing this behavior, you should not have to be adding users to the TenantCreators role to access their desktops or applications, so I just want to better understand your environment.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya the rdweb link here https://rdweb.wvd.microsoft.com/webclient

but it doesn't matter. Even when using the WVD desktop client, every user has to be a tenant creator in the WVD app in Azure. If they are only assigned to the WVD client app in Azure, they have no access. Everything works fine but the permissions seem backwards.

I've added some screen caps of what I'm talking about. You can see, all users marked as Tenant Creators in the WVD app have access. All users in the WVD client app set with a role of default access cannot log into the web URL nor the WVD client app. If I move them to creators, they have access without issue.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko : And when you say "going to the website", which website are you referring to? Can you post the link?

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya. I have allowed admin and client rights using my global admin account in Azure. When I add a user to the WVD client app, going to the website attempts to log them in but kicks them back out. Same with the desktop client. In order to get them access, I have to add them as a tenant creator in the WVD application in Azure. Actually, I can only add them as tenant creators.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.

If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya got it, thank you. Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service? It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app. When I add them as a tenant creator all is well.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko : Thanks for the testing so far! To address some of your questions:

- Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
- Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko

Did you ever get this resolved? I'm running into the exact same issue, if I make them tenant

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen not yet. We have an Azure ticket open and they captured the Fiddler trace. Might have something soon.

@christianmontoya looks like another admin has our same issue.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko

Thanks for the quick reply. Seeing exactly what you are, unless I add them as a tenantcreator in the Windows Virtual Desktop app after adding the user via Add-RdsAppGroupUser, they cannot log in. The WVD website just keeps kicking you to the login page (I see something in the address bar quickly about access denied), and the RD app says it cannot authenticate the user.

The Windows Virtual Desktop Client app doesn't seem to do anything.

Once I add the user as tenantcreator, everything works fine. Definitely don't want to do this for users.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen Exactly the same thing we see. You will have an error in the WVD client app of this too I bet:

Sign-In error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-gallery#user-not-assigned-a-role.

@christianmontoya is on top of this issue.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko same issue here... glad I found this link.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Rob Blankers Thanks for reporting this. @christianmontoya looks like we have another one. Just reporting it to Microsoft so we can have some ammunition to get down to the bottom of this.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko

Wow, glad I saw this post too - thanks Steven. See mine below - ignore all the older posts. Same situation, except I thought it had something to do with the fact that my Tenant Creator user didn't have MFA while the regular user account who is in the Desktop Application Group does have MFA enabled.

I just did what you guys have done - added the regular user to the Tenant Creator role in the Windows Virtual Desktop application and tried the RD Client again. I can see my pool now....

https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Error-deploying-WVD-to-a-subscription/m-p/664274/highlight/true#M709

@christianmontoya - this is messed up :) . Following this post closely now too. Thanks - have a good day, all.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@jaycrumpgp @stevenzelenko : Oh man, yes, this is definitely still an error. Let me follow up with the team and get back to you to see how we can address/resolve this. Full disclosure, I definitely want to get to the bottom of this because I don't want this error happening in the future, especially GA.

Let me get back to you, but definitely thank you both for reporting.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya

So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client. In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app. At least you can't see them in the AAD GUI. I've used the following:

    Add-RdsAppGroupUser -TenantName <TENANT> -HostPoolName <HOSTPOOL> -appgroupname "Desktop Application Group" -UserPrincipalName

Manually adding a user to only the "Windows Virtual Desktop Client" app does not work. Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application". The application ID presented in this error is the ID for the "Windows Virtual Desktop" app. If I add the user to that app, it works. But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it.

Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Rob Blankers I'm bumping this again. We still have this issue. Microsoft told me that they would escalate internally but haven't heard anything yet. @christianmontoya Do you know anything? Everything else is fine but this issue seems weird. Attaching the error we are still seeing again if it helps.

Date: 8/6/2019, 9:23:38 AM
Status: Failure
Sign-in error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-gallery#user-not-assigned-a-role.
Client app: Mobile Apps and Desktop clients

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko Still happening here as well. Have to make users tenant creators and manually add to the desktop users group via PowerShell before they can log in. Really not fun to admin this thing.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen The PowerShell piece isn't bad since I'm in PowerShell almost all day. It's just one of those things that previews find...odd behavior. Glad it's not just us and there are others out there following this thread.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Rob Blankers , @stevenzelenko , @Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.

Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of "User assignment required?" set to No.

[Image: clipboard_image_1.png]

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya

Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.

I'm a bit confused by the language here I guess, wouldn't I want to have to assign users to this app to control access?

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen: The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya Mine was set to yes too. That makes sense. You are handling the permission from the app group, if you aren't part of the permission to that group, no access. Makes perfect sense now. We'll test tomorrow and report back our findings. Thanks for the reply! Greatly appreciated.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya Had some time to test this. I removed my account from the Azure application and got right in. When I went to open an app, I got this error shown in the screen cap. We do have a conditional access policy applied to require MFA off of our network. But even on our network, this same error presents itself.

[Image: connection error.PNG]

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD
%3D%22lingo-body-794256%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BLooks%20like%20I%20spoke%20too%20soon.%26nbsp%3B%20For%20some%20reason%2C%20our%20session%20host%20crashed%20and%20I%20had%20to%20reboot%20the%20VM.%26nbsp%3B%20All%20works%20now%2C%20even%20CA.%26nbsp%3B%20Great%20and%20simple%20discovery.%26nbsp%3B%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803137%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803137%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F279502%22%20target%3D%22_blank%22%3E%40stevenzelenko%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BSUCCESS!!!%26nbsp%3B%20I%20flipped%20the%20'User%20assignment%20required'%20switch%20to%20No%20on%20each%20Enterprise%20Application%2C%20removed%20all%20the%20users%20from%20those%20apps%20and%20verified%20that%20all%20users%20in%20the%20Desktop%20Application%20Group%20(administered%20through%20PowerShell)%20can%20login%20without%20issue.%26nbsp%3B%20Appreciate%20the%20follow%20up%20on%20this%20unsupported%20service%20and%20can't%20wait%20for%20GA!!%26nbsp%3B%20Thanks%20again!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803152%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803152%22%20slang%3D%22en-US%22%3EGlad%20you're%20up%20and%20running!%20As%20we%20depend%20on%20
Azure%20AD%20and%20other%20Azure%20services%2C%20we%20are%20learning%20as%20we%20go%20in%20certain%20scenarios.%20Thanks%20for%20the%20patience%20and%20validating!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803154%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803154%22%20slang%3D%22en-US%22%3EConfirmed%20it%E2%80%99s%20working%20for%20me%20now%20as%20well.%3C%2FLINGO-BODY%3E
stevenzelenko
Contributor

Can someone explain the difference of these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop Application to use the web URL. Adding users to the client app seems to do nothing. We've had no issue with the Windows and Mac RDP apps using the web feed URLs. Unless this is what we have to do for the time being but it just seems a little confusing.

And I don't know if I'm missing something but I can only deploy apps and desktops per UPN and cannot apply a security group. Would be nice to have the app groups set up to look for a security group and simply adding the users to the group in AD and when things sync up, you have your apps.

29 Replies

@stevenzelenko : Thanks for the testing so far! To address some of your questions:

  • Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
  • Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.

@christianmontoya got it, thank you.  Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service?  It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app.  When I add them as a tenant creator all is well.

@stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.

 

If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"? 

@christianmontoya. I have allowed admin and client rights using my global admin account in Azure. When I add a user to the WVD client app, going to the website attempts to log them in but kicks them back out. Same with the desktop client. In order to get them access, I have to add them as a tenant creator in the WVD application in Azure. Actually, I can only add them as tenant creators.

@stevenzelenko : And when you say "going to the website", which website are you referring to? Can you post the link?

@christianmontoya the rdweb link here https://rdweb.wvd.microsoft.com/webclient

but it doesn't matter. Even when using the WVD desktop client, every user has to be a tenant creator in the WVD app in Azure. If they are only assigned to the WVD client app in Azure, they have no access. Everything works fine but the permissions seem backwards.

 

I've added some screen caps of what I'm talking about.  You can see, all users marked as Tenant Creators in the WVD app have access.  All users in the WVD client app set with a role of default access cannot log into the web URL nor the WVD client app.  If I move them to creators, they have access without issue.

@stevenzelenko : Can we follow up in a Private Message? It's really strange that you're hitting this and would like to get to the bottom of this. Although you are seeing this behavior, you should not have to be adding users to the TenantCreators role to access their desktops or applications, so I just want to better understand your environment.

@stevenzelenko

Did you ever get this resolved? I'm running into the exact same issue, if I make them tenant

@Feffen not yet.  We have an azure ticket open and they captured the fiddler trace.  Might have something soon.

 

@christianmontoya looks like another admin has our same issue.

@stevenzelenko

Thanks for the quick reply. Seeing exactly what you are, unless I add them as a tenantcreator in the Windows Virtual Desktop app after adding the user via Add-RdsAppGroupUser, they cannot log in. The WVD website just keeps kicking you to the login page (I see something in the address bar quickly about access denied), and the RD app says it cannot authenticate the user.

The Windows Virtual Desktop Client app doesn't seem to do anything.

Once I add the user as tenantcreator, everything works fine. Definitely don't want to do this for users.

@Feffen Exactly the same thing we see.  You will have an error in the WVD client app of this too I bet:

Sign-in error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-ga....

@christianmontoya is on top of this issue.

@stevenzelenko same issue here... glad I found this link.  

@Rob Blankers Thanks for reporting this.  @christianmontoya looks like we have another one.  Just reporting it to Microsoft so we can have some ammunition to get down to the bottom of this.

@stevenzelenko

Wow, glad I saw this post too - thanks Steven. See mine below - ignore all the older posts. Same situation, except I thought it had something to do with the fact that my Tenant Creator user didn't have MFA while the regular user account who is in the Desktop Application Group does have MFA enabled.

I just did what you guys have done - added the regular user to the Tenant Creator role in the Windows Virtual Desktop application and tried the RD Client again. I can see my pool now....

https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Error-deploying-WVD-to-a-subscription...

@christianmontoya - this is messed up :) . Following this post closely now too. Thanks - have a good day, all.

@jaycrumpgp @stevenzelenko : Oh man, yes, this is definitely still an error. Let me follow up with the team and get back to you to see how we can address/resolve this. Full disclosure, I definitely want to get to the bottom of this because I don't want this error happening in the future, especially GA.

Let me get back to you, but definitely thank you both for reporting.

@christianmontoya 

So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client.  In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app.  At least you can't see them in the AAD GUI.  I've used the following:

Add-RdsAppGroupUser -TenantName <tenant> -HostPoolName <hostpool> -appgroupname "Desktop Application Group" -UserPrincipalName 

 

Manually adding a user to only the "Windows Virtual Desktop Client" app does not work.  Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application".  The application ID presented in this error is the ID for the "Windows Virtual Desktop" app.  If I add the user to that app, it works.  But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it. 

 

Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.  

@Rob Blankers I'm bumping this again.  We still have this issue.  Microsoft told me that they would escalate internally but haven't heard anything yet.  @christianmontoya Do you know anything?  Everything else is fine but this issue seems weird.  Attaching the error we are still seeing again if it helps.

 

Date: 8/6/2019, 9:23:38 AM
Status: Failure
Sign-in error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-ga....
Client app: Mobile Apps and Desktop clients

@stevenzelenko Still happening here as well. Have to make users tenant creators and manually add to the desktop users group via PowerShell before they can log in. Really not fun to admin this thing.

@Feffen The PowerShell piece isn't bad since I'm in PowerShell almost all day. It's just one of those things that previews find...odd behavior. Glad it's not just us and there are others out there following this thread.

@Rob Blankers , @stevenzelenko , @Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.

 

Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.

clipboard_image_1.png

@christianmontoya

Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.

I'm a bit confused by the language here I guess, wouldn't I want to have to assign users to this app to control access?

Solution
@Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.

@christianmontoya Mine was set to yes too.  That makes sense.  You are handling the permission from the app group, if you aren't part of the permission to that group, no access.  Makes perfect sense now.  We'll test tomorrow and report back our findings.  Thanks for the reply!  Greatly appreciated.

@christianmontoya Had some time to test this.  I removed my account from the Azure application and got right in.  When I went to open an app, I got this error shown in the screen cap.  We do have a conditional access policy applied to require MFA off of our network.  But even on our network, this same error presents itself.

 

connection error.PNG

 

 

@christianmontoya Looks like I spoke too soon.  For some reason, our session host crashed and I had to reboot the VM.  All works now, even CA.  Great and simple discovery.  Thank you.

@stevenzelenko @christianmontoya SUCCESS!!!  I flipped the 'User assignment required' switch to No on each Enterprise Application, removed all the users from those apps and verified that all users in the Desktop Application Group (administered through PowerShell) can login without issue.  Appreciate the follow up on this unsupported service and can't wait for GA!!  Thanks again!

Glad you're up and running! As we depend on Azure AD and other Azure services, we are learning as we go in certain scenarios. Thanks for the patience and validating!
Confirmed it’s working for me now as well.
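
The check that resolved this thread, as an added PowerShell example that is not part of the original posts and not Microsoft's own tooling: it reports the "User assignment required?" setting and the current assignments on the two enterprise applications named above, and turns the setting off only when run with `-Fix`. It assumes the AzureAD PowerShell module and rights to manage enterprise applications; the `-Fix` switch is a name chosen for this sketch.

```powershell
# Added example: audit, and optionally clear, "User assignment required?" on the
# two enterprise applications discussed in this thread.
# Assumption: the AzureAD module is installed and the caller can manage enterprise apps.
param(
    [switch]$Fix   # hypothetical switch for this sketch: without it, report only
)

Import-Module AzureAD
Connect-AzureAD | Out-Null

# Display names as they appear in the thread.
$appNames = 'Windows Virtual Desktop', 'Windows Virtual Desktop Client'

foreach ($name in $appNames) {
    $sps = @(Get-AzureADServicePrincipal -Filter "displayName eq '$name'")
    if ($sps.Count -eq 0) {
        Write-Warning "No enterprise application named '$name' in this directory."
        continue
    }

    foreach ($sp in $sps) {
        # Users and groups currently assigned to this app in Azure AD.
        $assigned = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true)

        [pscustomobject]@{
            Application            = $sp.DisplayName
            AppId                  = $sp.AppId
            UserAssignmentRequired = $sp.AppRoleAssignmentRequired
            AssignedPrincipals     = ($assigned.PrincipalDisplayName -join ', ')
        }

        if ($Fix -and $sp.AppRoleAssignmentRequired) {
            # While the setting is on, unassigned users fail sign-in with error 50105.
            Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
            Write-Host "Set 'User assignment required?' to No on '$($sp.DisplayName)'."
        }
    }
}
```

With the setting off, access to desktops and apps is decided by app group membership managed through Add-RdsAppGroupUser, as the accepted answer explains. The report also lists any users left assigned from the workaround, which is worth reviewing because the TenantCreator role is what allows New-RdsTenant.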