03-22-2019 12:29 PM
Can someone explain the difference between these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop application to use the web URL. Adding users to the client app seems to do nothing. We've had no issue with the Windows and Mac RDP apps using the web feed URLs. Unless this is what we have to do for the time being, but it just seems a little confusing.
And I don't know if I'm missing something but I can only deploy apps and desktops per UPN and cannot apply a security group. Would be nice to have the app groups set up to look for a security group and simply adding the users to the group in AD and when things sync up, you have your apps.
03-29-2019 12:51 PM
@stevenzelenko : Thanks for the testing so far! To address some of your questions:
03-29-2019 12:55 PM
@christianmontoya got it, thank you. Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service? It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app. When I add them as a tenant creator all is well.
03-29-2019 01:10 PM
@stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.
If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?
03-30-2019 08:03 AM
04-01-2019 04:58 PM
@stevenzelenko : And when you say "going to the website", which website are you referring to? Can you post the link?
04-01-2019 05:07 PM - edited 04-02-2019 07:07 AM
but it doesn't matter. Even when using the WVD desktop client, every user has to be a tenant creator in the WVD app in Azure. If they are only assigned to the WVD client app in Azure, they have no access. Everything works fine but the permissions seem backwards.
I've added some screen caps of what I'm talking about. You can see, all users marked as Tenant Creators in the WVD app have access. All users in the WVD client app set with a role of default access cannot log into the web URL nor the WVD client app. If I move them to creators, they have access without issue.
04-02-2019 04:05 PM
@stevenzelenko : Can we follow up in a Private Message? It's really strange that you're hitting this and would like to get to the bottom of this. Although you are seeing this behavior, you should not have to be adding users to the TenantCreators role to access their desktops or applications, so I just want to better understand your environment.
04-02-2019 04:07 PM
@christianmontoya of course. Thanks for helping me through this.
05-17-2019 08:33 AM
Did you ever get this resolved? I'm running into the exact same issue, if I make them tenant
05-17-2019 08:37 AM - edited 05-17-2019 08:38 AM
05-17-2019 08:48 AM
Thanks for the quick reply. Seeing exactly what you are: unless I add them as a TenantCreator in the Windows Virtual Desktop app after adding the user via Add-RdsAppGroupUser, they cannot log in. The WVD website just keeps kicking you to the login page (I see something in the address bar quickly about access denied), and the RD app says it cannot authenticate the user.
The Windows Virtual Desktop Client app doesn't seem to do anything.
Once I add the user as TenantCreator, everything works fine. Definitely don't want to do this for users.
05-17-2019 08:53 AM
@Feffen Exactly the same thing we see. You will have an error in the WVD client app of this too I bet:
Sign-In error code:
06-03-2019 02:38 PM
@stevenzelenko same issue here... glad I found this link.
06-03-2019 03:37 PM
06-04-2019 03:57 AM
Wow, glad I saw this post too - thanks Steven. See mine below - ignore all the older posts. Same situation, except I thought it had something to do with the fact that my Tenant Creator user didn't have MFA while the regular user account who is in the Desktop Application Group does have MFA enabled.
I just did what you guys have done - added the regular user to the Tenant Creator role in the Windows Virtual Desktop application and tried the RD Client again. I can see my pool now....
@christianmontoya- this is messed up :) . Following this post closely now too. Thanks - have a good day, all.
06-04-2019 09:34 AM
@jaycrumpgp @stevenzelenko : Oh man, yes, this is definitely still an error. Let me follow up with the team and get back to you to see how we can address/resolve this. Full disclosure, I definitely want to get to the bottom of this because I don't want this error happening in the future, especially at GA.
Let me get back to you, but definitely thank you both for reporting.
06-04-2019 09:48 AM
So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client. In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app. At least you can't see them in the AAD GUI. I've used the following:
Add-RdsAppGroupUser -TenantName <tenant> -HostPoolName <hostpool> -AppGroupName "Desktop Application Group" -UserPrincipalName <upn>
Manually adding a user to only the "Windows Virtual Desktop Client" app does not work. Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application". The application ID presented in this error is the ID for the "Windows Virtual Desktop" app. If I add the user to that app, it works. But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it.
Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.
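The request earlier in the thread to publish per security group rather than per UPN, and the Add-RdsAppGroupUser call shown above, can be combined in a small sync script. The following is an added example, not code from this thread or from Microsoft: it resolves the members of an Azure AD security group and feeds each UPN to Add-RdsAppGroupUser, using Get-RdsAppGroupUser so re-running it is harmless. It assumes the Microsoft.RDInfra.RDPowerShell and AzureAD modules are installed and that Add-RdsAccount and Connect-AzureAD have already been run; the tenant, host pool and group names are placeholders.

```powershell
# Added example (not from the thread): keep a WVD app group in step with an
# Azure AD security group. Placeholders in angle brackets must be filled in.
$TenantName   = '<tenant>'
$HostPoolName = '<hostpool>'
$AppGroupName = 'Desktop Application Group'
$AadGroupName = '<security group display name>'   # assumed: the group that should get the desktop

$group = Get-AzureADGroup -Filter "displayName eq '$AadGroupName'"
if (-not $group) { throw "Security group '$AadGroupName' not found" }

# Desired state: UPNs of the user members of the AAD group (nested groups are not expanded here).
$wanted = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
          Where-Object { $_.ObjectType -eq 'User' } |
          Select-Object -ExpandProperty UserPrincipalName

# Current state: UPNs already published through the RDS app group.
$current = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName |
           Select-Object -ExpandProperty UserPrincipalName

# Add members that are missing from the app group.
foreach ($upn in $wanted) {
    if ($current -contains $upn) { continue }
    Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
        -AppGroupName $AppGroupName -UserPrincipalName $upn
    Write-Host "Added $upn to '$AppGroupName'"
}

# Remove app group users who are no longer in the AAD group, so that dropping
# someone from the group actually revokes the desktop (least privilege).
foreach ($upn in $current) {
    if ($wanted -contains $upn) { continue }
    Remove-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
        -AppGroupName $AppGroupName -UserPrincipalName $upn
    Write-Host "Removed $upn from '$AppGroupName'"
}
```

Run it from a scheduled task or pipeline under an account that holds an RDS role on the tenant; the removal loop is what makes group membership the single source of truth, since the app group is otherwise only ever added to.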
08-06-2019 08:18 AM
@Rob Blankers I'm bumping this again. We still have this issue. Microsoft told me that they would escalate internally but haven't heard anything yet. @christianmontoya Do you know anything? Everything else is fine but this issue seems weird. Attaching the error we are still seeing again if it helps.
8/6/2019, 9:23:38 AM
Sign-in error code
The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-ga....
Mobile Apps and Desktop clients
08-06-2019 08:22 AM
@stevenzelenko Still happening here as well. Have to make users tenant creators and manually add to the desktop users group via powershell before they can login. Really not fun to Admin this thing.
08-06-2019 08:25 AM
@Feffen The powershell piece isn't bad since I'm in powershell almost all day. It's just one of those things that previews find...odd behavior. Glad it's not just us and there are others out there following this thread.
08-07-2019 04:26 PM
@Rob Blankers , @stevenzelenko , @Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.
Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.
08-07-2019 04:30 PM
Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.
I'm a bit confused by the language here, I guess. Wouldn't I want to have to assign users to this app to control access?
08-07-2019 04:38 PM (Solution)
08-07-2019 04:42 PM
@christianmontoya Mine was set to yes too. That makes sense. You are handling the permission from the app group, if you aren't part of the permission to that group, no access. Makes perfect sense now. We'll test tomorrow and report back our findings. Thanks for the reply! Greatly appreciated.
08-07-2019 04:54 PM
@christianmontoya Had some time to test this. I removed my account from the Azure application and got right in. When I went to open an app, I got this error shown in the screen cap. We do have a conditional access policy applied to require MFA off of our network. But even on our network, this same error presents itself.
08-07-2019 05:11 PM
@christianmontoya Looks like I spoke too soon. For some reason, our session host crashed and I had to reboot the VM. All works now, even CA. Great and simple discovery. Thank you.
08-13-2019 10:51 AM
@stevenzelenko @christianmontoya SUCCESS!!! I flipped the 'User assignment required' switch to No on each Enterprise Application, removed all the users from those apps and verified that all users in the Desktop Application Group (administered through PowerShell) can login without issue. Appreciate the follow up on this unsupported service and can't wait for GA!! Thanks again!
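The fix the thread converged on (User assignment required? set to No on both enterprise applications, then the workaround role assignments removed, as in the post above and in the earlier request to check the Properties blade) can be audited and applied from PowerShell instead of the portal. The following is an added example, not code from this thread or from Microsoft. It assumes Connect-AzureAD has been run as a directory admin, that the two service principals carry the display names used in the thread, and that the UPN in $KeepUpns is the one account that still needs its TenantCreator assignment to run New-RdsTenant.

```powershell
# Added example (not from the thread): report and fix "User assignment required?"
# on the two WVD enterprise apps, and drop the per-user workaround assignments.
$wvdApps  = 'Windows Virtual Desktop', 'Windows Virtual Desktop Client'
$KeepUpns = @('<tenant admin upn>')   # assumed: keeps the TenantCreator used for New-RdsTenant

# Object IDs of principals whose assignments must survive.
$keepIds = foreach ($upn in $KeepUpns) { (Get-AzureADUser -ObjectId $upn).ObjectId }

foreach ($name in $wvdApps) {
    $sp = Get-AzureADServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) {
        Write-Warning "Service principal '$name' not found; was admin consent granted?"
        continue
    }

    # AppRoleAssignmentRequired is the property behind "User assignment required?".
    # When it is $true, a user who is only in the RDS app group is refused with
    # AADSTS50105 ("not assigned to a role for the application").
    Write-Host "$name : User assignment required = $($sp.AppRoleAssignmentRequired)"
    if ($sp.AppRoleAssignmentRequired) {
        Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
        Write-Host "  -> set to No"
    }

    # Remove the Default Access / TenantCreator assignments added as a workaround,
    # keeping only the principals listed in $KeepUpns.
    Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true | ForEach-Object {
        if ($keepIds -contains $_.PrincipalId) {
            Write-Host "  keeping assignment for $($_.PrincipalDisplayName)"
            return
        }
        Write-Host "  removing $($_.PrincipalType) assignment for $($_.PrincipalDisplayName)"
        Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $_.ObjectId
    }
}
```

Two caveats a practitioner should keep in mind. Turning the switch off means any user in the directory can complete sign-in to the WVD apps themselves; access to a desktop or RemoteApp is still gated by membership in the RDS app group, which is the point made in the thread, so publishing stays under your control through Add-RdsAppGroupUser. Conditional Access policies on these apps, such as the MFA-off-network policy mentioned above, keep applying regardless of the assignment setting, so this change does not weaken that layer.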
08-13-2019 10:58 AM