AVD Adding users to Remote Desktop User Group

Copper Contributor

Hi all,


From my understanding AVD uses port 443 (HTTPS) to connect users to their virtualized environment. However, I have noticed that AVD automatically adds users to the Remote Desktop Users Group, which is meant originally for port 3389 (RDP). I spoke with a Microsoft Support Specialist regarding this and it was mentioned this was used as a break-glass method in case users cannot connect through 443. My question is then, is it necessary to have users added to the Remote Desktop Users Group? And is there any way we could stop the automation in adding users to that group?


Best Regards


4 Replies

@XerxesH Just tested on an Azure Virtual Desktop host pool Entra ID join and you are right.
But my RDP direct access is also working without being part of Remote Desktop Users Group, as soon my Entra ID user is having the Virtual Machine User Login role on the AVD VMs


Why do you want to remove that automation mechanism ?

Security purpose ?

Hi @jlou65535 


Yes correct! Thanks for verifying! When a user receives a session by opening remote app or virtual desktop, they are automatically added into that group, giving them RDP access. In my opinion they should not be added to the group as normal users should not have direct RDP to the session hosts as it does pose as a security risk.


Best Regards

Xerxes Hansen



How about to control in network or port level?

Hi @Kidd_Ip,


Absolutely. I was thinking Just-In-Time Access and/or restriction through firewall, but just wondering why that automatic procedure was there in the first place x) I find it weird to have to have a solution/work-around on something not in use (unless it is proven that it is). Thanks for the answers tho!


Best Regards