SOLVED

Azure VD - AD/AADDS Required?

Copper Contributor

I'm trying to set up an Azure Virtual Desktop test lab for evaluation purposes. I've created a new test Azure tenant with some M365 Business Premium licenses. I've added some dummy test users, assigned M365 licenses to them and ADD joined a couple of Windows 10 laptops using Autopilot. This is all work great.

 

From what i have read Azure Virtual Desktop either requires Active Directory or AADDS, therefore, i've deployed AADDS to the tenant. Next i've then deployed a new AVD host pool using the following settings:
 - Host Pool Type = Pooled
 - LB = Breath-first
 - Max Sessions limit = 10
 - Number of Hosts = 2
 - Image = Gallery / Win10Ent MultiSession 20H2 Gen2
 - Domain to join = Azure AD

The AVD deployment completes and i've assigned users to the application group. However, when i attempt to log into AVD (via browser or Remote Desktop app) it prompts me for logon credentials but then fails to connect with an error "invalid credentials". I know the credentials are correct! I've delete the AVD host pool, resource groups, vms, etc and set it all up again from scratch but i still get the same error! I'm obviously missing something here?

I can see the both the Azure VD hosts are shown in Azure AD > Device and both are listed in Intune as (managed by intune/compliant). I've also setup an Azure management VM (Win2016), joined this to AADDS and installed the RSAT tools. Using the AD Users and Computers console I can see all the users (which i created in Azure AD) have sync'd over but i cant see the two VD host devices?

Do i need actually need AD or AADDS as the Azure Virtual Desktop deployment wizard allows me to select 'Azure AD' under 'Domain to Join' and then there's no mention of AD/AADDS during the wizard.  If i can remove AADDS and the Win2016 management vm that would be great.

8 Replies
Hi,
For personal hostpool you don't need ADDS or AADDS but can use AAD only.
For pooled hostpools you still require ADDS or AADDS.

For your logon issue:

Have you given Virtual Machine User login role to the users?
Have you specified in the advanced properties that the session host is AAD joined?

Here is the link to the doc's. If you need help just contact me.
https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm

@PhilPreece1010Hey Phil.  Did you resolve this in the end?  I am also getting this same issue with the password.

 

I wonder if it's to do with MFA?

 

Thanks

Vince

best response confirmed by PhilPreece1010 (Copper Contributor)
Solution
Hi Vince, no still having issues.
Earlier today i cleaned up the Azure tenant once again. I deleted all the resources that were deployed by the AADDS wizard and the Azure Virtual Desktop wizard. I then successfully re-deployed AADDS, applied the recommended DNS fix and ran the AVD wizard again. This time i selected 'domain to join = AADDS' but the wizard failed again. This time with a different error:

easy-button-inputvalidation-job-linked-template - conflict

I do have MFA enabled for all users? Perhaps that is the issue then?
If you use the quickstart wizard you need to use an account that doesn't have MFA enabled. If you check the runbook behind the getting started wizard it will give you that error message.

If you create AADDS with the wizard you also need to make sure that your custom domain is added otherwise the wizard will fail also.
I think your right Vince, i've just stumbled across this article:

https://techcommunity.microsoft.com/t5/azure-virtual-desktop/getting-started-wizard-in-azure-virtual...

2. Requirements and limitations
Accounts used with getting started cannot have MFA.
Phil, correct it's my understanding that MFA is not yet supported when using AAD joined VM's and trying to login to them via AVD. I could be wrong but maybe worth a shot. I will also test this myself tomorrow and let you know.
Thanks all for the assistance. AVD has now deployed successfully.
Quick summary of the steps i took.
- Cleaned up Azure tenant (ie: deleted all the remnants of the failed AVD deployment, such as: adds, avd, all resources, etc).
- Used the AVD 'Getting Started' wizard (rather than 'deploy a host pool' option) and allowed this to build a new instance of Azure ADDS for me.
- Disabled MFA against the accounts i used in the AVD getting started wizard.
- Before logging into the AVD client i had to reset the test users password so the hash is sync'd back to ADDS.
Great News.
1 best response

Accepted Solutions
best response confirmed by PhilPreece1010 (Copper Contributor)
Solution
Hi Vince, no still having issues.
Earlier today i cleaned up the Azure tenant once again. I deleted all the resources that were deployed by the AADDS wizard and the Azure Virtual Desktop wizard. I then successfully re-deployed AADDS, applied the recommended DNS fix and ran the AVD wizard again. This time i selected 'domain to join = AADDS' but the wizard failed again. This time with a different error:

easy-button-inputvalidation-job-linked-template - conflict

I do have MFA enabled for all users? Perhaps that is the issue then?

View solution in original post