Mar 24 2023 08:35 AM
Dear Azure Virtual Desktop friends,
Imagine the following scenario. You have decided to build Azure Virtual Desktop in the cloud-only variant, with all its pros and cons, and to set up a first test environment. Of course, all necessary licenses are available. The provisioning of resources in Azure is done.
For the DAG (Desktop Application Group), you have added a group from Azure Active Directory.
There are two persons in this group.
You start the Remote Desktop Client and log in as a user who exists in this group (as seen before).
Double click on SessionDesktop and you will get an error message.
Sorry, this is in German! The login attempt has failed!
Why does the connection not work? The group has been added to the DAG, so what is still missing? The infrastructure permissions. This is not quite obvious and is unfortunately often forgotten. But one thing after the other.
1. If the host you are using to connect is not Azure AD joined in the same tenant, the Advanced RDP settings must be extended with the following value: targetisaadjoined:i:1
2. Next, further permissions need to be set up. I like to assign these on the resource group; you can of course also assign them on the subscription. The following roles are required for the group:
Desktop Virtualization Application Group Reader
Virtual Machine User Login
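As an added example (this is not code from the article or from Tom's GitHub repository), here is how the same two steps can be done with Azure PowerShell instead of the portal. The resource group, host pool and group names are placeholders that you need to replace; the script assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules and a signed-in session (Connect-AzAccount). It appends the RDP property instead of overwriting the existing ones, assigns both roles at resource-group scope, and prints what is in place so you can check before retrying the Remote Desktop Client.

```powershell
# Added example, not part of the original post.
# Placeholders (not from the post): replace with your own names.
$ResourceGroup = 'rg-avd-test'   # resource group holding the host pool and session hosts
$HostPoolName  = 'hp-avd-test'   # host pool whose RDP properties are extended
$GroupName     = 'AVD-Users'     # the Azure AD group that was assigned to the DAG

# Step 1: extend the host pool's custom RDP properties with targetisaadjoined:i:1.
# Update-AzWvdHostPool -CustomRdpProperty replaces the whole string, so read the
# current value first and only append the property if it is not there yet.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$rdp = @()
if ($hostPool.CustomRdpProperty) {
    $rdp = @($hostPool.CustomRdpProperty.TrimEnd(';') -split ';' | Where-Object { $_ -ne '' })
}
if ($rdp -notcontains 'targetisaadjoined:i:1') {
    $rdp += 'targetisaadjoined:i:1'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
        -CustomRdpProperty (($rdp -join ';') + ';') | Out-Null
}

# Step 2: assign the two roles to the group, scoped to the resource group
# (narrower than a subscription-wide assignment). Skip roles already assigned.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) { throw "Azure AD group '$GroupName' not found." }

$roles = 'Desktop Virtualization Application Group Reader', 'Virtual Machine User Login'
foreach ($role in $roles) {
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role `
        -ResourceGroupName $ResourceGroup
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role `
            -ResourceGroupName $ResourceGroup | Out-Null
    }
}

# Verification: show the effective RDP properties and the group's role assignments
# on the resource group before going back to the Remote Desktop Client.
(Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName).CustomRdpProperty
Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $ResourceGroup |
    Select-Object RoleDefinitionName, Scope
```

If the verification output does not list both roles, the "login attempt has failed" message from the screenshot is exactly what you will keep seeing; a role assignment can also take a few minutes to become effective, so a retry after a short wait is worthwhile.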
Now back to the Remote Desktop Client and voila, the connection to the session host is now working.
I hope this information helps you successfully build an Azure Virtual Desktop "cloud only" infrastructure. The example here is of course not a finished setup; apps, profiles, etc. are still missing. But it should help you get started.
Thank you for taking the time to read the article.
Best regards, Tom Wechsler
P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on GitHub! https://github.com/tomwechsler