SOLVED

PUBLIC PREVIEW: Announcing public preview of Azure AD joined VMs

Microsoft

We are excited to announce the public preview of Azure AD joined VMs support for Azure Virtual Desktop. This feature allows customers to easily deploy Azure AD joined session hosts from the Azure portal and access them from all clients. VMs can also be automatically enrolled in Intune for ease of management. Support for storing FSLogix profiles on Azure files will be available in a future update.

 

Getting started:

 

The documentation to deploy Azure AD joined session hosts will guide you through the key steps needed to enable this functionality.

45 Replies

@David Belanger Wohoo!

 

How does this fit with the recent announcement about Cloud PC?

https://www.youtube.com/watch?v=V14Ia2uwrtk

 

Trying to figure out if we are better off with AVD "Personal" machines. vs a CloudPC.

Windows 365 is your PC in the cloud. Securely stream your personalized Windows experience, including your desktop, apps, settings, and content, at any time t...
I'm also interested to have a good story to consult customers to use AVD (Flexibility) and Windows365 (Simplicity). I guess that one important point is the price of W365 (which I don't know)

@David Belanger 
Can someone please explain this statement from the documentation?
"Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs."

The whole point of setting up Azure AD Joined VM for me is to achieve single sign on end-to-end including my apps like Office, Teams etc.

 

FYI - SUPER DUPER Excited to get rid of domain controllers now ! This is great progress. Loving it.

I believe the correct answer is, "This preview version ... Certain features might not be supported or might have constrained capabilities." when it leaves preview, or during the preview that capability might be added.
best response confirmed by Jasjit Chopra (MVP)
Solution
End-to-end single sign-on is definitely something we are working on but isn't available in the first release due to the protocol we are using. We know how important that feature it.

That's pretty cool - even for cloud-only companies. I used the evening to build it into my community tool =)

 

MarcelMeurerDE_0-1626356929817.png

 

@David Belanger  Hi, I created a new host pool with AAD, it is a validation hostpool. I tried to access the AVD but getting error a "login attempt failed" error. I am trying with my UPN to login to the Azure AD VM. I have added myself as "Virtual machine user login" RBAC role but still no luck. Anyone experiencing the same issue?.

@amal_azurewvd I have the same issue.  I followed all the steps at this location and still got the error.

I finally got it working from webclient. I added targetisaadjoined:i:1 into customrdpproperties and it started working.

@amal_azurewvd I get this error in the web client:  We couldn't connect to the remote PC because of a security error. If this keeps happening, ask your admin or tech support for help.

I think the security error may be related to MFA. I was able to get around it in the desktop client by using a PIN to log in as advised in this link: 

 

https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#us...

 

I can't get in with the web client though, and have entered targetisaadjoined:i:1 in the RDP Properties, so not sure what the problem is.

I have the same issue. I can use PIN with the Desktop Client, but cannot access the VM via Web. We do have "MFA for everything" set as a conditional access, and if I could identify which of the two Windows Virtual Desktop enterprise apps need to bypass this setting, I could put it in as an exception.
I'm encountering "The sign-in method you're trying to use isn't allowed. Try a different sign-in method or contact your administrator" when attempting to authenticate with an M365 user account to an AAD Joined Session Host. I'm able to click "Ok", get back to the login prompt and log in with the local administrator account, though.

I also have targetisaadjoined:i:1 in the RDP Properties...

Anyone encountering this?
I believe I figured this out. We have a conditional access policy for all cloud apps: RequireDuoMFA. After removing the user account from the associated security group AND from the Duo Security console, I was able to authenticate.

Microsoft, can this be fixed?

@Chris_Gilles_1337 You just need to exclude „Azure Windows VM Sign-in“ from the CA policy requiring MFA beside the already mentioned RDP settings. At least this worked for me.

David, I am looking to use AVD AAD joined as base for a secure virtual workstation. Would it be an appropriate secure setup, if admins will be asked for for MFA for all cloud apps excluding „Azure Windows VM sign-in“? Therefore would attacker be able to bypass MFA to access the virtual desktop?
Will Intune now work with pooled host pools as well? https://docs.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop states that only VMs setup as personal desktops can be managed with Intune. If pooled host pools are not supported what are the plans to support this configuration as well?

@Xandven_ Your source is at least outdated. Latest technical information about the public preview can be found here: https://docs.microsoft.com/de-de/azure/virtual-desktop/deploy-azure-ad-joined-vm

 

I have both personal and pooled VMs in my lab setup AAD joined and Intune managed. Compliance policies are applied to both types correctly, so that you can eval them in CA policies accordingly.

 

So, my answer is not an official Microsoft one, but from all these observations I would say: Yes, host pools can be Intune managed in this public preview.

hi guys 

im experiencing an error when trying to connect to my AADJ VM using Remote Desktop app.

PaulGMVP_0-1626705620107.png

 

Prereqs are all met :

- device from which i try the connection is aadjoined to the same tenant.

- remote desktop app user is added via IAM with AVD User Login role

- targetisaadjoined:i:1 added to rdp advanced properties

- validation env checked

 

what else can be missing ?

i can only access my VM from the web client , there is no error there and it works from every device.

 

Device State |
+----------------------------------------------------------------------+

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Device Name : VM-AzureAD-0

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

DeviceId : 2b4f6a7b-02ab-4cb5-a220-1fdde507e7e4
Thumbprint : 4C5F4A2D4D8D55093DDE48F7453621FE8382F2B9
DeviceCertificateValidity : [ 2021-07-19 11:01:49.000 UTC -- 2031-07-19 11:31:49.000 UTC ]
KeyContainerId : 21313e88-443a-4391-b4ca-dcdda5e9ee38
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+

TenantName : xxxxxx
TenantId : xxxxxx
Idp : login.windows.net
AuthCodeUrl : https://login.microsoftonline.com/xxx
AccessTokenUrl : https://login.microsoftonline.com/xxxx/oauth2/token
MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
SettingsUrl :
JoinSrvVersion : 2.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/xxx/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/xxx/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId : https://login.microsoft.com
WamDefaultGUID : {xxxx} (AzureAd)

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2021-07-19 14:45:18.000 UTC
AzureAdPrtExpiryTime : 2021-08-02 14:45:17.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/xxx
EnterprisePrt : NO
EnterprisePrtAuthority :

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

AadRecoveryEnabled : NO
Executing Account Name : xxxxx
KeySignTest : PASSED

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

Access Type : DIRECT

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : NO
CertEnrollment : none
PreReqResult : WillNotProvision

For more information, please visit https://www.microsoft.com/aadjerrors