Mar 29 2019 03:02 PM
We are considering leveraging Windows Virtual Desktop for our customer base where we will expose 1 or more applications in kiosk mode via a multi-tenant scenario. To clarify....
Admin authentication (to manage the desktop as needed and to run background processes) would be done via the abc.com domain. We can create another VM to run a Windows domain server (as is currently required) for hybrid identity for these abc.com admin domain accounts. However, for end user authentication, which is multi-tenant, each user will authenticate via their own domain which is on Azure Active Directory. For example, we have 3 client organizations: xxx.com, yyy.com, and zzz.com.
So a user firstname.lastname@example.org should be able to authenticate into the kiosk we have configured and run 2 desktop applications we have exposed for him to use.
Is this scenario currently feasible? I have read that kiosk mode of regular Windows 10 Professional/Enterprise permits this. Also, will Windows Virtual Desktop ever be able to operate solely on Azure Active Directory?
If not, please contact me if it would be of value to provide more details about our solution. We are looking to implement this with potentially hundreds to thousands of Azure AD domains and thousands to tens of thousands of users in total.
Apr 01 2019 11:05 AM
@Matt_Shanaman If I can break down the question: support for WVD VMs joining Azure Active Directory is on the roadmap and will be announced around GA. However, at the moment, having different users from different (non-related) domains authenticating to the same VM via WVD is not supported. Background processes, however, can be run in the local admin context if that helps.
Apr 01 2019 01:49 PM
Thanks, @Stefan Georgiev. Upon doing further research, it looks like part of what I was asking for existed in a prior preview for RDmi: https://www.brianmadden.com/opinion/An-overview-of-multi-tenancy-in-Remote-Desktop-modern-infrastruc...
From the latest MSFT documentation I've seen, RDmi is now part of WVD. Or, maybe what that article describes is something that would be a level down (i.e., the underlying functionality for WVD) where we could modify the WVD hosting? If the functionality described in the article still exists, that would enable us to achieve what we are looking to do. However, the ADDS requirement would be an issue due to the cost. If there were a way to create more pricing options for ADDS, such as for 50 objects, 100 objects, 200 objects, etc., it would open up new opportunities for the SMB client base.
If you have any additional information regarding what happened with RDmi, it would be greatly appreciated!
Apr 21 2020 04:28 PM
@Matt_Shanaman, I think we should test the Multi-App Kiosk Mode by applying a provisioning package to the session hosts or even the image first. The MA Kiosk CSP allows assigning profiles to AD groups, so if it is allowed to be applied to Windows 10 for Enterprise Virtual Desktop, it should work to lock down users.