
Add guest user to Windows Virtual Desktop app pool

Hello,

I'm trying to add guest user to my App pool but I always get the following error:

The identity provider for Tenant 'xxxxxxxxxx' did not recognize User '<xxxxxxxxxx>'.

Is there any restriction to add guest users?

My guess would be that, because the guest user account's password hash is not registered in AADDS, it will not be technically possible to enable this service for guest accounts, but I will let the experts confirm...

Thank you for your help.

@ghonyme : Yes, unfortunately we do not support guest users yet in Windows Virtual Desktops. Users must be sourced from the Azure AD that you specify for your Windows Virtual Desktop tenant.

@ghonyme Facing the same issue. My WVD tenant with Azure subscription is connected using Vnet Peering to on-prem AD but the UPN is different.

@Radek V : Are you also synchronizing SIDs?

@Christian_Montoya 

AFAIK no.

How can I check this? In AAD Connect settings?

 

@Radek V : Actually, we have a current issue right now regarding user connections if the VMs are connected to Azure AD Domain Services and that user is sourced from your on-prem AD (synchronized to Azure AD, then replicated to the Azure AD Domain Services instance): https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Announcement-Connectivity-issues-from... .

We're actively investigating options on how to unblock and fix.

My users appear as 'guests' in AAD with the source being 'external azure active directory' or 'invited user'. When I try to add such an account using the Add-RdsAppGroupUser cmdlet, I get the message "the specified UPN does not exist in the AAD associated with the RD tenant". Accounts that have been created directly in the AAD do work.

Can anyone from Microsoft state if these types of users are or will be supported and, if not, how I should proceed?

@Marcel A' Campo : Currently we do not support Azure AD B2B (guest) users. Primarily, there is no mechanism right now to synchronize them to the on-prem AD that will be recognized by the VM logon. There are some scripts and tools (including Microsoft Identity Manager (MIM)), but that would also require those B2B users to create a new set of credentials for that on-prem AD.

We are investigating how to support Azure AD B2B (guest) users, with Azure AD Join as a potential option, but no specific dates as of yet. If this is something that is crucial for your workload, please create/upvote at our Uservoice page.
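An added example, not posted by anyone in this thread and not Microsoft's own tooling: a pre-check script that looks the account up in Azure AD and reports whether it is a B2B guest (UserType 'Guest', '#EXT#' UPN) or has no synced on-premises SID before calling Add-RdsAppGroupUser, so the "identity provider did not recognize User" failure described above is caught with a clear reason. It assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and already connected (Connect-AzureAD, Add-RdsAccount); the tenant, host pool and app group names are placeholders.

```powershell
# Added example (not from this thread). Assumes Connect-AzureAD and
# Add-RdsAccount have already been run in this session.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [string]$TenantName   = 'WVD-TENANT-PLACEHOLDER',   # placeholder
    [string]$HostPoolName = 'HOSTPOOL-PLACEHOLDER',     # placeholder
    [string]$AppGroupName = 'Desktop Application Group' # placeholder
)

# Look the account up by UPN in the Azure AD tenant backing the WVD tenant.
$user = Get-AzureADUser -Filter "userPrincipalName eq '$UserPrincipalName'"

# B2B guests are stored with a 'name_domain.com#EXT#@tenant' UPN, so an
# admin passing the invited e-mail address would not match above; fall back
# to the mail attribute so the guest is still found and reported correctly.
if (-not $user) {
    $user = Get-AzureADUser -Filter "mail eq '$UserPrincipalName'"
}
if (-not $user) {
    Write-Warning "$UserPrincipalName was not found in this Azure AD tenant."
    return
}

# The thread's answers state that Azure AD B2B (guest) users are not
# recognised by the WVD identity provider, so stop before the cmdlet fails.
if ($user.UserType -eq 'Guest' -or $user.UserPrincipalName -like '*#EXT#*') {
    Write-Warning "$($user.UserPrincipalName) is an Azure AD B2B guest (UserType=$($user.UserType)); guest users are not supported in WVD app groups."
    return
}

# Session hosts joined to AADDS/on-prem AD log the user on by the synced SID;
# report when none is present so the admin can check AAD Connect before
# assigning the app group (this answers the "how can I check SID sync" question).
if (-not $user.OnPremisesSecurityIdentifier) {
    Write-Warning "$($user.UserPrincipalName) has no OnPremisesSecurityIdentifier (no synced on-prem SID)."
} else {
    Write-Verbose "Synced SID: $($user.OnPremisesSecurityIdentifier)"
}

# Member account with a known UPN: perform the assignment.
Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
    -AppGroupName $AppGroupName -UserPrincipalName $user.UserPrincipalName
Write-Output "Added $($user.UserPrincipalName) to app group '$AppGroupName'."
```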

@Christian_Montoya 
Hi, have you any update of this? Thanks

No updates as of yet. This is a larger workitem, so I do not expect this feature to be made available in the next 3 to 6 months.

I was wondering about this: we got to Azure Domains but have WVD in a separate domain, and the guest users cannot be added as an app group user. Hoping this is something they are actively working on @Christian_Montoya 

@tommy_barnes : We understand the ask of supporting Azure AD B2B, but unfortunately it's a little challenging at the moment because the user and their credentials are not known from the "inviting" directory.

We're looking at it, but don't expect to have a solution with Azure AD B2B any time soon.

@Christian_Montoya Is there any other way for a user from a different AAD to log in to a host pool in my AAD tenant? Is a B2B / Guest account the only way?

@Marc98052 : Unfortunately, this is not available at the moment. With Azure AD B2B, the inviting directory never receives the password hash and the on-prem AD never recognizes the user.

Currently, you'll have to create an account for that guest user so that the user is recognized in both AD and Azure AD.

We have taken this feature request (supporting Azure AD B2B) and have it in our backlog, but no specific ETA right now.

@Christian_Montoya do we have any update on this or any tentative plan to roll out the support for Azure AD B2B guest users for WVD? Thanks in advance!

@bhushangawale : No update, and no timelines. I would not expect this feature anytime this calendar year (CY20).

Hello @Christian_Montoya, how about users synced from Active Directory to Azure AD with a .onmicrosoft.com UPN?

I have the same question and am in need of this feature. I was under the impression that, if a guest user can be added to an application according to the documentation, then the feature to add a guest user to an application group in a host pool in WVD was also supported.

Our objective is to allow guest users (who are clients) to connect to a VM in WVD so that they can use our software (already installed in the VM) through an Excel add-in. In this way, they can sign in to Excel with their Office 365 credentials (related to their Office 365 license).

If we add a guest user to our Azure AD (as another AD user), then we have to add an Office 365 license for every guest user, which is not acceptable.

Is there any workaround to achieve the objective? This is something that is needed and expected to be implemented.

Many thanks.

Kind regards,

Misbah

@MisabhMHasan @Christian_Montoya that's the exact use case we are also working on. Extending access to guest users in AD would make more sense and would be a cost-effective way to access the WVD environment for end customers, as they could then make use of their existing license.

Right now, one needs to create all customers' accounts in the same AD tenant as that of the WVD setup and then needs to procure and assign a license to each one of the customer records, which does not make sense because end customers essentially end up paying for licensing unnecessarily when they already have a valid license within their home AD tenant.

@bhushangawale

It's almost 1 year now and the WVD spring release is in GA, do we know when it will be available?
