SOLVED

Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

Can someone explain the difference of these two apps in AD? It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop Application to use the web URL. Adding users to the client app seems to do nothing. We've had no issue with the Windows and Mac RDP apps using the web feed URLs. Unless this is what we have to do for the time being but it just seems a little confusing.

And I don't know if I'm missing something but I can only deploy apps and desktops per UPN and cannot apply a security group. Would be nice to have the app groups set up to look for a security group and simply adding the users to the group in AD and when things sync up, you have your apps.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya of course. Thanks for helping me through this.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko : Can we follow up in a Private Message? It's really strange that you're hitting this and would like to get to the bottom of this. Although you are seeing this behavior, you should not have to be adding users to the TenantCreators role to access their desktops or applications, so I just want to better understand your environment.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya the rdweb link here https://rdweb.wvd.microsoft.com/webclient

but it doesn't matter. Even when using the WVD desktop client, every user has to be a tenant creator in the WVD app in Azure. If they are only assigned to the WVD client app in Azure, they have no access. Everything works fine but the permissions seem backwards.

I've added some screen caps of what I'm talking about. You can see, all users marked as Tenant Creators in the WVD app have access. All users in the WVD client app set with a role of default access cannot log into the web URL nor the WVD client app. If I move them to creators, they have access without issue.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko : And when you say "going to the website", which website are you referring to? Can you post the link?

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya. I have allowed admin and client rights using my global admin account in Azure. When I add a user to the WVD client app, going to the website attempts to log them in but kicks them back out. Same with the desktop client. In order to get them access, I have to add them as a tenant creator in the WVD application in Azure. Actually, I can only add them as tenant creators.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.

If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"?

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya got it, thank you. Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service? It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app. When I add them as a tenant creator all is well.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko : Thanks for the testing so far! To address some of your questions:

- Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
- Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko

Did you ever get this resolved? I'm running into the exact same issue, if I make them tenant

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen not yet. We have an Azure ticket open and they captured the Fiddler trace. Might have something soon.

@christianmontoya looks like another admin has our same issue.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko

Thanks for the quick reply. Seeing exactly what you are, unless I add them as a tenantcreator in the Windows Virtual Desktop app after adding the user via Add-RdsAppGroupUser, they cannot log in. The WVD website just keeps kicking you to the login page (I see something in the address bar quickly about access denied), and the RD app says it cannot authenticate the user.

The Windows Virtual Desktop Client app doesn't seem to do anything.

Once I add the user as tenantcreator, everything works fine. Definitely don't want to do this for users.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen Exactly the same thing we see. You will have an error in the WVD client app of this too I bet:

Sign-In error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-gallery#user-not-assigned-a-role.

@christianmontoya is on top of this issue.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko same issue here... glad I found this link.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Rob Blankers Thanks for reporting this. @christianmontoya looks like we have another one. Just reporting it to Microsoft so we can have some ammunition to get down to the bottom of this.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko

Wow, glad I saw this post too - thanks Steven. See mine below - ignore all the older posts. Same situation, except I thought it had something to do with the fact that my Tenant Creator user didn't have MFA while the regular user account who is in the Desktop Application Group does have MFA enabled.

I just did what you guys have done - added the regular user to the Tenant Creator role in the Windows Virtual Desktop application and tried the RD Client again. I can see my pool now....

https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Error-deploying-WVD-to-a-subscription/m-p/664274/highlight/true#M709

@christianmontoya - this is messed up :) . Following this post closely now too. Thanks - have a good day, all.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@jaycrumpgp @stevenzelenko : Oh man, yes, this is definitely still an error. Let me follow up with the team and get back to you to see how we can address/resolve this. Full disclosure, I definitely want to get to the bottom of this because I don't want this error happening in the future, especially GA.

Let me get back to you, but definitely thank you both for reporting.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya

So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client. In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app. At least you can't see them in the AAD GUI. I've used the following:

Add-RdsAppGroupUser -TenantName <TENANT> -HostPoolName <HOSTPOOL> -appgroupname "Desktop Application Group" -UserPrincipalName

Manually adding a user to only the "Windows Virtual Desktop Client" app does not work. Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application". The application ID presented in this error is the ID for the "Windows Virtual Desktop" app. If I add the user to that app, it works. But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it.

Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Rob Blankers I'm bumping this again. We still have this issue. Microsoft told me that they would escalate internally but haven't heard anything yet. @christianmontoya Do you know anything? Everything else is fine but this issue seems weird. Attaching the error we are still seeing again if it helps.

Date: 8/6/2019, 9:23:38 AM
Status: Failure
Sign-in error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-gallery#user-not-assigned-a-role.
Client app: Mobile Apps and Desktop clients

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@stevenzelenko Still happening here as well. Have to make users tenant creators and manually add to the desktop users group via PowerShell before they can log in. Really not fun to admin this thing.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen The PowerShell piece isn't bad since I'm in PowerShell almost all day. It's just one of those things that previews find...odd behavior. Glad it's not just us and there are others out there following this thread.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Rob Blankers, @stevenzelenko, @Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.

Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya

Just checked and both of my apps are set to Yes for user assignment. I'll change them to no and test again in the morning.

I'm a bit confused by the language here I guess, wouldn't I want to have to assign users to this app to control access?

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@Feffen: The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya Mine was set to yes too. That makes sense. You are handling the permission from the app group, if you aren't part of the permission to that group, no access. Makes perfect sense now. We'll test tomorrow and report back our findings. Thanks for the reply! Greatly appreciated.

Re: Different between Windows Virtual Desktop and Client Application Assignments in Azure AD

@christianmontoya Had some time to test this. I removed my account from the Azure application and
0got%20right%20in.%26nbsp%3B%20When%20I%20went%20to%20open%20an%20app%2C%20I%20got%20this%20error%20shown%20in%20the%20screen%20cap.%26nbsp%3B%20We%20do%20have%20a%20conditional%20access%20policy%20applied%20to%20require%20MFA%20off%20of%20our%20network.%26nbsp%3B%20But%20even%20on%20our%20network%2C%20this%20same%20error%20presents%20itself.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20595px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F126110iA66721BDD5B827BA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22connection%20error.PNG%22%20title%3D%22connection%20error.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794256%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794256%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BLooks%20like%20I%20spoke%20too%20soon.%26nbsp%3B%20For%20some%20reason%2C%20our%20session%20host%20crashed%20and%20I%20had%20to%20reboot%20the%20VM.%26nbsp%3B%20All%20works%20now%2C%20even%20CA.%26nbsp%3B%20Great%20and%20simple%20discovery.%26nbsp%3B%20Thank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803137%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803137%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F279502%22%20
target%3D%22_blank%22%3E%40stevenzelenko%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BSUCCESS!!!%26nbsp%3B%20I%20flipped%20the%20'User%20assignment%20required'%20switch%20to%20No%20on%20each%20Enterprise%20Application%2C%20removed%20all%20the%20users%20from%20those%20apps%20and%20verified%20that%20all%20users%20in%20the%20Desktop%20Application%20Group%20(administered%20through%20PowerShell)%20can%20login%20without%20issue.%26nbsp%3B%20Appreciate%20the%20follow%20up%20on%20this%20unsupported%20service%20and%20can't%20wait%20for%20GA!!%26nbsp%3B%20Thanks%20again!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803152%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803152%22%20slang%3D%22en-US%22%3EGlad%20you're%20up%20and%20running!%20As%20we%20depend%20on%20Azure%20AD%20and%20other%20Azure%20services%2C%20we%20are%20learning%20as%20we%20go%20in%20certain%20scenarios.%20Thanks%20for%20the%20patience%20and%20validating!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803154%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803154%22%20slang%3D%22en-US%22%3EConfirmed%20it%E2%80%99s%20working%20for%20me%20now%20as%20well.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014614%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014614%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F3
05776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bhey%20I%20am%20facing%20the%20same%20issue.%20i%20have%20added%20my%20users%20through%20powershell%20and%20also%20i%20have%20added%20them%20in%20my%20Entreprise%20application%20including%20%3CSTRONG%3Ewindows%20virtual%20desktop%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Ewindows%20virtual%20desktop%20client%3C%2FSTRONG%3E.%20Everthing%20is%20in%20place%20also%20in%20my%20Enterprise%26nbsp%3B%20applications%20in%20properties%20i%20have%20set%20the%20the%20users%20assigned%20tab%20to%20NO%20still%20my%20users%20are%20not%20able%20to%20access%20the%20WVD%20and%20throwing%20the%20folllowing%20error%3A-%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157664iBEA4039BCB140D2D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22error.PNG%22%20title%3D%22error.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3Bpls%20help%20me%20with%20it%20as%20soon%20as%20possible%20also%20wen%20i%20add%20those%20users%20in%20AADC%20group%20they%20are%20able%20to%20access%20it%20and%20does%20not%20throw%20any%20error%20but%20for%20my%20environment%20i%20dont%20want%20all%20users%20to%20have%20the%20the%20admin%20access%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1014887%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1014887%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F455264%22%20target%3D%22_blank%22%3E%40sarahpotrick2573%3C%2FA%3E%26nbsp%3B%3A%20Can%20you%20run%20steps%20from%20our%20troubleshooting%20guide%20to%20see%20if%20there%20are%20specific%20errors%20from%20Diagnostics%3F%26nbsp%3B%3CA
%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-client-connection%23troubleshooting-end-user-connectivity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-client-connection%23troubleshooting-end-user-connectivity%3C%2FA%3E%26nbsp%3B.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20would%20be%20the%20best%20way%20to%20understand%20what%20the%20initial%20errors%20are%20so%20that%20you%20don't%20need%20to%20add%20them%20as%20admins.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1016364%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1016364%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%20Yes%20i%20checked%20it%20out%20and%26nbsp%3B%20is%20telling%20that%20user%20does%20not%20exist%20and%20that%20the%20VM%20is%20not%20joined.%2CBut%20my%20VM%20is%20joined%20to%20my%20domain%20that%20i%20created%20through%26nbsp%3B%20Azure%20ADDS%20and%20also%20all%20of%20my%20users%20exists%20in%20the%20azure%20active%20directory%20and%20i%20have%20created%20that%20user%20in%20my%20azure%20active%20directory%20only.%26nbsp%3B%20I%20dont%20want%20all%20of%20my%20users%20to%20be%20in%20the%20AADC%20group%20i%20just%20want%20them%20to%20access%20the%20WVD%20environment%20Please%20find%20or%20help%20me%
20out%20with%20some%20solution%20ASAP%20as%20i%20have%20been%20trying%20to%20resolve%20this%20from%20past%2010%20days%20and%20i%20need%20to%20deploy%20this%20in%20my%20client%20environment.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157821iFB3106D831AF924A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22rds.PNG%22%20title%3D%22rds.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1024607%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1024607%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F455264%22%20target%3D%22_blank%22%3E%40sarahpotrick2573%3C%2FA%3E%26nbsp%3B%3A%20How%20did%20you%20configure%20Azure%20AD%20Domain%20Services%3F%20Does%20the%20domain%20match%20the%20UPNs%20those%20for%20the%20Azure%20AD%20user%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1067618%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1067618%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%20%26nbsp%3BMy%20Users%20are%20not%20able%20to%20sign-in%20into%20thier%20hostpool%20virtual%20Machine.%20It%20is%20throwing%20the%20following%20error.%20The%20username%20and%20password%20is%20correct%20and%20also%20i%20have%20assigned%20them%20through%20powershell%2C%20Still%20it%20is%20throwing%20the%20same%20error%3C%2FP
%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161909i7E54FB301DE0A5E5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.jpeg%22%20title%3D%22clipboard_image_0.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1068552%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1068552%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F455264%22%20target%3D%22_blank%22%3E%40sarahpotrick2573%3C%2FA%3E%26nbsp%3B%3A%20Can%20you%20run%20the%20following%20command%20to%20check%20the%20failed%20connections%3C%2FP%3E%0A%3CPRE%3EGet-RdsDiagnosticActivities%20-TenantName%20%26lt%3BtenantName%26gt%3B%20-ActivityType%20Connection%20-Outcome%20Failure%20-Detailed%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThen%2C%20you%20can%20look%20at%20each%20individually%20and%20expand%20their%26nbsp%3B%3CSTRONG%3EErrors%3C%2FSTRONG%3E%20property.%20You%20can%20do%20this%20by%20getting%20the%20exact%20ActivityId%2C%20then%3A%3C%2FP%3E%0A%3CPRE%3E%24activity%20%3D%20Get-RdsDiagnosticActivities%20-TenantName%20%3CTENANTNAME%3E%20-ActivityId%20%3CACTIVITYID%3E%20-Detailed%3CBR%20%2F%3E%24activity.Errors%3C%2FACTIVITYID%3E%3C%2FTENANTNAME%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1071272%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1071272%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.micr
osoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BAfter%20running%20the%20following%20powershell%20command%2C%26nbsp%3B%20I%20get%20the%20following%20details%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20not%20able%20to%20understand%20what%20should%20i%20do%20next%3F%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20718px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F162254i3E168A980D0B6218%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Capture.PNG%22%20title%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1075348%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1075348%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F455264%22%20target%3D%22_blank%22%3E%40sarahpotrick2573%3C%2FA%3E%26nbsp%3B%3A%20Did%20the%20users%20already%20reset%20their%20passwords%3F%20There%20needs%20to%20be%20at%20least%20one%20password%20reset%20so%20the%20password%20hashes%20sync%20down.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20so%2C%20you'll%20need%20to%20create%20a%20support%20ticket%20through%20the%20Azure%20portal%20so%20that%20our%20engineers%20can%20dive%20deeper%20to%20resolve.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1076174%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1076174%22%20slang%3D%22en-US%22%3EOk.%20I%20will%20try%20resetting%20the%20password%20as%20well.%20If%20this%20works%20out%20well%20and%20good%20and%20also%20
support%20is%20not%20available%20for%20wvd%20yet%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1081923%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1081923%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F455264%22%20target%3D%22_blank%22%3E%40sarahpotrick2573%3C%2FA%3E%26nbsp%3B%3A%20Actually%2C%20support%26nbsp%3B%3CSTRONG%3Eis%3C%2FSTRONG%3E%20available%20for%20WVD.%20And%20you%20can%20file%20a%20ticket%20through%20the%20Azure%20portal.%20We%20also%20have%20some%20links%20from%20our%20docs%20site%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-set-up-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Ftroubleshoot-set-up-overview%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1211293%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1211293%22%20slang%3D%22en-US%22%3EI%20am%20trying%20to%20automate%20the%20addition%20of%20users%20to%20the%20enterprise%20app%20using%20%3A%3CBR%20%2F%3E%3CBR%20%2F%3ENew-AzureADUserAppRoleAssignment%20-ObjectId%20%24user.ObjectId%20-PrincipalId%20%24user.ObjectId%20-ResourceId%20%24servicePrincipal.ObjectId%20-Id%20(%5BGuid%5D%3A%3AEmpty)%3CBR%20%2F%3E%3CBR%20%2F%3EHowever%20I%20get%20the%20following%20%3A%3CBR%20%2F%3E%3CBR%20%2F%3ENew-AzureADUserAppRoleAssignment%20%3A%20Error%20occurred%20while%20executing%20NewUserAppRoleAssignment%3
CBR%20%2F%3ECode%3A%20Request_BadRequest%3CBR%20%2F%3EMessage%3A%20Permission%20being%20assigned%20was%20not%20found%20on%20application%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3EWhen%20I%20get%20the%20service%20principal%20%3A%3CBR%20%2F%3EAppRoleAssignmentRequired%20%3A%20True%3CBR%20%2F%3EAppRoles%20%3A%20%7B%7D%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20this%20does%20not%20make%20any%20sense%20to%20me%20%3A(%3C%2Fimg%3E%3CBR%20%2F%3EThere%20are%20no%20roles%20so%20why%20would%20this%20fail%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1211729%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1211729%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503977%22%20target%3D%22_blank%22%3E%40AT1991%3C%2FA%3E%26nbsp%3B%3A%20Why%20are%20you%20adding%20the%20users%20to%20the%20Enterprise%20App%3F%20If%20it's%20for%20user%20access%2C%20we%20don't%20use%20the%20Enterprise%20App%20for%20that%2C%20we%20use%20our%20Windows%20Virtual%20Desktop%20PowerShell%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fmanage-app-groups%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Fmanage-app-groups%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1211760%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1211760%22%20slang%3D%22en-US%22%3EBecause%20for%20some%20reason%20without%20it%2C%20a%20few%20of%20our%20users%20were%20not%20able%20to%20log%20in%20via%20the%20desktop%20client
.%20Adding%20them%20resolved%20the%20issue%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1211764%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1211764%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503977%22%20target%3D%22_blank%22%3E%40AT1991%3C%2FA%3E%26nbsp%3BWe%20had%20this%20exact%20same%20thing%20happen%20to%20us%20too.%26nbsp%3B%20Turn%20off%20the%20%22User%20Assignment%20Required%22%20toggle%20in%20the%20WVD%20apps%20in%20Azure.%26nbsp%3B%20You%20should%20only%20need%20to%20add%20the%20users%20via%20powershell.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22stevenzelenko_0-1583428407181.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F175517i8021CAA995382F62%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22stevenzelenko_0-1583428407181.png%22%20alt%3D%22stevenzelenko_0-1583428407181.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1211782%22%20slang%3D%22en-US%22%3ERe%3A%20Different%20between%20Windows%20Virtual%20Desktop%20and%20Client%20Application%20Assignments%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1211782%22%20slang%3D%22en-US%22%3EAwesome!%20I%20will%20give%20it%20a%20go.%20Thank%20you.%3C%2FLINGO-BODY%3E

Can someone explain the difference of these two apps in AD?  It seems like at some point today something changed and I have to set my test users to be Tenant Creators in the Windows Virtual Desktop Application to use the web URL.  Adding users to the client app seems to do nothing.  We've had no issue with the windows and mac RDP apps using the web feed URLs.  Unless this is what we have to do for the time being but it just seems a little confusing.

 

And I don't know if I'm missing something but I can only deploy apps and desktops per UPN and cannot apply a security group.  Would be nice to have the app groups set up to look for a security group and simply adding the users to the group in AD and when things sync up, you have your apps.

44 Replies

@stevenzelenko : Thanks for the testing so far! To address some of your questions:

  • Difference between apps: the Windows Virtual Desktop app is for the management of the service, and includes granting permission for the service to call your Azure AD for user validation, service principal validation, etc. The Windows Virtual Desktop client app is for the end-user login, where you can control MFA/Conditional Access policies. I agree that we should highlight this a bit more with some examples.
  • Correct, right now you can only assign users through Add-RdsAppGroupUser by individual user UPNs and not a security group. We're working on this.

@christianmontoya got it, thank you.  Is there a reason why all my test users have to be assigned TenantCreator roles in the Windows Virtual Desktop app to even use the service?  It seems like adding a user to the client app as a user role fails to log them in with an error stating they are not assigned the app.  When I add them as a tenant creator all is well.


@stevenzelenko The only user that needs to be assigned the TenantCreator role is the one who wants to run "New-RdsTenant". Otherwise, standard users shouldn't have to be assigned.

 

If you did the admin consent on both apps (Windows Virtual Desktop and Windows Virtual Desktop client), there should be nothing else you need to do to get the standard users working. What exactly do you mean by "When I add them as tenant creator all is well"? 

@christianmontoya. I have allowed admin and client rights using my global admin account in azure. When I add a user to the WVD client app, going to the website attempts to log them in but kicks them back out. Same with the desktop client. In order to get them access, I have to add them as a tenant creator in the WVD application in Azure. Actually, I can only add them as tenant creators.

@stevenzelenko : And when you say "going to the website", which website are you referring to? Can you post the link?


@christianmontoya the rdweb link here https://rdweb.wvd.microsoft.com/webclient

 

But it doesn't matter. Even when using the WVD desktop client, every user has to be a tenant creator in the WVD app in Azure.  If they are only assigned to the WVD client app in Azure, they have no access.  Everything works fine but the permissions seem backwards.

 

I've added some screen caps of what I'm talking about.  You can see, all users marked as Tenant Creators in the WVD app have access.  All users in the WVD client app set with a role of default access cannot log into the web URL nor the WVD client app.  If I move them to creators, they have access without issue.


@stevenzelenko : Can we follow up in a Private Message? It's really strange that you're hitting this and would like to get to the bottom of this. Although you are seeing this behavior, you should not have to be adding users to the TenantCreators role to access their desktops or applications, so I just want to better understand your environment.


@stevenzelenko 

 

Did you ever get this resolved? I'm running into the exact same issue, if I make them tenant


@Feffen not yet.  We have an azure ticket open and they captured the fiddler trace.  Might have something soon.

 

@christianmontoya looks like another admin has our same issue.


@stevenzelenko 

 

 

Thanks for the quick reply. Seeing exactly what you are: unless I add them as a tenantcreator in the Windows Virtual Desktop app after adding the user via Add-RdsAppGroupUser, they cannot log in. The WVD website just keeps kicking you to the login page (I see something in the address bar quickly about access denied), and the RD app says it cannot authenticate the user.

The Windows Virtual Desktop Client app doesn't seem to do anything.

Once I add the user as tenantcreator, everything works fine. Definitely don't want to do this for users.


@Feffen Exactly the same thing we see.  You will have an error in the WVD client app of this too I bet:

 

Sign-In error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-ga....
 
@christianmontoya is on top of this issue.

@stevenzelenko same issue here... glad I found this link.  


@Rob Blankers Thanks for reporting this.  @christianmontoya looks like we have another one.  Just reporting it to Microsoft so we can have some ammunition to get down to the bottom of this.


@stevenzelenko 

 

Wow, glad I saw this post too - thanks Steven.  See mine below - ignore all the older posts.  Same situation, except I thought it had something to do with the fact that my Tenant Creator user didn't have MFA while the regular user account who is in the Desktop Application Group does have MFA enabled.

 

I just did what you guys have done - added the regular user to the Tenant Creator role in the Windows Virtual Desktop application and tried the RD Client again.  I can see my pool now....

 

https://techcommunity.microsoft.com/t5/Windows-Virtual-Desktop/Error-deploying-WVD-to-a-subscription... 

 

@christianmontoya- this is messed up :) .  Following this post closely now too.  Thanks - have a good day, all.


@jaycrumpgp @stevenzelenko : Oh man, yes, this is definitely still an error. Let me follow up with the team and get back to you to see how we can address/resolve this. Full disclosure, I definitely want to get to the bottom of this because I don't want this error happening in the future, especially GA.

 

Let me get back to you, but definitely thank you both for reporting.


@christianmontoya 

So there are 2 enterprise apps created in AAD: Windows Virtual Desktop and Windows Virtual Desktop Client.  In my experience adding a user to my app group using the PowerShell cmdlet does not add the user to either enterprise app.  At least you can't see them in the AAD GUI.  I've used the following:

Add-RdsAppGroupUser -TenantName <tenant> -HostPoolName <hostpool> -appgroupname "Desktop Application Group" -UserPrincipalName 

 

Manually adding a user to only the "Windows Virtual Desktop Client" app does not work.  Users get stuck in a login loop, with a message in the URL advising the user "is not assigned to a role for the application".  The application ID presented in this error is the ID for the "Windows Virtual Desktop" app.  If I add the user to that app, it works.  But, if I then remove the user from the "Windows Virtual Desktop Client" group, I get the same error, referencing the app ID for it. 

 

Currently I need to add users to both Enterprise Applications in AAD for them to successfully access a session.  


@Rob Blankers I'm bumping this again.  We still have this issue.  Microsoft told me that they would escalate internally but haven't heard anything yet.  @christianmontoya Do you know anything?  Everything else is fine but this issue seems weird.  Attaching the error we are still seeing again if it helps.

 

Date: 8/6/2019, 9:23:38 AM
Status: Failure
Sign-in error code: 50105
Failure reason: The signed in user is not assigned to a role for the signed in application. Assign the user to the application. For more information: https://docs.microsoft.com/en-us/azure/active-directory/application-sign-in-problem-federated-sso-ga....
Client app: Mobile Apps and Desktop clients


@stevenzelenko Still happening here as well. Have to make users tenant creators and manually add to the desktop users group via powershell before they can login. Really not fun to Admin this thing. 


@Feffen The powershell piece isn't bad since I'm in powershell almost all day.  It's just one of those things that previews find...odd behavior.  Glad it's not just us and there are others out there following this thread.


@Rob Blankers , @stevenzelenko , @Feffen : Thanks for bringing this back up. Can you actually all check one thing? As mentioned here or in other threads, we don't expect users to be assigned specific app roles for the two Azure AD Applications (Windows Virtual Desktop and Windows Virtual Desktop Client), but there may be something in your directory that automatically set these.

 

Can you...go to Enterprise applications, select each application, and select Properties? Your app should mirror my screenshot of User assignment required? set to No.

clipboard_image_1.png


@christianmontoya 

 

Just checked and both of my apps are set to Yes for user assignment. I'll change them to No and test again in the morning.

I'm a bit confused by the language here I guess, wouldn't I want to have to assign users to this app to control access?

Solution
@Feffen : The primary reason is that we only use Azure AD app role / assignments for 1 action, and that's to create a tenant. Otherwise, because you can create numerous host pools and app groups, we handle end-user assignments through our own PowerShell and our own implementation.

@christianmontoya Mine was set to yes too.  That makes sense.  You are handling the permission from the app group, if you aren't part of the permission to that group, no access.  Makes perfect sense now.  We'll test tomorrow and report back our findings.  Thanks for the reply!  Greatly appreciated.

@christianmontoya Had some time to test this. I removed my account from the Azure application and got right in. When I went to open an app, I got this error shown in the screen cap. We do have a conditional access policy applied to require MFA off of our network. But even on our network, this same error presents itself.

connection error.PNG

@christianmontoya Looks like I spoke too soon.  For some reason, our session host crashed and I had to reboot the VM.  All works now, even CA.  Great and simple discovery.  Thank you.

@stevenzelenko @christianmontoya SUCCESS!!! I flipped the 'User assignment required' switch to No on each Enterprise Application, removed all the users from those apps and verified that all users in the Desktop Application Group (administered through PowerShell) can log in without issue. Appreciate the follow up on this unsupported service and can't wait for GA!! Thanks again!

Glad you're up and running! As we depend on Azure AD and other Azure services, we are learning as we go in certain scenarios. Thanks for the patience and validating!

Confirmed it’s working for me now as well.

@christianmontoya Hey, I am facing the same issue. I have added my users through PowerShell and I have also added them in my Enterprise applications, including Windows Virtual Desktop and Windows Virtual Desktop Client. Everything is in place; also, in my Enterprise applications, in Properties, I have set the users assigned tab to No. Still my users are not able to access the WVD, and it is throwing the following error:

error.PNG

Please help me with it as soon as possible. Also, when I add those users in the AADC group they are able to access it and it does not throw any error, but for my environment I don't want all users to have the admin access.

@sarahpotrick2573 : Can you run steps from our troubleshooting guide to see if there are specific errors from Diagnostics? https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-client-connection#troubleshooting-end-... .

This would be the best way to understand what the initial errors are so that you don't need to add them as admins.

@christianmontoya Yes, I checked it out and it is telling me that the user does not exist and that the VM is not joined. But my VM is joined to my domain that I created through Azure ADDS, and all of my users exist in the Azure Active Directory, and I have created that user in my Azure Active Directory only. I don't want all of my users to be in the AADC group; I just want them to access the WVD environment. Please find or help me out with some solution ASAP, as I have been trying to resolve this for the past 10 days and I need to deploy this in my client environment.

rds.PNG

@sarahpotrick2573 : How did you configure Azure AD Domain Services? Does the domain match the UPNs for the Azure AD user?

@christianmontoya My users are not able to sign in to their host pool virtual machine. It is throwing the following error. The username and password are correct and I have also assigned them through PowerShell. Still, it is throwing the same error.

clipboard_image_0.jpeg

@sarahpotrick2573 : Can you run the following command to check the failed connections:

Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityType Connection -Outcome Failure -Detailed

Then, you can look at each individually and expand their Errors property. You can do this by getting the exact ActivityId, then:

$activity = Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityId <activityId> -Detailed
$activity.Errors

@christianmontoya After running the following PowerShell command, I get the following details.

I am not able to understand what I should do next.

Capture.PNG

@sarahpotrick2573 : Did the users already reset their passwords? There needs to be at least one password reset so the password hashes sync down.

If so, you'll need to create a support ticket through the Azure portal so that our engineers can dive deeper to resolve.

OK. I will try resetting the password as well. If this works out, well and good. Also, is support not available for WVD yet?

@sarahpotrick2573 : Actually, support is available for WVD. And you can file a ticket through the Azure portal. We also have some links from our docs site: https://docs.microsoft.com/azure/virtual-desktop/troubleshoot-set-up-overview

I am trying to automate the addition of users to the enterprise app using :

New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)

However I get the following :

New-AzureADUserAppRoleAssignment : Error occurred while executing NewUserAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned was not found on application


When I get the service principal :
AppRoleAssignmentRequired : True
AppRoles : {}

So this does not make any sense to me :(
There are no roles so why would this fail?

@AT1991 : Why are you adding the users to the Enterprise App? If it's for user access, we don't use the Enterprise App for that, we use our Windows Virtual Desktop PowerShell: https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups

Because for some reason without it, a few of our users were not able to log in via the desktop client. Adding them resolved the issue.

@AT1991 We had this exact same thing happen to us too. Turn off the "User Assignment Required" toggle in the WVD apps in Azure. You should only need to add the users via PowerShell.

stevenzelenko_0-1583428407181.png

Awesome! I will give it a go. Thank you.
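
An added example, not part of any post in this thread and not Microsoft's own script: an audit of the state the thread converges on, reporting the "User assignment required?" setting and any leftover direct assignments (such as the Tenant Creator workaround) on both enterprise applications, then listing who actually holds access through the WVD app group. It assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules with Connect-AzureAD and Add-RdsAccount already run; the tenant and host pool values are placeholders.

```powershell
# Added example. Assumes signed-in AzureAD and WVD (RDInfra) PowerShell sessions.
# Placeholders: replace with your own tenant and host pool names.
$tenantName   = '<tenantName>'
$hostPoolName = '<hostPoolName>'
$appGroupName = 'Desktop Application Group'
$wvdApps      = 'Windows Virtual Desktop', 'Windows Virtual Desktop Client'

foreach ($name in $wvdApps) {
    $found = @(Get-AzureADServicePrincipal -Filter "displayName eq '$name'")
    if ($found.Count -eq 0) {
        Write-Warning "No enterprise application named '$name' in this directory"
        continue
    }

    foreach ($sp in $found) {
        # Users and groups assigned directly to this enterprise application.
        $assigned = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true)

        # Resolve each assignment's role id to its name so leftover
        # tenant-creation grants stand out from default-access entries.
        $rows = foreach ($a in $assigned) {
            $role = $sp.AppRoles | Where-Object { $_.Id -eq $a.Id }
            $roleName = if ($role) { $role.DisplayName } else { 'Default access' }
            '{0} [{1}]' -f $a.PrincipalDisplayName, $roleName
        }

        [pscustomobject]@{
            Application            = $sp.DisplayName
            UserAssignmentRequired = $sp.AppRoleAssignmentRequired
            DirectAssignments      = $assigned.Count
            Principals             = $rows -join '; '
        }

        # Uncomment to set "User assignment required?" to No, as in the accepted solution.
        # Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $false
    }
}

# With assignment not required, end-user access is governed by app group
# membership, so this list is the one to review for least privilege.
Get-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName -AppGroupName $appGroupName |
    Select-Object UserPrincipalName, AppGroupName
```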