AVD Federation with external identities
Spent months figuring out why federated SSO breaks for external users accessing Azure Virtual Desktop. Turns out Azure AD ignores custom federation when the user's domain is verified elsewhere—forces B2B routing, kills Windows SSO. Built a workaround using proxy domains and a federation hub. Curious—how are others solving this? Or just telling customers SSO isn't possible? I can't find any roadmap agenda.
Azure Virtual Desktop for Guest User / B2b Identity
All of our external customers have their own AAD / Entra ID and wish to not manage multiple identities. As we present our applications via AVD, it requires them to have a separate identity in our tenant currently. AVD should support guest accounts from another tenant to be able to sign in. Currently, per the documentation and per the ticket I just worked with Microsoft support: Azure Virtual Desktop doesn't support external identities, including guest accounts or business-to-business (B2B) identities. Whether you're serving internal commercial purposes or external users with Azure Virtual Desktop, you'll need to create and manage identities for those users yourself. Please continue development to allow guest accounts that have been invited into a tenant to sign in to AVD machines. Thanks!
AVD QuickStart - beware of Entra DS
Hi I recently received a notification from several customers whom had been billed for Entra DS - They had deployed AVD from the QuickStart menu. When attempting to deploy AVD - while going through the wizard, they get to a part that requires the VNET be pre-configured. Of course ,if they haven't properly planned AVD, this part of the wizard won't work. So they exit the wizard, then go to the QuickStart, and run through there.. Using this, they get what they wanted - easy deployment of AVD. However in this case, it enables Entra DS. Once added, it starts BILLING for Entra DS. The new AVD doesn't require Entra DS, it only requires Entra DS if there will be FSLogix containers). But the billing has started. To fix, we had to remove the Entra DS after validating that the credentials were indeed being helped. Monthly, this amounted for over $200 per month to the customer. We had to find a way to rebate the $$ to them. To ensure that this DOES not continue to happen - Can you add a piece to the QuickStart that enables Entra by itself without the entraDS or, at least WARN in the documentation that if you use QuickStart that this will be the side effect of launching this way? The client believes it should be articulated that this was a hidden fee they wouldn't have gotten if they had known the Wizard was going to bill this. So Customer request: Modify Azure Virtual Desktop Quickstart - ADD OPTION, Entra ONLY Add visual indicators that if chosen Entra DS option will bill Entra DS Entra DS is only required if using FSLogix or Entra DS as a domain for Hybrid Virtual desktop There is not an option to join the machine to Intune. Can you ADD one?
Windows App - Account Picker During Startup
Windows App is showing additional improvements to the overall VDI experience. As an Architect working for a consulting company, I have multiple clients with AVD environments I have to log into. One of the major benefits of Remote Desktop is that when opening, the window provides visibility to all signed in accounts. With Windows App, when opening the application, I'm in the most recent account. To benefit us that work in multiple environments, allow us the capability to choose which account I want to work in when opening the application. If Windows App only has one account associated, it can default to that account. But if there are two accounts present, allow the user to choose which one they want to go into at the onset.Something is preventing you from using Windows App right now.
After being auto-updated from Windows App version 2.0.327.0 to version 2.0.328.0, some of our users can't launch their Windows App anymore and get an error message says: "Something is preventing you from using Windows App right now." Since there is no way to control the update process, we could only let our desk users use MSRDC instead, as a temporary solution. For the frontline users, I could only pray that this problem will not take place until weekend. If any Microsoft person sees this post, please let the Windows App team know about this and fix this problem ASAP.
Change AVD Insights Workbooks to use VM Insights Queries
Currently the AVD Insights workbooks rely on the Microsoft Monitoring Agent which is being retired. Please release an AVD Insights solution that works with and utilises the VM Insights capabilities of Azure Monitor. This will allow us to decommission the use of the MMA.Frequent AVD Deployment Failures
Since June 2024, we have experienced occasional failures in AVD deployments. While most deployments succeed through adding session hosts to the host pool, there are instances where the deployment fails. Given this situation, we would like to request a change in behavior to reduce the burden of recreating AVDs when deployment fails.
More security around using Custom Script Extensions and Session Host Configuration
We are currently implementing and testing the new Session Host Configuration and Session Host Management features. We rely on Custom Script Extensions to implement some functionality immediately to the newly deployed Session Hosts instead of waiting for GPOs or other to take effect. We don't add these changes to the golden images. Currently the Custom Script Extensions functionality definable in the Session Host Configuration only allows to define a script URL. What is the intended mechanism of authentication for this solution? Currently it seems that its only possible to use an anonymous access level Blob. Defining a token within the script URL is not great due to the fact that the URL is viewable in plain text via the Azure Portal. Neither of those will satisfy. Key vault references are used when defining credentials for domain join and local admin accounts for the Session Hosts. Would it be possible to have key vault references for CSE Storage Account Name/Key or SAS token or the possibility to define a Managed Identity instead. These can be defined when deploying the CSEs manually. Please guide me as to what the best solution would be to this topic. Many thanks in advance.
