Microsoft has announced the public preview of Azure AD join support for Azure Virtual Desktop (AVD). Session hosts no longer depend on an on-premises domain controller, Azure AD Domain Services, or a domain controller hosted in Azure; in fact a domain controller can be dropped entirely, which simplifies deployment and management of the environment.
In this blog I will walk through the process of deploying and accessing Azure Active Directory-joined virtual machines in Azure Virtual Desktop.
Note: AVD with cloud-only users on Azure AD-joined VMs does not support the FSLogix profile solution, because neither Azure NetApp Files (ANF) nor Azure Files supports SMB authentication with Azure Active Directory identities.
AVD with hybrid users on Azure AD-joined VMs does support FSLogix, because a hybrid user account can still contact a domain controller and authenticate to the ANF/Azure Files SMB shares.
Use cases :
- Dedicated/Personal desktop with local profile
- Pooled desktops where users do not need to save data locally, for example users whose applications store their data in a remote database or on a server, such as a call-center environment
Deploy Azure AD-joined VMs
Browse to the Azure Virtual Desktop blade and select Create a host pool.
Follow the normal procedure to create the host pool.
In the directory selection for the session host VMs, choose Azure Active Directory.
Note: In this blog I am not enrolling the VMs in Intune.
Create a workspace and click Review + create.
Once the deployment completes, browse to the host pool and check the status of the Azure AD-joined session hosts.
To confirm a VM is joined to Azure AD from the Azure side, check the VM extensions: the AADLoginForWindows extension (publisher Microsoft.Azure.ActiveDirectory) should show a provisioning state of Succeeded.
Configuring access to users :
To grant access to AVD you can use either cloud-only user accounts or hybrid users from the same Azure AD tenant.
To access AVD on Azure AD-joined VMs a user needs two assignments: the user (or a group containing the user) must be assigned to the desktop application group, and the same user or group must hold the Virtual Machine User Login role at the VM, resource group or subscription scope. Assigning the role on the resource group that holds the Azure AD-joined session hosts is the sensible choice: a broader scope such as the subscription grants the login right on every VM in it. Use Virtual Machine User Login, not Virtual Machine Administrator Login, unless desktop users are meant to be local administrators on the session hosts.
So let's create an Azure AD group and add some test users.
Browse to Azure Active Directory, select Groups, then New group.
Go to the resource group where we deployed the VMs, open Access control (IAM), and assign the Virtual Machine User Login role to the Azure AD group created earlier.
Assign the same group under the AVD application group.
To enable access from Windows devices that are not Azure AD joined, or from other clients such as iOS/Android, add targetisaadjoined:i:1 to the custom RDP properties of the host pool.
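The same access configuration done with Az PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the Az.Resources and Az.DesktopVirtualization modules are installed, Connect-AzAccount has been run, and the resource group, host pool, application group and user names shown are placeholders for your own. It also shows the caveat that Update-AzWvdHostPool replaces the whole custom RDP property string, so the existing properties are read and appended to rather than overwritten.

```powershell
# Added example, not code from the original post.
# Assumes Az.Accounts, Az.Resources and Az.DesktopVirtualization are installed
# and Connect-AzAccount has already been run. All names below are placeholders.
$ResourceGroup = 'rg-avd-aadj'          # resource group holding the session hosts
$HostPoolName  = 'hp-aadj-pooled'
$AppGroupName  = 'hp-aadj-pooled-DAG'   # desktop application group of the host pool
$GroupName     = 'AVD-AADJ-Users'
$TestUsers     = @('user1@contoso.com', 'user2@contoso.com')  # placeholder UPNs

# 1. Create the Azure AD group (idempotent) and add the test users.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName
}
foreach ($upn in $TestUsers) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberUserPrincipalName $upn
}

# 2. Virtual Machine User Login, scoped to the resource group that holds the
#    session hosts. Subscription scope would grant login on every VM in the
#    subscription; "Virtual Machine Administrator Login" would make every
#    desktop user a local administrator on every session host in scope.
$rgScope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $rgScope `
                -RoleDefinitionName 'Virtual Machine User Login'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName 'Virtual Machine User Login' -Scope $rgScope
}

# 3. Assign the group to the desktop application group. In AVD this is the
#    "Desktop Virtualization User" role scoped to the application group.
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $ResourceGroup -Name $AppGroupName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Desktop Virtualization User' -Scope $appGroup.Id

# 4. Allow non-Azure-AD-joined Windows devices and iOS/Android clients to
#    connect. Update-AzWvdHostPool replaces the entire custom RDP property
#    string, so append to the existing value instead of overwriting it.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
$rdp = [string]$hostPool.CustomRdpProperty
if ($rdp -notmatch 'targetisaadjoined:i:1') {
    if ($rdp -and -not $rdp.EndsWith(';')) { $rdp += ';' }
    $rdp += 'targetisaadjoined:i:1;'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName `
        -CustomRdpProperty $rdp
}
```

Role assignments can take a few minutes to propagate, so a test user who connects immediately after step 2 may still be refused at the session host; retry before assuming the assignment is wrong.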
Azure Virtual Desktop doesn’t currently support single sign-on for Azure AD-joined VMs.
To verify from inside the VM that it is Azure AD joined, run dsregcmd /status and check that AzureAdJoined shows YES (DomainJoined will show NO for a pure Azure AD join).
We have now logged into the Azure AD-joined VM with our cloud-only user (a hybrid user account works as well).
The AVD marketplace images now also come with Teams media optimization already applied, removing one task that used to be done manually.
Conclusion: With support for Azure AD-joined VMs you no longer need an on-premises domain controller or Azure AD Domain Services, and these VMs can also be automatically enrolled in Intune for ease of management.
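The two join checks described above (the AADLoginForWindows extension state from the Azure side, and dsregcmd /status from inside the guest) combined into one script that walks every session host in a host pool, as an added example that is not part of the original post. It assumes Az.Compute and Az.DesktopVirtualization are installed, Connect-AzAccount has been run, and the resource group and host pool names are placeholders. dsregcmd is executed in the guest through Invoke-AzVMRunCommand, so the caller needs write access to the VMs; the Test-AvdSessionHostAadJoin function and the Parse-DsregcmdStatus helper are names introduced here.

```powershell
# Added example, not code from the original post.
# Assumes Az.Compute and Az.DesktopVirtualization are installed and
# Connect-AzAccount has been run. Names below are placeholders.
$ResourceGroup = 'rg-avd-aadj'
$HostPoolName  = 'hp-aadj-pooled'

# Turn "   AzureAdJoined : YES" style lines from dsregcmd /status into a hashtable.
function Parse-DsregcmdStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Check one VM by resource ID: extension state in Azure, then dsregcmd in the guest.
function Test-AvdSessionHostAadJoin {
    param([string]$VmResourceId)
    # /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vm}
    $parts = $VmResourceId -split '/'
    $rg = $parts[4]
    $vm = $parts[-1]

    $ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vm |
           Where-Object { $_.Publisher -eq 'Microsoft.Azure.ActiveDirectory' -and
                          $_.ExtensionType -eq 'AADLoginForWindows' }
    $extOk = ($ext -and $ext.ProvisioningState -eq 'Succeeded')

    # Run dsregcmd inside the guest (runs as SYSTEM; Device State section is what we need).
    $run   = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vm `
                 -CommandId 'RunPowerShellScript' -ScriptString 'dsregcmd /status'
    $lines = ($run.Value | Where-Object { $_.Code -like '*StdOut*' }).Message -split "`r?`n"
    $state = Parse-DsregcmdStatus -Lines $lines

    [pscustomobject]@{
        VM            = $vm
        ExtensionOk   = $extOk
        AzureAdJoined = $state['AzureAdJoined']   # expect YES
        DomainJoined  = $state['DomainJoined']    # expect NO for a pure Azure AD join
        TenantId      = $state['TenantId']
        Healthy       = ($extOk -and $state['AzureAdJoined'] -eq 'YES')
    }
}

# Walk every session host registered in the host pool and report the result.
Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName |
    ForEach-Object { Test-AvdSessionHostAadJoin -VmResourceId $_.ResourceId } |
    Format-Table -AutoSize
```

A host whose extension reports Succeeded but whose guest shows AzureAdJoined : NO is worth investigating before users are assigned to it: the extension run and the device registration are separate steps, and only the second one is what the Virtual Machine User Login role is evaluated against.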