Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

No Active Directory for your AVD? Not an issue with Azure AD Join

  • March 24, 2022
  • 6 min read
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.
Cloud and Virtualization Architect. Florent is specializing in public, hybrid, and private cloud technologies. He is a Microsoft MVP in Cloud and Datacenter Management and an MCSE in Private Cloud.


In previous article (How to start with Azure Virtual Desktop) we deployed a host pool using Active Directory.

In a case where you don’t have Active Directory, but only Azure AD, it is possible to do a domain join for an AVD, to this Azure AD. Some known limitations are present: Deploy Azure AD joined VMs in Azure Virtual Desktop – Azure | Microsoft Docs

Let’s start by adding a new host pool, dedicated for this tutorial:

New host pool

We will now add a new virtual machine to this host pool:

Add a new virtual machine to this host pool

Choose the VNet part:

Choose the VNet part

And the most important part, the domain join. Choose Azure AD instead of Active Directory. You can enroll the VM if you need, to manage software, etc. in the VM.

Choose Azure AD instead of Active Directory

The deployment is finished and VM are Azure AD join:

All devices

Now, edit the RDP properties of your host pool and, in advanced, add targetisaadjoined:i:1

RDP properties

After few minutes, we can now see that the 2 hosts are up:

We can now see that the 2 hosts are up

Now that AVD session hosts are up and running, we need to add more permissions before trying to login. On each session host, you need to add accounts/groups that need to connect to this host pool, as Virtual Machine User Login in Azure RBAC. I will add this right at the resource group level:

Virtual Machine User Login

I will try to connect to https://rdweb.wvd.microsoft.com/arm/webclient

I have the following error:

Error

I need to assign a session host to this user:

Individual assignments

And after, I can assign this user to a VM:

Session hosts

And create a workspace associated to this Application group:

Application group

I can now see the application:

All resources

If I try to connect, I have the following error:

Following error

Same issue with the fat client:

Windows Security

It is a normal error. I’m using per-assigned MFA. To start, we will create a new conditional policy, based on the following article:

Azure multifactor authentication for Azure Virtual Desktop – Azure | Microsoft Docs

Go to Conditional Access – Microsoft Azure and create a new policy. Assign this policy to a group, a user or all users:

Assign this policy to a group

Select an app for which it will be applied, in this case the Azure Virtual Desktop one, with the id 9cdead84-a844-4324-93f2-b2e6bb768d07:

Select an app for which it will be applied

In the Conditions, select to which client app we need to apply this:

Conditions

For the control, select Grant access and check the box Require multi-factor authentication:

Grant access

In session, I will tell that we need to reauthenticate with MFA every 15 days:

We need to reauthenticate with MFA every 15 days

Enable the policy and save it:

Enable the policy and save it

Now, go to your users in Azure AD and click on Per-User MFA. On the new tab, disable the MFA for the users that you want to allow the connection to AVD:

MFA

Reconnect to the web interface. You need to login with your account and the MFA. And for the SessionDesktop, it now works:

SessionDesktop

SessionDesktop

As you can see, if you have only cloud based directory (Azure AD), you can use Azure Virtual Desktop, in combination with Intune/Conditional Access, to do not deploy an Active Directory only to join a domain and connect with a domain account.

Found Florent’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!