Contents:
Create security groups in Entra ID
Assign rights to the subscription and role assignment
Create a resource group for your AVD environment
Create hostpool, VM and workspace
Add assignment to the application group
Edit RDP properties in the host pool
Prerequisites
In this tutorial we're going to create an Azure Virtual Desktop (AVD) environment and assign access to it.
Before we start, let's check on Microsoft's website what's needed to set up AVD.
- An Azure account with an active subscription
- A supported identity provider (Microsoft Entra ID)
- A supported operating system for session host virtual machines
- Appropriate licenses (in this case E3)
- Network connectivity
- A Remote Desktop client
Resource: Prerequisites for Azure Virtual Desktop | Microsoft Learn
Create security groups in Entra ID
Create 2 groups:
- AVD Users
- AVD Administrators
Group Type: Security
Membership type: Assigned
Add the right members to the right groups.
We’ve created both groups now:
Assign rights to the subscription and role assignment
Go to Access control (IAM) in your subscription
And click on Add -> Add role assignment
Search for "Virtual Machine login"
AVD Users -> Virtual Machine User Login
AVD Administrators -> Virtual Machine Administrator Login
Select the right group and click on Review + assign
Repeat the whole process for the AVD Administrators group.
Keep in mind that a role assigned at subscription scope applies to every Microsoft Entra joined VM in the subscription, not only to the AVD session hosts. If you want least privilege, assign the two login roles on the AVD resource group (created in the next step) instead; the steps are the same from that resource group's Access control (IAM) page.
After you did the assignment you can double check this under
Subscription -> Access Control (IAM) -> Role assignments
Create a resource group for your AVD environment
Go to portal.azure.com
Search under resources “resource groups”
Click on create
Give a logical resource group name and choose your region wisely! You cannot change the region afterwards, and it's important that your other AVD resources are in the same region.
Add tags if you’re going to use it (recommended)
- Review + create if validation is passed
Create the resource group rg-AVD.
Create VNET
Search for "virtual networks" and create one (AVD-VNET, in the same resource group and region) for the session hosts.
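The three preparation sections above (security groups, login-role assignments, resource group and VNet) as one script. This is an added example written for this page, not part of the original tutorial; it uses the Az and Microsoft.Graph PowerShell modules and assumes Connect-AzAccount and Connect-MgGraph have already been run. The member UPNs, tags and address ranges are made-up values. It differs from the portal steps in one deliberate way: the resource group is created first so the login roles can be scoped to it rather than to the whole subscription.

```powershell
# Added example, not part of the original tutorial: does the work of the
# "security groups", "role assignment" and "resource group / VNet" sections
# with Az and Microsoft.Graph PowerShell instead of the portal.
# Assumes: Install-Module Az, Microsoft.Graph; Connect-AzAccount; and
# Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All' have been run.
# The member UPNs, tags and address ranges below are made-up values.
$rg       = 'rg-AVD'
$location = 'northeurope'   # cannot be changed later; every AVD resource goes here

# Resource group first, so the login roles can be scoped to it rather than to
# the whole subscription (the tutorial assigns them at subscription scope).
New-AzResourceGroup -Name $rg -Location $location -Tag @{ workload = 'avd'; env = 'test' } | Out-Null
$rgId = (Get-AzResourceGroup -Name $rg).ResourceId

# Group name -> login role on the session hosts and (assumed) initial members
$groups = @{
    'AVD Users'          = @{ Role = 'Virtual Machine User Login';          Members = @('alice@contoso.com') }
    'AVD Administrators' = @{ Role = 'Virtual Machine Administrator Login'; Members = @('bob@contoso.com') }
}

foreach ($name in $groups.Keys) {
    # Security group with assigned membership (no mail, no dynamic rule)
    $g = New-MgGroup -DisplayName $name -SecurityEnabled -MailEnabled:$false `
                     -MailNickname (($name -replace '\s', '').ToLower())
    foreach ($upn in $groups[$name].Members) {
        $u = Get-MgUser -UserId $upn
        New-MgGroupMember -GroupId $g.Id -DirectoryObjectId $u.Id
    }
    # Entra login role, scoped to the AVD resource group only (least privilege)
    New-AzRoleAssignment -ObjectId $g.Id -RoleDefinitionName $groups[$name].Role -Scope $rgId | Out-Null
}

# Double check, same view as Access control (IAM) -> Role assignments
Get-AzRoleAssignment -Scope $rgId |
    Where-Object { $_.RoleDefinitionName -like 'Virtual Machine * Login' } |
    Select-Object DisplayName, RoleDefinitionName, Scope

# VNet and subnet the session hosts will use (address space is an assumption)
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'Default' -AddressPrefix '10.10.1.0/24'
New-AzVirtualNetwork -ResourceGroupName $rg -Name 'AVD-VNET' -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnet | Out-Null
```

If New-AzRoleAssignment fails with a "principal not found" error right after the group is created, the new group has not replicated yet; wait a few seconds and rerun that line. The final Get-AzRoleAssignment also lists assignments inherited from the subscription, so you can see at a glance whether a broader assignment already exists.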
Create hostpool, VM and workspace
- Search for Azure Virtual Desktop
- Click on create hostpool
- Basics settings:
Host Pool name: AVD-HP
Location: North Europe (again very important!)
Preferred app group type: Desktop (in this tutorial we’re going to show only the desktop type not the remoteApp type)
Host pool type: Pooled (if the AVD is for one person, or every user needs a dedicated session host, choose Personal)
Load-balancing: Depth first (this is the more cost-efficient option: new sessions land on the first session host until it reaches its max session limit, and only then on the next one, so idle hosts can stay deallocated)
Max session limit: 5
- Virtual machines settings:
Add virtual machines: Yes
Name prefix: AVD-SH01
Virtual machine type: Azure virtual machine
Virtual machine location: North Europe
Availability options: No infrastructure redundancy required
Security type: Trusted launch virtual machines
Enable secure boot: YES (the UEFI firmware only boots signed boot loaders and drivers)
Enable vTPM: YES (virtual TPM for measured boot, BitLocker and attestation)
Integrity monitoring: YES (guest attestation of the measured boot chain, reported in Microsoft Defender for Cloud)
image: Windows 11 Enterprise multi-session, version 23H2 – Gen2
virtual machine size: D2as v5 (test purposes)
number of vm’s: 1
OS disk type: standard SSD (in a real production environment premium ssd is the way to go)
OS disk size: default
Boot diagnostics: disabled
Vnet: AVD-VNET
Subnet: Default
Network security group type: Basic
Select which directory you would like to join: Microsoft Entra ID
User name: choose one for yourself (this is the local administrator account on the session host, not an Entra account)
Password: choose one for yourself
- Workspace settings:
Register desktop app group: YES
Click on create new
- Advanced settings:
Nothing changed, click on next
- Tags:
Click on next and click on create after validation = passed.
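The same host pool wizard expressed in Az PowerShell. This is an added example written for this page, not the tutorial's own steps; it assumes Connect-AzAccount has been run and that rg-AVD and AVD-VNET from the previous section exist. The VM name, workspace name, image SKU string and extension versions are assumptions to check against what the portal offers you. One thing the wizard does that is not shown here is installing the AVD agent on the VM with the registration token; the script generates the token and leaves that step to you.

```powershell
# Added example, not part of the original tutorial: the "Create hostpool"
# wizard as Az PowerShell (Az.DesktopVirtualization, Az.Compute, Az.Network).
# Assumes Connect-AzAccount has been run and rg-AVD / AVD-VNET exist.
# The VM name, workspace name, image SKU string and extension versions are
# assumptions; check them against what the portal offers you.
$rg       = 'rg-AVD'
$location = 'northeurope'
$hpName   = 'AVD-HP'
$vmName   = 'AVD-SH01-0'   # the portal appends an index to the "AVD-SH01" prefix

# Basics tab: pooled, depth-first, 5 sessions per host, desktop app group type
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name $hpName -Location $location `
        -HostPoolType 'Pooled' -LoadBalancerType 'DepthFirst' -MaxSessionLimit 5 `
        -PreferredAppGroupType 'Desktop'

# Workspace tab: desktop application group registered to a new workspace
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hpName-DAG" -Location $location `
        -HostPoolArmPath $hp.Id -ApplicationGroupType 'Desktop'
New-AzWvdWorkspace -ResourceGroupName $rg -Name 'AVD-WS' -Location $location `
        -ApplicationGroupReference $ag.Id | Out-Null

# Registration token the AVD agent on the session host needs to join the pool
# (installing the agent with $reg.Token is what the portal does for you; not shown here)
$reg = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hpName `
        -ExpirationTime (Get-Date).ToUniversalTime().AddHours(24).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Virtual machines tab: local admin account, NIC in AVD-VNET / Default
$cred   = Get-Credential -Message 'Local administrator account for the session host'
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'AVD-VNET'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Default'
$nic    = New-AzNetworkInterface -ResourceGroupName $rg -Name "$vmName-nic" -Location $location `
            -SubnetId $subnet.Id

# Trusted launch (Secure Boot + vTPM), Gen2 multi-session image, Standard SSD,
# boot diagnostics off, system-assigned identity (required by the Entra join extension)
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2as_v5' -IdentityType 'SystemAssigned' |
      Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent |
      Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsDesktop' -Offer 'windows-11' `
                          -Skus 'win11-23h2-avd' -Version 'latest' |
      Add-AzVMNetworkInterface -Id $nic.Id |
      Set-AzVMOSDisk -CreateOption 'FromImage' -StorageAccountType 'StandardSSD_LRS' |
      Set-AzVMSecurityProfile -SecurityType 'TrustedLaunch' |
      Set-AzVMUefi -EnableSecureBoot $true -EnableVtpm $true |
      Set-AzVMBootDiagnostic -Disable
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# Integrity monitoring = Guest Attestation extension; Entra join = AADLoginForWindows extension
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location -Name 'GuestAttestation' `
    -Publisher 'Microsoft.Azure.Security.WindowsAttestation' -ExtensionType 'GuestAttestation' `
    -TypeHandlerVersion '1.0' | Out-Null
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location -Name 'AADLoginForWindows' `
    -Publisher 'Microsoft.Azure.ActiveDirectory' -ExtensionType 'AADLoginForWindows' `
    -TypeHandlerVersion '2.0' | Out-Null
```

The order matters: trusted launch has to be set on the VM configuration before New-AzVM (it cannot be switched on for an existing Gen1 VM), and AADLoginForWindows refuses to install unless the VM already has a system-assigned managed identity, which is why New-AzVMConfig carries -IdentityType. The wizard's "Basic" network security group is not created here; add an NSG to the subnet separately if you want the equivalent.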
Add assignment to the application group
- Go to the application group linked to your newly created host pool
- Click on manage
- Click on Add and add the AVD Users and AVD Administrators groups (this gives them the Desktop Virtualization User role on the application group, which is what makes the desktop show up in their feed)
Edit RDP properties in the host pool
- Change the Microsoft Entra single sign-on setting as you need it
- Go to the advanced tab and add ";targetisaadjoined:i:1;" to the RDP properties. This tells the Remote Desktop client that the session hosts are Microsoft Entra joined; without it, connections from client devices that are not joined to the same Entra tenant fail.
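The application group assignment and the RDP property edit from the last two sections, done in Az PowerShell. This is an added example for this page, not the tutorial's own code. It assumes Connect-AzAccount and Connect-MgGraph (with Group.Read.All) have been run, and that the desktop application group is called "AVD-HP-DAG", which is an assumption; use whatever name the wizard gave yours.

```powershell
# Added example, not part of the original tutorial: "Add assignment" on the
# application group and the RDP property edit, with Az + Microsoft.Graph PowerShell.
# Assumes Connect-AzAccount and Connect-MgGraph -Scopes 'Group.Read.All' have been
# run, and that the desktop application group is named "AVD-HP-DAG" (an assumption).
$rg     = 'rg-AVD'
$hpName = 'AVD-HP'
$ag     = Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name "$hpName-DAG"

# The portal's "Add assignment" is the Desktop Virtualization User role on the app group
foreach ($groupName in 'AVD Users', 'AVD Administrators') {
    $g = Get-MgGroup -Filter "displayName eq '$groupName'"
    if (-not $g) { throw "Group '$groupName' not found" }
    New-AzRoleAssignment -ObjectId $g.Id -RoleDefinitionName 'Desktop Virtualization User' `
        -Scope $ag.Id | Out-Null
}

# RDP properties are one semicolon-separated string on the host pool; add
# targetisaadjoined:i:1 without overwriting whatever is already there.
$hp    = Get-AzWvdHostPool -ResourceGroupName $rg -Name $hpName
$props = @($hp.CustomRdpProperty -split ';' | Where-Object { $_ -and $_ -notlike 'targetisaadjoined:*' })
$props += 'targetisaadjoined:i:1'
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hpName `
    -CustomRdpProperty (($props -join ';') + ';') | Out-Null

# Verify the result, same value the portal shows under RDP Properties -> Advanced
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hpName).CustomRdpProperty
```

Appending rather than replacing matters because the "Microsoft Entra single sign-on" dropdown on the same page writes its own property (enablerdsaadauth:i:1) into this string; overwriting CustomRdpProperty with just targetisaadjoined:i:1 would silently undo that setting.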
Test connection to your AVD
- Install the Remote Desktop app
You can download it from: Get started with the Remote Desktop app for Azure Virtual Desktop | Microsoft Learn
- Click on Subscribe
It will ask for the credentials of an account you added to AVD Users or AVD Administrators
- After authenticating yourself, the AVD desktop will be available
- Try to connect by double clicking on it, and voilà