In the previous article we built an Azure Virtual Desktop lab that consisted of cloud-only infrastructure. We deployed storage accounts ready for FSLogix profile containers and created an instance of Azure Active Directory Services (AADDS) so we can use domain join, NTFS and the other benefits we would get if we had synced an on-premises domain via AD Connect.
We then deployed a host pool with a session host via the "create a host pool" wizard.
If you missed that article, or need a reference for what's been deployed or a refresher, you can check the link out below!
For this article, we are going to cover how we connect our users to the deployment so they can log into the workspace and then login to a pooled desktop machine.
There are two main methods you can use to get your workforce into AVD and working:
- Remote Desktop Client
- Web Client
Let's look at each in depth.
Remote Desktop Client
OS Support = Windows 7 / 10 / 11
Simply install. You will need to select install for yourself or per-machine. Per-machine would be required for a thin terminal shared by a number of users, so bear that in mind.
After installation, you will be greeted with the "Getting Started" page where you will need to subscribe to a workspace.
You can subscribe with the workspace URL or sign in with your user account. In this instance I will use testuser1, who we created back in the lab setup. For reference you can find the workspace URLs below; most will use the "Azure Virtual Desktop" link.
[Image: workspace URLs]
Remember: testuser1 is a member of the FSLogix-Profiles and AVD_USERS groups.
After using the workspace link for "Azure Virtual Desktop" you will be prompted to sign in. Once signed in, notice we have no resources assigned for access.
Let's fix this now.
Assign User Permissions
1. Add AVD_USERS to our hostpool1-DAG (Application Group).
2. Give AVD_USERS "Virtual Machine User Login" permissions to our session host VMs.
For point 1 navigate to:
RG_VirtualDesktop > Hostpool1-DAG > Assignments > +Add
The second point needs a bit more thought. We can obviously add the permissions to each session host (OK when we have one), but if you're in an environment with a large number of session hosts it will be easier to apply the permissions at the resource group level. Why? Because it will allow access to all session hosts in our resource group, and our users in a busy environment may be spread across a number of different hosts, so it's vital permissions are set correctly at the correct level.
We will do this here. Navigate to the following:
RG_VirtualDesktop > Access Control (IAM)
You want to create a "Role Assignment" and assign AVD_USERS to "Virtual Machine User Login" role.
Navigate back to your Remote Desktop Client and refresh the workspace.
And magically you will now see the desktop session available for logon:
Double-click this to connect to your AVD session.
Web Client
The following HTML5-capable browsers are supported. Note there is currently NO mobile support for the web client.
Navigate to the following URL:
You will be prompted to log in. If you followed the instructions for the Remote Desktop Client and already set up the user permissions and role assignments, you will be greeted with the session host on the workspace.
If your workspace is blank and you skipped the "Remote Desktop Client" section above, go back and review the "Assign User Permissions" section, then try again.
Administer User Connections
The following lets you view current sessions and disconnected sessions on your session host. Navigate to the following for an overview:
RG_VirtualDesktop > Hostpool1
The image below was after I disconnected from the session host.
Alternatively, navigate to the following for a full list of user connections:
RG_VirtualDesktop > Hostpool1 > Session Host > Select your Session host > Select "Users" tab
Here I have an active connection to the session host.
From this screen you have a number of options:
- Notify users: lets you write a message to session host users that will display in their session, e.g. planned maintenance.
- Log Off/Force Log Off Users: remove a session, by force if needed.
- Drain Mode: when you want to prepare the session host for maintenance, you have sent out a notification to current users and you don't want new users to connect, drain mode is for you. Don't forget to turn it back off after maintenance or no new sessions can occur.
Remember - To have control of these functions with "least privilege" in mind you need to allocate:
Desktop Virtualization User Session Operator = Send notifications/Sign off/Disconnect sessions
Desktop Virtualization Session Host Operator = Use Drain Mode/ Add + Remove Session Hosts
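The two steps from "Assign User Permissions" and the operator roles listed above can also be applied and then audited from PowerShell. This is an added example, not part of the original lab: it assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session, and the groups AVD_HELPDESK and AVD_HOSTOPS are hypothetical names that do not exist in the lab.

```powershell
# Added example: scripts the portal steps from this article, then lists who holds login/AVD roles.
$rgName  = 'RG_VirtualDesktop'
$rgScope = (Get-AzResourceGroup -Name $rgName -ErrorAction Stop).ResourceId
$avd     = "$rgScope/providers/Microsoft.DesktopVirtualization"

function Grant-RoleOnce {
    param([string]$GroupName, [string]$Role, [string]$Scope)
    $group = Get-AzADGroup -DisplayName $GroupName
    if (-not $group) { Write-Warning "Group '$GroupName' not found, skipping."; return }
    # Get-AzRoleAssignment -Scope also returns inherited assignments, so match the exact scope.
    $have = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $Role -Scope $Scope |
            Where-Object { $_.Scope -eq $Scope }
    if (-not $have) {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $Role -Scope $Scope | Out-Null
        Write-Host "Assigned '$Role' to $GroupName at $Scope"
    }
}

# Point 1: an application group assignment is the "Desktop Virtualization User" role on that group.
Grant-RoleOnce -GroupName 'AVD_USERS' -Role 'Desktop Virtualization User' `
               -Scope "$avd/applicationGroups/Hostpool1-DAG"

# Point 2: sign-in right on the session hosts, set once at resource group level.
# Every VM in RG_VirtualDesktop inherits this, so keep non-AVD VMs out of the group.
Grant-RoleOnce -GroupName 'AVD_USERS' -Role 'Virtual Machine User Login' -Scope $rgScope

# Operator roles, split across two hypothetical groups and scoped to the host pool only.
Grant-RoleOnce -GroupName 'AVD_HELPDESK' -Role 'Desktop Virtualization User Session Operator' `
               -Scope "$avd/hostPools/Hostpool1"
Grant-RoleOnce -GroupName 'AVD_HOSTOPS' -Role 'Desktop Virtualization Session Host Operator' `
               -Scope "$avd/hostPools/Hostpool1"

# Audit: assignments effective on the resource group, including ones inherited
# from the subscription. Anything unexpected here is broader access than intended.
Get-AzRoleAssignment -ResourceGroupName $rgName |
    Where-Object { $_.RoleDefinitionName -like 'Virtual Machine * Login' -or
                   $_.RoleDefinitionName -like 'Desktop Virtualization *' } |
    Sort-Object Scope, RoleDefinitionName |
    Format-Table DisplayName, ObjectType, RoleDefinitionName, Scope -AutoSize
```

Running the script a second time makes no changes, and the final table is worth reviewing for "Virtual Machine Administrator Login" or assignments whose Scope is the whole subscription.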
We have covered how to connect users to AVD sessions using both the Remote Desktop Client and the Web Client, and how to administer user connections from the Azure Portal.
Next Article we will look at locking Azure Virtual Desktop connections down using Conditional Access Policies.
Don't forget to turn off any running session hosts or decommission your environment to save on costs.