Deploy Azure AD joined virtual machines in Azure Virtual Desktop

Important

Azure AD joined VM support is currently in public preview. This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

This article will walk you through the process of deploying and accessing Azure Active Directory joined virtual machines in Azure Virtual Desktop. This removes the need to have line-of-sight from the VM to an on-premise or virtualized Active Directory Domain Controller (DC) or to deploy Azure AD Domain services (Azure AD DS). In some cases, it can remove the need for a DC entirely, simplifying the deployment and management of the environment. These VMs can also be automatically enrolled in Intune for ease of management.

Note

Azure Virtual Desktop (Classic) doesn't support this feature.

Supported configurations

The following configurations are currently supported with Azure AD-joined VMs:

  • Personal desktops with local user profiles.
  • Pooled desktops used as a jump box. In this configuration, users first access the Azure Virtual Desktop VM before connecting to a different PC on the network. Users should not save data on the VM.
  • Pooled desktops or apps where users don't need to save data on the VM. For example, for applications that save data online or connect to a remote database.

User accounts can be cloud-only or hybrid users from the same Azure AD tenant. External users are not supported at this time.

Deploy Azure AD-joined VMs

Important

During public preview, you must configure your host pool to be in the validation environment.

You can deploy Azure AD-joined VMs directly from the Azure portal when creating a new host pool or expanding an existing host pool. On the Virtual Machines tab, select whether to join the VM to Active Directory or Azure Active Directory. Selecting Azure Active Directory gives you the option to Enroll the VM with Intune automatically so you can easily manage Windows 10 ENT and Windows 10 ENT multi-session VMs. Keep in mind that the Azure Active Directory option will join VMs to the same Azure AD tenant as the subscription you're in.

Note

  • Host pools should only contain VMs of the same domain join type. For example, AD-joined VMs should only be with other AD VMs, and vice-versa.
  • The host pool VMs must be Windows 10 single-session or multi-session, version 2004 or later.

After you've created the host pool, you must assign user access. For Azure AD-joined VMs, you'll need to do two things: give users access to both the App Group and VMs.

Follow the instructions in Manage app groups to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever possible.

To grant users access to Azure AD-joined VMs, you must configure role assignments for the VM. You can assign the Virtual Machine User Login or Virtual Machine Administrator Login role either on the VMs, the resource group containing the VMs, or the subscription. We recommend assigning the Virtual Machine User Login role to the same user group you used for the app group at the resource group level to make it apply to all the VMs in the host pool.

Access Azure AD-joined VMs

This section explains how to access Azure AD-joined VMs from different Azure Virtual Desktop clients.

Note

Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs.

Connect using the Windows Desktop client

The default configuration supports connections from Windows 10 using the Windows Desktop client. You can use your credentials, smart card, Windows Hello for Business certificate trust or Windows Hello for Business key trust with certificates to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:

  • The local PC is Azure AD-joined to the same Azure AD tenant as the session host
  • The local PC is hybrid Azure AD-joined to the same Azure AD tenant as the session host
  • The local PC is running Windows 10, version 2004 and later, and is Azure AD registered to the same Azure AD tenant as the session host

To enable access from Windows devices not joined to Azure AD, add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.

Connect using the other clients

To access Azure AD-joined VMs using the web, Android, macOS, iOS, and Microsoft Store clients, you must add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.

User profiles

Azure Virtual Desktop currently only supports local profiles for Azure AD-joined VMs.

Next steps

Now that you've deployed some Azure AD joined VMs, you can sign in to a supported Azure Virtual Desktop client to test it as part of a user session. If you want to learn how to connect to a session, check out these articles: