question

0 Votes
PLPro asked PLPro edited

Azure AD-only Azure Virtual Desktop (AVD) Deployment

Post added at the request of Microsoft support:

I understand that previously AVD/WVD deployments required that AVD VMs be domain-joined, but now there's an option to add VMs to host pools using Azure AD auth. However, even if the tenant ID for the host pool VM corresponds with the default Azure AD tenant ID, when the Azure AD option is selected on creating the host pool, hosts added to the pool are marked "unavailable", with the health check returning the following:

{
  "healthCheckName": "DomainJoinedCheck",
  "healthCheckResult": "HealthCheckFailed",
  "additionalFailureDetails": {
    "message": "SessionHost unhealthy: SessionHost is not joined to a domain",
    "errorCode": -2147467259,
    "lastHealthCheckDateTime": "2021-07-18T02:45:30.0910788Z"
  }
}

This may just be a case where the configuration flow in the UI is allowing for new functionality (Azure AD-only configuration) but the VM verification as reflected in the portal hasn't been updated to allow the new configuration, but as I am new to AVD it's very possible that something less obvious is happening. Any pointers would be much appreciated.

azure-active-directory

For reference, I'm having the problem described above despite having set the "Validation Environment" Host Pool property to "Yes" after creating the host pool.

0 Votes

Thanks for reaching out.

We are checking on this thread with internal team and will get back to you. Thanks !

0 Votes

Thank you! Restarting the VM as suggested in the accepted answer addressed the issue described here. The remaining auth-related issue that seems to be affecting the AVD web client in particular for this AAD-only deployment is described in another forum post; I believe it is being escalated internally by MS Support.


0 Votes

1 Answer

2 Votes
PawelG-8052 answered PLPro edited

Hi, I had the same issue and I was able to resolve it by:
- checking if your host pool is a Validation environment - https://docs.microsoft.com/en-us/azure/virtual-desktop/create-validation-host-pool?WT.mc_id=Portal-Microsoft_Azure_WVD
- making sure that you granted proper roles on the resource where your AVD is located. You need to grant AVD users (or a group) the Virtual Machine User Login role.

After that just restart the VM and it should be fine.

However, after doing all that I'm still unable to access my AADJ HP from a Remote Desktop client app.
I'm getting an error 0x9735.
What is more, I can connect to the HP from the RD web client just fine.

It seems that AADJ on a host pool is still an immature feature.

Restarting did it, thank you!!! After all these years you'd think I would have tried "turning it off and back on again"!

Kidding aside, absent evidence (like what you shared) that something else might work, with this being a new service I figured I'd stop when the happy path breaks down to preserve the "broken" state for Microsoft support. As it is, the AVD team may just want to update the validation environment docs you link to above to suggest restarting all HP VMs after a change to the Validation Environment setting.

I'll work on trying to get an RD client connection going and will update if I get anywhere toward hopefully returning the kindness.

Thanks again!

1 Vote

Interestingly, it seems that due to the fact that an AAD endpoint containing the AAD default tenant GUID is returning a 400 error (I posted about that to the forums separately), the web client isn't working for me.

The Windows Desktop AVD client available here, however, is working fine for me against the same HP.


1 Vote

Hey. Thanks a lot for the tip to install the RD Insider client.
Now it works perfectly. Even from my own laptop, which is not joined to the same tenant...

As for your issue with the RD web client, I think I know how to solve it.

Go to the AVD console, select your AADJ host pool, RDP properties, Advanced, and in the RDP properties window just type: targetisaadjoined:i:1 Save and it should work fine.

2 Votes
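The fixes given in the answer above (validation environment, Virtual Machine User Login role, VM restart) and in the comment just above (the targetisaadjoined:i:1 RDP property) can be applied together from Az PowerShell. This is an added example, not code from the thread or from Microsoft; the resource group, host pool name and group object ID are placeholder assumptions, as is the assumption that each VM's resource name equals the first label of its session host name.

```powershell
# Added example: remediate an Azure AD-joined AVD host pool whose session hosts
# fail DomainJoinedCheck. Requires Az.Accounts, Az.Resources, Az.Compute and
# Az.DesktopVirtualization, and an existing Connect-AzAccount session.

$ResourceGroup = 'rg-avd-example'    # assumption: resource group holding the host pool and VMs
$HostPool      = 'hp-aadj-example'   # assumption: the Azure AD-joined host pool
$UsersGroupId  = '00000000-0000-0000-0000-000000000000'  # assumption: object ID of the AVD users group

# 1. Flag the host pool as a validation environment and set the RDP property that
#    tells the web client the target is Azure AD-joined.
Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool `
    -ValidationEnvironment:$true `
    -CustomRdpProperty 'targetisaadjoined:i:1'

# 2. Grant the users group "Virtual Machine User Login", scoped to this resource
#    group only, and skip the assignment if it already exists.
$rgScope  = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
$existing = Get-AzRoleAssignment -ObjectId $UsersGroupId `
    -RoleDefinitionName 'Virtual Machine User Login' -Scope $rgScope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $UsersGroupId `
        -RoleDefinitionName 'Virtual Machine User Login' -Scope $rgScope
}

# 3. Restart every session host that is not Available, then re-read the pool status.
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool
foreach ($sh in $sessionHosts | Where-Object { $_.Status -ne 'Available' }) {
    # Session host names look like "<hostpool>/<hostname>[.<domain>]"; assumption:
    # the VM resource name is the hostname label before the first dot.
    $vmName = (($sh.Name -split '/')[-1] -split '\.')[0]
    Write-Host "Restarting $vmName (current status: $($sh.Status))"
    Restart-AzVM -ResourceGroupName $ResourceGroup -Name $vmName | Out-Null
}

Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool |
    Select-Object Name, Status, UpdateState |
    Format-Table -AutoSize
```

The final listing is the check to run a few minutes after the restarts: a host that still reports anything other than Available has a problem beyond the one this thread describes.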

That works, thank you (again)!!! I missed the notification for your reply all those days ago or I would have pointed you to my other post and accepted your answer there; the accepted answer came through a couple of days back. That said, the link therein to Dean Cefola's video(s) has proven a handy reference.

Next stop: getting external users invited to the AzureAD tenant working!



0 Votes

That did the trick for me as well; very anxious to get this working to avoid lighting up any connections to AD or ADDS. Have you had any success on the RC app on iOS?

Our instance with AD seems OK, but the Azure AD ones error out on iOS and iPadOS.

iOS - error code 0x2607
iPadOS won't take my login; it just keeps going back to "The user account used to connect to the remote PC did not work. Try again."

0 Votes
PLPro (replying to AndrewTrevisani-2712):

I encountered a similar problem with the RDWeb client, which I posted about here. The accepted answer to that post addressed it in my case, specifically tip 2 about setting the targetisaadjoined:i:1 RDP property in the host pool settings as demonstrated in Dean Cefola's video (linked to in the answer to that post).

I just noticed that PawelG-8052 provided the same tip above; I didn't see a notification come through!

I hope this helps.


0 Votes