question

0 Votes
PLPro asked PLPro edited

Is Azure Virtual Desktop working with AzureAD External Users in the Validation Environment/Preview for an AAD-only Host Pool?

I have an AVD Host Pool set up and working in AAD-only mode with internal AAD tenant users, but even after granting an external user the Virtual Machine User Login role and assigning an Application group to the external user in the Host Pool, neither the AVD Desktop RDP client nor the web client are displaying the assigned application group's remote app in the external user's feed (or even an entry for the application group).

For reference, Per-user access pricing was turned on for the subscription when AVD was set up. (This clarification was added subsequent to posting of Answer #1 below).

Has anyone managed to get AzureAD external accounts working in the validation environment for AAD-only AVD host pools?

It's always possible external accounts just aren't working yet, but since the per-user access promotion for external users went into effect on July 14, I suspect they're supposed to be. Hopefully someone else has had better luck and would be willing to share tips that might help me and others.

Thanks in advance!

Additional Details:

In the web RD client, when I open developer tools and check network traffic, I see the following error:

authRedirectFailure: ServerError: invalid_client: AADSTS650052: The app needs access to a service ('https://mrs-Prod.ame.gbl/mrs-RDInfra-prod') that your organization 'mysubdomain.onmicrosoft.com' has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service subscriptions.

In the error above, mysubdomain.microsoft.com is the domain name for the AAD tenant that is working fine with internal accounts (these authenticating from both the web client and desktop client). I've tried authenticating external users with both the primary domain and the secondary domain and encounter the same error.

[UPDATE]: Answer #2, below, addresses the specific problem I encountered: specifically, that I was attempting to use AAD guest accounts in an attempt to distinguish "internal" and "external" users for Per user access licensing, and that simply isn't how Per user access licensing works, technically, for AVD.


Tags: azure-active-directory, azure-virtual-desktop

0 Votes
AndreasBaumgarten answered PLPro commented

Hi anonymous user,

did you enroll your Azure Subscription for AVD Per-User access pricing?

119516-image.png

More details you will find here:
https://docs.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/licensing
https://docs.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/per-user-access-pricing


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten





Thank you for your thoughtful reply, Andreas. Yes, I did that right at the start when originally setting up AVD under the subscription; I should have mentioned that when posting the question and will update the post to clarify.

0 Votes

0 Votes
PLPro answered

I opened a ticket with Microsoft Support on this subject and it turns out that what I was contending with was a misunderstanding relating to what constituted an "external user" for Per user access licensing to apply for AVD. I thought that the users had to use external identities (e.g., be AAD guest users) in order for the per-user access to be licensed, but it turns out this is not supported:

"Azure Virtual Desktop doesn't currently support external identities, including business-to-business (B2B) or business-to-client (B2C) users. You'll need to create and manage these identities manually and provide the credentials to your users yourself. Users will then use these identities to access resources in Azure Virtual Desktop."

My incorrect assumptions were fundamentally a product of thinking that "double licensing" would automatically be avoided by the platform if "internal" and "external" users were distinguished in the AAD tenant, but that turns out not to be the case. The importance of managing deployments carefully toward avoiding paying twice in mixed-license scenarios is further discussed here:

"Azure Virtual Desktop will also charge users with separate assigned licenses that otherwise entitle them to Azure Virtual Desktop access. If you have internal users you're purchasing eligible licenses for, we recommend you give them access to Azure Virtual Desktop through a separate subscription that isn't enrolled in per-user access pricing to avoid effectively paying twice for those users."
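As an added example, not part of the original question or answers: the root cause above (B2B guest identities assigned to an application group will never appear in the feed, and the web client surfaces an AADSTS error instead) can be caught before users report it. The script below flags external identities among the users assigned to an application group and pulls the AADSTS code out of an error string like the one in the question. The user records are constructed sample data shaped like Microsoft Graph `user` objects (`userPrincipalName`, `userType`); no tenant is queried, and the UPNs and tenant name are placeholders.

```python
"""
Added example (not from the original Q&A post): audit an AVD application group's
assigned users for Azure AD guest (external) identities, which AVD does not sign in,
and decode an AADSTS error string captured from the web client's network trace.
The sample users below are constructed and mimic the shape of Microsoft Graph
`user` objects; nothing here talks to Azure.
"""
import re

# Constructed sample: what a Graph query for the app group's assigned users might return.
# The '#EXT#' UPN pattern and userType == "Guest" are how Azure AD represents B2B guests.
ASSIGNED_USERS = [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "userType": "Member"},
    {"userPrincipalName": "bob_fabrikam.com#EXT#@contoso.onmicrosoft.com", "userType": "Guest"},
    {"userPrincipalName": "carol@contoso.onmicrosoft.com", "userType": "Member"},
]

# Matches "AADSTS<digits>: <message>" anywhere in a longer error string.
AADSTS_RE = re.compile(r"AADSTS(?P<code>\d+):\s*(?P<message>.*)")


def is_external_identity(user: dict) -> bool:
    """True when the account is a B2B guest (userType 'Guest' or a '#EXT#' UPN)."""
    upn = user.get("userPrincipalName", "")
    return user.get("userType") == "Guest" or "#EXT#" in upn


def unsupported_assignments(users: list) -> list:
    """Return the UPNs of assigned users that AVD cannot sign in (external identities)."""
    return [u["userPrincipalName"] for u in users if is_external_identity(u)]


def parse_aadsts_error(text: str):
    """Extract (code, message) from an AADSTS error string, or None if there is none."""
    match = AADSTS_RE.search(text)
    if not match:
        return None
    return match.group("code"), match.group("message").strip()


if __name__ == "__main__":
    # Constructed error string modelled on the one reported in the question.
    sample_error = (
        "authRedirectFailure: ServerError: invalid_client: AADSTS650052: The app needs "
        "access to a service ('https://mrs-Prod.ame.gbl/mrs-RDInfra-prod') that your "
        "organization 'contoso.onmicrosoft.com' has not subscribed to or enabled."
    )
    for upn in unsupported_assignments(ASSIGNED_USERS):
        print(f"WARNING: guest identity assigned to app group, will not get a feed: {upn}")
    parsed = parse_aadsts_error(sample_error)
    if parsed:
        code, message = parsed
        print(f"AADSTS code {code}: {message}")
```

In practice the `ASSIGNED_USERS` list would be replaced by the result of listing the application group's role assignments and resolving each principal through Microsoft Graph; the check itself stays the same.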


