Tutorial: Create a tenant in Windows Virtual Desktop (classic)

Important

This content applies to Windows Virtual Desktop (classic), which doesn't support Azure Resource Manager Windows Virtual Desktop objects.

Creating a tenant in Windows Virtual Desktop is the first step toward building your desktop virtualization solution. A tenant is a group of one or more host pools. Each host pool consists of multiple session hosts, running as virtual machines in Azure and registered to the Windows Virtual Desktop service. Each host pool also consists of one or more app groups that are used to publish remote desktop and remote application resources to users. With a tenant, you can build host pools, create app groups, assign users, and make connections through the service.

In this tutorial, learn how to:

  • Grant Azure Active Directory permissions to the Windows Virtual Desktop service.
  • Assign the TenantCreator application role to a user in your Azure Active Directory tenant.
  • Create a Windows Virtual Desktop tenant.

What you need to set up a tenant

Before you start setting up your Windows Virtual Desktop tenant, make sure you have these things:

  • The Azure Active Directory tenant ID for Windows Virtual Desktop users.
  • A global administrator account within the Azure Active Directory tenant.
    • This also applies to Cloud Solution Provider (CSP) organizations that are creating a Windows Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in as global administrator of the customer's Azure Active Directory instance.
    • The administrator account must be sourced from the Azure Active Directory tenant in which you're trying to create the Windows Virtual Desktop tenant. This process doesn't support Azure Active Directory B2B (guest) accounts.
    • The administrator account must be a work or school account.
  • An Azure subscription.

You must have the tenant ID, global administrator account, and Azure subscription ready so that the process described in this tutorial can work properly.

Grant permissions to Windows Virtual Desktop

If you have already granted permissions to Windows Virtual Desktop for this Azure Active Directory instance, skip this section.

Granting permissions to the Windows Virtual Desktop service lets it query Azure Active Directory for administrative and end-user tasks.

To grant the service permissions:

  1. Open a browser and begin the admin consent flow to the Windows Virtual Desktop server app.

    Note

    If you manage a customer and need to grant admin consent for the customer's directory, enter the following URL into the browser and replace {tenant} with the Azure AD domain name of the customer. For example, if the customer's organization has registered the Azure AD domain name of contoso.onmicrosoft.com, replace {tenant} with contoso.onmicrosoft.com.

    https://login.microsoftonline.com/{tenant}/adminconsent?client_id=5a0aa725-4958-4b0c-80a9-34562e23f3b7&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback

  2. Sign in to the Windows Virtual Desktop consent page with a global administrator account. For example, if you were with the Contoso organization, your account might be admin@contoso.com or admin@contoso.onmicrosoft.com.

  3. Select Accept.

  4. Wait for one minute so Azure AD can record consent.

  5. Open a browser and begin the admin consent flow to the Windows Virtual Desktop client app.

    Note

    If you manage a customer and need to grant admin consent for the customer's directory, enter the following URL into the browser and replace {tenant} with the Azure AD domain name of the customer. For example, if the customer's organization has registered the Azure AD domain name of contoso.onmicrosoft.com, replace {tenant} with contoso.onmicrosoft.com.

    https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback

  6. Sign in to the Windows Virtual Desktop consent page as global administrator, as you did in step 2.

  7. Select Accept.

Assign the TenantCreator application role

Assigning an Azure Active Directory user the TenantCreator application role allows that user to create a Windows Virtual Desktop tenant associated with the Azure Active Directory instance. You'll need to use your global administrator account to assign the TenantCreator role.

To assign the TenantCreator application role:

  1. Go to the Azure portal to manage the TenantCreator application role. Search for and select Enterprise applications. If you're working with multiple Azure Active Directory tenants, it's a best practice to open a private browser session and copy and paste the URLs into the address bar.

    Screenshot of searching for Enterprise applications in the Azure portal

  2. Within Enterprise applications, search for Windows Virtual Desktop. You'll see the two applications that you provided consent for in the previous section. Of these two apps, select Windows Virtual Desktop.

    A screenshot of the search results when searching for "Windows Virtual Desktop" in "Enterprise applications." The app named "Windows Virtual Desktop" is highlighted.

  3. Select Users and groups. You might see that the administrator who granted consent to the application is already listed with the Default Access role assigned. This is not enough to create a Windows Virtual Desktop tenant. Continue following these instructions to add the TenantCreator role to a user.

    A screenshot of the users and groups assigned to manage the "Windows Virtual Desktop" enterprise application. The screenshot shows only one assignment, which is for "Default Access."

  4. Select Add user, and then select Users and groups in the Add Assignment tab.

  5. Search for a user account that will create your Windows Virtual Desktop tenant. For simplicity, this can be the global administrator account.

    • If you're using a Microsoft Identity Provider like contosoadmin@live.com or contosoadmin@outlook.com, you might not be able to sign in to Windows Virtual Desktop. We recommend using a domain-specific account like admin@contoso.com or admin@contoso.onmicrosoft.com instead.

    A screenshot of selecting a user to add as "TenantCreator."

    Note

    You must select a user (or a group that contains a user) that's sourced from this Azure Active Directory instance. You can't choose a guest (B2B) user or a service principal.

  6. Select the user account, choose the Select button, and then select Assign.

  7. On the Windows Virtual Desktop - Users and groups page, verify that you see a new entry with the TenantCreator role assigned to the user who will create the Windows Virtual Desktop tenant.

    A screenshot of the users and groups assigned to manage the "Windows Virtual Desktop" enterprise application. The screenshot now includes a second entry of a user assigned to the "TenantCreator" role.
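
The verification in step 7 can also be done from PowerShell, which makes it easy to review who holds TenantCreator later on. The following is an added example, not part of the original tutorial. It assumes the AzureAD PowerShell module is installed and that the client_id in the server app consent URL above identifies the enterprise application named "Windows Virtual Desktop"; the Directory ID is the sample value used on this page.

```powershell
# Added example (not from the original tutorial). Assumes the AzureAD module.
Import-Module AzureAD

$DirectoryId = '00000000-1111-2222-3333-444444444444'   # sample Directory ID from this page
$ServerAppId = '5a0aa725-4958-4b0c-80a9-34562e23f3b7'   # client_id from the server app consent URL

Connect-AzureAD -TenantId $DirectoryId | Out-Null

# The service principal exists only after admin consent has been recorded.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$ServerAppId'"
if (-not $sp) {
    throw "No service principal for $ServerAppId; admin consent is not recorded in this directory."
}

# Map app role IDs to display names. The all-zero ID is the Default Access assignment.
$roleNames = @{ '00000000-0000-0000-0000-000000000000' = 'Default Access' }
foreach ($role in $sp.AppRoles) { $roleNames[[string]$role.Id] = $role.DisplayName }

# One row per assignment, with the user type resolved for user principals.
$report = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    ForEach-Object {
        $userType = $null
        if ($_.PrincipalType -eq 'User') {
            $userType = (Get-AzureADUser -ObjectId $_.PrincipalId).UserType
        }
        [pscustomobject]@{
            Principal = $_.PrincipalDisplayName
            Type      = $_.PrincipalType
            UserType  = $userType
            Role      = $roleNames[[string]$_.Id]
        }
    }
$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Default Access alone is not enough to create a tenant.
$creators = @($report | Where-Object { $_.Role -eq 'TenantCreator' })
if ($creators.Count -eq 0) {
    Write-Warning 'No principal holds TenantCreator yet.'
}

# The tutorial excludes guest (B2B) users and service principals from this role.
$creators |
    Where-Object { $_.UserType -eq 'Guest' -or $_.Type -eq 'ServicePrincipal' } |
    ForEach-Object { Write-Warning "Unsupported TenantCreator holder: $($_.Principal) ($($_.Type))" }
```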

Before you continue on to create your Windows Virtual Desktop tenant, you need two pieces of information:

  • Your Azure Active Directory tenant ID (or Directory ID)
  • Your Azure subscription ID

To find your Azure Active Directory tenant ID (or Directory ID):

  1. In the same Azure portal session, search for and select Azure Active Directory.

    A screenshot of the search results for "Azure Active Directory" in the Azure portal. The search result under "Services" is highlighted.

  2. Scroll down until you find Properties, and then select it.

  3. Look for Directory ID, and then select the clipboard icon. Paste it in a handy location so you can use it later as the AadTenantId value.

    A screenshot of the Azure Active Directory properties. The mouse is hovering over the clipboard icon for "Directory ID" to copy and paste.

To find your Azure subscription ID:

  1. In the same Azure portal session, search for and select Subscriptions.

    A screenshot of the search results for "Azure Active Directory" in the Azure portal. The search result for "Services" is highlighted.

  2. Select the Azure subscription you want to use to receive Windows Virtual Desktop service notifications.

  3. Look for Subscription ID, and then hover over the value until a clipboard icon appears. Select the clipboard icon and paste it in a handy location so you can use it later as the AzureSubscriptionId value.

    A screenshot of the Azure subscription properties. The mouse is hovering over the clipboard icon for "Subscription ID" to copy and paste.

Create a Windows Virtual Desktop tenant

Now that you've granted the Windows Virtual Desktop service permissions to query Azure Active Directory and assigned the TenantCreator role to a user account, you can create a Windows Virtual Desktop tenant.

First, download and import the Windows Virtual Desktop module to use in your PowerShell session if you haven't already.

Sign in to Windows Virtual Desktop by using the TenantCreator user account with this cmdlet:

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

After that, create a new Windows Virtual Desktop tenant associated with the Azure Active Directory tenant:

New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID>

Replace the bracketed values with values relevant to your organization and tenant. The name you choose for your new Windows Virtual Desktop tenant should be globally unique. For example, let's say you're the Windows Virtual Desktop TenantCreator for the Contoso organization. The cmdlet you'd run would look like this:

New-RdsTenant -Name Contoso -AadTenantId 00000000-1111-2222-3333-444444444444 -AzureSubscriptionId 55555555-6666-7777-8888-999999999999

It's a good idea to assign administrative access to a second user in case you ever find yourself locked out of your account, or you go on vacation and need someone to act as the tenant admin in your absence. To assign admin access to a second user, run the following cmdlet with <TenantName> and <Upn> replaced with your tenant name and the second user's UPN.

New-RdsRoleAssignment -TenantName <TenantName> -SignInName <Upn> -RoleDefinitionName "RDS Owner"
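
The sign-in, tenant creation and second-owner assignment above can be combined into one function that validates the pasted IDs first and reads the role assignment back afterwards. This is an added example, not part of the original tutorial. The function name New-ClassicWvdTenant and the UPN admin2@contoso.com are hypothetical, and it assumes the Windows Virtual Desktop module is already imported and that Get-RdsRoleAssignment from that module is available.

```powershell
# Added example, not from the original tutorial.
# Assumes the Windows Virtual Desktop (classic) PowerShell module is already imported.
function New-ClassicWvdTenant {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$TenantName,
        [Parameter(Mandatory)][guid]$AadTenantId,          # Directory ID; a malformed paste fails the [guid] cast
        [Parameter(Mandatory)][guid]$AzureSubscriptionId,  # Subscription ID
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$SecondOwnerUpn
    )
    $ErrorActionPreference = 'Stop'

    # The two IDs are copied from different portal pages; catch an empty or doubled paste.
    if ($AadTenantId -eq [guid]::Empty -or $AzureSubscriptionId -eq [guid]::Empty) {
        throw 'AadTenantId and AzureSubscriptionId must not be the all-zero GUID.'
    }
    if ($AadTenantId -eq $AzureSubscriptionId) {
        throw 'AadTenantId and AzureSubscriptionId are identical; one was pasted twice.'
    }
    # The tutorial notes that live.com / outlook.com identities might not be able to sign in.
    if ($SecondOwnerUpn -match '@(live|outlook)\.com$') {
        Write-Warning "$SecondOwnerUpn is a Microsoft Identity Provider account and might not be able to sign in."
    }

    # Interactive sign-in as the user that holds the TenantCreator role.
    Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com' | Out-Null

    New-RdsTenant -Name $TenantName -AadTenantId $AadTenantId.ToString() `
        -AzureSubscriptionId $AzureSubscriptionId.ToString() | Out-Null
    New-RdsRoleAssignment -TenantName $TenantName -SignInName $SecondOwnerUpn `
        -RoleDefinitionName 'RDS Owner' | Out-Null

    # Read the assignments back instead of trusting the absence of an error.
    $owners = @(Get-RdsRoleAssignment -TenantName $TenantName |
        Where-Object { $_.RoleDefinitionName -eq 'RDS Owner' })
    if ($owners.SignInName -notcontains $SecondOwnerUpn) {
        throw "RDS Owner assignment for $SecondOwnerUpn was not found on tenant $TenantName."
    }
    $owners | Select-Object SignInName, RoleDefinitionName, Scope
}

# IDs from the tutorial's Contoso example; the UPN is a constructed placeholder.
New-ClassicWvdTenant -TenantName 'Contoso' `
    -AadTenantId '00000000-1111-2222-3333-444444444444' `
    -AzureSubscriptionId '55555555-6666-7777-8888-999999999999' `
    -SecondOwnerUpn 'admin2@contoso.com'
```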

Next steps

After you've created your tenant, you'll need to create a service principal in Azure Active Directory and assign it a role within Windows Virtual Desktop. The service principal will allow you to successfully deploy the Windows Virtual Desktop Azure Marketplace offering to create a host pool. To learn more about host pools, continue to the tutorial for creating a host pool in Windows Virtual Desktop.