Deploying a WVD infrastructure is divided into the following steps:
- Create a tenant in the WVD service
- Create a first host pool
- Grant User rights to the default Desktop Application group
Please be aware that you will need information from the PowerShell responses of some commands (e.g. Tenant Group name, Tenant Name, ...); a good practice is to copy those outputs into some kind of documentation.
Important to know: you will need the Directory ID of the Azure AD to which the WVD service should be registered. You will find the ID in the Azure Portal (see screenshot):
With the Directory ID at hand (better: in the clipboard), you can register the server and client app for the Virtual Desktop service under https://rdweb.wvd.microsoft.com/.
The next step in the doc is to assign special rights to the AAD user who will be the WVD AAD admin. The WVD admin does not need Enterprise Admin rights.
Detailed steps are provided in the docs:
Step-by-step guide in Microsoft Docs to create a WVD tenant
Before deploying the first host pool to the infrastructure there is one important fact to consider. As long as no directory synchronization is in place between the on-prem AD (even if it is deployed in Azure) and the AAD, the only way to deploy the host pool is to use a service principal for the deployment (see https://docs.microsoft.com/de-de/azure/virtual-desktop/create-service-principal-role-PowerShell).
How to create a service principal
Open a PowerShell prompt and install the AzureAD module. Afterwards, declare some variables:
$myTenantGroupName = "<my-tenant-group-name>"
$myTenantName = "<my-tenant-name>"
The next step is to create the service principal:
Import-Module AzureAD
Import-Module -Name Microsoft.RDInfra.RDPowerShell
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId
At the end you can get all the values you need during the deployment of the host pool by executing the following PowerShell commands:
## Login with the service principal
$creds = New-Object System.Management.Automation.PSCredential($svcPrincipal.AppId, (ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force))
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid
## Show all IDs for the host pool deployment
## Client secret of the service principal (a credential, not an ID: keep it out of your documentation)
$svcPrincipalCreds.Value
## Azure AD tenant ID
$aadContext.TenantId.Guid
## Application (client) ID of the service principal
$svcPrincipal.AppId
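As an added example (not code from the original post, and not the linked Microsoft doc verbatim), the complete service-principal flow in one script, including the RDS role assignment from the linked doc that the two tenant variables above are declared for, plus a verification step at the end. The tenant group name and tenant name are placeholders, and the 90-day secret lifetime is an assumption.

```powershell
# Added example: create the WVD service principal, authorise it on the tenant, verify.
# Assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and that
# the interactive user running this is already RDS Owner of the WVD tenant.
Import-Module AzureAD
Import-Module -Name Microsoft.RDInfra.RDPowerShell

$myTenantGroupName = "<my-tenant-group-name>"   # placeholder: taken from the tenant creation output
$myTenantName      = "<my-tenant-name>"         # placeholder

$aadContext = Connect-AzureAD

# Register the application (multi-tenant, as in the linked doc) and attach a client secret.
# Assumption: a 90-day lifetime, so a leaked or forgotten secret does not stay valid forever.
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true `
    -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential `
    -ObjectId $svcPrincipal.ObjectId `
    -StartDate (Get-Date) -EndDate (Get-Date).AddDays(90)

# Authorise the principal on the WVD tenant; this is where the two variables are used.
# "RDS Owner" is the role the linked doc prescribes for host pool deployment.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" `
    -ApplicationId $svcPrincipal.AppId `
    -TenantGroupName $myTenantGroupName `
    -TenantName $myTenantName

# Verify: sign in as the service principal itself and list the tenant's role assignments.
# The secret is only ever held in a SecureString here and is not written to the console.
$secret = ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force
$creds  = New-Object System.Management.Automation.PSCredential -ArgumentList $svcPrincipal.AppId, $secret
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds `
    -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid
Get-RdsRoleAssignment -TenantGroupName $myTenantGroupName -TenantName $myTenantName

# Values the host pool deployment asks for (the secret is needed once, at deployment time)
"Application ID : $($svcPrincipal.AppId)"
"AAD tenant ID  : $($aadContext.TenantId.Guid)"
```

If the final `Get-RdsRoleAssignment` does not list the application ID as RDS Owner, the host pool deployment with these credentials will fail, so check it before starting the ARM deployment.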
All other steps can be done as described in the Microsoft Docs, except for the deployment credentials: in the step "Windows Virtual Desktop Preview tenant information", use the service principal instead of user credentials.
If you have not already done so in the step above, you must now grant the user access to the default Desktop Application Group with the following PowerShell commands:
## Login to the WVD service
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
## Set the user permission on the default app group of the host pool
Add-RdsAppGroupUser -TenantName <tenantname> -HostPoolName <hostpoolname> -AppGroupName "Desktop Application Group" -UserPrincipalName <userupn>
Because this sample assumes no synchronization between Azure AD and the "host pool AD", you should use the web client of the WVD service to access the RDP session. The URL is currently:
https://rdweb.wvd.microsoft.com/webclient/index.html
After logging in with the Azure AD credentials of a user who has the right permissions assigned:
After starting the connection and selecting the options (printer, clipboard), you will be prompted for credentials:
When the Session Desktop starts, the user is connected to the session host via the browser:
Please note that, in the current state of the preview, only the web client allows you to change the username when logging in to the session host.