Monday 23 March 2020

Creating a Windows Virtual Desktop host pool and MFA

For now, you can't do it with an MFA-enabled account. The host pool provisioning template signs in to the WVD tenant non-interactively with the RDS Owner credentials you give it, so an account that has to answer an MFA prompt isn't supported. That's awkward, because by this stage most production admin accounts should be MFA enabled. So what do we do? The answer is simple: use an Azure AD service principal instead.

What is that about? 

It's not a user account. An Azure AD service principal is the security identity that user-created apps, services and automation tools use to sign in and access specific Azure resources. It authenticates with its own secret (or certificate) rather than a password plus MFA, and it can be granted exactly the role it needs, in this case RDS Owner on the WVD tenant, and nothing more.

So how do we use it?

These are the steps we will follow:
  • Create a service principal in Azure Active Directory.
  • Create a role assignment for it in Windows Virtual Desktop.
  • Sign in to Windows Virtual Desktop using the service principal to confirm it works.
  • Create the WVD host pool.
The first three steps are done in PowerShell.
  • First install the Azure AD and WVD PowerShell modules.
Install-Module AzureAD

Install-Module -Name Microsoft.RDInfra.RDPowerShell

Import-Module -Name Microsoft.RDInfra.RDPowerShell
  • Next create the app registration and its password credential in Azure AD. Note that -AvailableToOtherTenants $true makes the app registration multi-tenant (other Azure AD tenants can sign in to it); it does not grant the app anything in your tenant. The RDS Owner assignment further down is what gives it its rights.
Import-Module AzureAD
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

  • Now that you've created the service principal, record three values before you continue.
The service principal password first. You need to do this now: the value is only returned at creation time and can't be retrieved from Azure AD once you close this PowerShell session (if you lose it, create a new credential). The credential also expires; pass -StartDate and -EndDate to New-AzureADApplicationPasswordCredential if you want a shorter lifetime than the default.

$svcPrincipalCreds.Value (this will be Result 1)

Azure AD tenant ID:

$aadContext.TenantId.Guid (Result 2)

Application ID:

$svcPrincipal.AppId (Result 3)
  • Now create the RDS Owner role assignment for the service principal on the WVD tenant (the assignment lives in WVD, not Azure AD).
First sign in to the WVD tenant with your own (MFA) account and get the tenant name.

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Get-RdsTenant

Add the role assignment. RDS Owner is the role the host pool template requires of the account it signs in with.

$myTenantName = "<Windows Virtual Desktop Tenant Name>"
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $myTenantName

Test the service principal by signing in to WVD with it. If the sign-in succeeds and Get-RdsTenant then returns your tenant, the role assignment has taken effect.

$creds = New-Object System.Management.Automation.PSCredential($svcPrincipal.AppId, (ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force))
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid
  • Finally we can use the service principal to create the WVD host pool.
On the Windows Virtual Desktop information page of the host pool template, choose Service principal as the Windows Virtual Desktop RDS owner.

Enter the three results from the PowerShell cmdlets above (password, Azure AD tenant ID and application ID) and continue to create the WVD host pool.
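The whole PowerShell part of the procedure above as one script, added here as an example rather than code from the original post. It assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are already installed, that the account running it can sign in to both Azure AD and the WVD tenant, and it adds two things the cmdlets above leave implicit: an explicit service principal object for the app registration (rather than relying on it being provisioned at first sign-in) and an explicit, shorter secret lifetime. The display name, the 90-day lifetime and the "wvd-hostpool" key identifier are my own choices.

```powershell
# Added example (not from the original post). Creates the service principal,
# grants it RDS Owner on the WVD tenant, proves it can sign in, and prints the
# three values the host pool template asks for.
param(
    [string]$DisplayName        = "Windows Virtual Desktop Svc Principal",
    [int]   $SecretLifetimeDays = 90,   # assumption: shorter than the module default
    [string]$TenantName         = ""    # WVD tenant name; resolved below if omitted
)
$ErrorActionPreference = "Stop"
Import-Module AzureAD
Import-Module Microsoft.RDInfra.RDPowerShell

# 1. Create the app registration. This sign-in is interactive, so MFA is fine here.
$aadContext = Connect-AzureAD
$app = New-AzureADApplication -DisplayName $DisplayName -AvailableToOtherTenants $true

# Make the service principal object explicit instead of relying on
# auto-provisioning at first sign-in.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { $sp = New-AzureADServicePrincipal -AppId $app.AppId }

# 2. Add a client secret with an explicit lifetime. The value is returned only
#    here; it cannot be read back from Azure AD later.
$start  = Get-Date
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
              -CustomKeyIdentifier "wvd-hostpool" `
              -StartDate $start -EndDate $start.AddDays($SecretLifetimeDays)

# 3. Sign in to WVD as yourself, find the tenant, grant the SP RDS Owner on it.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
if (-not $TenantName) {
    $tenants = @(Get-RdsTenant)
    if ($tenants.Count -ne 1) {
        throw "Found $($tenants.Count) WVD tenants; pass -TenantName explicitly."
    }
    $TenantName = $tenants[0].TenantName
}
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" `
    -ApplicationId $app.AppId -TenantName $TenantName

# 4. Prove the service principal can sign in and see the tenant. Get-RdsTenant
#    throws here if the role assignment has not taken effect.
$securePw = ConvertTo-SecureString $secret.Value -AsPlainText -Force
$creds = New-Object -TypeName System.Management.Automation.PSCredential `
                    -ArgumentList $app.AppId, $securePw
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" `
    -Credential $creds -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid
$null = Get-RdsTenant -Name $TenantName

# 5. The three values the host pool template asks for (Results 1 to 3 above).
[pscustomobject]@{
    "Result 1 - Service principal password" = $secret.Value
    "Result 2 - Azure AD tenant ID"         = $aadContext.TenantId.Guid
    "Result 3 - Application ID"             = $app.AppId
}
```

Run it once from Windows PowerShell (the AzureAD module does not load in PowerShell Core), copy the three values into the template, and then treat the password like any other credential: store it in a vault, not in a script, and rotate it before the 90 days are up.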

I hope this helps. Until next time....
