What is the WVD domain-join account?
This account has to be entered during the provisioning of a WVD host pool.
One of the required items is the AD domain join UPN. This is the account that will be used to join the VMs to your on-premises Active Directory. If you look at the tooltip you will see the following text:
"UPN of an Active Directory user that has permissions and will be used to join the virtual machines to your domain. For example, firstname.lastname@example.org. A local user account with this name will be created on each virtual machine. Do not enter a user who has MFA enabled. See https://aka.ms/vmUsernameReq for invalid usernames".
There are a few takeways here.
- the account must have permissions to join AD (this is obvious)
- a local account is actually created on each VM
- the account cannot be MFA enabled
- take note of the URL for invalid usernames (see next section)
Requirement #1: MFA cannot be enabled on the WVD AD join account.
(tip: you should create a service account for this).
The official WVD docs don't tell us much about the requirements for this account.
"Enter the user principal name and password. This account must be the domain account that will join the virtual machines to the Active Directory domain. This same username and password will be created on the virtual machines as a local account. You can reset these local accounts later".
However there are some specific requirements around invalid usernames, which are actually enforced by Azure (this was my problem). You can find them in the Azure VMs FAQ docs
These are the blacklisted usernames. There are a number of popular contenders in there.
Requirement #2: the username cannot be one of the blacklisted usernames.
You will find the password requirements in the same doc
Requirement #3: in general the password must be complex with a minimum of 12 characters.
I hope this helps you when implementing WVD. Until next time.....