Commit 5c1fdad

Merge pull request #286366 from dknappettmsft/avd-sfi-global-admin
AVD SFI global admin references
2 parents 42eefbc + 58a0cae commit 5c1fdad

5 files changed

+15
-18
lines changed

articles/virtual-desktop/virtual-desktop-fall-2019/manage-resources-using-ui-powershell.md

Lines changed: 3 additions & 3 deletions
@@ -143,11 +143,11 @@ To verify the Microsoft Entra application configuration and provide consent:
143143
3. Select **All applications** and search the unique app name you provided for the PowerShell script in [Create a Microsoft Entra app registration](#create-an-azure-active-directory-app-registration).
144144
4. In the panel on the left side of the browser, select **Authentication** and make sure the redirect URI is the same as the web app URL for the management tool, as shown in the following image.
145145

146-
:::image type="content" source="../media/management-ui-redirect-uri-inline.png" alt-text="Screenshot of the Configure Web page on the Authentication tab for an app registration."
146+
:::image type="content" source="../media/management-ui-redirect-uri-inline.png" alt-text="Screenshot of the Configure Web page on the Authentication tab for an app registration.":::
147147

148-
5. In the left panel, select **API permissions** to confirm that permissions were added. If you're a global admin, select the **Grant admin consent for `tenantname`** button and follow the dialog prompts to provide admin consent for your organization.
148+
5. In the left panel, select **API permissions** to confirm that permissions were added. If you're providing admin consent for all users, select the **Grant admin consent for `tenantname`** button and follow the dialog prompts.
149149

150-
:::image type="content" source="../media/management-ui-permissions-inline.png" alt-text="Screenshot of the API permissions page for an app registration that highlights the option to grant admin consent for Contoso." lightbox="../media/management-ui-permissions-expanded.png"
150+
:::image type="content" source="../media/management-ui-permissions-inline.png" alt-text="Screenshot of the API permissions page for an app registration that highlights the option to grant admin consent for Contoso." lightbox="../media/management-ui-permissions-expanded.png":::
151151

152152
You can now start using the management tool.
153153
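Review bot: In step 5 of this hunk, the new wording "If you're providing admin consent for all users" no longer tells the reader which permissions that action requires. The sibling change in manage-resources-using-ui.md links to [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent); adding the same link here would keep the two articles consistent and give readers something to check their account against. The added `:::` closers on both image directives look right.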

articles/virtual-desktop/virtual-desktop-fall-2019/manage-resources-using-ui.md

Lines changed: 2 additions & 3 deletions
@@ -72,14 +72,13 @@ To determine which user you can use to sign in to the tool, go to your [Microsof
7272
:::image type="content" source="../media/management-ui-user-consent-allowed-inline.png" alt-text="A screenshot showing if users can grant consent to applications for just their user." lightbox="../media/management-ui-user-consent-allowed-expanded.png":::
7373

7474
- If the value is set to **Yes**, you can sign in with any user account in the Microsoft Entra ID and provide consent for that user only. However, if you sign in to the management tool with a different user later, you must perform the same consent again.
75-
- If the value is set to **No**, you must sign in as a Global Administrator in the Microsoft Entra ID and provide admin consent for all users in the directory. No other users will face a consent prompt.
76-
75+
- If the value is set to **No**, you must sign in using an account with the required permissions to provide consent for all users in the tenant. No other users will face a consent prompt. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).
7776

7877
Once you decide which user you'll use to provide consent, follow these instructions to provide consent to the tool:
7978

8079
1. Go to your Azure resources, select the Azure App Services resource with the name you provided in the template (for example, Apr3UX) and navigate to the URL associated with it; for example, `https://rdmimgmtweb-210520190304.azurewebsites.net`.
8180
2. Sign in using the appropriate Microsoft Entra user account.
82-
3. If you authenticated with a Global Administrator, you can now select the checkbox to **Consent on behalf of your organization**. Select **Accept** to provide consent. This will now take you to the management tool.
81+
3. If you providing consent for all users, you can now select the checkbox to **Consent on behalf of your organization**. Select **Accept** to provide consent. This will now take you to the management tool.
8382

8483
## Use the management tool
8584
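Review bot: Step 3 in this hunk has a typo: "If you providing consent for all users" should read "If you're providing consent for all users". The reworded **No** bullet is fine as it stands, since it now links to the tenant-wide admin consent article for the required permissions.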

articles/virtual-desktop/virtual-desktop-fall-2019/manual-delete.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ This article describes how to delete Azure Virtual Desktop (classic).
1919

2020
Before you begin, make sure you have the following things ready:
2121

22-
- A global administrator account within the Microsoft Entra tenant
22+
- A user administrator account within the Microsoft Entra tenant with permissions to manage your Azure Virtual Desktop (classic) resources.
2323

2424
- [Download and import the Azure Virtual Desktop module](/powershell/windows-virtual-desktop/overview/) to use in your PowerShell session if you haven't already
2525
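Review bot: The replacement prerequisite "A user administrator account within the Microsoft Entra tenant with permissions to manage your Azure Virtual Desktop (classic) resources" is ambiguous: lowercase "user administrator" can be read either as a specific Microsoft Entra role or as any administrative user. If a specific role is meant, write it as a role name; otherwise describe the permissions the way the other files in this commit do ("an account with the required permissions"). The new item also ends with a period while the next list item does not.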

articles/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory.md

Lines changed: 8 additions & 10 deletions
@@ -12,7 +12,7 @@ ms.custom: docs_inherited
1212
> [!IMPORTANT]
1313
> - This content applies to Azure Virtual Desktop (classic), which doesn't support Azure Resource Manager Azure Virtual Desktop objects.
1414
>
15-
> - Beginning **September 30 2023**, you will no longer be able to create new Azure Virtual Desktop (classic) tenants. Azure Virtual Desktop (classic) will retire on **September 30, 2026**. You should transition to [Azure Virtual Desktop](../index.yml) before that date. For more information, see [Azure Virtual Desktop (classic) retirement](classic-retirement.md).
15+
> - You can no longer be able to create new Azure Virtual Desktop (classic) tenants. Azure Virtual Desktop (classic) will retire on **September 30, 2026**. You should transition to [Azure Virtual Desktop](../index.yml) before that date. For more information, see [Azure Virtual Desktop (classic) retirement](classic-retirement.md).
1616
1717
Creating a tenant in Azure Virtual Desktop is the first step toward building your desktop virtualization solution. A tenant is a group of one or more host pools. Each host pool consists of multiple session hosts, running as virtual machines in Azure and registered to the Azure Virtual Desktop service. Each host pool also consists of one or more application groups that are used to publish desktop and application resources to users. With a tenant, you can build host pools, create application groups, assign users, and make connections through the service.
1818
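Review bot: The rewritten retirement bullet in this hunk is ungrammatical: "You can no longer be able to create new Azure Virtual Desktop (classic) tenants" should be "You can no longer create new Azure Virtual Desktop (classic) tenants". This edit is also unrelated to the global admin references named in the commit title, so it is worth mentioning in the PR description.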

@@ -28,14 +28,12 @@ In this tutorial, learn how to:
2828
Before you start setting up your Azure Virtual Desktop tenant, make sure you have these things:
2929

3030
* The [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) tenant ID for Azure Virtual Desktop users.
31-
* A global administrator account within the Microsoft Entra tenant.
32-
* This also applies to Cloud Solution Provider (CSP) organizations that are creating an Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in as global administrator of the customer's Microsoft Entra instance.
31+
* A account within the Microsoft Entra tenant with the required permissions to provide admin consent for for an application in the tenant. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent).
32+
* This also applies to Cloud Solution Provider (CSP) organizations that are creating an Azure Virtual Desktop tenant for their customers. If you're in a CSP organization, you must be able to sign in with an appropriate account in the customer's Microsoft Entra instance.
3333
* The administrator account must be sourced from the Microsoft Entra tenant in which you're trying to create the Azure Virtual Desktop tenant. This process doesn't support Microsoft Entra B2B (guest) accounts.
3434
* The administrator account must be a work or school account.
3535
* An Azure subscription.
3636

37-
You must have the tenant ID, global administrator account, and Azure subscription ready so that the process described in this tutorial can work properly.
38-
3937
## Grant permissions to Azure Virtual Desktop
4038

4139
If you have already granted permissions to Azure Virtual Desktop for this Microsoft Entra instance, skip this section.
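Review bot: The new account prerequisite in this hunk has two typos: "A account" should be "An account", and "admin consent for for an application" repeats "for". The unchanged sub-bullets beneath it still begin "The administrator account must be ...", which no longer has an antecedent now that the parent bullet describes an account with the required permissions; consider rewording them to "The account must be ..." in the same change.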
@@ -51,7 +49,7 @@ To grant the service permissions:
5149
>https://login.microsoftonline.com/{tenant}/adminconsent?client_id=5a0aa725-4958-4b0c-80a9-34562e23f3b7&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback
5250
>```
5351
54-
2. Sign in to the Azure Virtual Desktop consent page with a global administrator account. For example, if you were with the Contoso organization, your account might be [email protected] or [email protected].
52+
2. Sign in to the Azure Virtual Desktop consent page with the appropriate account.
5553
3. Select **Accept**.
5654
4. Wait for one minute so Microsoft Entra ID can record consent.
5755
5. Open a browser and begin the admin consent flow to the [Azure Virtual Desktop client app](https://login.microsoftonline.com/common/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback).
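Review bot: Step 2 now reads "with the appropriate account", which gives the reader nothing to check against when they open a tenant-wide `adminconsent` URL. Tie it back to the requirements list at the start of the tutorial, for example "with an account that has the required permissions to provide admin consent", so the step stays actionable without naming Global Administrator.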
@@ -61,12 +59,12 @@ To grant the service permissions:
6159
> https://login.microsoftonline.com/{tenant}/adminconsent?client_id=fa4345a4-a730-4230-84a8-7d9651b86739&redirect_uri=https%3A%2F%2Frdweb.wvd.microsoft.com%2FRDWeb%2FConsentCallback
6260
>```
6361
64-
6. Sign in to the Azure Virtual Desktop consent page as global administrator, as you did in step 2.
62+
6. Sign in to the Azure Virtual Desktop consent page, as you did in step 2.
6563
7. Select **Accept**.
6664
6765
## Assign the TenantCreator application role
6866
69-
Assigning a Microsoft Entra user the TenantCreator application role allows that user to create an Azure Virtual Desktop tenant associated with the Microsoft Entra instance. You'll need to use your global administrator account to assign the TenantCreator role.
67+
Assigning a Microsoft Entra user the `TenantCreator` application role allows that user to create an Azure Virtual Desktop tenant associated with the Microsoft Entra instance.
7068
7169
To assign the TenantCreator application role:
7270
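Review bot: After this edit the TenantCreator paragraph no longer says what kind of account can perform the role assignment; the removed sentence was the only place that stated it. Replace it with a description of the permission needed, or a link to the relevant Microsoft Entra documentation as the other hunks do, rather than dropping it. Also, `TenantCreator` is now in code formatting in this paragraph, while the following line ("To assign the TenantCreator application role:") and the heading are plain, so the formatting should be made consistent.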
@@ -80,8 +78,8 @@ To assign the TenantCreator application role:
8078
3. Select **Users and groups**. You might see that the administrator who granted consent to the application is already listed with the **Default Access** role assigned. This is not enough to create an Azure Virtual Desktop tenant. Continue following these instructions to add the **TenantCreator** role to a user.
8179
8280
4. Select **Add user**, and then select **Users and groups** in the **Add Assignment** tab.
83-
5. Search for a user account that will create your Azure Virtual Desktop tenant. For simplicity, this can be the global administrator account.
84-
- If you're using a Microsoft Identity Provider like [email protected] or [email protected], you might not be able to sign in to Azure Virtual Desktop. We recommend using a domain-specific account like [email protected] or [email protected] instead.
81+
5. Search for a user account that will create your Azure Virtual Desktop tenant.
82+
- If you're using a Microsoft Identity Provider like [email protected] or [email protected], you might not be able to sign in to Azure Virtual Desktop.
8583
8684
> [!NOTE]
8785
> You must select a user (or a group that contains a user) that's sourced from this Microsoft Entra instance. You can't choose a guest (B2B) user or a service principal.
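Review bot: The sub-bullet under step 5 now states a problem ("you might not be able to sign in to Azure Virtual Desktop") with no way forward, because the recommendation to use a domain-specific account was removed along with the global administrator mention. That recommendation was not a Global Administrator reference, so it should be restored.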

articles/virtual-desktop/virtual-desktop-fall-2019/troubleshoot-management-tool.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ When you successfully set up services for the management tool but automated setu
2424

2525
This usually means one of the following two things:
2626

27-
- The user has owner permissions on their subscription and global admin at tenant level, but they can't sign in to Azure.
27+
- The user has the relevant permissions on their subscription and at the tenant level, but they can't sign in to Azure.
2828
- The user's account settings have multi-factor authentication enabled.
2929

3030
To fix this:
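Review bot: "the relevant permissions on their subscription and at the tenant level" in the first bullet is too vague for a troubleshooting article, since the reader has to confirm this condition before applying the fix. The old text's "owner permissions on their subscription" was not a global admin reference and could be kept; only the tenant-level half needs rewording, ideally with a pointer to what those permissions are.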
