MicrosoftDocs
diff --git a/‎articles/virtual-desktop/delegated-access-virtual-desktop.md
Lines changed: 17 additions & 27 deletions b/‎articles/virtual-desktop/delegated-access-virtual-desktop.md
Lines changed: 17 additions & 27 deletions
diff --git a/‎articles/virtual-desktop/diagnostics-log-analytics.md
Lines changed: 189 additions & 53 deletions b/‎articles/virtual-desktop/diagnostics-log-analytics.md
Lines changed: 189 additions & 53 deletions
@@ -6,7 +6,7 @@ author: Heidilohr
 
 ms.service: virtual-desktop
 ms.topic: conceptual
-ms.date: 03/21/2019
+ms.date: 04/30/2020
 ms.author: helohr
 manager: lizross
 ---
@@ -24,48 +24,38 @@ Windows Virtual Desktop delegated access supports the following values for each
 
 * Security principal
     * Users
+    * User groups
     * Service principals
 * Role definition
     * Built-in roles
+    * Custom roles
 * Scope
-    * Tenant groups
-    * Tenants
     * Host pools
     * App groups
-
-## Built-in roles
-
-Delegated access in Windows Virtual Desktop has several built-in role definitions you can assign to users and service principals.
-
-* An RDS Owner can manage everything, including access to resources.
-* An RDS Contributor can manage everything, but can't access to resources.
-* An RDS Reader can view everything, but can't make any changes.
-* An RDS Operator can view diagnostic activities.
+    * Workspaces
 
 ## PowerShell cmdlets for role assignments
 
-You can run the following cmdlets to create, view, and remove role assignments:
+Before you start, make sure to follow the instructions in [Set up the PowerShell module](powershell-module.md) to set up the Windows Virtual Desktop PowerShell module if you haven't already.
 
-* **Get-RdsRoleAssignment** displays a list of role assignments.
-* **New-RdsRoleAssignment** creates a new role assignment.
-* **Remove-RdsRoleAssignment** deletes role assignments.
+Windows Virtual Desktop uses Azure role-based access control (RBAC) while publishing app groups to users or user groups. The Desktop Virtualization User role is assigned to the user or user group and the scope is the app group. This role gives the user special data access on the app group.  
 
-### Accepted parameters
+Run the following cmdlet to add Azure Active Directory users to an app group:
 
-You can modify the basic three cmdlets with the following parameters:
+```powershell
+New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <hostpoolname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'  
+```
 
-* **AadTenantId**: specifies the Azure Active Directory tenant ID from which the service principal is a member.
-* **AppGroupName**: name of the Remote Desktop app group.
-* **Diagnostics**: indicates the diagnostics scope. (Must be paired with either the **Infrastructure** or **Tenant** parameters.)
-* **HostPoolName**: name of the Remote Desktop host pool.
-* **Infrastructure**: indicates the infrastructure scope.
-* **RoleDefinitionName**: name of the Remote Desktop Services role-based access control role assigned to the user, group, or app. (For example, Remote Desktop Services Owner, Remote Desktop Services Reader, and so on.)
-* **ServerPrincipleName**: name of the Azure Active Directory application.
-* **SignInName**: the user's email address or user principal name.
-* **TenantName**: name of the Remote Desktop tenant.
+Run the following cmdlet to add Azure Active Directory user group to an app group:
+
+```powershell
+New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <hostpoolname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' 
+```
 
 ## Next steps
 
 For a more complete list of PowerShell cmdlets each role can use, see the [PowerShell reference](/powershell/windows-virtual-desktop/overview).
 
+For a complete list of roles supported in Azure RBAC, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).
+
 For guidelines for how to set up a Windows Virtual Desktop environment, see [Windows Virtual Desktop environment](environment-setup.md).
@@ -6,7 +6,7 @@ author: Heidilohr
 
 ms.service: virtual-desktop
 ms.topic: conceptual
-ms.date: 12/18/2019
+ms.date: 04/30/2020
 ms.author: helohr
 manager: lizross
 ---
@@ -18,119 +18,255 @@ manager: lizross
 > The Windows Virtual Desktop Spring 2020 update is currently in public preview. This preview version is provided without a service level agreement, and we don't recommend using it for production workloads. Certain features might not be supported or might have constrained capabilities. 
 > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
-Windows Virtual Desktop offers a diagnostics feature that allows the administrator to identify issues through a single interface. This feature logs diagnostics information whenever someone assigned Windows Virtual Desktop role uses the service. Each log contains information about which Windows Virtual Desktop role was involved in the activity, any error messages that appear during the session, tenant information, and user information. The diagnostics feature creates activity logs for both user and administrative actions. Each activity log falls under three main categories: 
+Windows Virtual Desktop uses [Azure Monitor](../azure-monitor/overview.md) for monitoring and alerts like many other Azure services. This lets admins identify issues through a single interface. The service creates activity logs for both user and administrative actions. Each activity log falls under the following categories:  
 
-- Feed subscription activities: when a user tries to connect to their feed through Microsoft Remote Desktop applications.
-- Connection activities: when a user tries to connect to a desktop or RemoteApp through Microsoft Remote Desktop applications.
-- Management activities: when an administrator performs management operations on the system, such as creating host pools, assigning users to app groups, and creating role assignments.
+- Management Activities:  
+
+   - Track whether attempts to change Windows Virtual Desktop objects using APIs or PowerShell are successful. For example, can someone successfully create a host pool using PowerShell?
+
+- Feed: 
+
+   - Can users successfully subscribe to workspaces? 
+
+   - Do users see all resources published in the Remote Desktop client?
+
+- Connections: 
+
+   - When users initiate and complete connections to the service. 
+
+- Host registration: 
+
+   - Was the session host successfully registered with the service upon connecting?
+
+- Errors: 
+
+   - Are users encountering any issues with specific activities? This feature can generate a table that tracks activity data for you as long as the information is joined with the activities.
+
+- Checkpoints:  
+
+   - Specific steps in the lifetime of an activity that were reached. For example, during a session, a user was load balanced to a particular host, then the user was signed on during a connection, and so on.
 
 Connections that don't reach Windows Virtual Desktop won't show up in diagnostics results because the diagnostics role service itself is part of Windows Virtual Desktop. Windows Virtual Desktop connection issues can happen when the user is experiencing network connectivity issues.
 
-## Why you should use Log Analytics
+Azure Monitor lets you analyze Windows Virtual Desktop data and review virtual machine (VM) performance counters, all within the same tool. This article will tell you more about how to enable diagnostics for your Windows Virtual Desktop environment. 
 
-We recommend you use Log Analytics to analyze diagnostics data in the Azure client that goes beyond single-user troubleshooting. As you can pull in VM performance counters into Log Analytics you have one tool to gather information for your deployment.
+>[!NOTE] 
+>To learn how to monitor your VMs in Azure, see [Monitoring Azure virtual machines with Azure Monitor](../azure-monitor/insights/monitor-vm-azure.md). Also, make sure to [review the performance counter thresholds](../virtual-desktop/virtual-desktop-fall-2019/deploy-diagnostics.md#windows-performance-counter-thresholds) for a better understanding of your user experience on the session host.
 
 ## Before you get started
 
-Before you can use Log Analytics with the diagnostics feature, you'll need to [create a workspace](../azure-monitor/learn/quick-collect-windows-computer.md#create-a-workspace).
+Before you can use Log Analytics, you'll need to create a workspace. To do that, follow the instructions in one of the following two articles:
+
+- If you prefer using Azure portal, see [Create a Log Analytics workspace in Azure portal](../azure-monitor/learn/quick-create-workspace.md).
+- If you prefer PowerShell, see [Create a Log Analytics workspace with PowerShell](../azure-monitor/learn/quick-create-workspace-posh.md).
 
-After you've created your workspace, follow the instructions in [Connect Windows computers to Azure Monitor](../azure-monitor/platform/agent-windows.md#obtain-workspace-id-and-key) to get the following information: 
+After you've created your workspace, follow the instructions in [Connect Windows computers to Azure Monitor](../azure-monitor/platform/agent-windows.md#obtain-workspace-id-and-key) to get the following information:
 
 - The workspace ID
 - The primary key of your workspace
 
 You'll need this information later in the setup process.
 
-## Push diagnostics data to your workspace 
+Make sure to review permission management for Azure Monitor to enable data access for those who monitor and maintain your Windows Virtual Desktop environment. For more information, see [Get started with roles, permissions, and security with Azure Monitor](../azure-monitor/platform/roles-permissions-security.md). 
 
-You can push diagnostics data from your Windows Virtual Desktop tenant into the Log Analytics for your workspace. You can set up this feature right away when you first create your tenant by linking your workspace to your tenant, or you can set it up later with an existing tenant.
+## Push diagnostics data to your workspace
 
-To link your tenant to your Log Analytics workspace while you're setting up your new tenant, run the following cmdlet to sign in to Windows Virtual Desktop with your TenantCreator user account: 
+You can push diagnostics data from your Windows Virtual Desktop objects into the Log Analytics for your workspace. You can set up this feature right away when you first create your objects.
 
-```powershell
-Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com 
-```
+To set up Log Analytics for a new object:
 
-If you're going to link an existing tenant instead of a new tenant, run this cmdlet instead: 
+1. Sign in to the Azure portal and go to **Windows Virtual Desktop**. 
 
-```powershell
-Set-RdsTenant -Name <TenantName> -AzureSubscriptionId <SubscriptionID> -LogAnalyticsWorkspaceId <String> -LogAnalyticsPrimaryKey <String> 
-```
+2. Navigate to the object (such as a host pool, app group, or workspace) that you want to capture logs and events for. 
 
-You'll need to run these cmdlets for every tenant you want to link to Log Analytics. 
+3. Select **Diagnostic settings** in the menu on the left side of the screen. 
+
+4. Select **Add diagnostic setting** in the menu that appears on the right side of the screen. 
+   
+    The options shown in the Diagnostic Settings page will vary depending on what kind of object you're editing.
+
+    For example, when you're enabling diagnostics for an app group, you'll see options to configure checkpoints, errors, and management. For workspaces, these categories configure a feed to track when users subscribe to the list of apps. To learn more about diagnostic settings see [Create diagnostic setting to collect resource logs and metrics in Azure](../azure-monitor/platform/diagnostic-settings.md). 
+
+     >[!IMPORTANT] 
+     >Remember to enable diagnostics for each Azure Resource Manager object that you want to monitor. Data will be available for activities after diagnostics has been enabled. It might take a few hours after first set-up.  
+
+5. Enter a name for your settings configuration, then select **Send to Log Analytics**. The name you use shouldn't have spaces and should conform to [Azure naming conventions](../azure-resource-manager/management/resource-name-rules.md). As part of the logs, you can select all the options that you want added to your Log Analytics, such as Checkpoint, Error, Management, and so on.
+
+6. Select **Save**.
 
 >[!NOTE]
->If you don't want to link the Log Analytics workspace when you create a tenant, run the `New-RdsTenant` cmdlet instead. 
+>Log Analytics gives you the option to stream data to [Event Hubs](../event-hubs/event-hubs-about.md) or archive it in a storage account. To learn more about this feature, see [Stream Azure monitoring data to an event hub](../azure-monitor/platform/stream-monitoring-data-event-hubs.md) and [Archive Azure resource logs to storage account](../azure-monitor/platform/resource-logs-collect-storage.md). 
+
+## How to access Log Analytics
+
+You can access Log Analytics workspaces on the Azure portal or Azure Monitor.
+
+### Access Log Analytics on a Log Analytics workspace
+
+1. Sign in to the Azure portal.
+
+2. Search for **Log Analytics workspace**. 
+
+3. Under Services, select **Log Analytics workspaces**. 
+   
+4. From the list, select the workspace you configured for your Windows Virtual desktop object.
+
+5. Once in your workspace, select **Logs**. You can filter out your menu list with the **Search** function. 
+
+### Access Log Analytics on Azure Monitor
+
+1. Sign into the Azure portal
+
+2. Search for and select **Monitor**. 
+
+3. Select **Logs**.
+
+4. Follow the instructions in the logging page to set the scope of your query.  
+
+5. You are ready to query diagnostics. All diagnostics tables have a "WVD" prefix. 
+
+![]()
 
 ## Cadence for sending diagnostic events
 
-Diagnostic events are sent to Log Analytics when completed.  
+Diagnostic events are sent to Log Analytics when completed.
+
+Log Analytics only reports in these intermediate states for connection activities:
+
+- Started
+- Connected
+- Completed
 
 ## Example queries
 
-The following example queries show how the diagnostics feature generates a report for the most frequent activities in your system:
+The following example queries show how the diagnostics feature generates a report for the most frequent activities in your system.
 
-This first example shows connection activities initiated by users with supported remote desktop clients:
+To get a list of connections made by your users, run this cmdlet:
 
 ```powershell
-WVDActivityV1_CL 
+WVDConnections 
+| project-away TenantId,SourceSystem 
+| summarize arg_max(TimeGenerated, *), StartTime =  min(iff(State== 'Started', TimeGenerated , datetime(null) )), ConnectTime = min(iff(State== 'Connected', TimeGenerated , datetime(null) ))   by CorrelationId 
+| join kind=leftouter ( 
+    WVDErrors 
+    |summarize Errors=makelist(pack('Code', Code, 'CodeSymbolic', CodeSymbolic, 'Time', TimeGenerated, 'Message', Message ,'ServiceError', ServiceError, 'Source', Source)) by CorrelationId 
+    ) on CorrelationId     
+| join kind=leftouter ( 
+   WVDCheckpoints 
+   | summarize Checkpoints=makelist(pack('Time', TimeGenerated, 'Name', Name, 'Parameters', Parameters, 'Source', Source)) by CorrelationId 
+   | mv-apply Checkpoints on 
+    ( 
+        order by todatetime(Checkpoints['Time']) asc 
+        | summarize Checkpoints=makelist(Checkpoints) 
+    ) 
+   ) on CorrelationId 
+| project-away CorrelationId1, CorrelationId2 
+| order by  TimeGenerated desc 
+```
 
-| where Type_s == "Connection" 
+To view feed activity of your users:
 
-| join kind=leftouter ( 
+```powershell
+WVDFeeds  
 
-    WVDErrorV1_CL 
+| project-away TenantId,SourceSystem  
 
-    | summarize Errors = makelist(pack('Time', Time_t, 'Code', ErrorCode_s , 'CodeSymbolic', ErrorCodeSymbolic_s, 'Message', ErrorMessage_s, 'ReportedBy', ReportedBy_s , 'Internal', ErrorInternal_s )) by ActivityId_g 
+| join kind=leftouter (  
 
-    ) on $left.Id_g  == $right.ActivityId_g   
+    WVDErrors  
 
-| join  kind=leftouter (  
+    |summarize Errors=makelist(pack('Code', Code, 'CodeSymbolic', CodeSymbolic, 'Time', TimeGenerated, 'Message', Message ,'ServiceError', ServiceError, 'Source', Source)) by CorrelationId  
 
-    WVDCheckpointV1_CL 
+    ) on CorrelationId      
 
-    | summarize Checkpoints = makelist(pack('Time', Time_t, 'ReportedBy', ReportedBy_s, 'Name', Name_s, 'Parameters', Parameters_s) ) by ActivityId_g 
+| join kind=leftouter (  
 
-    ) on $left.Id_g  == $right.ActivityId_g  
+   WVDCheckpoints  
 
-|project-away ActivityId_g, ActivityId_g1 
-```
+   | summarize Checkpoints=makelist(pack('Time', TimeGenerated, 'Name', Name, 'Parameters', Parameters, 'Source', Source)) by CorrelationId  
 
-This next example query shows management activities by admins on tenants:
+   | mv-apply Checkpoints on  
 
-```powershell
-WVDActivityV1_CL 
+    (  
 
-| where Type_s == "Management" 
+        order by todatetime(Checkpoints['Time']) asc  
 
-| join kind=leftouter ( 
+        | summarize Checkpoints=makelist(Checkpoints)  
 
-    WVDErrorV1_CL 
+    )  
 
-    | summarize Errors = makelist(pack('Time', Time_t, 'Code', ErrorCode_s , 'CodeSymbolic', ErrorCodeSymbolic_s, 'Message', ErrorMessage_s, 'ReportedBy', ReportedBy_s , 'Internal', ErrorInternal_s )) by ActivityId_g 
+   ) on CorrelationId  
 
-    ) on $left.Id_g  == $right.ActivityId_g   
+| project-away CorrelationId1, CorrelationId2  
 
-| join  kind=leftouter (  
+| order by  TimeGenerated desc 
+```
 
-    WVDCheckpointV1_CL 
+To find all connections for a single user: 
 
-    | summarize Checkpoints = makelist(pack('Time', Time_t, 'ReportedBy', ReportedBy_s, 'Name', Name_s, 'Parameters', Parameters_s) ) by ActivityId_g 
+```powershell
+|where UserName == "userupn" 
+|take 100 
+|sort by TimeGenerated asc, CorrelationId 
+```
+ 
 
-    ) on $left.Id_g  == $right.ActivityId_g  
+To find the number of times a user connected per day:
 
-|project-away ActivityId_g, ActivityId_g1 
+```powershell
+WVDConnections 
+|where UserName == "userupn" 
+|take 100 
+|sort by TimeGenerated asc, CorrelationId 
+|summarize dcount(CorrelationId) by bin(TimeGenerated, 1d) 
 ```
 
-## Stop sending data to Log Analytics 
 
-To stop sending data from an existing tenant to Log Analytics, run the following cmdlet and set empty strings:
+To find session duration by user:
+
+```powershell
+let Events = WVDConnections | where UserName == "userupn" ; 
+Events 
+| where State == "Connected" 
+| project CorrelationId , UserName, ResourceAlias , StartTime=TimeGenerated 
+| join (Events 
+| where State == "Completed" 
+| project EndTime=TimeGenerated, CorrelationId) 
+on CorrelationId 
+| project Duration = EndTime - StartTime, ResourceAlias 
+| sort by Duration asc 
+```
+
+To find errors for a specific user:
+
+```powershell
+WVDErrors
+| where UserName == "[email protected]" 
+|take 100
+```
+
+To find out whether a specific error occurred:
+
+```powershell
+WVDErrors 
+| where CodeSymbolic =="ErrorSymbolicCode" 
+| summarize count(UserName) by CodeSymbolic 
+```
+
+To find the occurrence of an error across all users:
 
 ```powershell
-Set-RdsTenant -Name <TenantName> -AzureSubscriptionId <SubscriptionID> -LogAnalyticsWorkspaceId <String> -LogAnalyticsPrimaryKey <String> 
+WVDErrors 
+| where ServiceError =="false" 
+| summarize usercount = count(UserName) by CodeSymbolic 
+| sort by usercount desc
+| render barchart 
 ```
 
-You'll need to run this cmdlet for every tenant you want to stop sending data from. 
+>[!NOTE]
+>The most important table for troubleshooting is WVDErrors. Use this query to understand which issues occur for user activities like connections or feeds when a user subscribes to the list of apps or desktops. The table will show you management errors as well as host registration issues.
+>
+>During public preview, if you need help with resolving an issue, make sure you give the CorrelationID for the error in your help request. Also, make sure your Service Error value always says ServiceError = “false”. A "false" value means the issue can be resolved by an admin task on your end. If ServiceError = “true”, you'll need to escalate the issue to Microsoft.
 
 ## Next steps