@@ -7,7 +7,7 @@ manager: lizross
7
7
8
8
ms.service: virtual-desktop
9
9
ms.topic: how-to
10
-
ms.date: 07/23/2021
10
+
ms.date: 07/27/2021
11
11
ms.author: helohr
12
12
---
13
13
# Deploy Azure AD joined virtual machines in Azure Virtual Desktop
@@ -37,7 +37,7 @@ User accounts can be cloud-only or hybrid users from the same Azure AD tenant. E
37
37
> [!IMPORTANT]
38
38
> During public preview, you must configure your host pool to be in the [validation environment](create-validation-host-pool.md).
39
39
40
-
You can deploy Azure AD-joined VMs directly from the Azure portal when [creating a new host pool](create-host-pools-azure-marketplace.md) or [expanding an existing host pool](expand-existing-host-pool.md). On the Virtual Machines tab, select whether to join the VM to Active Directory or Azure Active Directory. Selecting **Azure Active Directory** gives you the option to **Enroll the VM with Intune** automatically so you can easily manage [Windows 10 ENT](/mem/intune/fundamentals/windows-virtual-desktop) and [Windows 10 ENT multi-session](/mem/intune/fundamentals/windows-virtual-desktop-multi-session) VMs. Keep in mind that the Azure Active Directory option will join VMs to the same Azure AD tenant as the subscription you're in.
40
+
You can deploy Azure AD-joined VMs directly from the Azure portal when [creating a new host pool](create-host-pools-azure-marketplace.md) or [expanding an existing host pool](expand-existing-host-pool.md). On the Virtual Machines tab, select whether to join the VM to Active Directory or Azure Active Directory. Selecting **Azure Active Directory** gives you the option to **Enroll the VM with Intune** automatically so you can easily manage [Windows 10 Enterprise](/mem/intune/fundamentals/windows-virtual-desktop) and [Windows 10 Enterprise multi-session](/mem/intune/fundamentals/windows-virtual-desktop-multi-session) VMs. Keep in mind that the Azure Active Directory option will join VMs to the same Azure AD tenant as the subscription you're in.
41
41
42
42
> [!NOTE]
43
43
> - Host pools should only contain VMs of the same domain join type. For example, AD-joined VMs should only be with other AD VMs, and vice-versa.
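Review bot: The change from "Windows 10 ENT" to "Windows 10 Enterprise" in this paragraph is correct; "ENT" is an internal abbreviation that readers outside Microsoft may not recognize, and the spelled-out product name matches the linked Intune pages. Worth a quick search of the rest of the article for any remaining "ENT" occurrences so the naming stays consistent after this edit.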
@@ -53,12 +53,15 @@ To grant users access to Azure AD-joined VMs, you must [configure role assignmen
53
53
54
54
This section explains how to access Azure AD-joined VMs from different Azure Virtual Desktop clients.
55
55
56
+
> [!NOTE]
57
+
> Connecting to Azure AD-joined VMs isn't currently supported using the Windows Store client.
58
+
56
59
> [!NOTE]
57
60
> Azure Virtual Desktop doesn't currently support single sign-on for Azure AD-joined VMs.
58
61
59
62
### Connect using the Windows Desktop client
60
63
61
-
The default configuration supports connections from Windows 10 using the Windows Desktop client. You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
64
+
The default configuration supports connections from Windows 10 using the [Windows Desktop client](user-documentation/connect-windows-7-10.md). You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
62
65
63
66
- The local PC is Azure AD-joined to the same Azure AD tenant as the session host
64
67
- The local PC is hybrid Azure AD-joined to the same Azure AD tenant as the session host
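Review bot: The new `> [!NOTE]` about the Windows Store client lands directly above an existing `> [!NOTE]` about single sign-on, so the rendered page will show two stacked note boxes; consider folding both into a single note with two bullets, as this article already does in the host-pool note ("> - Host pools should only contain VMs of the same domain join type..."). Also, the added note calls it the "Windows Store client" while the text removed in the next hunk calls it the "Microsoft Store client"; pick one name (the current product name is Microsoft Store) and use it in both places. The added link to `user-documentation/connect-windows-7-10.md` is consistent with the link path fix in the final hunk.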
@@ -68,11 +71,11 @@ To enable access from Windows devices not joined to Azure AD, add **targetisaadj
68
71
69
72
### Connect using the other clients
70
73
71
-
To access Azure AD-joined VMs using the web, Android, macOS, iOS, and Microsoft Store clients, you must add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
74
+
To access Azure AD-joined VMs using the web, Android, macOSand iOS clients, you must add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
72
75
73
76
### Enabling MFA for Azure AD joined VMs
74
77
75
-
You can enable [multifactor authentication](set-up-mfa.md) for Azure AD joined VMs by setting a Conditional Access policy on the "Azure Virtual Desktop" app. Unless you want to restrict sign in to strong authentication methods like Windows Hello, you should exclude the "Azure Windows VM Sign-In" app from the list of cloud apps as described in the [MFA sign-in method requirements](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) for Azure AD joined VMs. If you are using non-Windows clients, you must disable the MFA policy on "Azure Windows VM Sign-In".
78
+
You can enable [multifactor authentication](set-up-mfa.md) for Azure AD joined VMs by setting a Conditional Access policy on the "Azure Virtual Desktop" app. Unless you want to restrict sign in to strong authentication methods like Windows Hello, you should exclude the "Azure Windows VM Sign-In" app from the list of cloud apps as described in the [MFA sign-in method requirements](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) for Azure AD joined VMs. If you're using non-Windows clients, you must disable the MFA policy on "Azure Windows VM Sign-In".
76
79
77
80
## User profiles
78
81
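Review bot: Typo in the added line: "macOSand iOS" is missing a space and the serial comma; it should read "web, Android, macOS, and iOS clients". Dropping "Microsoft Store" from that list is the right companion to the new note that store-client connections aren't supported, as long as the note and this sentence agree on the client's name. The "If you are" to "If you're" change in the MFA paragraph is fine and matches the contraction style used elsewhere in the article.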
@@ -82,6 +85,6 @@ Azure Virtual Desktop currently only supports local profiles for Azure AD-joined
82
85
83
86
Now that you've deployed some Azure AD joined VMs, you can sign in to a supported Azure Virtual Desktop client to test it as part of a user session. If you want to learn how to connect to a session, check out these articles:
84
87
85
-
-[Connect with the Windows Desktop client](connect-windows-7-10.md)
86
-
-[Connect with the web client](connect-web.md)
88
+
-[Connect with the Windows Desktop client](user-documentation/connect-windows-7-10.md)
89
+
-[Connect with the web client](user-documentation/connect-web.md)
87
90
-[Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md)