AVD Entra ID Joined Steps
CG has standardized on Intune-managed and Entra ID-joined workstations. Azure Virtual Desktop supports this setup.
The difference between a traditional domain-joined AVD setup and an Entra-joined AVD setup mainly comes down to how the FSLogix profile storage account is set up and how the golden image is prepared.
This document focuses on the new methods for setting up an Entra-joined AVD. Topics where nothing changes, such as host pools, application groups, workspaces, scaling plans, and the Azure Compute Gallery, are not covered.
Create a new dedicated resource group
- Create a resource group entirely separate from any legacy AVD setup you may have.
- Ex: ca2-prdavdentra-rg
Create a storage account for AVD user profiles (FSLogix)
https://learn.microsoft.com/en-us/azure/virtual-desktop/create-profile-container-azure-ad
- Create a premium Azure Files storage account with LRS replication.
- Ex: ca2avdentrafslogix1
- Create a file share for the fslogix user profiles.
- Ex: userprofiles
- Enable Microsoft Entra Kerberos (Azure AD Kerberos).
- Domain name and GUID: Canaccord.com, 19f849c2-c549-4d39-b15e-d67e5c8d33a9
- An app registration (enterprise application/service principal) is auto-created for the storage account; a Global Administrator must grant admin consent for its read permissions.
- Exclude this app registration/enterprise app from the global MFA Conditional Access policies, such as:
- Grant permissions on this Azure Files user profile share to the users and groups you intend to use AVD.
- Share-level permissions: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal#share-level-permissions-for-specific-microsoft-entra-users-or-groups
- Secure this storage account so it is not publicly accessible: under Networking, restrict the allowed sources and add a private endpoint (private link).
- After the storage account is private-linked, adjust the app registration manifest to also list the private link URLs, like so:
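The storage account steps above, scripted end to end, as an added example that is not part of the original runbook. It assumes the Az.Storage, Az.Network and Microsoft.Graph.Applications PowerShell modules, that a privatelink.file.core.windows.net private DNS zone is already linked to the AVD VNet (not shown), and that the tenant ID, region and subnet values are placeholders you replace; the account, share, resource group and domain values are the ones named in this document. The identifier URI pattern added to the manifest follows the shape Microsoft documents for the private-link FQDN; confirm it against the current docs before relying on it.

```powershell
# Added example (not from the runbook): provision the FSLogix storage account,
# enable Entra Kerberos, lock down networking, and add the private link URIs
# to the auto-created app registration manifest.
$rg         = 'ca2-prdavdentra-rg'                     # from the runbook
$account    = 'ca2avdentrafslogix1'                    # from the runbook
$share      = 'userprofiles'                           # from the runbook
$domainName = 'Canaccord.com'                          # from the runbook
$domainGuid = '19f849c2-c549-4d39-b15e-d67e5c8d33a9'   # from the runbook
$tenantId   = '<tenant-id>'                            # placeholder (assumption)
$location   = 'canadacentral'                          # assumption
$vnetRg     = '<vnet-resource-group>'                  # placeholder (assumption)
$vnetName   = '<vnet-name>'                            # placeholder (assumption)
$subnetName = '<avd-subnet-name>'                      # placeholder (assumption)

Connect-AzAccount -Tenant $tenantId | Out-Null

# 1. Premium Azure Files (FileStorage kind), LRS, public network access off from day one.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
        -SkuName Premium_LRS -Kind FileStorage -PublicNetworkAccess Disabled `
        -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2

# 2. The profile share. Premium shares bill on provisioned size, so size deliberately.
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $account `
    -Name $share -QuotaGiB 1024 | Out-Null

# 3. Enable Microsoft Entra Kerberos for Azure Files. This creates the app registration
#    that a Global Administrator must still grant admin consent to (portal step).
Set-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $account `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainName -ActiveDirectoryDomainGuid $domainGuid | Out-Null

# 4. Default-deny network rules plus a private endpoint for the 'file' sub-resource.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$conn   = New-AzPrivateLinkServiceConnection -Name "$account-file-plsc" `
            -PrivateLinkServiceId $sa.Id -GroupId 'file'
New-AzPrivateEndpoint -ResourceGroupName $rg -Name "$account-file-pe" -Location $location `
    -Subnet $subnet -PrivateLinkServiceConnection $conn | Out-Null

# 5. Manifest change: the SMB client now resolves the privatelink name, so the
#    Kerberos SPN/identifier URIs must cover that FQDN as well as the public one.
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All' | Out-Null
$fqdn   = "$account.file.core.windows.net"
$plFqdn = "$account.privatelink.file.core.windows.net"
$app = Get-MgApplication -All | Where-Object { $_.IdentifierUris -match [regex]::Escape($fqdn) }
if (-not $app) { throw "No app registration references $fqdn; was Entra Kerberos enabled?" }

# Keep the existing URIs and append the private-link equivalents (pattern per Microsoft docs; verify).
$uris = (@($app.IdentifierUris) + @(
    "api://$tenantId/HTTP/$plFqdn",
    "HTTP/$plFqdn",
    "CIFS/$plFqdn"
)) | Select-Object -Unique
Update-MgApplication -ApplicationId $app.Id -IdentifierUris $uris
Write-Output "identifierUris now: $($uris -join ', ')"
```

Grant share-level RBAC (for example Storage File Data SMB Share Contributor) to the AVD user group and the Conditional Access exclusion for the new app registration are still done in the portal as described above; neither is scripted here.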
Create the golden image
If your use case needs multiple AVD host pools, create one golden image per AVD host pool.
For the end workstation to be Intune-managed properly, the golden image must not be joined to any domain or to Entra ID; you essentially build the image from the stock marketplace Windows image.
- Create a VM from the stock marketplace Windows multi-session with Microsoft 365 Apps image.
- Do not join it to anything, and do not enable any Azure login capability.
- Only create a local account.
- Log in locally to the VM and start building the workstation as you intend it to be.
- Any apps requiring line of sight to the Canaccord.com domain will not work during this build process; configure those after the image has been deployed to the host pools.
- You can set this in an Intune policy or run it manually now: enable the workstation to retrieve cloud Kerberos tickets so it can talk to the Azure Files storage account.
- reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1
- reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
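The same two registry values, written as an Intune remediation-style detection and fix script. This is an added example, not part of the runbook or of the CA-Windows-AVDEntra-1.0 policy; it assumes it runs elevated (or as SYSTEM under Intune) and only sets the two values listed above.

```powershell
# Added example (not from the runbook): detect and remediate the two registry
# values that let an Entra-joined AVD host obtain cloud Kerberos tickets for
# Azure Files. Exit code 1 = non-compliant, 0 = compliant (Intune remediation semantics).
$Settings = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
       Name  = 'LoadCredKeyFromProfile';             Value = 1 },
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
       Name  = 'CloudKerberosTicketRetrievalEnabled'; Value = 1 }
)

function Test-AvdKerberosSettings {
    # Emits every setting that is missing or has the wrong value; emits nothing when compliant.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -ne $s.Value) { $s }
    }
}

function Set-AvdKerberosSettings {
    # Creates the key if needed and forces the DWORD to the required value (same effect as the reg add lines above).
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

$drift = @(Test-AvdKerberosSettings)
if ($drift.Count -gt 0) {
    Write-Output "Fixing: $($drift.Name -join ', ')"
    Set-AvdKerberosSettings
    $drift = @(Test-AvdKerberosSettings)    # re-check so a failed write is reported, not hidden
}
if ($drift.Count -gt 0) { Write-Output "Non-compliant: $($drift.Name -join ', ')"; exit 1 }
Write-Output 'Compliant'
exit 0
```

Split the detection part and the remediation part into two scripts if you deploy it through Intune remediations; keeping the re-check after the write means a host where the key is locked down by another policy surfaces as non-compliant instead of silently passing.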
Snapshot and publish the golden image to the gallery
- As you normally would for AVD, shut down the golden image VM and take a disk snapshot before imaging, so you have a backup of the golden image that you can edit in the future.
- Publish the golden image to an Azure Compute Gallery:
- Sysprep the golden image: run sysprep.exe from %windir%\system32\sysprep.
- Select Capture on the Azure VM.
Create the AVD VMs in the host pool
- Add a VM to your AVD host pool and select the golden image you captured earlier from your compute gallery.
- VM size and networking are as usual.
- In the Domain to join section, select Microsoft Entra ID and enable Enroll with Intune.
Your Entra ID-joined AVD setup is now complete. One final thing to note: because the hosts are Entra ID joined, the policies applied to these AVD workstations come from Intune. AVD-specific settings are required so the workstation can communicate with components such as FSLogix; for reference, see the Intune policy named CA-Windows-AVDEntra-1.0.