Azure Virtual Desktop (AVD) introduces a new end-user experience via a brand-new Remote Desktop application. Unlike previous versions of Remote Desktop Connection that were included in every version of Windows OS, this one must be downloaded and installed. The new client also requires .NET framework 4.7.2 or later to be downloaded and installed on a Windows machine before installing the client. Once in General Availability (GA), client apps will be available for MacOS, iOS, Android and HTML 5. Suffice it to say, AVD will be accessible from almost any modern, internet-connected device.
In this article, we will focus on the end-user experience when using a Windows PC with a special focus on how multi-factor authentication plays into the user login experience. We will review the user login process in detail using the latest version of the Remote Desktop app v1.2 available today. The user interface will likely change slightly in future releases, but the overall authentication and login flow is likely to stay consistent.
One of the many advantages of AVD over previous RDS implementations is that Azure AD is natively supported, and in fact required, for AVD to work. This brings with it many benefits including:
- Consistent set of credentials for local Active Directory (when synced to AAD with ADConnect), Office 365 and other Azure AD services, and Azure Virtual Desktop. No more maintaining independent sets of user credentials.
- Support for Azure MFA (multi-factor authentication) in its native form. User experience is identical to that of accessing Office 365 resources. Something that most users are well familiar with at this point.
- Support for Azure Conditional Access (CA). This is great for administrators who want to control AVD access by users based on their location, device, and other conditions.
Azure MFA is available as part of the Azure AD Premium license. It is also included as part of E3/E5 Office 365 and Microsoft 365 products. Most users with Office 365 accounts should be able to start taking advantage of MFA with AVD right away. To take advantage of Conditional Access policies, users will need Azure AD Premium licenses.
Remote Desktop App
The AVD Remote Desktop app replaces the RemoteApp and Desktop Connections (RADC) and the Remote Desktop Connection (MSTSC) clients built into Windows. After downloading and installing the .NET framework and the new Remote Desktop app, the first step is to Subscribe to virtual desktops and RemoteApps using Azure AD credentials.
Clicking Subscribe takes the user to the standard Microsoft cloud login screen:
Here you specify the user’s Azure AD credentials and all MFA and CA policies apply. For instance, here is what the next prompt looks like when MFA with phone-based authentication is enabled:
Once authenticated, the Remote Desktop app will subscribe the user’s PC to desktops and RemoteApps that the user is entitled to.
This subscription is persistent, meaning that even if you close and Remote Desktop app or reboot the PC, the user will not be required the re-subscribe again and therefore not prompted for password and MFA credentials.
If a user is entitled to RemoteApps, these will become automatically integrated into the Start Menu and will appear like regular apps that are locally installed, even though they are running in Azure Virtual Desktop. Once a user connects to a RemoteApp the icon in the task bar will have an indicator that the app is a RemoteApp but otherwise it will appear like a native, locally-installed application.
If a user is entitled to a full, published AVD desktop then double-clicking on the desktop icon will open it using a familiar Remote Desktop Connection (MSTSC) interface in full screen, spanning multiple monitors. Monitor configuration can be set by the administrator on the AVD Host Pool configuration. At this time, it is not yet possible to configure this from the client, but it will be possible in the future.
Remote Desktop App Update
When a new version of the client is available, the user will be notified by the client and the Windows Action Center. Selecting the notification will start the update process. This is a welcome feature that allows administrators to install the app only once and rely on Microsoft to keep it up to date. Keep in mind that for the update to run, the user must have local administrator rights on the PC where the app is installed.
Clicking on the “…” next to the AVD Tenant name (getnerdio in the screenshot below) you can see the version settings and have a button to trigger a manual subscription update in case new RemoteApps or desktops have been published to the user.
In conclusion, the end-user experience in AVD is a welcome change and will be much appreciated by users and admins everywhere. Full integration with Azure MFA and CA is going to allow administrators to create highly secure virtual desktop environment in Azure that are still easily accessible by end-users. Start Menu integration for RemoteApps, persistent subscriptions, and automatic updates of the client app are going to limit the number of clicks an end-user will have to go through on a regular basis and improve the user experience.