
Azure Virtual Desktop End-User Experience and Multi-Factor Authentication

Azure Virtual Desktop (AVD) introduces a new end-user experience via a brand-new Remote Desktop application.  Unlike previous versions of Remote Desktop Connection that were included in every version of Windows OS, this one must be downloaded and installed.  The new client also requires .NET framework 4.7.2 or later to be downloaded and installed on a Windows machine before installing the client.  Once in General Availability (GA), client apps will be available for MacOS, iOS, Android and HTML 5.  Suffice it to say, AVD will be accessible from almost any modern, internet-connected device.

In this article, we will focus on the end-user experience when using a Windows PC with a special focus on how multi-factor authentication plays into the user login experience.  We will review the user login process in detail using the latest version of the Remote Desktop app v1.2 available today.  The user interface will likely change slightly in future releases, but the overall authentication and login flow is likely to stay consistent.

Azure AD

One of the many advantages of AVD over previous RDS implementations is that Azure AD is natively supported, and in fact required, for AVD to work.  This brings with it many benefits including:

  • Consistent set of credentials for local Active Directory (when synced to AAD with ADConnect), Office 365 and other Azure AD services, and Azure Virtual Desktop. No more maintaining independent sets of user credentials.
  • Support for Azure MFA (multi-factor authentication) in its native form. The user experience is identical to that of accessing Office 365 resources, something most users are well familiar with at this point.
  • Support for Azure Conditional Access (CA). This is great for administrators who want to control AVD access by users based on their location, device, and other conditions.

Azure MFA is available as part of the Azure AD Premium license.  It is also included as part of E3/E5 Office 365 and Microsoft 365 products.  Most users with Office 365 accounts should be able to start taking advantage of MFA with AVD right away.  To take advantage of Conditional Access policies, users will need Azure AD Premium licenses.

Remote Desktop App

The AVD Remote Desktop app replaces the RemoteApp and Desktop Connections (RADC) and the Remote Desktop Connection (MSTSC) clients built into Windows.  After downloading and installing the .NET framework and the new Remote Desktop app, the first step is to Subscribe to virtual desktops and RemoteApps using Azure AD credentials.

Clicking Subscribe takes the user to the standard Microsoft cloud login screen:

Here you specify the user’s Azure AD credentials and all MFA and CA policies apply.  For instance, here is what the next prompt looks like when MFA with phone-based authentication is enabled:

Once authenticated, the Remote Desktop app will subscribe the user’s PC to desktops and RemoteApps that the user is entitled to.

This subscription is persistent, meaning that even if the user closes the Remote Desktop app or reboots the PC, the user will not be required to re-subscribe and is therefore not prompted again for password and MFA credentials.
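The Conditional Access controls described in the Azure AD section and the persistent subscription just described meet in one place: a policy that requires Azure MFA for the AVD app and sets a sign-in frequency so a subscribed client still has to re-authenticate on a schedule. This is an added example written against the Microsoft Graph conditional access API, not code from the original article; the AVD application ID, the break-glass group ID and the access token are placeholders you supply from your own tenant.

```python
"""Build (and optionally create) a Conditional Access policy for Azure Virtual Desktop.

Added example, not from the original article. Assumes a Microsoft Graph access token
holding Policy.ReadWrite.ConditionalAccess and the application (client) ID of the
Azure Virtual Desktop enterprise application from your tenant (placeholder below).
"""
import json
import urllib.request

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
AVD_APP_ID = "<azure-virtual-desktop-app-id>"  # placeholder: copy from Enterprise applications


def build_avd_mfa_policy(app_id=AVD_APP_ID, excluded_group_ids=(), sign_in_days=1,
                         state="enabledForReportingButNotEnforced"):
    """Return the Graph request body for the policy.

    - applies to every user except the excluded (break-glass) groups
    - targets only the AVD app, so other workloads keep their own policies
    - grant control 'mfa' enforces Azure MFA at the Subscribe step
    - signInFrequency forces re-authentication after `sign_in_days`, so a persistent
      client subscription cannot outlive the tenant's credential policy indefinitely
    - defaults to report-only so the effect can be reviewed in sign-in logs first
    """
    if sign_in_days < 1:
        raise ValueError("signInFrequency must be at least 1 day")
    return {
        "displayName": "AVD - require MFA and periodic re-authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": [app_id]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {"value": sign_in_days, "type": "days", "isEnabled": True}
        },
    }


def create_policy(access_token, policy):
    """POST the policy to Microsoft Graph and return the new policy's id."""
    req = urllib.request.Request(
        GRAPH_CA_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    # Print the body for review; call create_policy(token, body) to apply it.
    print(json.dumps(build_avd_mfa_policy(excluded_group_ids=["<break-glass-group-id>"]), indent=2))
```

Switch `state` to `"enabled"` only after the report-only results confirm the break-glass exclusion and MFA prompts behave as expected.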

RemoteApp Integration

If a user is entitled to RemoteApps, these will become automatically integrated into the Start Menu and will appear like regular apps that are locally installed, even though they are running in Azure Virtual Desktop.  Once a user connects to a RemoteApp the icon in the task bar will have an indicator that the app is a RemoteApp but otherwise it will appear like a native, locally-installed application.

Full Desktops

If a user is entitled to a full, published AVD desktop then double-clicking on the desktop icon will open it using a familiar Remote Desktop Connection (MSTSC) interface in full screen, spanning multiple monitors.  Monitor configuration can be set by the administrator on the AVD Host Pool configuration.  At this time, it is not yet possible to configure this from the client, but it will be possible in the future.

Remote Desktop App Update

When a new version of the client is available, the user will be notified by the client and the Windows Action Center.  Selecting the notification will start the update process. This is a welcome feature that allows administrators to install the app only once and rely on Microsoft to keep it up to date.  Keep in mind that for the update to run, the user must have local administrator rights on the PC where the app is installed.

Clicking on the “…” next to the AVD tenant name (getnerdio in the screenshot below) shows the version settings and a button to trigger a manual subscription update in case new RemoteApps or desktops have been published to the user.

In conclusion, the end-user experience in AVD is a welcome change and will be much appreciated by users and admins everywhere.  Full integration with Azure MFA and CA is going to allow administrators to create highly secure virtual desktop environments in Azure that are still easily accessible by end-users.  Start Menu integration for RemoteApps, persistent subscriptions, and automatic updates of the client app are going to limit the number of clicks an end-user will have to go through on a regular basis and improve the user experience.

AVD MANAGEMENT

Multi-Cloud and On-Premises Deployment with Azure Stack HCI (Coming Soon)

Deploy Azure Virtual Desktop in Azure and extend the session host VM placement to on-premises and other clouds using Azure Stack HCI. Nerdio Manager automates deployment of session hosts, AVD agent installation, and full integration into the AVD deployment in Azure.

Create a brand new Azure Virtual Desktop environment or allow Nerdio Manager to discover an existing deployment, connecting to existing resources, and manage them.

Deploy Nerdio Manager from Azure Marketplace and configure a new AVD environment with an easy-to-follow, step-by-step configuration wizard. The first group of users can access their AVD desktop in less than 2 hours.

Service providers, system integrators, and consultants can leverage Nerdio Manager’s scripted AVD deployment template. Create complete environments with desktop images, host pools, and auto-scaling in minutes.

Create and manage AVD environments that span Azure regions and subscriptions. Quickly link VNets and resource groups and manage AVD deployments world-wide from a unified portal.

Link multiple Azure tenants under the same Nerdio Manager instance and manage AVD deployments that span Azure AD tenants. User identities and session host VMs can run in separate tenants for maximum flexibility and security.

Deploy and manage AVD environments that span across sovereign Azure Clouds. Cross-sovereign cloud support allows identity (e.g. users and groups) to be in one Azure Cloud, while session host VMs are in another Azure Cloud.

Management of workspaces, host pools, app groups, RemoteApps & custom RDP settings

Administer every aspect of AVD with Nerdio Manager including workspaces, host pools, application groups, RemoteApp publishing, RDP properties, session time limits, FSLogix, and much, much more. Every Azure service that AVD relies on can be managed with Nerdio Manager.

Deploy and manage AVD session host VMs. Hosts can be created manually or with auto-scaling, deleted on-demand or on a schedule, re-imaged to apply updates, run a scripted action, resized, put into or taken out of drain mode, and more.

Manage user sessions across the entire AVD environment, within a workspace, host pool or on a single host. Monitor session status, disconnect or log off the user, shadow or remote control to provide support, or send the user an on-screen message.

End users have the ability to log into Nerdio Manager with their Azure AD credentials and manage their own session, restart their desktop VM, or start a session host if none are started in a host pool. (The ability to resize and re-image one's own desktop is coming soon.)

Create, link, and manage Azure Files shares including AD domain join. Synchronize Azure Files permissions with host pools, configure quotas, and enable SMB multi-channel. Manage file lock handles and configure Azure Files auto-scaling to increase quota as needed.

Create, link, and manage Azure NetApp Files accounts, capacity pools and volumes. Configure provisioned volume size, monitor usage, and use auto-scaling to automatically adjust volume and capacity pool size to accommodate the needed capacity and latency requirements.

FSLogix configuration can be complex and overwhelming, but not with Nerdio Manager. Create one or more FSLogix profiles with all the needed options, point at one or more Azure Files, Azure NetApp Files, or server locations and select from VHDLocations, CloudCache and Azure Blob storage modes.

Multiple identity source profiles can be set up and used automatically on different host pools. Active Directory, Azure AD DS, and Native Azure AD are all supported. Choose the appropriate directory profile when adding a host pool and all VMs will automatically join this directory when being created.

Create a copy of a host pool with all of its settings: auto-scale config, app groups and RemoteApps, MSIX AppAttach, user/group assignments, VM deployment settings, etc. Save time by creating host pool “templates” that can be cloned to any Workspace, Azure region or subscription instead of starting from scratch.

Apply user session time limits at host pool level. Automatically log off disconnected sessions, limit the duration of idle sessions, control empty RemoteApp session behavior and more.

Assign Azure AD users to personal desktops to ensure the user will log into a pre-configured VM. Un-assign personal desktops from users who leave the organization and re-use these VMs for new users.

Pre-configure custom Azure tags for all Azure resources associated with each host pool. Tags can be used for charge-back and cost allocation by host pool.

When creating session hosts using NV-series VMs, NVIDIA and AMD GPU drivers are automatically installed.

Move existing host pools from the Fall 2019 (Classic) object model to the Spring 2020 (ARM) object model. Choose whether to move or copy user assignments. Existing session hosts are automatically migrated, or new ones can be created in the ARM host pool.

Automatically enable and configure AVD integration with Azure Monitor. Zero configuration required. Azure Monitor Insights for AVD can be used instead of or in conjunction with Sepago Monitor.

AVD personal desktops to Windows 365 Cloud PC migration (Coming Soon)

Migrate users from AVD personal desktops to Windows 365 Enterprise Cloud PCs using an existing image and user assignment. (Coming soon)

WINDOWS 365 ENTERPRISE MANAGEMENT

Cloud PC License Usage Optimization (Coming Soon)

Cloud PC device lifecycle management

Cloud PC user group assignment

Intune primary user management on Cloud PCs

Migrate AVD personal desktops to Cloud PCs (Coming Soon)