How can I set up an Entra ID account using Azure Files with AADJ join script?
In Nerdio Manager, you can use Entra ID when creating an account. This allows you to create Entra ID-joined host pools.
Advantages of Entra ID-joined VMs are the following:
No dependency on traditional domain controllers: Remove the need for line-of-sight connectivity to on-premises or virtualized Active Directory Domain Controllers (DCs). In some scenarios, they can eliminate the need for a DC altogether, simplifying the deployment.
Reduced management complexity and costs: Streamline operations by reducing infrastructure requirements.
Integration with Intune: Session hosts can be automatically enrolled in Intune for device and policy management.
Warning: The following procedures list only the steps that apply to setting up an Entra ID account and that are specific to the Azure Files with AADJ join script method. For full information about setting up the corresponding features, see the references provided.
To set up an Entra ID account using Azure Files with AADJ join script method, complete the following steps:
Step 1: Add an account in Nerdio Manager
Note: To add an account, you must have the Entra ID credentials to the customer's tenant, with Global Administrator and Subscription Owner roles.
For more details about provisioning an account in Nerdio Manager, see:
To add an Entra ID account:
At the MSP level, navigate to Accounts, and then select Add account.
Step 1: Link to Customer's Entra ID Tenant:
Desktop deployment model: Select the appropriate deployment model.
Azure Virtual Desktop: Select this option to deploy personal and pooled Azure Virtual Desktops.
Windows 365 Enterprise Cloud PC (MEM-managed): Select this option to deploy Cloud PC desktops that are AD-joined and can be managed from Microsoft Intune (formerly Microsoft Endpoint Manager).
Windows 365 Business Cloud PC (Self-managed): Select this option to deploy Cloud PC desktops that are not AD-joined.
Endpoint Management with Intune: Select this option to manage physical and/or virtual endpoints that are Entra ID-joined and managed with Intune.
Select subscription: Select from the list of Azure subscriptions available in the Entra ID tenant.
Note: Ensure you have the Owner role for any in-scope Azure subscriptions.
Indicate your Active Directory setup: From the drop-down list, select Entra ID.
Note: There is no option to specify a particular Entra ID tenant. The VMs are automatically joined to the Entra ID tenant that the Azure subscription is associated with.
In the warning message that is displayed for the Entra ID option, select the checkbox to confirm that you understand the Entra ID join limitations.
Select Save & next.
Step 2: Azure
Select Azure region: From the drop-down list, select the Azure region (location) where you would like to start your initial deployment.
Note:
Select the region closest to the majority of your customer's users.
You can link additional networks later and deploy resources to multiple networks and regions.
Select or create Resource Group: Select Create new, and then enter the new resource group's name.
Tip:
Keep the resource group name short so it is easy to identify later. For example, use your customer's name with "-RG" appended: [Your customer's name]-RG.
This resource group is used for the initial deployment. You can link additional resource groups later.
Select network: Select New Network, and then provide the following details:
Network name: Enter the network's name.
Tip: Keep the VNet name short so it is easy to identify later. For example, use your customer's name with "-VNet" appended: [Your customer's name]-VNet.
Network address space: Enter the network's address space in CIDR notation (for example, 10.10.0.0/16).
Subnet name: Enter the network's subnet name.
Subnet address prefix: Enter the subnet's address prefix, which must fall within the network address space (for example, 10.10.1.0/24).
Select Save & next.
Note: Nerdio Manager starts creating the new network. This may take a few minutes. You can follow the progress of the provisioning task in the Account Provisioning Tasks section at the bottom of the page.
Complete the remaining steps as described in Add an Account.
Step 2: Configure FSLogix profile storage
Note: Configure the FSLogix profile storage before you add a host pool. The storage must already exist because the FSLogix configuration profile and the scripted action used when creating the host pool reference it.
To set up the FSLogix profile storage:
Use the Azure Files Entra ID joined method as described in Use Azure Files with Entra ID Joined Method for AVD.
Step 3: Add a desktop image
You can now import a desktop image from the Azure library.
To import a desktop image from the Azure library:
At the Account level, navigate to Desktop Images.
Select Add from Azure library.
In the Add desktop image dialog box, enter the following details:
Name: Enter the desktop image name.
Note: The desktop image name you provide also serves as the host name of the desktop image VM that is created.
Azure Image: From the drop-down list, select the image.
Note: Select an image with a Windows OS supported by AVD. In the image names, EVD = Enterprise Virtual Desktop (the Windows 10/11 Enterprise multi-session editions). Office Pro Plus images contain pre-installed Microsoft 365 Apps (formerly Office 365 ProPlus) that activate when users with appropriate licensing sign in to the desktop.
VM Size: The D2as_v5 option is predefined. Don't change it.
OS Disk: The E10 128GB standard SSD option is predefined. Don't change it.
Note: The image's OS disk size must match the OS disk size you select for the session host VMs.
Use Trusted Launch: If the image you selected is Gen2, this option is selected by default. Don't clear this option.
Note:
Trusted Launch is available only for Gen2 images. For details, see Trusted Launch for Azure virtual machines.
If Trusted Launch is enabled for your image, you must enable it at the host pool level as well.
Provide custom credentials for a local administrator user: Enable this option to enter the username and password for a local admin.
Note:
This option is required to allow an RDP connection to the image VM.
When signing in to the desktop image, specify the admin credentials in the format [image host name]\[local admin username].
Geographic distribution and Azure compute gallery: If your selected image version is Gen2, and Trusted Launch is enabled, enable this option to store the image in the Azure Compute Gallery and automatically distribute it to the selected Azure region(s).
Note:
When defining the Azure compute gallery name, use the pattern [customer-name]ACG. Don't include spaces in the name.
Leave the other Azure compute gallery options set to their default values.
Define other fields as described in Add an Image from an Existing VM.
Select OK.
Step 4: Create a group
Next, you need to create a new group.
To create a group:
At the Account level, navigate to Groups and select Add group.
Enter the following information:
Group Type: Select the Security group type.
Note: Security groups are used for granting access to resources, such as AVD desktops or RemoteApps.
Name: Type the group's name. For this procedure, name the group AVD Users.
Define other required fields as described in Overview of Groups.
Step 5: Create a host pool
You can now create a host pool.
To create a host pool:
At the Account level, navigate to AVD > Host Pools.
Select Add host pool, and then enter the required details as described in Create a Host Pool.
Name: The host pool name you enter is also the Display Name of the AVD desktop that end users see and connect to.
Note: You can modify the Display Name value after the host pool is created.
Directory: The Entra ID option is predefined. Don't modify the default option.
FSLogix: From the drop-down list, select the FSLogix configuration profile that you created in Step 2: Configure FSLogix profile storage.
Name Prefix: Select how the names for multiple session hosts should be defined. Select one of the following options:
Prefix: Use this when creating multiple session hosts. The prefix is limited to 10 valid Windows computer name characters. A unique suffix is automatically appended in the format "-xxxx", where xxxx are 4 random alphanumeric characters. For example: AVDHOST-s72h. Do not include a "-" in the Prefix.
Pattern: Use this to specify an advanced naming convention for new hosts. Pattern tokens must be enclosed in {} and can contain the number sign (#) for sequential numbers and/or the question mark (?) for random alphanumeric characters. One number sign ({#}) produces numbers from 0 to 9, two number signs ({##}) produce zero-padded numbers from 00 to 99, and so on. For example, Host-{##} produces Host-01, Host-02, and so on.
Network: Select the default subnet.
Desktop Image: From the drop-down list, select the desktop image that you created in Step 3: Add a desktop image.
Tip: If your desktop image is not ready yet, select the same Azure library image version that you selected in Step 3: Add a desktop image as a placeholder.
VM Size: From the drop-down list, select the VM size (Pooled Desktop #1) that is defined in your Cost Estimate sheet.
OS Disk: From the drop-down list, select the OS disk type and size that is defined in your Cost Estimate sheet.
Resource Group: From the drop-down list, select the resource group that will contain the VMs.
Quick Assign: From the drop-down list, select the AVD Users security group that you created in Step 4: Create a group.
Select OK.
The Auto-scale settings page opens.
Note: This task may take some time to complete. You can monitor the task's progress in the Host Pools Tasks section.
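The Prefix and Pattern naming rules from the Name Prefix field above, worked through as an added PowerShell example (this is not Nerdio Manager's code). It follows the rules as this page states them: a prefix of up to 10 characters with no "-", a "-xxxx" random suffix, and {#}/{?} pattern tokens. The character set drawn from for random characters and the computer-name validation (15-character NetBIOS limit, letters/digits/hyphen only) are assumptions, not something the page specifies.

```powershell
# Added example (not Nerdio Manager code): expand the Prefix and Pattern host
# naming conventions described in Step 5 and validate the results.

# Assumption: valid computer-name characters are letters, digits and hyphen.
$ValidNameChars = '^[A-Za-z0-9-]+$'
$Alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'   # assumed random character set

function Test-WindowsComputerName {
    param([Parameter(Mandatory)][string]$Name)
    # NetBIOS computer names: max 15 chars, not all digits, no leading/trailing hyphen.
    return (($Name.Length -le 15) -and ($Name -match $ValidNameChars) -and
            ($Name -notmatch '^\d+$') -and ($Name -notmatch '^-|-$'))
}

function New-PrefixHostName {
    # Prefix rule from the page: 1-10 valid characters, no "-" in the prefix,
    # then "-" plus 4 random alphanumeric characters (for example AVDHOST-s72h).
    param([Parameter(Mandatory)][string]$Prefix)
    if ($Prefix -notmatch '^[A-Za-z0-9]{1,10}$') {
        throw "Prefix '$Prefix' must be 1-10 letters or digits and must not contain '-'."
    }
    $suffix = -join (1..4 | ForEach-Object { $Alphabet | Get-Random })
    return "$Prefix-$suffix"
}

function Expand-HostNamePattern {
    # Pattern rule from the page: tokens in {} made of '#' (zero-padded sequence
    # number, width = number of '#') and/or '?' (random alphanumeric characters).
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [int]$Count = 1,
        [int]$StartAt = 1
    )
    if ($Pattern -notmatch '\{[#?]+\}') { throw "Pattern must contain a {#}/{?} token." }
    for ($i = 0; $i -lt $Count; $i++) {
        $n = $StartAt + $i
        $evaluator = {
            param($m)
            $token  = $m.Groups[1].Value
            $hashes = @($token.ToCharArray() | Where-Object { $_ -eq '#' }).Count
            $quests = $token.Length - $hashes
            if ($hashes -gt 0 -and $n -ge [math]::Pow(10, $hashes)) {
                throw "Sequence number $n does not fit in $hashes digit(s)."
            }
            $seq = if ($hashes -gt 0) { $n.ToString().PadLeft($hashes, '0') } else { '' }
            $rnd = if ($quests -gt 0) { -join (1..$quests | ForEach-Object { $Alphabet | Get-Random }) } else { '' }
            $seq + $rnd
        }.GetNewClosure()
        $name = [regex]::Replace($Pattern, '\{([#?]+)\}', $evaluator)
        if (-not (Test-WindowsComputerName -Name $name)) {
            throw "Generated name '$name' is not a valid Windows computer name (max 15 characters)."
        }
        $name
    }
}

# Usage:
New-PrefixHostName -Prefix 'AVDHOST'                    # e.g. AVDHOST-s72h
Expand-HostNamePattern -Pattern 'Host-{##}' -Count 3    # Host-01, Host-02, Host-03
Expand-HostNamePattern -Pattern 'AVD-{##}{??}' -Count 2 # e.g. AVD-01k3, AVD-02z9
```

The length check matters in practice: a 10-character prefix plus "-xxxx" is exactly 15 characters, and a pattern such as [customer-name]-{###} can silently exceed the NetBIOS limit, which is why the function refuses such names instead of truncating them.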
Step 6: Configure Auto-scaling
The Auto-scaling feature allows host pools to grow as necessary to serve current demand, and then shrink when additional capacity is no longer needed.
To configure Auto-scaling for a host pool:
Start configuring Auto-scaling as described in Auto-scale Settings for Host Pools.
Auto-scale Timezone: From the drop-down list, select the time zone for the auto-scale process.
Clear the Re-use Host Names option.
In the following sections, verify the values that you set when creating the host pool in Step 5: Create a host pool:
Host Pool Sizing:
Base Host Pool Capacity: Enter the number of session host VMs that are always part of your host pool. These session hosts may be stopped or running. Auto-scaling keeps this number of session hosts in the pool.
Min Active Host Capacity: Enter the minimum number of running session hosts that should be available 24/7/365.
Note: This corresponds to your Reserved Instances. Set it to a number greater than zero only if you have purchased Azure Reservations for these VMs; otherwise you pay for hosts that run around the clock.
Burst Beyond Base Capacity: Enter the number of session host VMs that can be added above the base capacity when there is user demand. The system automatically creates up to this many new session host VMs above the Base Host Pool Capacity when needed. These session hosts are the first ones to be removed when the system scales in after business hours.
Note:
Adding bursted session host VMs may take up to 30 minutes. These VMs are automatically deleted when they are no longer in use.
Auto-scaling always checks the Base Host Pool Capacity to ensure the needed number of session host VMs remains in the host pool.
Scaling Logic:
Session limit per host: Enter the maximum number of sessions per host. Once this session limit is reached on all running hosts, a new host is started automatically, if one is available.
Load Balancing: From the drop-down list, select the desired load balancing:
Depth First: The load-balancing algorithm places all users on the first session host until that host's session limit is reached, and only then places users on the next session host. If necessary, it powers on the next VM and makes it available to users.
Breadth First: The load-balancing algorithm spreads users evenly across all available session hosts.
Start on Connect: Select this option to start session hosts on connect.
Note: These Load Balancing settings override the Load Balancing settings in the host pool's Properties > AVD settings.
Triggers: Define the auto-scale triggers.
Note: The available triggers are:
CPU or RAM Usage: Scales out when the average CPU or RAM usage across all running session hosts in the pool exceeds a predefined value for a predefined duration.
Average Active Sessions: Scales out when the average number of active sessions per host exceeds a predefined value.
Available Sessions: Maintains a number of available sessions by scaling out and scaling in within the limits of the Host Pool Sizing and the maximum number of sessions per host.
User-driven: Hosts are started when users connect, and are automatically stopped a defined amount of time after all users sign out. Select this option if your selected Load Balancing option is Depth First.
Scale in Restrictions:
Stop or Remove (Scale In) Hosts Only From: From the drop-down list, select the time window during which scale-in operations may run. Select <any time> to allow scaling in at any time.
Scale In Aggressiveness: Scale-in aggressiveness is set to High by default. Change this setting to Medium.
Note:
When scale-in aggressiveness is set to Medium, after business hours the scaling logic only removes hosts that have no sessions or only disconnected sessions. Session hosts with active sessions are not removed, so the host pool scales in only partially while users are still signed in.
The Medium option is not available if the Auto-scale Trigger is set to User-driven.
Pre-Stage Hosts: Select this option if you want your session host VMs to be powered on in the morning before the first user signs in.
Note: Pre-staging makes capacity available ahead of business hours. For example, pre-stage hosts at the beginning of the work day so that the system does not have to scale out in real time when all users sign in at the same time.
Use Multiple Schedules: Select this option to enable multiple, non-overlapping pre-staging schedules.
Note: This is not available for the Available Sessions trigger when the During Work Hours option is specified.
Work Days: From the drop-down list, select the work days on which pre-stage tasks should run, for example Monday-Friday.
Start of Work Hours: From the drop-down list, select the time by which the pre-staged hosts must be ready, for example 8:00 AM.
Hosts to be Active by Start of Work Hours: Enter 1. This determines the number of session hosts that should be ready to accept user connections by that time.
Scale In Delay: From the drop-down list, select a delay that restricts scale-in operations after the start of work hours. Pre-staged hosts are not scaled in during this time even if they are unused.
Notify if not done: Type the email addresses, separated by commas, that should receive a notification if the pre-stage task does not complete properly.
Messaging: Leave as default.
Note: The system sends messages to any users connected to a session host that has been selected for scale in.
Auto-Heal Broken Hosts: Enable this option. If a session host becomes unavailable, Auto-heal attempts to restart the host VM (twice, with the values used in this procedure). If the host is still broken after the restart attempts, Auto-heal redeploys or removes the VM, depending on the Unrecoverable hosts setting below.
Host is Broken if AVD Agent Status is: From the drop-down lists, select the agent statuses, together with the session status, that mark a host as broken.
Note: The status is reported to the AVD service by the AVD agent installed on the session host VM. If something is wrong, the status is something other than "Available"; however, not every status other than "Available" means that there is a problem. See this Microsoft article for more details. Hosts with active sessions may still be partly functional, so such hosts are not treated as broken. Only hosts that have either no sessions at all or no active sessions (that is, disconnected sessions only) are considered broken by auto-scale.
Number of restart attempts: Enter the number of times Auto-scaling should restart the session host VM to see if the AVD agent status returns to normal.
Minutes between restart attempts: Enter the number of minutes to wait after each restart attempt before moving on to the next step (the next restart, then the scripted action, then the unrecoverable-host action).
Run Scripted actions after restart attempts: From the drop-down list, select the AADJWindowsCredentialManager scripted action to run to attempt to repair the session host VM.
Unrecoverable hosts should be: From the drop-down list, select what to do with the session host VM if the restarts and the scripted action do not resolve the problem.
Notes:
The session host VM can be removed and re-created based on the host pool sizing configuration. Alternatively, it can be left alone to be dealt with manually.
If the Auto-Heal operation requires deletion and re-creation of a broken host VM, a spare VM is powered on to replace the capacity, if one is available.
Select Save.
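The "broken host" rule from the Auto-Heal note above, reproduced as an added PowerShell example so you can see which hosts auto-heal would act on before enabling it. This is not Nerdio Manager's code: the classification follows the rule as the page states it (a selected agent status, and no active sessions), the sample hosts are constructed for illustration, and the default list of "broken" statuses and the resource names in the commented live query are placeholders you would replace with your own selections.

```powershell
# Added example (not Nerdio Manager code): classify session hosts the way the
# Auto-Heal note describes. A host counts as broken only when its AVD agent
# status is one of the selected statuses AND it has no Active sessions
# (no sessions at all, or Disconnected sessions only).

function Test-BrokenSessionHost {
    param(
        [Parameter(Mandatory)][string]$Status,   # AVD agent status: Available, Unavailable, Shutdown, ...
        [string[]]$SessionStates = @(),          # SessionState of each user session on the host
        # Assumed default selection; in Nerdio you pick these in "Host is Broken if AVD Agent Status is".
        [string[]]$BrokenStatuses = @('Unavailable', 'NeedsAssistance', 'Upgrading', 'UpgradeFailed')
    )
    # "Available" is never broken, and only the statuses the admin selected count.
    if ($Status -eq 'Available' -or $Status -notin $BrokenStatuses) { return $false }
    # A host with at least one Active session may still be partly functional: not broken.
    $active = @($SessionStates | Where-Object { $_ -eq 'Active' }).Count
    return ($active -eq 0)
}

# Constructed sample data, reduced to the fields the rule needs. Names are made up.
$sampleHosts = @(
    @{ Name = 'avdhost-a1b2'; Status = 'Available';       Sessions = @('Active', 'Disconnected') },
    @{ Name = 'avdhost-c3d4'; Status = 'Unavailable';     Sessions = @('Disconnected') },
    @{ Name = 'avdhost-e5f6'; Status = 'Unavailable';     Sessions = @('Active') },
    @{ Name = 'avdhost-g7h8'; Status = 'Shutdown';        Sessions = @() },
    @{ Name = 'avdhost-i9j0'; Status = 'NeedsAssistance'; Sessions = @() }
)

$sampleHosts | ForEach-Object {
    [pscustomobject]@{
        Host   = $_.Name
        Status = $_.Status
        Broken = Test-BrokenSessionHost -Status $_.Status -SessionStates $_.Sessions
    }
} | Format-Table -AutoSize
# Expected: c3d4 and i9j0 are Broken. a1b2 (Available), e5f6 (has an Active
# session) and g7h8 (Shutdown is a normally stopped host, not a selected status) are not.

# Live version against a real host pool (requires Connect-AzAccount and the
# Az.DesktopVirtualization module; $rg and $pool are placeholders):
# $rg = 'Customer-RG'; $pool = 'Customer-AVD-Pool'
# Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $pool | ForEach-Object {
#     $hostName = ($_.Name -split '/')[-1]   # Name is returned as "<pool>/<host FQDN>"
#     $states = @((Get-AzWvdUserSession -ResourceGroupName $rg -HostPoolName $pool `
#                   -SessionHostName $hostName).SessionState)
#     [pscustomobject]@{ Host = $hostName; Status = $_.Status
#                        Broken = Test-BrokenSessionHost -Status $_.Status -SessionStates $states }
# }
```

Running the live version before turning Auto-Heal on shows you how many hosts would be restarted or redeployed immediately; a large number usually points at a status you should not have selected (for example a transient upgrade state) rather than at genuinely broken hosts.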
Step 7: Define the host pool properties
Once the host pool Auto-scaling is configured, you can define the host pool properties.
To define the host pool properties:
At the Account level, navigate to AVD > Host Pools.
Next to your host pool, select Manage Hosts > Properties.
On the AVD tab:
Start VM on connect: Select this option. The VM is powered on automatically when a user connects, so any assigned user can start a stopped host when they sign in. See Start VM on Connect for details.
Tip: For Start VM on connect to work, the following options must be enabled:
In the Auto-scale settings: Start On Connect, and Auto-scale Trigger set to User-driven.
In the host pool properties: Start VM on connect.
On the VM Deployment tab:
Set time zone: Select this option, and from the drop-down list select the time zone to set on the VM when it is provisioned.
Trusted Launch: Enable this option.
Note: Azure offers Trusted Launch as a seamless way to improve the security of Generation 2 VMs. Trusted Launch protects against advanced and persistent attack techniques such as bootkits and rootkits. It is composed of several coordinated infrastructure technologies (Secure Boot, vTPM, and boot integrity monitoring) that can be enabled independently; each provides another layer of defense against sophisticated threats. See Trusted Launch for Azure virtual machines for more information.
Be sure that the desktop image used for this host pool has Trusted Launch enabled too. It must meet the following criteria:
The selected OS must be Gen2.
The Create image VM as Gen2 option must be selected.
An Azure Compute Gallery must be selected.
See Overview of Desktop Images for details.
Secure Boot: Select this option to enable Secure Boot, which allows only signed boot components to load and so helps protect your VMs against bootkits, rootkits, and kernel-level malware.
vTPM: Select this option to enable the virtual Trusted Platform Module (vTPM), which is TPM 2.0 compliant and attests to the VM's boot integrity (measured boot) in addition to securely storing keys and secrets.
In the Scripted Actions section:
Run scripted actions when host VM is CREATED: Turn this option on.
Windows scripts: From the drop-down menu, select the AADJWindowsCredentialManager script.
Run scripted actions when host VM is STARTED: Turn this option on.
Windows scripts: From the drop-down menu, select the AADJWindowsCredentialManager script.
Select Save.
Custom RDP: Provide the necessary custom RDP settings.
Tip: Select the info icon next to each Not Configured entry. The pop-up dialog box explains what each value represents.
On the Session time limits tab:
Note:
A session host only powers off once all users have signed out of AVD.
You can set session time limits to force disconnected users to be signed out automatically, for example users who closed their session but did not properly sign out.
Focus on the first two options: Log Off Disconnected Session After and Disconnect Idle Session After.
Set each option to 1 hour. Together these give users a two-hour grace period: an idle session is disconnected after one hour, and a disconnected session is signed out after another hour, after which the host can be scaled in.
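A post-deployment check for the Step 7 settings, as an added PowerShell example to run inside a session host once it reports Available (this is not Nerdio Manager's code). It confirms the Entra ID join, Secure Boot, the vTPM, and the two session time limits. The registry path is the standard Windows Terminal Services policy location; whether Nerdio writes the limits there or applies them another way is not stated on this page, so a missing value there means "check the host pool's session settings", not that the setting is absent. The one-hour expectations are taken from the step above.

```powershell
# Added example (not Nerdio Manager code): verify on a session host that the
# Step 7 settings actually landed. Run in an elevated PowerShell session.

function Get-EntraJoinState {
    # dsregcmd /status prints "AzureAdJoined : YES" on an Entra ID-joined device
    # and a populated "MdmUrl" line when the device is enrolled in Intune.
    $out = dsregcmd /status
    [pscustomobject]@{
        EntraJoined    = [bool]($out | Select-String 'AzureAdJoined\s*:\s*YES')
        IntuneEnrolled = [bool]($out | Select-String 'MdmUrl\s*:\s*\S+')
    }
}

function Get-VmIntegrityState {
    # Confirm-SecureBootUEFI throws on BIOS/Gen1 VMs; Get-Tpm reports the vTPM.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }
    $tpm        = try { Get-Tpm } catch { $null }
    [pscustomobject]@{
        SecureBoot = $secureBoot
        TpmPresent = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady   = [bool]($tpm -and $tpm.TpmReady)
    }
}

function Get-SessionTimeLimitPolicy {
    # Standard policy location for "Set time limit for disconnected sessions" and
    # "Set time limit for active but idle sessions". Values are DWORD milliseconds;
    # 0 or absent means "never". Assumption: this is where the limits are applied.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $toHours = { param($ms) if ($ms) { [math]::Round($ms / 3600000, 2) } else { 'never' } }
    [pscustomobject]@{
        LogOffDisconnectedAfterHours = & $toHours $p.MaxDisconnectionTime
        DisconnectIdleAfterHours     = & $toHours $p.MaxIdleTime
    }
}

function Test-SessionHostBaseline {
    # Expected state per Step 7: Entra-joined, Secure Boot and vTPM on, both limits = 1 hour.
    $join = Get-EntraJoinState
    $vm   = Get-VmIntegrityState
    $lim  = Get-SessionTimeLimitPolicy
    $checks = [ordered]@{
        EntraJoined         = $join.EntraJoined
        SecureBoot          = $vm.SecureBoot
        vTPM                = ($vm.TpmPresent -and $vm.TpmReady)
        DisconnectedLimit1h = ($lim.LogOffDisconnectedAfterHours -eq 1)
        IdleLimit1h         = ($lim.DisconnectIdleAfterHours -eq 1)
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
    }
}

Test-SessionHostBaseline | Format-Table -AutoSize
```

A host that shows SecureBoot or vTPM as False while the host pool has Trusted Launch enabled almost always means the desktop image was not itself created as a Gen2 Trusted Launch image, which is the image-level requirement the note above calls out.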
Step 8: Enable Auto-scaling
Now you are ready to turn Auto-scaling on. Auto-scaling automatically creates session host VMs based on all the Auto-scaling and host pool properties that you have defined.
To turn Auto-scaling on:
At the Account level, navigate to AVD > Host Pools.
Next to your host pool, select Manage Hosts > Auto-scale > Configure.
On the Manage Auto-scale page, set the Auto-scale option to On.
Select Save.
Step 9: Configure backups
You can now configure the backup policies.
To configure the backups:
Go to Settings > Integrations.
In the Backup recovery vaults, policies and assignments tile, select Add vault.
In the Add new recovery vault dialog box, provide the necessary details, and then select Save.
Adding the backup vault creates two VM policies:
Default policy: Daily VM backup policy.
Enhanced policy: Hourly VM backup policy.
Create a third policy for Azure Files to back up your FSLogix profiles:
Select Add policy, and then provide the following details:
Name: Enter the name for the new policy.
Type: Select Azure Files policy.
Frequency: Select Hourly.
Schedule: Start at the beginning of your business hours. For example, if work starts at 8 AM, configure a backup every four hours over a 12-hour window, which creates three restore points per day (8 AM, 12 PM, and 4 PM).
Retention: Follow the In-Region Backup value in your cost estimate sheet and adjust accordingly.
Select Save.
In Nerdio Manager, go to Backup, and then next to each resource you want protected, select Enable backup and choose one of the policies you defined.
Tip: Best practice is to enable backup for the following:
Azure Files shares
Desktop image
Servers
Session hosts (only if you have local data saved to the OS disk of each hosted VM)
Step 10: Enable Azure Monitor Insights
For Nerdio Manager to start collecting the monitoring data, you need to enable Azure Monitor Insights for an account.
To enable Azure Monitor Insights:
At the Account level, go to Settings > Integrations.
In the Azure Monitor Insights tile, next to Current Status, select Disabled.
In the new dialog box, turn the Use Azure Monitor Insights option On.
In the Log Analytics Workspace field, select an existing Log Analytics workspace (LAW) from the list or create a new one.
To create a new LAW:
Enter the name for the LAW, and then select Create [your LAW name] as new LAW.
Resource group: Select the resource group that should contain your LAW.
Region: Select the region that should contain your LAW.
Note: Select the same resource group and the same region as for the environment.
Ensure the Configure Monitoring for AVD pools option is selected.
Select OK.
Azure Monitor Insights provides session and sign-in data such as:
AVD user sessions: Displays each user's round-trip time (RTT) from real-time ping results, allowing you to identify potential latency issues.
Last login activity reports: Display the date and time of each end user's most recent sign-in.
For more details, see How can I configure monitoring in Nerdio Manager?
Step 11: Configure multifactor authentication
Per-user (legacy) MFA is not supported for signing in to Entra ID-joined session hosts. If it is enabled for any user, disable it and enforce MFA through a Conditional Access policy instead. For details, see Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access.
Step 12: Test signing in to AVD
Once the session host's status is Available, you can test signing in to AVD.
To sign in to your AVD:
Download the Remote Desktop client application.
Connect to AVD with the Remote Desktop client for Windows. For details, see Get started with the Remote Desktop app.
Tip:
For Windows: Download the Windows 64-bit client application.
For access from devices where the client cannot be installed: Use the Remote Desktop web client.
Note: If you have difficulty signing in to your AVD, make sure you exclude the target resources from the Conditional Access policy as described in Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access; with Entra ID-joined session hosts, an MFA requirement that also applies to the VM sign-in itself is a common cause of failed connections.