How to create an Azure Service Principal for use with Windows Virtual Desktop AND Azure ARM Templates, like the ARM Template to Update an existing Windows Virtual Desktop hostpool

Some time ago, I wrote a blog about how to provision a Windows Virtual Desktop (WVD) host pool with a Service Principal, for the case where MFA is enabled for every user/admin in the Azure environment and you therefore cannot provision a Windows Virtual Desktop host pool with a regular account. This worked fine when provisioning a new Windows Virtual Desktop host pool via the “Windows Virtual Desktop – Provision a host pool” wizard in the Microsoft Azure Portal. But soon I was running into failed deployments when running the ARM Template to Update an existing Windows Virtual Desktop host pool, and I was not the only one: I received a lot of mails from people with the same problem.

After troubleshooting without success, I decided to open a case on GitHub. There too, people were saying they had the same problem, some of them for months. Recently the Microsoft Windows Virtual Desktop team (including Tom Hickling, Christian Montoya, Mohit Nakrani and others) started helping me on this case, and they were able to find out that the problem is “related to not having the right permission to authenticate with Azure resource manager to be able to delete/deallocate old VMs.” So first a big shout-out to Tom Hickling, Christian Montoya, Mohit Nakrani and the rest of this awesome team for finding the cause of this problem!

In this blog I will show you step-by-step how you can create a Service Principal that you can use to provision a new Windows Virtual Desktop Host pool via the “Windows Virtual Desktop – Provision a host pool” wizard within the Microsoft Azure Portal, AND the ARM Template to Update an existing Windows Virtual Desktop hostpool. I will do this in the following steps:

  • Create an App Registration
  • Add a role assignment to your Azure Subscription
  • Add the RDS Owner role to the Service Principal
  • Provisioning a new WVD Hostpool
  • Running the ARM Template to Update an existing Windows Virtual Desktop hostpool

Let's get started…

Step 1) Create an App Registration

For the next steps login to the Microsoft Azure Portal.

Navigate to: Azure Active Directory > App registrations and click the + New registration button.

Give this application a name; in this case I will give it the name Windows Virtual Desktop SP. Select Accounts in this organizational directory only, leave Redirect URI (optional) empty and click Register

Open the Certificates & secrets blade and click + New client secret

Give the client secret a name (in this case I will use WVD), select an expiry period and click Add

Copy the Value to a safe place: this is the Service Principal “password”, and this is the only moment you can see this value.

Open the Overview blade and copy the Application ID to the same safe place as the client secret. This is the Service Principal “username”, and you need it together with the client secret when provisioning a new Windows Virtual Desktop host pool or updating an existing one.

Step 2) Add a role assignment to your Azure Subscription

Within the Azure portal, navigate to Subscriptions


Open your Subscription and go to the Access control (IAM) blade. In the Add a role assignment dialog, click Add

Select Contributor as the role, search for the Service Principal created in step one of this blog, select it and click Save

Step 3) Add the RDS Owner role to the Service Principal

Open the PowerShell in an elevated prompt.

If you have not already done so, install the Microsoft RDInfra PowerShell module by running the following command:

Install-Module -Name Microsoft.RDInfra.RDPowerShell

Import the module with the following command:

Import-Module -Name Microsoft.RDInfra.RDPowerShell

Run the following command and log in with an account that holds the Windows Virtual Desktop RDS Owner role:

Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

The following output will be displayed.

Run the following command, replacing the value with your Windows Virtual Desktop tenant name (in my case hobo.cloud):

$myTenantName = "your tenant name"

Run the following command to add the RDS Owner role to the Service Principal. Replace “<Service Principal App ID>” with the App ID of the Service Principal created in step one of this blog.

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId "<Service Principal App ID>" -TenantName $myTenantName
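The same three steps as one script, as an added example that is not part of the original post. It uses the Az PowerShell module (Az.Accounts and Az.Resources, assumed to be a Microsoft Graph based release where New-AzADAppCredential returns the secret in SecretText) together with the Microsoft.RDInfra.RDPowerShell module from step 3, and it reads the role assignments back so that a missing role shows up here instead of as a failed deployment later. The display name, tenant name and secret lifetime are assumptions to replace with your own values.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Resources (Graph based)
# and Microsoft.RDInfra.RDPowerShell are installed. Replace the three values below.
$displayName  = "Windows Virtual Desktop SP"   # app registration name used in the post
$myTenantName = "your tenant name"             # your WVD tenant name (e.g. hobo.cloud)
$secretMonths = 12                             # client secret lifetime; keep it short

# Sign in interactively with an account that can assign roles on the subscription
# and that holds RDS Owner on the WVD tenant.
Connect-AzAccount | Out-Null
$subId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subId"

# Step 1: app registration, service principal object and client secret.
# Creating the service principal object explicitly is what lists the app under
# Enterprise applications; an app registration alone cannot be given RBAC roles
# or sign in to Azure Resource Manager.
$app  = New-AzADApplication -DisplayName $displayName
$sp   = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths($secretMonths)
# $cred.SecretText is the "password"; it is returned once, so store it in a vault, not on disk.

# Step 2: Contributor on the subscription, the scope the post uses.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Contributor" -Scope $scope | Out-Null

# Step 3: RDS Owner on the WVD tenant (interactive broker login, as in the post).
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" | Out-Null
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $app.AppId -TenantName $myTenantName | Out-Null

# Read back what was granted before handing the credentials to the wizard or template.
$rbac = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
        Where-Object RoleDefinitionName -eq "Contributor"

[pscustomobject]@{
    ApplicationId      = $app.AppId          # the "username" for the wizard / ARM template
    ServicePrincipalId = $sp.Id              # object id of the Enterprise application
    SecretExpires      = $cred.EndDateTime   # renew before this date or deployments start failing
    HasContributor     = [bool]$rbac
}

# Lists every assignment on the WVD tenant; confirm the new application appears with RDS Owner.
Get-RdsRoleAssignment -TenantName $myTenantName
```

The secret is deliberately never written to a variable you print; read it from $cred.SecretText once and put it where the rest of your deployment secrets live. Because Contributor at subscription scope is broad, note the application id and secret expiry in the same record so the assignment can be reviewed and rotated later.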

Step 4) Provisioning a new WVD Hostpool

Let's see if we can create a new Windows Virtual Desktop host pool with this Service Principal. For the next steps you need to go back to the Microsoft Azure Portal.

In the Microsoft Azure Portal, click the + Create a resource button.

Search for Windows Virtual Desktop – Provision a host pool and click Create

Select your Subscription and a Resource group (or create a new one, as I do in this case). Select your Region and fill in a name for this new WVD host pool (in my case SP-TEST). Select the Desktop type (in my case Pooled) and fill in the Default desktop users. Click Next : Configure virtual machines

Configure the virtual machines; in my case I will create two D4s v3 VMs. Click Next

Configure the Image source (for now I will keep it at a Gallery image) and fill in all the other requested information. Click Next : Windows Virtual Desktop information

Fill in the Windows Virtual Desktop information. Set Windows Virtual Desktop tenant RDS Owner to Service principal. Fill in the Application ID and the Password (client secret). Fill in your Azure AD tenant ID and click Next : Review + create

Click Create

After a few minutes Your deployment is complete

Step 5) Running the ARM Template to Update an existing Windows Virtual Desktop hostpool

Now that the Service Principal is working for the “Windows Virtual Desktop – Provision a host pool” wizard, let's see how it works for the ARM Template.

Open the ARM Template to Update an existing Windows Virtual Desktop hostpool and click Deploy to Azure

Fill in the following fields:

Subscription : Select your Azure Subscription
Resource group : Select the current Resource Group used for the host pool or create a new one
Rdsh Image Source : Select the type of Image you want to use (in my case this will be a custom image)
Vm Image Vhd Uri : Enter the URL of the VHD file (if using a custom image)
Rdsh Name Prefix : Enter a computer name prefix for the new VMs (different from the current one)
Rdsh Number Of Instances : Fill in the number of VMs that need to be created
Rdsh VM Disk Type : Select the disk type you want to use for these new VMs

Scroll a little down

Fill in the following fields:

Rdsh Vm Size : Select your VM size
Domain To Join : Fill in your local domain name
Existing Domain UPN : The user account used to join the VMs to the domain
Existing Domain Password : The password of that user
Ou Path : Optionally, the OU where the computer accounts need to be placed
Existing Vnet Name : The name of the network you want to use for your VMs
Existing Subnet Name : Enter the name of the subnet you want to use (the VMs need to be able to connect to the local DCs or Azure AD DS)
Virtual Network Resource Group Name : The resource group name of the VNet
Existing Tenant Name : The name of your WVD Tenant
Existing Hostpool Name : The name of the WVD Hostpool

Scroll a little down

Fill in the following:

Tenant Admin Upn Or Application Id : The Application ID of the Service Principal created in step one of this blog
Tenant Admin Password : The client secret of the Service Principal created in step one of this blog
Is Service Principal : true
Aad Tenant Id : Your Azure AD tenant ID
Action on Previous Virtual Machines : Delete or Deallocate
User Logoff Delay In Minutes : The number of minutes you prefer

Select I agree to the terms and conditions stated above and click Purchase

After a few minutes Your deployment is complete

When looking in the management console, you see that the old two VMs are removed from the host pool and the four new ones are added.
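A pre-flight check you can run as the Service Principal itself before clicking Purchase, added here as an example that is not part of the original post. The update template signs in to Azure Resource Manager and to the WVD broker with the application id and client secret, and then has to read and delete/deallocate the current VMs, which is exactly where the deployments discussed at the top of this post failed. The script performs the same logins with the same credentials and stops at the first permission that is missing. All values at the top are placeholders; the host pool name SP-TEST is the one from step 4.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Compute,
# Az.Resources and Microsoft.RDInfra.RDPowerShell are installed. Placeholders below.
$appId        = "<Service Principal App ID>"              # from step 1
$clientSecret = Read-Host -Prompt "Client secret" -AsSecureString
$aadTenantId  = "<Azure AD tenant ID>"
$subId        = "<subscription ID>"
$myTenantName = "your tenant name"                        # WVD tenant, e.g. hobo.cloud
$hostPoolName = "SP-TEST"
$hostPoolRg   = "<resource group that holds the host pool VMs>"

$spCred = New-Object System.Management.Automation.PSCredential ($appId, $clientSecret)

# 1. The ARM login the template performs when "Is Service Principal" is true.
Connect-AzAccount -ServicePrincipal -Credential $spCred -Tenant $aadTenantId -Subscription $subId | Out-Null

# 2. Contributor at subscription scope is what allows the old VMs to be deleted/deallocated.
$role = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope "/subscriptions/$subId" |
        Where-Object RoleDefinitionName -eq "Contributor"
if (-not $role) {
    throw "Service principal $appId has no Contributor assignment on /subscriptions/$subId"
}

# 3. The VMs the template will act on must be readable with this identity
#    (a 403 here means the role is missing at the resource group level).
$oldVms = Get-AzVM -ResourceGroupName $hostPoolRg
"Current VMs in ${hostPoolRg}: $($oldVms.Name -join ', ')"

# 4. The broker login with the same credentials, plus a read of the host pool,
#    proves the RDS Owner assignment from step 3 is in place.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" `
               -Credential $spCred -ServicePrincipal -AadTenantId $aadTenantId | Out-Null
Get-RdsSessionHost -TenantName $myTenantName -HostPoolName $hostPoolName |
    Select-Object SessionHostName, Status, AllowNewSession
```

If step 1 fails with an error about the token or the service principal not being properly created in the tenant, check under Enterprise applications that a service principal object exists for the app registration; if step 2 or 3 fails, the RBAC assignment from step 2 of this blog is missing or at the wrong scope; if only step 4 fails, the RDS Owner assignment is missing. Running this once takes a minute and avoids a deployment that fails halfway through replacing session hosts.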

10 comments

  • Great article – I have also struggled with this. I read in other blogs that the SP account needed permissions to the resource group to create VMs, vNics etc – is this not the case?

    • Hi Dave, that’s depending on how things are configured in your Azure tenant, in most cases contributor rights on the subscription should be enough.

  • Thank you for this! I do have a question, do we need to do the first consent for deploying a new WVD? Or we don’t need to do that anymore now?

  • I resolved this issue another way. I followed the MS WVD deployment documents to create a service principal using “New-AzureADApplication”, this creates the App Registration and then you add the credential (secret). This then works with RDS broker for powershell login but I couldn’t use it for redeployment as Azure login does not recognize it. To solve this navigate to App Registration > “WVD Service Principal > Overview and on the right hand side you will see the heading “Managed application in” and it will say “Create Service Principal” click this and it will complete the creation of the Service Principal into “Enterprise Applications” and can be used to redeploy and add into RBAC roles in required groups and subs. Short story, creating via powershell does not complete the full creation process for a service principal.

  • Hi Robin
    I'm using Okta SSO and Duo MFA on the account that has global rights on Azure, so I'm trying to use the Service Principal approach, but that option is not available in the spring update when provisioning the VMs.
    The deployment is failing at the “machinename-0/dscextension”
    “Microsoft.Compute/virtualMachines/extensions” stage, and I think it's related to the above MFA or Okta.
    Any ideas?

  • Hi Robin,
    I have done this twice now (once following your instructions and once following Microsoft), and both times I get error “The received access token is not valid: at least one of the claims ‘puid’ or ‘altsecid’ or ‘oid’ should be present. If you are accessing as application please make sure service principal is properly created in the tenant.”
    I am not sure what is missing or wrong. Have you encountered this?
    Thank you for publishing this article.

About Robin Hobo

I am a Technology Specialist working for Microsoft with focus on the Modern Workplace. I am specialized in Microsoft Intune, Azure Virtual Desktop (AVD), Windows 365, Windows 11 and Azure AD. Also interested in mental health, NLP and personal development.

For more information, see the About Me page or my LinkedIn profile.
