How to provision a Windows Virtual Desktop (WVD) Host Pool with Service Principal

As described earlier in this blog, you can easily provision a Windows Virtual Desktop (WVD) host pool with a user account that has "RDS Owner" or "RDS Contributor" permissions on the Windows Virtual Desktop tenant. However, this will not work when that user has Multi-Factor Authentication (MFA) enabled: the host pool deployment signs in to the WVD tenant non-interactively with a username and password, so it cannot complete an MFA prompt.

I recently ran into this situation at a customer where every user needs to have MFA enabled. Fortunately there is another way to provision a Windows Virtual Desktop host pool, namely with a Service Principal.

In this blog I will explain, step by step, how to create a Service Principal and provision a Windows Virtual Desktop host pool with it. For this blog I assume that you already have a Windows Virtual Desktop tenant up and running, as described in steps 1, 2 and 3 of this blog.

In this blog

This blog contains the following steps:

  • Step 1 : Create the Azure Service Principal
  • Step 2 : Give the Service Principal “RDS Owner” rights
  • Step 3 : Provision a Windows Virtual Desktop (WVD) Host Pool with Service Principal

Step 1 : Create the Azure Service Principal

The first step is to create the Service Principal. To do this, start an elevated PowerShell prompt and run the following commands.

First we need to install the AzureAD module. Run the following command:

Install-Module AzureAD

When asked whether to install from the untrusted repository "PSGallery", type Y (for Yes) or A (for Yes to All).

To import the module type:

Import-Module AzureAD

To sign in to Azure AD, type:

$aadContext = Connect-AzureAD

and sign in with an account that has Azure AD Global Administrator rights.

To create the Service Principal, run the following command:

$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Service Principal"

Next, create a password (client secret) for the application:

$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

To display the secret value and the Application (client) ID of the Service Principal you just created, run:

$svcPrincipalCreds.Value
$svcPrincipal.AppId

Note: the secret value in $svcPrincipalCreds.Value is only returned at creation time and cannot be retrieved later, so copy it (as text) to a safe location, preferably a secret store such as Azure Key Vault, for later use. Treat it like a password: together with the AppId it will give full "RDS Owner" control over your WVD tenant after Step 2. The AppId itself can always be looked up again in the App registration.

These steps have created a new App registration, which you can find in the Microsoft Azure Portal under Azure Active Directory > App registrations.

Step 2 : Give the Service Principal “RDS Owner” rights

The next step is to give the Service Principal the "RDS Owner" rights within the Windows Virtual Desktop tenant. Note that "RDS Owner" grants full control over the WVD tenant, so protect the secret from Step 1 accordingly.

If you have not already installed the Microsoft.RDInfra.RDPowerShell module, run the following command:

Install-Module -Name Microsoft.RDInfra.RDPowerShell

To import the module, run:

Import-Module -Name Microsoft.RDInfra.RDPowerShell

The next step is to sign in with an account that has WVD "RDS Owner" rights. Run the following command and sign in with that account:

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

To set the WVD tenant name variable, run (replace "Tenant Name" with your WVD tenant name):

$myTenantName = "Tenant Name"

To give the Service Principal "RDS Owner" rights, run:

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $myTenantName
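Before you rely on the Service Principal in the host pool deployment, it is worth checking that it can actually sign in to the WVD tenant on its own. The following PowerShell script is an added example (editor's addition, not part of the original steps): it signs in to the WVD broker as the Service Principal, using the -ServicePrincipal switch of Add-RdsAccount, and then lists the tenant and its role assignments. The tenant name, Application ID and Azure AD tenant ID are placeholders that you replace with your own values; the secret is read at the prompt so it does not end up in the script or in your shell history.

```powershell
# Added example: verify that the Service Principal from Step 1, authorised in Step 2,
# can sign in to the WVD tenant as "RDS Owner" without any interactive user (and so without MFA).
# Placeholders (assumptions, replace with your own values):
$myTenantName = "Tenant Name"                            # your WVD tenant name
$appId        = "00000000-0000-0000-0000-000000000000"   # $svcPrincipal.AppId from Step 1
$aadTenantId  = "00000000-0000-0000-0000-000000000000"   # your Azure AD tenant ID ($aadContext.TenantId)

# Read the secret ($svcPrincipalCreds.Value from Step 1) at the prompt instead of hard-coding it.
$secret = Read-Host -Prompt "Service Principal secret" -AsSecureString
$creds  = New-Object System.Management.Automation.PSCredential ($appId, $secret)

Import-Module -Name Microsoft.RDInfra.RDPowerShell

# Sign in to the WVD broker as the Service Principal. A failure here means the Application ID,
# the secret or the Azure AD tenant ID is wrong (or the secret has expired).
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" `
               -Credential $creds `
               -ServicePrincipal `
               -AadTenantId $aadTenantId

# If the role assignment from Step 2 took effect, the tenant is visible to the Service Principal.
Get-RdsTenant -Name $myTenantName

# List the role assignments on the tenant; look for the entry with your Application ID
# and the "RDS Owner" role.
Get-RdsRoleAssignment -TenantName $myTenantName | Format-List
```

Run this from a fresh PowerShell session, so that you are sure the commands are executed with the Service Principal's sign-in and not with the "RDS Owner" user account you used above. If Get-RdsTenant returns nothing or an authorisation error, re-run New-RdsRoleAssignment and check that you used the correct Application ID.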

Step 3 : Provision a Windows Virtual Desktop (WVD) Host Pool with Service Principal

For the final steps, login to the Microsoft Azure Portal.

Within the Microsoft Azure portal, click the + Create a resource button, search for Windows Virtual Desktop – Provision a host pool, and click Create.

Select your subscription and a Resource group (or create a new one). Select your Region and give the host pool a name. Select the Desktop Type (Pooled or Personal) and fill in the default desktop users.

Click Next : Configure virtual machines

Select the Usage Profile and the total number of users. If you want you can change the Virtual machine size. Fill in the Virtual machine name prefix.

Click Next : Virtual machine settings

Select your Image source. In this case I will use a Gallery Image. Select the Disk Type and fill in the credentials of an account that has rights to join the session hosts to the domain. Optionally you can specify the domain to join and the OU path. Select your existing Virtual network and vmSubnet (or create a new one).

Click Next : Windows Virtual Desktop information.

Leave the Windows Virtual Desktop tenant group at its default and fill in your Windows Virtual Desktop tenant name. Now select Service principal as Windows Virtual Desktop tenant RDS Owner and fill in the Application ID ($svcPrincipal.AppId from Step 1), the Credentials (the secret value you copied in Step 1) and your Azure AD tenant ID. If the secret has expired or you no longer have it, create a new client secret on the App registration and use that instead.

Click Next : Review + create

Click Create

The deployment of the Windows Virtual Desktop Host Pool is now underway.

And after a few minutes the deployment is complete.

About Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).
