As described earlier in this blog you can easily provision a Windows Virtual Desktop (WVD) host pool with an user account that have “RDS Owner” or “RDS Contributor” permissions on the Windows Virtual Desktop tenant. However, this will not work as this user has Multi Factor Authentication (MFA) enabled.
I had this situation recently by a customer, every user needs to have MFA enabled. Fortunately there is another way to provision a Windows Virtual Desktop Host Pool, namely with Service Principal.
In this blog I will explain, step-by-step, how to create Service Principal and provision a Windows Virtual Desktop Host Pool with it. For this blog I assume that you have already a Windows Virtual Desktop tenant up and running as described in step 1, 2 and 3 from this blog.
In this blog
This blog contains the following steps:
- Step 1 : Create the Azure Service Principal
- Step 2 : Give the Service Principal “RDS Owner” rights
- Step 3 : Provision a Windows Virtual Desktop (WVD) Host Pool with Service Principal
Step 1 : Create the Azure Service Principal
The first step is to create the Service Principal. To do this, you need to start an elevated PowerShell prompt and run the following commands.
First we need to install the AzureAD module. Run the following command:
When the question comes up to install from the “PSGallery”, type Y (for Yes) or A (for All).
To import the module type:
To login to your Microsoft Azure Portal type:
$aadContext = Connect-AzureAD
And login with a user that have Azure Global Admin rights.
To create the Service Principal, run the following command:
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Service Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId
To get the information about the just created Azure Service Principal, run:
Note : This is the only moment you can request this information so copy it (as text) to a save location for later use.
For your information, these steps have created a new App registration in the Microsoft Azure Portal.
Step 2 : Give the Service Principal “RDS Owner” rights
The next step is to give the Service Principal the “RDS Owner” rights within the Windows Virtual Desktop tenant.
If you not already installed the RDSInfra PowerShell module, run the following command:
Install-Module -Name Microsoft.RDInfra.RDPowerShell
To import the module, run:
Import-Module -Name Microsoft.RDInfra.RDPowerShell
The next step is to login with an account with WVD “RDS Owner” rights. Therefore, run the following command and login with that account:
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
To set the WVD tenant name variable, run (replace “Tenant Name” with your WVD Tenant Name) :
$myTenantName = "Tenant Name"
To give the Azure Services Principal “RDS Owner” rights, run:
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $myTenantName
Step 3 : Provision a Windows Virtual Desktop (WVD) Host Pool with Service Principal
For the final steps, login to the Microsoft Azure Portal.
Within the Microsoft Azure portal, click the + Create a resource button, search for Windows Virtual Desktop – Provision a host pool, and click Create.
Select your subscription and a Resource group (or create a new one). Select your Region and give this hostpool a name. Select the Desktop Type (Pooled or Personal) and fill in the default desktop users.
Click Next : Configure virtual machines
Select the Usage Profile and the total number of users. If you want you can change the Virtual machine size. Fill in the Virtual machine name prefix.
Click Next : Virtual machine settings
Select your Image source. In this case I will use a Gallery Image. Select Disk Type and fill in the account that have rights to perform the session host pool servers domain join. Optionally you can specify the domain to join and the OU path. Select your existing Virtual network and vmSubnet (or create new one).
Click Next : Windows Virtual Desktop information.
Leave the Windows Virtual Desktop tenant group default and fill in your Windows Virtual Desktop tenant name. Now select Service principal as Windows Virtual Desktop tenant RDS Owner and fill in the Application ID, Credentials, and your Azure AD tenant ID.
Click Next : Review + create
The deployment of the Windows Virtual Desktop Host Pool is now underway.
And after a few minutes the deployment is complete.