Windows Virtual Desktop - Part 1

This time we will take a look at Windows Virtual Desktop in Azure.

We will connect this cloud solution to our own infrastructure so that we can use on-premises services as well.

In order to make this work we already have a Site-to-Site VPN gateway connection setup to connect our on-premises network to an Azure virtual network, this post will not cover setup of the VPN gateway.

At the same time our Active Directory is connected to Azure AD with Azure AD connect, this part is also not covered by this post.

This post will be part one of a longer series, so hold on 

Let’s get started.

The first thing we need is to grant Azure Active Directory permissions to the Windows Virtual Desktop server app, you can do this by going to the following link:

Grant permissions to the server app

Login with your global administrator account.

Accept the permissions requested.

After accepting the permissions you will get this confirmation page.

Now do the same for the Windows virtual desktop client app, on this link

Grant permissions to the client app

Login with your global administrator account.

Accept the permissions requested.

Again you will get this confirmation page.

Go to the Azure portal and Enterprise applications and search for Windows Virtual Desktop as shown, these to application was created when we used the two above links.

Select the the Windows Virtual Desktop

Go to Users and groups and notice that our administrator account automatically has been granted the Default Access role assigned. This is not enough so we need to grant it the TenantCreator role, we will continue to use the same global administrator account for this this, click on Add User.

Click on Users and groups.

Select the desired user and then Select.

Then click Assign.

Our global administrator account has now been granted the TenantCreator role.

Now we need to create the Windows Virtual Desktop tenant, in order to do this we must use the Windows Virtual Desktop PowerShell module, you can always see the latest version available here https://www.powershellgallery.com/packages/Microsoft.RDInfra.RDPowershell

Let install latest version with the command.

Install-Module Microsoft.RDInfra.RDPowershell

Then import the module.

Import-Module Microsoft.RDInfra.RDPowershell

Use the command Get-Module Microsoft.RDInfra.RDPowershell to see currently installed version.

Now sign in to Windows Virtual Desktop.

Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

Use your account with the TenantCreator role.

In next step we create a new Windows Virtual Desktop tenant and associate it with our Azure Active Directory tenant.

New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID>

You can get your Azure AD DirectoryID if you go to the Azure Portal – Azure Active Directory and properties.

Your subscriptionID can also be found in the Azure portal – Subscriptions and find the SubscriptionID on the Overview page of the subscription you want to use.

Then choose a name for the tenant and insert the correct values, we will use the name MindcoreLab for the tenant.

New-RdsTenant -Name MindcoreLab -AadTenantId 11111111-1111-1111-1111-1111111111111 -AzureSubscriptionId 22222222-2222-2222-2222-222222222222

We are now ready to create a service principal in Azure Active Directory and assign it a Windows Virtual Desktop role, so stay tuned for part 2.

Office 365 - problem

On Tuesday we identified a “funny” little thing when using the web version of outlook.

If we invited an internal user to a meeting and that user only had two letters in his alias the invite failed (xx@domain.com), invitations to internal people with mail addresses that had more that two letters worked without problems.

When we did the invite we saw the following error (One or more attendees have invalid email addresses).

As soon as you entered the name it turned red, meaning invalid address.

The same problem was seen when you tried to reply to an internal mail from a user with only two letters in the mail address.

I was able to reproduce the same problem on more different tenants, so no other way than contacting Office 365 support (around 17:00 Danish time).

Together with support I tested the old version of the web interface and it was working as expected.

We then did a fiddler trace and saved HTML code on the pages and the Escalation Engineer had to do his job, I must admit that I thought that it would probably take some time before they returned

So it was a very positive surprise that the problem was fixed just around noon on Wednesday (Danish time), unfortunately Microsoft has not reported anything back on the case, which is a little bit strange, I was so ready to give them credit for the quick fix, but let’s see what kind of answer the return.

Access to Teams based on our own extension attributes – PowerShell

In the last two post we looked at extending Azure AD with our own attributes https://blog.mindcore.dk/2019/10/azure-ad-extension-attributes.html and how to use this attribute to dynamically grant access to a Microsoft team https://blog.mindcore.dk/2019/10/access-to-teams-based-on-our-own.html.

This time we will create the team and dynamic group using PowerShell instead.

In order to do this we will need the Teams PowerShell module and the AzureADPreview module.

You can always find the latest version of the teams module here:

https://www.powershellgallery.com/packages/MicrosoftTeams/

To see your currently installed version of MicrosoftTeams use the command:

Import-Module MicrosoftTeams

Get-Module MicrosoftTeams

You can always just uninstall and reinstall the module to be sure you got the latest version. (elevated)

Uninstall-Module MicrosoftTeams

Install-Module MicrosoftTeams

Please note that I had to use .Net higher than version 4.6 in order to make the module work.

To find the latest version of the AzureADPreview module you can go here:

https://www.powershellgallery.com/packages/AzureADPreview

To see your currently installed version of AzureADPreview use the commands:

Import-Module AzureADPreview

Get-Module AzureADPreview

You can always just uninstall and reinstall the module to be sure you got the latest version. (elevated)

Uninstall-Module AzureADPreview

Install-Module AzureADPreview

You will need the preview version because otherwise converting to a dynamic group will fail.

With all modules installed let’s import the modules, unless you already did that.

Import-Module AzureADPreview

Import-Module MicrosoftTeams

Then connect to Azure AD and Microsoft teams.

Connect-AzureAD –AccountId youradmin@mydomain.com

Connect-MicrosoftTeams –AccountId youradmin@mydomain.com

Next step is to create the team.

$team = New-Team -MailNickname "NewTeam" -displayname "NewTeam" -Visibility "private" -Description "My New team"

Then we get the appid used in the extension and change the group behind the team to a dynamic group.

$Appid = (get-AzureADApplication -SearchString "Mindcore Azure AD Properties").Appid.replace("-","")

Set-AzureADMSGroup -Id $team.GroupId -GroupTypes "DynamicMembership","Unified" -MembershipRuleProcessingState "On" -MembershipRule "(user.extension_$($appid)_MyAttribute -eq ""MyValue"")"

We could also do it the other way around, creating the group first and then link a team, right now we cannot create the dynamic group right away with the teams PowerShell module.

Final result is the same as in the last post were it was all done directly in the portal https://blog.mindcore.dk/2019/10/access-to-teams-based-on-our-own.html.

Access to Teams based on our own extension attributes

In our last post we looked at extending Azure AD with our own attributes https://blog.mindcore.dk/2019/10/azure-ad-extension-attributes.html

Now let’s try to dynamically allow access to a Microsoft team based on the attribute.

First we create a Team in Microsoft teams.

In teams we create a new private team called TestTeam.

We will build from scratch.

Private team.

Name the team TestTeam.

Skip adding members.

In order to use our extension attributes we need the application ID we created in the last post, in Azure Active Directory go to App registrations and find our application by name and copy the Application (Client) ID.

Now go to Azure Active Directory and Groups and notice that the membership type is for now Assigned.

Click on the group/team we just created and go to Properties and change the Membership type to Dynamic User and click on Add dynamic query.

Click on Get custom extension properties.

Paste in the application ID and click Refresh properties.

  

After this refresh you will find the custom attributes in Property, select the required extension attribute.

Select the correct Operator and value, here we want all users where our Myattribute Equals Myvalue, remember to Save.

Remember to save once more!

Click Yes to accept that existing members will change.

If we click on Overview we are able to follow the status, here our dynamic rule is being elevated and with no update time yet.

This will change to Update complete and a timestamp when the rule has been processed.

The Members view now shows the only user we assigned our extension attribute with the value MyValue.

Membership type of our team/group has now been changed to Dynamic.

If we take a look on members in teams, the first thing to notice is that we can no longer add or remove members  - This team has membership settings that prevent you from adding or removing members – This is now done regular based on our rule.

And for now the only member is our test user with the extended attribute MyAttribute set to MyValue, if we add this attribute and value to another user, the user will automatically be added to the team.

Owners of the team is not changed by dynamic groups.

It will take some time before Teams shows the correct members, often it’s will be quicker to see the updated members in SharePoint.

And yes why is there a Add Users button in SharePoint, when we cannot add users manually any more?

If you try you will see Couldn’t add users, so it shouldn't be shown.

You need to have at least a Azure AD Premium P1 license for each unique user that is a member of one or more dynamic groups.

The license doesn't have to be assigned to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the tenant to cover all users in dynamic groups.

In an upcoming post we will try to do the above using PowerShell only.