Tuesday, November 19, 2019

Windows Virtual Desktop - Part 2

This is part 2 of our posts about Windows Virtual Desktop. So far we have covered:

Now let’s continue and create a service principal.

We will create the service principal with PowerShell; to do that you will need the AzureAD module.

You can always see the latest version of both the General Availability version (AzureAD module) and the preview version (AzureADPreview module) here: https://docs.microsoft.com/en-us/powershell/azure/active-directory/ad-pshell-v2-version-history?view=azureadps-2.0

To see your current version use the commands:

Import-Module -Name AzureAD or Import-Module AzureADPreview (depending on which module you want to use)

Get-Module -Name AzureAD or Get-Module -Name AzureADPreview (depending on which module you want to use)

You can always just uninstall and reinstall the module to be sure you have the latest version (run from an elevated PowerShell session).

Uninstall-Module -Name AzureADPreview

Install-Module -Name AzureADPreview

Now log in to the Azure AD tenant with the command:

Connect-AzureAD

And enter your credentials.

We also need the Windows Virtual Desktop module we installed in Part 1, so let's import that:

Import-Module Microsoft.RDInfra.RDPowershell

Now sign in to Windows Virtual Desktop:

Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com

Use your account with the TenantCreator role.

Now that we are connected to Azure AD, let's create a multitenant service principal in our Azure AD:

$AzureADServicePrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Service Principal"

Next, create a password credential for the application and keep it in a variable for use in the next command:

$AzureADServicePrincipalCredentials = New-AzureADApplicationPasswordCredential -ObjectId $AzureADServicePrincipal.ObjectId

Later we will need to enter the password, so it's important to save it: we won't be able to retrieve it after we close this PowerShell session. We can, however, reset it later with New-AzureADApplicationPasswordCredential.

Use this command to display the password so you can save it:

$AzureADServicePrincipalCredentials.Value

In the Azure portal, under Azure Active Directory > App registrations, you will now see our service principal.

Next we assign the role RDS Owner to the service principal so it can sign in to Windows Virtual Desktop:

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $AzureADServicePrincipal.AppId -TenantName (Get-RdsTenant).TenantName

We need to test our service principal; use the following code:

$credentials = New-Object System.Management.Automation.PSCredential($AzureADServicePrincipal.AppId, (ConvertTo-SecureString $AzureADServicePrincipalCredentials.Value -AsPlainText -Force))

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $credentials -ServicePrincipal -AadTenantId (Get-AzureADCurrentSessionInfo).TenantId.Guid

Get-RdsTenant

Notice that this time no userName is displayed when connecting; Get-RdsTenant will return the tenant information if our service principal works.
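The steps above, gathered into one re-runnable script, as an added example that is not part of the original post. It assumes the AzureADPreview and Microsoft.RDInfra.RDPowershell modules are loaded and that Connect-AzureAD and Add-RdsAccount (with the TenantCreator account) have already run; the display name, the 90-day secret lifetime and the credential file path are assumptions. The differences from the interactive steps are that the secret gets an expiry date, the plaintext value is never echoed to the console, and the PSCredential is stored DPAPI-protected via Export-Clixml instead of being copied from the screen.

```powershell
# Added example, not from the original post. Assumes AzureADPreview and
# Microsoft.RDInfra.RDPowershell are imported and both sign-ins are done.
$DisplayName        = "Windows Virtual Desktop Service Principal"   # assumed
$SecretLifetimeDays = 90                                            # assumed
$CredentialFile     = "$env:USERPROFILE\wvd-sp.cred.xml"            # assumed

# Reuse an existing registration instead of creating a duplicate on re-run.
$app = Get-AzureADApplication -Filter "DisplayName eq '$DisplayName'"
if (-not $app) {
    $app = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName $DisplayName
}

# Issue a secret that expires, rather than the default long-lived one, and
# label it so the key can be identified and rotated later.
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier "wvd-$(Get-Date -Format yyyyMMdd)" `
    -EndDate (Get-Date).AddDays($SecretLifetimeDays)

# Wrap the value in a PSCredential and persist it protected for the current
# user on this machine; the plaintext is not written to screen or transcript.
$secure = ConvertTo-SecureString $secret.Value -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($app.AppId, $secure)
$cred | Export-Clixml -Path $CredentialFile

# Assign the RDS Owner role in the WVD tenant, as the post does.
$tenantName = (Get-RdsTenant).TenantName
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $app.AppId -TenantName $tenantName

# Verify the principal can sign in on its own using the stored credential.
$tenantId = (Get-AzureADCurrentSessionInfo).TenantId.Guid
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" `
    -Credential (Import-Clixml -Path $CredentialFile) -ServicePrincipal -AadTenantId $tenantId
if (Get-RdsTenant) {
    "Service principal $($app.AppId) signed in; secret expires $($secret.EndDate)"
}
```

Note that Export-Clixml protects the secret only for the same user on the same Windows machine; to use the credential elsewhere, rotate the secret with New-AzureADApplicationPasswordCredential and store it in a vault.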

Next we will do some preparation in our on-premises Active Directory.

In this test we will use an OU called WVD in the domain lab.local (OU=WVD,DC=lab,DC=local); this OU will hold our deployed machines.

When joining computers to the domain we will use a service account called svc-wvd-domainjoin.

For OU=WVD we have delegated control so that the service account can create new computer objects (the minimal permissions needed to join machines to the domain).

Finally we need a test user in Active Directory that is synchronized to Azure AD, so we create a user called test1@mincorelab.dk.

And make sure that the account is synchronized to Azure AD and assigned an Office 365 E3 or E5 license.

With this in place we are ready to create a host pool; stay tuned for part 3.