Prerequisites for Azure Virtual Desktop
There are a few things you need to start using Azure Virtual Desktop. Here you can find what prerequisites you need to complete to successfully provide your users with desktops and applications.
At a high level, you need:
- An Azure account with an active subscription
- A supported identity provider
- A supported operating system for session host virtual machines
Azure account with an active subscription
You need an Azure account with an active subscription to deploy Azure Virtual Desktop. If you don't have one already, you can create an account for free.
To deploy Azure Virtual Desktop, you need to assign the relevant Azure role-based access control (RBAC) roles. The specific role requirements are covered in each of the related articles for deploying Azure Virtual Desktop, which are listed in the Next steps section.
Also make sure you've registered the Microsoft.DesktopVirtualization resource provider for your subscription. To check the status of the resource provider and register if needed, select the relevant tab for your scenario and follow the steps.
Important
You must have permission to register a resource provider, which requires the */register/action operation. This is included if your account is assigned the contributor or owner role on your subscription.
- Sign in to the Azure portal.
- Select Subscriptions.
- Select the name of your subscription.
- Select Resource providers.
- Search for Microsoft.DesktopVirtualization.
- If the status is NotRegistered, select Microsoft.DesktopVirtualization, and then select Register.
- Verify that the status of Microsoft.DesktopVirtualization is Registered.
Identity
To access desktops and applications from your session hosts, your users need to be able to authenticate. Microsoft Entra ID is Microsoft's centralized cloud identity service that enables this capability. Microsoft Entra ID is always used to authenticate users for Azure Virtual Desktop. Session hosts can be joined to the same Microsoft Entra tenant, or to an Active Directory domain using Active Directory Domain Services (AD DS) or Microsoft Entra Domain Services, providing you with a choice of flexible configuration options.
Session hosts
You need to join session hosts that provide desktops and applications to the same Microsoft Entra tenant as your users, or an Active Directory domain (either AD DS or Microsoft Entra Domain Services).
For Azure Stack HCI, you can only join session hosts to an Active Directory Domain Services domain.
To join session hosts to Microsoft Entra ID or an Active Directory domain, you need the following permissions:
- For Microsoft Entra ID, you need an account that can join computers to your tenant. For more information, see Manage device identities. To learn more about joining session hosts to Microsoft Entra ID, see Microsoft Entra joined session hosts.
- For an Active Directory domain, you need a domain account that can join computers to your domain. For Microsoft Entra Domain Services, you would need to be a member of the AAD DC Administrators group.
Users
Your users need accounts that are in Microsoft Entra ID. If you're also using AD DS or Microsoft Entra Domain Services in your deployment of Azure Virtual Desktop, these accounts need to be hybrid identities, which means the user accounts are synchronized. You need to keep the following things in mind based on which identity provider you use:
- If you're using Microsoft Entra ID with AD DS, you need to configure Microsoft Entra Connect to synchronize user identity data between AD DS and Microsoft Entra ID.
- If you're using Microsoft Entra ID with Microsoft Entra Domain Services, user accounts are synchronized one way from Microsoft Entra ID to Microsoft Entra Domain Services. This synchronization process is automatic.
Important
The user account must exist in the Microsoft Entra tenant you use for Azure Virtual Desktop. Azure Virtual Desktop doesn't support B2B, B2C, or personal Microsoft accounts.
When using hybrid identities, either the UserPrincipalName (UPN) or the Security Identifier (SID) must match across Active Directory Domain Services and Microsoft Entra ID. For more information, see Supported identities and authentication methods.
Supported identity scenarios
The table summarizes identity scenarios that Azure Virtual Desktop currently supports:
| Identity scenario | Session hosts | User accounts |
|---|---|---|
| Microsoft Entra ID + AD DS | Joined to AD DS | In Microsoft Entra ID and AD DS, synchronized |
| Microsoft Entra ID + AD DS | Joined to Microsoft Entra ID | In Microsoft Entra ID and AD DS, synchronized |
| Microsoft Entra ID + Microsoft Entra Domain Services | Joined to Microsoft Entra Domain Services | In Microsoft Entra ID and Microsoft Entra Domain Services, synchronized |
| Microsoft Entra ID + Microsoft Entra Domain Services + AD DS | Joined to Microsoft Entra Domain Services | In Microsoft Entra ID and AD DS, synchronized |
| Microsoft Entra ID + Microsoft Entra Domain Services | Joined to Microsoft Entra ID | In Microsoft Entra ID and Microsoft Entra Domain Services, synchronized |
| Microsoft Entra-only | Joined to Microsoft Entra ID | In Microsoft Entra ID |
For more detailed information about supported identity scenarios, including single sign-on and multifactor authentication, see Supported identities and authentication methods.
FSLogix Profile Container
To use FSLogix Profile Container when joining your session hosts to Microsoft Entra ID, you need to store profiles on Azure Files or Azure NetApp Files and your user accounts must be hybrid identities. You must create these accounts in AD DS and synchronize them to Microsoft Entra ID.
Deployment parameters
You need to enter the following identity parameters when deploying session hosts:
- Domain name, if using AD DS or Microsoft Entra Domain Services.
- Credentials to join session hosts to the domain.
- Organizational Unit (OU), which is an optional parameter that lets you place session hosts in the desired OU at deployment time.
Important
The account you use for joining a domain can't have multifactor authentication (MFA) enabled.