Introduction

Azure Virtual Desktop (https://azure.microsoft.com/en-us/services/virtual-desktop/) is a managed desktop environment where an Operator Client can be deployed.



Access is granted through IAM Access Control role assignments: users or groups that are allowed to use a virtual desktop session have to be assigned one of the following roles:

  • Virtual Machine User Login
  • Virtual Machine Administrator Login

See also: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows


When you create a session host in your host pool, make sure the name is unique in your tenant. If the same name is already used in the same Azure tenant, the Azure AD join may fail due to conflicting names.

In the virtual host pool, the RDP properties have to be customized if MS Entra ID is used to log in:


The following property has to be added in the advanced section:

targetisaadjoined:i:1;


It is now possible to log in using a desktop client or a browser.

To connect using a desktop client, please see:

https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-windows-7-10


To connect using a browser, it should be possible to log in with the following URL:

https://rdweb.wvd.microsoft.com/arm/webclient/index.html

After you enter your MS Entra ID credentials, a virtual desktop will be available.

For more information, see: https://docs.microsoft.com/en-us/azure/virtual-desktop/user-documentation/connect-web

Virtual Desktop OC Shortcut

To make the Operator Client available to users, a shortcut can be created. You can log in to all VMs in the host pool using a Bastion Host (or use an ARM template to automate the process). For this example, we assume a multisession Windows 10 is used.

Once logged in to the Virtual Machine, unzip the Delft-FEWS base build to c:/fews/bin

Run the create shortcuts command and enter the database URL, including the username and password in the URL.

The created shortcut should be copied to the C:\Users\Public\Desktop folder (this folder is hidden by default). Make sure the shortcut is not hidden and has the correct permissions for other users to use. This will make sure the shortcut is visible to all users who log in.

Start on Connect

To optimize costs, the Virtual Desktop can be configured to start only when a user tries to connect. Follow the steps in the documentation below to create a custom role that allows starting a VM on connect.

https://docs.microsoft.com/en-us/azure/virtual-desktop/start-virtual-machine-connect

When the custom role has been assigned, the feature can be enabled as a property of the virtual host pool.


Now, when a user connects to the Virtual Desktop while the virtual machine is down, the first user will see a message like this:


Schedule OC downtime using Azure Automation

Once the start on connect feature has been enabled, a schedule can be created to shut down the host pool virtual machines and minimize usage costs. For example, the VMs can be shut down after working hours or on the weekend.

The VM has an auto-shutdown option, which is the most convenient way.

Alternatively, automation can be used:

https://docs.microsoft.com/en-us/azure/automation/automation-solution-vm-management

For this example to work, the automation account needs to have a system-assigned identity, and that identity should have the "Virtual Machine Contributor" role assigned on the resource group the virtual machine is running in.

As an example, see the following runbook that will stop a VM with the name OC-0:
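
An added example of such a runbook in PowerShell (it is not the runbook from the original page). It signs in with the Automation account's system-assigned identity and deallocates OC-0; the `ResourceGroupName` parameter is an assumption and has to be supplied when the runbook is scheduled.

```powershell
# Added example runbook (PowerShell with the Az modules); not the original page's runbook.
param(
    # Assumption: resource group of the session host, passed in by the schedule.
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroupName,

    # VM name used in this page's example.
    [string] $VMName = "OC-0"
)

# Fail the job on the first error instead of continuing half-done.
$ErrorActionPreference = "Stop"

# Do not inherit or persist an Az context inside the Automation sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the Automation account's system-assigned managed identity.
# No password or secret is stored in the runbook; what the job may do is
# limited to the "Virtual Machine Contributor" assignment on the resource group.
Connect-AzAccount -Identity | Out-Null

# Read the current power state so an already stopped VM is left alone.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status
$powerState = ($vm.Statuses | Where-Object { $_.Code -like "PowerState/*" }).Code
Write-Output "Current state of ${VMName}: $powerState"

if ($powerState -eq "PowerState/deallocated") {
    Write-Output "$VMName is already deallocated; nothing to do."
    return
}

# Stop-AzVM without -StayProvisioned deallocates the VM, which is what
# stops compute billing. -Force suppresses the confirmation prompt that
# an unattended runbook job cannot answer.
$result = Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force
Write-Output "Stop of $VMName finished with status: $($result.Status)"
```

The job output in the Automation account records the state before the stop and the result of the operation, which gives an audit trail for each scheduled shutdown.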


When the runbook is scheduled daily, a runbook job will be triggered that will shut down the Virtual Desktop OC:

