Azure Virtual Desktop Azure AD join support with Intune management has been "coming soon" for many months now. Judging by the latest rebranding announcement of WVD to AVD, Microsoft seems close to a public preview release. At the time of writing, the only supported scenario is hybrid Azure AD join for Azure Virtual Desktop (a.k.a AVD) with Intune enrollment driven by the MDM group policy.
I mentioned Azure AD before during WVD Management with Intune | Windows Virtual Desktop session, and Microsoft discussed this during various Ignite sessions. AVD is a modern VDI platform service to provide more flexible and customizable options to build modern solutions.
You can manage and secure Azure Virtual Desktop session hosts with MEM management and hybrid Azure AD join. The hybrid Azure AD join and Intune management are supported for both Windows 10 single and multi-session VMs.
Azure Virtual Desktop Hybrid Azure AD Join
All the session hosts (a.k.a Azure VMs) must be hybrid Azure AD joined as per the currently supported workflow of WVD (a.k.a AVD) implementation. Hybrid Azure AD join is the scenario where you have device records in both Azure AD and on-prem Active Directory.
One challenge with hybrid Azure AD and AVD (a.k.a WVD) is the lack of a single sign-on (SSO). Microsoft recently announced an option to have SSO for the scenario where you use ADFS to facilitate Hybrid Azure AD join. You can get more details from Microsoft docs Configure AD FS single sign-on for Azure Virtual Desktop.
Azure Virtual Desktop Azure AD Join Support
Azure AD join is the scenario where the AVD (a.k.a WVD) session host record exists only in Azure Active Directory. This creates a number of interesting challenges, which we discuss in the next section of the post.
Microsoft announced that Azure AD join will enter public preview soon with Intune support, as I mentioned in the first paragraph. Once this feature is flighted for your Azure tenant, you should get a drop-down menu with (I guess) the following options: Select which directory you would like to join:
- Azure Active Directory
- AD Domain join (Hybrid Azure Active Directory)
The new Azure Virtual Desktop Azure AD join capabilities bring support for single sign-on, additional credential types such as FIDO2, and Azure Files for cloud-only users. You also get an option to enroll the AVD session host VMs directly into Microsoft Endpoint Manager (a.k.a MEM) for Intune management. Note that you can't use the MDM group policy for enrollment in the Azure AD join scenario, because there is no on-prem domain to deliver the policy.
Azure AD Join Considerations
Let’s quickly try to understand the challenges of the VDI modern platform and Azure AD join (AADJ). I’m not going to cover all the considerations here but some of the important ones. You will have to start the design discussions to move to modern authentication.
Traditionally, the VDI environment has heavily relied on AD Group Policies. I have seen hundreds of group policies to manage and secure the VDI session host. Now, with Azure AD join, the biggest challenge is that you can’t manage and secure Azure AD joined VMs with group policy.
Why? This is because you don’t have VM records available on-prem Active Directory domain/OU. You need to use the Intune policies instead of group policies to secure and manage AVD session hosts.
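Because the management path depends entirely on the join state, the first thing to check on a session host is which state it is actually in and whether it is MDM enrolled. The PowerShell below is an added example, not code from the original post or from Microsoft: it parses the output of `dsregcmd /status` (the fields `AzureAdJoined`, `DomainJoined` and `MdmUrl` are real fields of that tool) and reports whether the host can be managed by group policy, by Intune, or by neither. The function name `Get-AvdJoinState` and the sample output lines are assumptions constructed for this example.

```powershell
# Added example (not from the original post): classify a session host's
# join state and MDM enrollment from the output of dsregcmd /status.
# Function name Get-AvdJoinState is an assumption; dsregcmd fields
# AzureAdJoined, DomainJoined and MdmUrl are real fields of that tool.
function Get-AvdJoinState {
    param(
        # Lines of dsregcmd /status output; the default runs the tool on this host.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # Parse "Key : Value" lines into a hashtable (first occurrence wins).
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            if (-not $fields.ContainsKey($Matches[1])) {
                $fields[$Matches[1]] = $Matches[2]
            }
        }
    }

    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    $mdm    = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])

    $state = if ($aad -and $domain) { 'HybridAzureADJoined' }
             elseif ($aad)          { 'AzureADJoined' }
             elseif ($domain)       { 'DomainJoinedOnly' }
             else                   { 'NotJoined' }

    # Group policy needs an on-prem computer object (DomainJoined); an
    # Azure AD joined host without an MDM URL is managed by neither.
    $managementGap = ($state -eq 'AzureADJoined') -and (-not $mdm)

    [pscustomobject]@{
        JoinState     = $state
        GroupPolicyOk = $domain
        MdmEnrolled   = $mdm
        MdmUrl        = $fields['MdmUrl']
        Unmanaged     = $managementGap
    }
}

# Constructed sample output (not captured from a real host) so the parser
# can be exercised offline; on a real session host call Get-AvdJoinState
# with no arguments.
$sample = @(
    '             AzureAdJoined : YES'
    '          EnterpriseJoined : NO'
    '              DomainJoined : NO'
    '                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
)
Get-AvdJoinState -StatusLines $sample | Format-List
```

With the sample lines the result is `JoinState = AzureADJoined`, `GroupPolicyOk = False`, `MdmEnrolled = True`; drop the `MdmUrl` line from the sample and `Unmanaged` flips to `True`, which is the state you want to catch before a host goes into a host pool with no policy source at all.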
The authentication challenge with the Azure AD join scenario is that pure Azure AD doesn't support legacy authentication methods such as LDAP, NT LAN Manager (NTLM), and Kerberos. There are solutions to provide LDAP and Kerberos authentication (you can build Azure AD DS, AD FS, etc.). More details are available in the resources section of the post.
- LDAP authentication with Azure Active Directory
- Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy