Azure Virtual Desktop remote app to external users without (Azure) AD DS possible?

Kasper S 20 Reputation points
2023-03-09T11:16:42.6+00:00

Is it possible to set up Azure Virtual Desktop with per-user access pricing for external users without using (Azure) Active Directory Domain Services?

Is it enough to create a new tenant + new subscription + AVD setup and enroll the new subscription in per-user access pricing?

I have 1 legacy desktop application I want to make available to 1 user in an external organization (currently only 1 organization but let's say <10 long term with the same setup).

I'm trying to determine if it's feasible to use AVD from a cost perspective.

Looking at the documentation at https://learn.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/identities#requirements it says:

Identities must be hybrid identities, which means they exist in both the Active Directory (AD) and Azure Active Directory (Azure AD). You can use either Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS) to create these identities. To learn more about each method, see Compare identity solutions.

You should keep users from different organizations in separate Azure AD tenants to prevent security breaches. We recommend creating one Active Directory Domain and Azure Active Directory tenant per customer organization. That tenant should have its own associated Azure AD DS or AD DS subscription dedicated to that customer.

Does that mean I would need to set up Azure AD DS for each organization costing a minimum of ~100USD/month/organization just for AD DS?

Is there any other way to do it? Seems like a large overhead for such a small setup.


Accepted answer
  1. Prrudram-MSFT 28,201 Reputation points Moderator
    2023-03-13T13:04:24.7666667+00:00

    Hello @Kasper S

    Yes, you can create a new tenant for the external organization, create identities for your users in AD, create a new subscription with per-user access pricing, and deploy Azure Virtual Desktop in the new subscription.

    You do not need to use AD DS in your situation, as you only have one external organization, and you are using per-user access pricing.

    Please note that per-user access pricing only supports Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session. It does not support Windows Server session hosts.

    Additionally, the per-user access license only grants access rights to Azure Virtual Desktop and does not include Microsoft Office, Microsoft 365 Defender, or Universal Print. You will need to separately license other products and services to grant your users access to them in your Azure Virtual Desktop environment.

    Document source:

    https://learn.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/licensing

    https://learn.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/architecture-recs

    https://learn.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/overview

    https://learn.microsoft.com/en-us/azure/virtual-desktop/remote-app-streaming/identities

    Please don’t forget to Accept Answer and hit Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

1 additional answer

  1. JimmySalian-2011 42,486 Reputation points
    2023-03-09T17:00:30.6233333+00:00

    Hi Kasper,

    I think you are looking at the incorrect AVD article; the one you shared is for App Streaming. The Azure Virtual Desktop one is here - https://learn.microsoft.com/en-us/azure/virtual-desktop/overview.

    Any reason you cannot migrate the application to Azure App? As this will allow you to provide access to external vendors or customers via Azure B2C deployment options without any major changes and configurations.

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.

