Cannot connect to Azure Virtual Desktop using Point-to-Site from macOS RDP Client

Arman Koradia 0 Reputation points
2024-09-06T12:26:42.5266667+00:00

I have the following scenario:
I have set up Point-to-Site connectivity for my Virtual Network. I have provisioned an Azure Virtual Desktop Host Pool in which the VMs are deployed on the VNet which has P2S configured.

P2S is configured to use Azure AD for authentication and it is working fine. I am able to connect successfully.

VMs in the HostPool are Entra Joined VMs. In the RDP Properties of the HostPool, "Enable Microsoft Entra authentication for RDP" is selected.

Private Endpoints setup for HostPool and Workspaces are completed and private endpoints are created for connection, feed and global. AVD VM in HostPool stays in "Can Connect".

Now when I am connected to the VPN and I try to connect to the VM by adding a workspace from the RDP Client installed on macOS, I get the following error message: "Unable to access resources from your network". I get the same error in the web client from the browser.

However, from the RDP client, if I try to connect to the VM by adding the Private IP address, I am able to connect successfully. But I have to log in to the VM using the Local Admin credentials.

I am unable to log in to the VM using my Azure AD/Entra ID credentials. When I use my Entra ID credentials, it says "Username or password incorrect".

Please help on how I can fix the two issues mentioned above.


2 answers

  1. Arman Koradia 0 Reputation points
    2024-09-17T10:04:18.4033333+00:00

    For anyone who is trying to achieve the following scenario, I am describing the end-to-end setup steps so that they don't waste time figuring things out like I did.

    Scenario: Access Azure Virtual Desktop using Private Link from a Point-to-Site VPN (or Site-to-Site VPN) that uses Azure Entra ID authentication and SSO

    You will need the following resources:

    1. VNet with different subnets (AVD HostPool, PrivateEndpoints, Gateway)
      1. AVD HostPool and PrivateEndpoints subnets created with no outbound connectivity
      2. Gateway Subnet is automatically created
      3. Expose the Service Endpoint for Azure Active Directory in subnets
      4. NSG blocking 443 Outbound attached on AVD HostPool Subnet
        1. This will block internet traffic from AVD. Tune as per your requirements
    2. VPN Gateway with Point-to-Site Connection configurations done.
      1. Add the VNet CIDR in "Advertised Route" in P2S configuration.
        1. I used Azure Public value as "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
    3. Azure Virtual Desktop Host Pool
      1. Create Private Endpoint and Disable all Public Access on the HostPool
      2. In Microsoft Entra ID SSO, select "Connections will use Entra ID SSO"
    4. Azure Virtual Desktop Application Group
    5. Azure Virtual Desktop Workspace
      1. Create Private Endpoints (Global and Feed) and Disable Public Access from all networks
    6. DNS Private Zones will be created for AVD HostPool Private Endpoint and AVD Workspace Private Endpoint (Global) automatically. Don't change config here.
    7. DNS Private Resolver (Inbound Endpoint)
      1. Create additional subnet with /28 CIDR for this in the same VNet.
      2. Use the Inbound IP that gets allocated in Private Resolver as Custom DNS in VNet
    8. Once all this configuration is completed, install Azure VPN Client and Microsoft Remote Desktop app on your laptop (Windows/Linux/Mac)
    9. Download the VPN config from P2S config blade in VPN Gateway.
    10. Open the azurevpnconfig.xml file and add the following config there. [image not reproduced]
    11. Save and Import this profile into Azure VPN Client installed and try to connect using your Entra ID credentials.
    12. Once connected, use "nslookup" to check if https://rdweb.wvd.microsoft.com or https://client.wvd.microsoft.com resolves to Private IP.
    13. If yes, use that URL to add the workspace in your Microsoft Remote Desktop app and you should be able to connect there. Please let me know in case you need additional information to get this to work.
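Step 12 of the answer above is the check that separates the two failure modes in the question: if the AVD FQDNs resolve to addresses inside the VNet, the client is using the DNS Private Resolver inbound IP pushed by the VPN profile and will reach the private endpoints; if they still resolve to public addresses, the client is going to the public AVD endpoints, which the host pool and workspace now refuse because public access was disabled. The script below is an added example, not code from the original post or from Microsoft: it parses nslookup output (a constructed sample is embedded), confirms the answering server is the resolver inbound IP, and classifies the answers against the VNet CIDR. The VNet CIDR 10.0.0.0/16, the resolver inbound IP 10.0.3.4, the private endpoint address 10.0.2.5, the public placeholder 20.42.65.89, and all function names are assumptions made for the example.

```python
"""Check that AVD private-link FQDNs resolve privately over the P2S tunnel.

Added example (not from the original post). Values below are constructed
for illustration: adjust VNET_CIDR and RESOLVER_INBOUND_IP to your VNet and
DNS Private Resolver inbound endpoint.
"""
import ipaddress
import socket

# FQDNs the answer above says must resolve to private IPs; extend as needed.
AVD_FQDNS = ["rdweb.wvd.microsoft.com", "client.wvd.microsoft.com"]
VNET_CIDR = "10.0.0.0/16"          # assumption: address space of the VNet
RESOLVER_INBOUND_IP = "10.0.3.4"   # assumption: Private Resolver inbound IP


def parse_nslookup(output: str):
    """Return (server_ip, [answer ips]) from nslookup's text output.

    nslookup prints the resolver first as 'Server:' then 'Address: x.x.x.x#53',
    and only after a 'Name:' line do 'Address:' lines carry the actual answers.
    """
    server = None
    answers = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            in_answer = True
        elif line.startswith("Address:") and in_answer:
            # strip a trailing '#53' port suffix if present
            answers.append(line.split(":", 1)[1].strip().split("#")[0])
    return server, answers


def classify(addresses, vnet_cidr=VNET_CIDR):
    """'private' if every answer is inside the VNet (private endpoint reached),
    'public' if any answer is globally routable (private DNS zone not in effect),
    'other-private' if RFC1918 but outside this VNet (wrong zone or peering),
    'unresolved' if there were no answers at all."""
    if not addresses:
        return "unresolved"
    net = ipaddress.ip_network(vnet_cidr)
    verdicts = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip in net:
            verdicts.add("private")
        elif ip.is_global:
            verdicts.add("public")
        else:
            verdicts.add("other-private")
    if verdicts == {"private"}:
        return "private"
    if "public" in verdicts:
        return "public"
    return "other-private"


def check_lookup(output, vnet_cidr=VNET_CIDR, resolver_ip=RESOLVER_INBOUND_IP):
    """Evaluate one nslookup run: was the Private Resolver used, and where did
    the name land? A False server_ok with a 'public' verdict means the VPN
    profile is not pushing the resolver as the client's DNS server."""
    server, answers = parse_nslookup(output)
    return {
        "server": server,
        "server_ok": server == resolver_ip,
        "answers": answers,
        "verdict": classify(answers, vnet_cidr),
    }


def resolve_live(fqdn):
    """Resolve through the OS resolver (i.e. whatever the VPN client pushed)."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed sample outputs (macOS nslookup format). GOOD is what step 12
# expects; BAD is what the question's "Unable to access resources" case looks
# like: a public resolver answering with a public AVD address.
GOOD_OUTPUT = (
    "Server:\t\t10.0.3.4\nAddress:\t10.0.3.4#53\n\n"
    "Non-authoritative answer:\nName:\trdweb.wvd.microsoft.com\nAddress: 10.0.2.5\n"
)
BAD_OUTPUT = (
    "Server:\t\t8.8.8.8\nAddress:\t8.8.8.8#53\n\n"
    "Non-authoritative answer:\nName:\trdweb.wvd.microsoft.com\nAddress: 20.42.65.89\n"
)

if __name__ == "__main__":
    for fqdn in AVD_FQDNS:
        live = resolve_live(fqdn)
        print(fqdn, live, classify(live))
```

Run it on the laptop while the Azure VPN Client is connected; a 'public' or 'other-private' verdict, or a server that is not the resolver inbound IP, points at the VPN profile's DNS settings or the custom DNS on the VNet rather than at the host pool.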

  2. anashetty 255 Reputation points Microsoft Vendor
    2024-09-17T10:26:15.9833333+00:00

    Hi Arman Koradia,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    Cannot connect to Azure Virtual Desktop using Point-to-Site from macOS RDP Client

    Solution:

    (The step-by-step setup posted by Arman Koradia in the answer above, reposted verbatim.)

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thank you.
