How to assign / connect a user to a Session Host within a Host Pool?

Zach Johnson 0 Reputation points
2025-04-01T17:39:07.07+00:00

Hi, I created an Entra ID Host pool with one Session Host VM called BP-Test-1. However, even with adding the correct users to have IAM access to the Application Group and the Virtual Machine, I still am unable to add them as a user to that VM.

I can log into the VM using RDP or other connections using only the Admin account. All the other accounts do not allow a connection or allow me to add them as users assigned.

What else can I do? I have tried to create a support ticket for this issue but have found it extremely difficult to actually make a support ticket that goes to the right department. I met with a support member who helped me set up this test Host Pool and Session Host and VM using Entra ID but it does not actually work even with the "right" configurations. I do not understand what I am missing.

Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

2 answers

  1. chrischin 915 Reputation points Microsoft Employee
    2025-04-02T03:52:41.1366667+00:00

    Hi Zach,

    When you say you've already given IAM access to the Virtual Machine, do you explicitly mean either the Virtual Machine User Login role or the Virtual Machine Admin Login role? It must be one of these two; having contributor or owner at the VM or above is not a substitute for one of these roles.

    The other thing to check is the RDP Properties of the host pool, make sure, under the 'Connection information' tab that Microsoft Entra single sign-on = Connections will use Microsoft Entra authentication to provide single sign-on.


  2. Pramidha Yathipathi 1,135 Reputation points Microsoft External Staff Moderator
    2025-04-02T05:52:36.3066667+00:00

    Hi Zach Johnson,

    Azure Virtual Desktop > Host Pools > [Your Host Pool] > Application Groups. Select the appropriate Application Group (usually Desktop Application Group). Under Assignments, ensure that the users are explicitly assigned.

    Since your Session Host is Entra ID-joined, users must be Entra ID-native users or hybrid joined users with SSO enabled. Ensure that the users are members of the Remote Desktop Users group on the session host. You can do this by running the following command in PowerShell (as an admin on the VM):

    net localgroup "Remote Desktop Users"
    

    If the users are missing, add them with:

    net localgroup "Remote Desktop Users" /add "AzureAD\UPN_of_User"
    

    Replace UPN_of_User with their Entra ID username (e.g., ******@yourdomain.com).

    Ensure the Session Host shows as Available in Azure Virtual Desktop > Host Pools > [Your Host Pool] > Session Hosts. If it’s not available, try running:

    Get-AzWvdSessionHost -ResourceGroupName "YourResourceGroup" -HostPoolName "YourHostPool"
    

    In the VM’s Network settings, confirm that RDP access (port 3389) is allowed in NSG rules.

    If Conditional Access policies restrict non-admin logins, review them in Microsoft Entra ID > Security > Conditional Access.

    • Verify that MFA is not preventing the login.

    Ensure that users have at least Virtual Machine User Login or Virtual Machine Administrator Login roles assigned at the VM level:

    • Go to Azure Portal > Virtual Machines > BP-Test-1 > Access Control (IAM)

    • Click Add Role Assignment

    • Select Virtual Machine User Login

    • Assign it to the necessary users or a security group.

    Licensing Issues:

    The user might be missing a valid Intune license or have the wrong license type. To resolve this, verify in the Microsoft 365 admin center that the user has an appropriate Intune license assigned under Users > Active Users > Product licenses > Edit. If the issue still persists, please provide what error you're getting so that it will be helpful to figure it out.

    If the comment was helpful, please don't forget to click "Upvote".

    Thank You.

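The portal checks from both answers above can be run in one pass with Azure PowerShell. This is an added example, not code from either answer; all parameter values are placeholders, and the `enablerdsaadauth:i:1` RDP property and the `Desktop Virtualization User` role are not named in the thread (they are the stored forms of the single sign-on setting and the application group assignment).

```powershell
#Requires -Modules Az.Compute, Az.Resources, Az.DesktopVirtualization
# Added example; every parameter value is supplied by the caller (placeholders, not from the thread).
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $HostPoolName,
    [Parameter(Mandatory)] [string] $VmName,
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

# 1. VM login role. Owner/Contributor on the VM does not count, per the first answer.
#    Only assignments made directly to the user are listed; roles granted via a group are not expanded.
$loginRoles = 'Virtual Machine User Login', 'Virtual Machine Administrator Login'
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
$vmRoles = @(Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -in $loginRoles })

# 2. Host pool RDP properties: Entra single sign-on is the enablerdsaadauth:i:1 setting.
$pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$ssoEnabled = "$($pool.CustomRdpProperty)" -match 'enablerdsaadauth:i:1'

# 3. Application group assignment, which Azure stores as the
#    'Desktop Virtualization User' role on each application group of the pool.
$appGroups = @(foreach ($id in $pool.ApplicationGroupReference) {
    Get-AzRoleAssignment -SignInName $UserPrincipalName -Scope $id |
        Where-Object { $_.RoleDefinitionName -eq 'Desktop Virtualization User' } |
        ForEach-Object { ($id -split '/')[-1] }
})

# 4. Session host registration status as seen by the AVD service.
$sessionHost = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName |
    Where-Object { $_.Name -like "*/$VmName*" } | Select-Object -First 1

[pscustomobject]@{
    User              = $UserPrincipalName
    VmLoginRoles      = ($vmRoles.RoleDefinitionName | Sort-Object -Unique) -join ', '
    HasVmLoginRole    = $vmRoles.Count -gt 0
    EntraSsoEnabled   = $ssoEnabled
    AssignedAppGroups = $appGroups -join ', '
    HasAppGroupAccess = $appGroups.Count -gt 0
    SessionHostStatus = "$($sessionHost.Status)"
}
```

Run it in a session already signed in with `Connect-AzAccount`. A user who holds only Owner or Contributor on the VM shows `HasVmLoginRole = False`, which is the case the first answer warns about.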
