Azure Virtual Desktop: Best approach for identities?

Leakim79 41 Reputation points
2022-02-10T01:55:40.823+00:00

Hello.

I have a case with a customer that today is running an environment that we are planning to move into AVD.
They already have an identity infrastructure with AAD users & use these identities to log in to their computers.

My questions are:
What is the best approach regarding identities & what will the impact be in the current environment with the different options?
We will need a directory service for FSLogix user profiles since this is not yet supported by AAD.

Option 1: We have looked into installing a DC with AAD Connect, but in that scenario the AAD users would then have to be recreated in AD DS & then mapped against the current users. What is the best approach for this scenario & what will the impact be for the existing users & their computers?

Option 2: AAD DS: This might seem optimal since it would just sync the existing environment into AAD DS so both AVD + FSLogix could be installed. However, I'm unsure about the AAD DS limitations with regard to the current environment, so AD DS seems to be the safest option. Any advice here & potential problems? It would be great if we could have a future-proof environment, but it also needs to work without issues.


Accepted answer
Alan Kinane 16,786 Reputation points MVP
2022-02-10T12:43:21.09+00:00

If you don't have Active Directory Domain Services currently, then Azure AD Domain Services seems a good option here. This does have limitations, as you mentioned, but it can provide the basics required for AVD in terms of Kerberos authentication, domain join for your hosts, LDAP (if needed) and group policy (if needed). If you are not currently using any additional Active Directory feature, as you are AAD only, then you won't suddenly need these for your AVD environment, in my opinion.

Going with option 1 will give you more features, yes, but do you need them? You will then have a VM to manage and maintain going forward. Regarding the syncing, this does take some effort to either soft match or hard match your users, but it can be done. See here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-existing-tenant

There is a good comparison of the two services here:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions

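The "hard match" the answer refers to for option 1 means writing the source anchor of the new AD DS account (base64 of its objectGUID) into the existing cloud user's ImmutableId before the first Azure AD Connect sync, so the sync links the two objects instead of creating a duplicate cloud user. The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and Microsoft.Graph.Users modules, an existing `Connect-MgGraph -Scopes "User.ReadWrite.All"` session, and a mapping CSV (placeholder path) with `SamAccountName` and `CloudUpn` columns. The guard conditions (already-synced objects, conflicting anchors, UPN mismatches) are the checks that keep a bulk match from silently producing orphaned or duplicated identities.

```powershell
# Added example (not from the original thread): hard-match cloud-only Entra ID
# (Azure AD) users to their newly created AD DS accounts before the first
# Azure AD Connect sync. Assumptions: RSAT ActiveDirectory and
# Microsoft.Graph.Users are installed, Connect-MgGraph has already been run
# with User.ReadWrite.All, and the CSV paths below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$MappingCsv = 'C:\PLACEHOLDER\user-mapping.csv',   # columns: SamAccountName,CloudUpn
    [string]$ReportCsv  = 'C:\PLACEHOLDER\hard-match-report.csv'
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

function Get-ImmutableIdFromAdUser {
    # Azure AD Connect derives the source anchor from objectGUID (also when the
    # anchor attribute is mS-DS-ConsistencyGuid, which it seeds from objectGUID),
    # so base64(objectGUID) is the value the cloud object must carry.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName
    [pscustomobject]@{
        Upn         = $adUser.UserPrincipalName
        ImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    }
}

$report = foreach ($row in Import-Csv -Path $MappingCsv) {
    $status = 'Unknown'
    try {
        $onPrem = Get-ImmutableIdFromAdUser -SamAccountName $row.SamAccountName
        $cloud  = Get-MgUser -UserId $row.CloudUpn `
                    -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled

        if ($cloud.OnPremisesSyncEnabled) {
            # Already managed by a sync: rewriting the anchor here would break the link.
            $status = 'Skipped: already synced'
        }
        elseif ($cloud.OnPremisesImmutableId -eq $onPrem.ImmutableId) {
            $status = 'Already matched'
        }
        elseif ($cloud.OnPremisesImmutableId) {
            # A different anchor is set; resolve by hand rather than overwrite.
            $status = 'Conflict: different ImmutableId already set'
        }
        elseif ($onPrem.Upn -ne $cloud.UserPrincipalName) {
            # With a UPN mismatch the first sync would create a second cloud user.
            $status = "Blocked: UPN mismatch (AD UPN is '$($onPrem.Upn)')"
        }
        elseif ($PSCmdlet.ShouldProcess($row.CloudUpn, "Set ImmutableId $($onPrem.ImmutableId)")) {
            Set-MgUser -UserId $cloud.Id -OnPremisesImmutableId $onPrem.ImmutableId
            $status = 'Matched'
        }
        else {
            $status = 'WhatIf: not changed'
        }
    }
    catch {
        $status = "Error: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        SamAccountName = $row.SamAccountName
        CloudUpn       = $row.CloudUpn
        Status         = $status
    }
}

$report | Export-Csv -Path $ReportCsv -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once with `-WhatIf` and review the report before making changes, and keep the affected OU out of the Azure AD Connect sync scope until every row reads `Matched` or `Already matched`; a soft match (by UPN or primary SMTP address) only happens automatically when the cloud user has no ImmutableId yet, which is why the conflict rows need a manual decision.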
