This article will walk you through the process of deploying and accessing Microsoft Entra joined virtual machines in Azure Virtual Desktop. Microsoft Entra joined VMs remove the need to have line-of-sight from the VM to an on-premises or virtualized Active Directory Domain Controller (DC) or to deploy Microsoft Entra Domain Services. In some cases, it can remove the need for a DC entirely, simplifying the deployment and management of the environment. These VMs can also be automatically enrolled in Intune for ease of management.
The following known limitations may affect access to your on-premises or Active Directory domain-joined resources, and you should consider them when deciding whether Microsoft Entra joined VMs are right for your environment.
You can deploy Microsoft Entra joined VMs directly from the Azure portal when you create a new host pool or expand an existing host pool. To deploy a Microsoft Entra joined VM, open the Virtual Machines tab, then select whether to join the VM to Active Directory or Microsoft Entra ID. Selecting Microsoft Entra ID gives you the option to enroll VMs with Intune automatically, which lets you easily manage your session hosts. Keep in mind that the Microsoft Entra ID option will only join VMs to the same Microsoft Entra tenant as the subscription you're in.
Note: After you've created your host pool, you must assign users access to their resources. To grant access to resources, add each user to the application group. Follow the instructions in Manage application groups to assign user access to apps and desktops. We recommend that you use user groups instead of individual users wherever possible.
For Microsoft Entra joined VMs, you'll need to do two extra things on top of the requirements for Active Directory or Microsoft Entra Domain Services-based deployments:
To grant users access to Microsoft Entra joined VMs, you must configure role assignments for the VM. You can assign the Virtual Machine User Login or Virtual Machine Administrator Login role on the VMs, on the resource group containing the VMs, or on the subscription. We recommend assigning the Virtual Machine User Login role at the resource group level to the same user group you used for the application group, so that it applies to all the VMs in the host pool.
This section explains how to access Microsoft Entra joined VMs from different Azure Virtual Desktop clients.
For the best experience across all platforms, you should enable a single sign-on experience using Microsoft Entra authentication when accessing Microsoft Entra joined VMs. Follow the steps to Configure single sign-on to provide a seamless connection experience.
If you prefer not to enable single sign-on, you can use the following configuration to enable access to Microsoft Entra joined VMs.
Connect using the Windows Desktop client
The default configuration supports connections from Windows 11 or Windows 10 using the Windows Desktop client. You can use your credentials, a smart card, Windows Hello for Business certificate trust, or Windows Hello for Business key trust with certificates to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
If your local PC doesn't meet one of these conditions, add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
Connect using the other clients
To access Microsoft Entra joined VMs using the web, Android, macOS and iOS clients, you must add targetisaadjoined:i:1 as a custom RDP property to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
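The two host pool changes described above (the Virtual Machine User Login role assignment at resource group scope, and the targetisaadjoined:i:1 custom RDP property), as an added Azure CLI example that is not part of the Microsoft Learn article. The resource group, host pool name and group object ID are placeholders; the script assumes the Azure CLI desktopvirtualization extension is installed. Because a host pool update replaces the entire custom RDP property string, the script reads the current value and merges the new property instead of overwriting it.

```shell
# Added example, not code from the Microsoft Learn article. Placeholders below are
# assumptions; set them for your tenant, then run with the "apply" argument.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-avd-placeholder}"
HOST_POOL="${HOST_POOL:-hp-avd-placeholder}"
USER_GROUP_OBJECT_ID="${USER_GROUP_OBJECT_ID:-00000000-0000-0000-0000-000000000000}"
RDP_PROPERTY="targetisaadjoined:i:1"

# Merge one "key:type:value" RDP property into an existing semicolon-separated
# host pool string. Keeps other properties, replaces a stale value for the same
# key, and is idempotent, so repeated runs do not duplicate the entry.
merge_rdp_property() {
    _rest="$1"; _new="$2"; _key="${_new%%:*}"; _out=""
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *";"*) _entry="${_rest%%;*}"; _rest="${_rest#*;}" ;;
            *)     _entry="$_rest"; _rest="" ;;
        esac
        [ -z "$_entry" ] && continue
        [ "${_entry%%:*}" = "$_key" ] && continue
        _out="${_out}${_entry};"
    done
    printf '%s%s;' "$_out" "$_new"
}

# Role assignment at resource group scope covers every session host in the pool.
grant_vm_user_login() {
    az role assignment create \
        --assignee-object-id "$USER_GROUP_OBJECT_ID" \
        --assignee-principal-type Group \
        --role "Virtual Machine User Login" \
        --resource-group "$RESOURCE_GROUP" >/dev/null
}

# The update replaces the whole custom RDP property string, so read it first
# and merge rather than overwrite (an existing drivestoredirect etc. survives).
set_target_aad_joined() {
    _current="$(az desktopvirtualization hostpool show \
        --resource-group "$RESOURCE_GROUP" --name "$HOST_POOL" \
        --query customRdpProperty -o tsv)"
    az desktopvirtualization hostpool update \
        --resource-group "$RESOURCE_GROUP" --name "$HOST_POOL" \
        --custom-rdp-property "$(merge_rdp_property "$_current" "$RDP_PROPERTY")" >/dev/null
}

if [ "${1:-}" = "apply" ]; then
    grant_vm_user_login
    set_target_aad_joined
fi
```

Run it as `sh script.sh apply` after `az login`; without the argument it only defines the functions, which lets you test the merge logic offline.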
You can use Microsoft Entra multifactor authentication with Microsoft Entra joined VMs. Follow the steps to Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access and note the extra steps for Microsoft Entra joined session host VMs.
If you're using Microsoft Entra multifactor authentication and you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll need to exclude the Azure Windows VM Sign-In app from your Conditional Access policy.
You can use FSLogix profile containers with Microsoft Entra joined VMs when you store them on Azure Files while using hybrid user accounts. For more information, see Create a profile container with Azure Files and Microsoft Entra ID.
While you don't need an Active Directory to deploy or access your Microsoft Entra joined VMs, an Active Directory and line-of-sight to it are needed to access on-premises resources from those VMs. To learn more about accessing on-premises resources, see How SSO to on-premises resources works on Microsoft Entra joined devices.
Now that you've deployed some Microsoft Entra joined VMs, we recommend enabling single sign-on before connecting with a supported Azure Virtual Desktop client to test it as part of a user session. To learn more, check out these articles:
Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID: learn how to configure single sign-on for an Azure Virtual Desktop environment using Microsoft Entra ID.
Configure personal desktop assignment in Azure Virtual Desktop: how to configure automatic or direct assignment for an Azure Virtual Desktop personal desktop host pool.
Azure Virtual Desktop identities and authentication: identities and authentication methods for Azure Virtual Desktop.