Deploy Azure Virtual Desktop
Important
The following features are currently in preview:
- Azure Virtual Desktop on Azure Stack HCI for Azure Government and for Azure operated by 21Vianet (Azure in China).
- Azure Virtual Desktop on Azure Extended Zones.
For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see Supplemental Terms of Use for Microsoft Azure Previews.
This article shows you how to deploy Azure Virtual Desktop on Azure or Azure Stack HCI by using the Azure portal, the Azure CLI, or Azure PowerShell. To deploy Azure Virtual Desktop, you:
- Create a host pool.
- Create a workspace.
- Create an application group.
- Create session host virtual machines (VMs).
- Enable diagnostic settings (optional).
- Assign users or groups to the application group for users to get access to desktops and applications.
You can do all these tasks in a single process when using the Azure portal, but you can also do them separately.
For more information on the terminology used in this article, see Azure Virtual Desktop terminology. For more information about the Azure Virtual Desktop service, see Azure Virtual Desktop service architecture and resilience.
Tip
The process covered in this article is an in-depth and adaptable approach to deploying Azure Virtual Desktop. If you want to try Azure Virtual Desktop with a simpler approach that deploys a sample Windows 11 desktop, see Tutorial: Deploy a sample Azure Virtual Desktop infrastructure with a Windows 11 desktop or use the quickstart.
Prerequisites
For a general idea of what's required and supported, such as operating systems (OSs), virtual networks, and identity providers, review Prerequisites for Azure Virtual Desktop. That article also includes a list of the supported Azure regions in which you can deploy host pools, workspaces, and application groups. This list of regions is where the metadata for the host pool can be stored. However, session hosts can be located in any Azure region and on-premises with Azure Stack HCI. For more information about the types of data and locations, see Data locations for Azure Virtual Desktop.
For more prerequisites, including role-based access control (RBAC) roles, select the relevant tab for your scenario.
The Azure account that you use must have the following built-in RBAC roles as a minimum on a resource group or subscription to create the following resource types. If you want to assign the roles to a resource group, you need to create the resource group first.

| Resource type | RBAC role |
| --- | --- |
| Host pool, workspace, and application group | Desktop Virtualization Contributor |
| Session hosts (Azure and Azure Extended Zones) | Virtual Machine Contributor |
| Session hosts (Azure Stack HCI) | Azure Stack HCI VM Contributor |

Alternatively, you can assign the Contributor RBAC role to create all of these resource types.
For ongoing management of host pools, workspaces, and application groups, you can use more granular roles for each resource type. For more information, see Built-in Azure RBAC roles for Azure Virtual Desktop.
To assign users to the application group, you also need Microsoft.Authorization/roleAssignments/write permissions on the application group. Built-in RBAC roles that include this permission are User Access Administrator and Owner.
Don't disable Windows Remote Management when you're creating session hosts by using the Azure portal, because PowerShell DSC requires it.
To add session hosts on Azure Stack HCI, you also need:
- An Azure Stack HCI cluster registered with Azure. Your Azure Stack HCI clusters need to be running a minimum of version 23H2. For more information, see Azure Stack HCI, version 23H2 deployment overview. Azure Arc VM management is installed automatically.
- A stable connection to Azure from your on-premises network.
- At least one Windows OS image available on the cluster. For more information, see how to create VM images by using Azure Marketplace images, use images in an Azure Storage account, and use images in a local share.
- A logical network that you created on your Azure Stack HCI cluster. DHCP logical networks or static logical networks with automatic IP allocation are supported. For more information, see Create logical networks for Azure Stack HCI.
To deploy session hosts to Azure Extended Zones, you also need:
- Your Azure subscription registered with the respective Azure Extended Zone. For more information, see Request access to an Azure Extended Zone.
- An existing Azure load balancer on the virtual network where you're deploying the session hosts.
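
The role requirements above can be checked before a deployment starts, which also shows where a broad role is standing in for a narrower one. This added example (not part of the original article or Microsoft's tooling) evaluates role assignment records shaped like `az role assignment list` output; the task labels, function names, and sample assignments are assumptions made for illustration.

```python
# Added example (not Microsoft's code). Role names come from the prerequisites
# above; each record mirrors two fields of `az role assignment list` output.
# Subscription ID, resource groups and assignments are constructed samples.

CREATE_POOL = "host pool, workspace, application group"
CREATE_HOSTS_AZURE = "session hosts (Azure and Azure Extended Zones)"
CREATE_HOSTS_HCI = "session hosts (Azure Stack HCI)"
ASSIGN_USERS = "assign users to the application group"

# Narrowest built-in role that satisfies each task.
NARROW = {
    CREATE_POOL: "Desktop Virtualization Contributor",
    CREATE_HOSTS_AZURE: "Virtual Machine Contributor",
    CREATE_HOSTS_HCI: "Azure Stack HCI VM Contributor",
    ASSIGN_USERS: "User Access Administrator",
}
# Broad roles that also satisfy a task. Contributor can create every resource
# type but cannot write role assignments; Owner can do both.
BROAD = {
    CREATE_POOL: {"Contributor", "Owner"},
    CREATE_HOSTS_AZURE: {"Contributor", "Owner"},
    CREATE_HOSTS_HCI: {"Contributor", "Owner"},
    ASSIGN_USERS: {"Owner"},
}


def covers(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope is inherited at target_scope."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # Require a path boundary so ".../rg-avd" does not match ".../rg-avd-2".
    return t == a or t.startswith(a + "/")


def check_prerequisites(assignments, target_scope, tasks):
    """Report tasks with no qualifying role and tasks met only by a broad role."""
    effective = {a["roleDefinitionName"] for a in assignments
                 if covers(a["scope"], target_scope)}
    missing, broad_only = [], []
    for task in tasks:
        if NARROW[task] in effective:
            continue
        if effective & BROAD[task]:
            broad_only.append(task)
        else:
            missing.append(task)
    return {"missing": missing, "broad_only": broad_only}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Desktop Virtualization Contributor",
     "scope": SUB + "/resourceGroups/rg-avd"},
    {"roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/rg-avd-2"},   # different resource group
    {"roleDefinitionName": "Owner", "scope": SUB},  # inherited, but broad
]

if __name__ == "__main__":
    report = check_prerequisites(
        SAMPLE_ASSIGNMENTS, SUB + "/resourceGroups/rg-avd",
        [CREATE_POOL, CREATE_HOSTS_AZURE, ASSIGN_USERS])
    print(report)
```

A task listed under broad_only is a candidate for replacing Contributor or Owner with the narrower role from the table.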
Create a host pool
To create a host pool, select the relevant tab for your scenario and follow the steps.
Here's how to create a host pool by using the Azure portal:
Sign in to the Azure portal.
On the search bar, enter Azure Virtual Desktop and select the matching service entry.
Select Host pools, and then select Create.
On the Basics tab, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Subscription | In the dropdown list, select the subscription where you want to create the host pool. |
| Resource group | Select an existing resource group, or select Create new and enter a name. |
| Host pool name | Enter a name for the host pool, such as hp01. |
| Location | Select the Azure region where you want to create your host pool. |
| Validation environment | Select Yes to create a host pool that's used as a validation environment. Select No (default) to create a host pool that isn't used as a validation environment. |
| Preferred app group type | Select the preferred application group type for this host pool: Desktop or RemoteApp. A desktop application group is created automatically when you use the Azure portal. |
| Host pool type | Select whether you want your host pool to be Personal or Pooled. If you select Personal, a new option appears for Assignment type. Select either Automatic or Direct. If you select Pooled, two new options appear for Load balancing algorithm and Max session limit. For Load balancing algorithm, choose either breadth-first or depth-first, based on your usage pattern. For Max session limit, enter the maximum number of users that you want load-balanced to a single session host. For more information, see Host pool load-balancing algorithms. |

Tip
After you complete this tab, you can continue to optionally create session hosts, create a workspace, register the default desktop application group from this host pool, and enable diagnostic settings by selecting Next: Virtual Machines. Alternatively, if you want to create and configure these resources separately, select Next: Review + create and go to step 9.
Optional: On the Virtual machines tab, if you want to add session hosts, expand one of the following sections and complete the information, depending on whether you want to create session hosts on Azure or on Azure Stack HCI. For guidance on sizing session host virtual machines, see Session host virtual machine sizing guidelines.
To add session hosts on Azure, expand this section.

| Parameter | Value/Description |
| --- | --- |
| Add virtual machines | Select Yes. This action shows several new options. |
| Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative. |
| Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. |
| Virtual machine type | Select Azure virtual machine. |
| Virtual machine location | Select the Azure region where you want to deploy your session hosts. This value must be the same region that contains your virtual network. |
| Availability options | Select from availability zones, availability set, or No infrastructure redundancy required. If you select availability zones or availability set, complete the extra parameters that appear. |
| Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines. If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected. If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM. |
| Image | Select the OS image that you want to use from the list, or select See all images to see more. The full list includes any images that you created and stored as an Azure Compute Gallery shared image or a managed image. |
| Virtual machine size | Select a size. If you want to use a different size, select Change size, and then select from the list. |
| Hibernate | Select the box to enable hibernation. Hibernation is available only for personal host pools. For more information, see Hibernation in virtual machines. If you're using Microsoft Teams media optimizations, you should update the WebRTC redirector service to 1.45.2310.13001. FSLogix and app attach currently don't support hibernation. Don't enable hibernation if you're using FSLogix or app attach for your personal host pools. |
| Number of VMs | Enter the number of virtual machines that you want to deploy. You can deploy up to 400 session hosts at this point if you want (depending on your subscription quota), or you can add more later. For more information, see Azure Virtual Desktop service limits and Virtual Machines limits. |
| OS disk type | Select the disk type to use for your session hosts. We recommend that you use only Premium SSD for production workloads. |
| OS disk size | Select a size for the OS disk. If you enable hibernation, ensure that the OS disk is large enough to store the contents of the memory in addition to the OS and other applications. |
| Confidential computing encryption | If you're using a confidential VM, you must select the Confidential compute encryption checkbox to enable OS disk encryption. This checkbox appears only if you selected Confidential virtual machines as your security type. |
| Boot Diagnostics | Select whether you want to enable boot diagnostics. |
| Network and security | |
| Virtual network | Select your virtual network. An option to select a subnet appears. |
| Subnet | Select a subnet from your virtual network. |
| Network security group | Select whether you want to use a network security group (NSG). None doesn't create a new NSG. Basic creates a new NSG for the VM network adapter. Advanced enables you to select an existing NSG. We recommend that you don't create an NSG here, but create an NSG on the subnet instead. |
| Public inbound ports | You can select a port to allow from the list. Azure Virtual Desktop doesn't require public inbound ports, so we recommend that you select No. |
| Domain to join | |
| Select which directory you would like to join | Select from Microsoft Entra ID or Active Directory, and complete the relevant parameters for the selected option. |
| Virtual Machine Administrator account | |
| Username | Enter a name to use as the local administrator account for the new session hosts. |
| Password | Enter a password for the local administrator account. |
| Confirm password | Reenter the password. |
| Custom configuration | |
| Custom configuration script URL | If you want to run a PowerShell script during deployment, you can enter the URL here. |

To add session hosts on Azure Stack HCI, expand this section.

| Parameter | Value/Description |
| --- | --- |
| Add virtual machines | Select Yes. This action shows several new options. |
| Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative. |
| Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. |
| Virtual machine type | Select Azure Stack HCI virtual machine. |
| Custom location | In the dropdown list, select the Azure Stack HCI cluster where you want to deploy your session hosts. |
| Images | Select the OS image that you want to use from the list, or select Manage VM images to manage the images available on the cluster that you selected. |
| Number of VMs | Enter the number of virtual machines that you want to deploy. You can add more later. |
| Virtual processor count | Enter the number of virtual processors that you want to assign to each session host. This value isn't validated against the resources available in the cluster. |
| Memory type | Select Static for a fixed memory allocation, or select Dynamic for a dynamic memory allocation. |
| Memory (GB) | Enter a number for the amount of memory, in gigabytes, that you want to assign to each session host. This value isn't validated against the resources available in the cluster. |
| Maximum memory | If you selected dynamic memory allocation, enter a number for the maximum amount of memory, in gigabytes, that you want your session host to be able to use. |
| Minimum memory | If you selected dynamic memory allocation, enter a number for the minimum amount of memory, in gigabytes, that you want your session host to be able to use. |
| Network and security | |
| Network dropdown | Select an existing network to connect each session to. |
| Domain to join | |
| Select which directory you would like to join | Active Directory is the only available option. This includes using Microsoft Entra hybrid join. |
| AD domain join UPN | Enter the user principal name (UPN) of an Active Directory user who has permission to join the session hosts to your domain. |
| Password | Enter the password for the Active Directory user. |
| Specify domain or unit | Select yes if you want to join session hosts to a specific domain or be placed in a specific organizational unit (OU). If you select no, the suffix of the UPN is used as the domain. |
| Virtual Machine Administrator account | |
| Username | Enter a name to use as the local administrator account for the new session hosts. |
| Password | Enter a password for the local administrator account. |
| Confirm password | Reenter the password. |

To add session hosts on Azure Extended Zones, expand this section.

| Parameter | Value/Description |
| --- | --- |
| Add virtual machines | Select Yes. This action shows several new options. |
| Resource group | This value defaults to the resource group that you chose to contain your host pool on the Basics tab, but you can select an alternative. |
| Name prefix | Enter a name prefix for your session hosts, such as hp01-sh. Each session host has a suffix of a hyphen and then a sequential number added to the end, such as hp01-sh-0. This name prefix can be a maximum of 11 characters and is used in the computer name in the operating system. The prefix and the suffix combined can be a maximum of 15 characters. Session host names must be unique. |
| Virtual machine type | Select Azure virtual machine. |
| Virtual machine location | Select the Azure region where you want to deploy your session hosts. This value must be the same region that contains your virtual network. Then select Deploy to an Azure Extended Zone. |
| Azure Extended Zones | |
| Azure Extended Zone | Select Los Angeles. |
| Place the session host(s) behind an existing load balancing solution? | Select the box. This action shows options for selecting a load balancer and a back-end pool. |
| Select a load balancer | Select an existing load balancer on the virtual network where you're deploying the session hosts. |
| Select a backend pool | Select a back-end pool on the load balancer where you want to place the session hosts. |
| Availability options | Select from availability zones, availability set, or No infrastructure dependency required. If you select availability zones or availability set, complete the extra parameters that appear. |
| Security type | Select from Standard, Trusted launch virtual machines, or Confidential virtual machines. If you select Trusted launch virtual machines, options for secure boot and vTPM are automatically selected. If you select Confidential virtual machines, options for secure boot, vTPM, and integrity monitoring are automatically selected. You can't opt out of vTPM when using a confidential VM. |

After you complete this tab, select Next: Workspace.
Optional: On the Workspace tab, if you want to create a workspace and register the default desktop application group from this host pool, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Register desktop app group | Select Yes. This action registers the default desktop application group to the selected workspace. |
| To this workspace | Select an existing workspace from the list, or select Create new and enter a name, such as ws01. |

After you complete this tab, select Next: Advanced.
Optional: On the Advanced tab, if you want to enable diagnostic settings, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Enable diagnostics settings | Select the box. |
| Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub. |

After you complete this tab, select Next: Tags.
Optional: On the Tags tab, you can enter any name/value pairs that you need, and then select Next: Review + create.
On the Review + create tab, ensure that validation passes and review the information that will be used during deployment.
Select Create to create the host pool.
Select Go to resource to go to the overview of your new host pool, and then select Properties to view its properties.
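
The Virtual machines tab settings described above carry naming limits, feature dependencies, and network recommendations. This added example, which is not from the original article, encodes the ones stated there as a check to run over a planned configuration before deployment; the plan dictionary keys, rule names, and sample plans are hypothetical.

```python
# Added example (not Microsoft's code). Limits and rules are the ones stated
# for the Virtual machines tab above; the plan keys are hypothetical.
MAX_PREFIX_LEN = 11   # name prefix limit
MAX_NAME_LEN = 15     # prefix plus "-<n>" suffix, used as the computer name
MAX_VMS = 400         # session hosts that can be deployed with the host pool


def lint_plan(plan):
    """Return (severity, rule, message) findings for a session host plan."""
    findings = []

    def add(severity, rule, message):
        findings.append((severity, rule, message))

    prefix, count = plan["name_prefix"], plan["vm_count"]
    if len(prefix) > MAX_PREFIX_LEN:
        add("error", "prefix-length",
            f"prefix {prefix!r} has {len(prefix)} characters, limit {MAX_PREFIX_LEN}")
    if count > MAX_VMS:
        add("error", "vm-count", f"{count} VMs requested, limit {MAX_VMS}")
    last_name = f"{prefix}-{count - 1}"   # suffixes start at 0, as in hp01-sh-0
    if count > 0 and len(last_name) > MAX_NAME_LEN:
        add("error", "computer-name-length",
            f"{last_name!r} has {len(last_name)} characters, limit {MAX_NAME_LEN}")

    if plan.get("hibernate"):
        if plan["host_pool_type"] != "Personal":
            add("error", "hibernate-pool-type",
                "hibernation is available only for personal host pools")
        if plan.get("fslogix") or plan.get("app_attach"):
            add("error", "hibernate-profile",
                "FSLogix and app attach don't support hibernation")

    if (plan["security_type"] == "Confidential virtual machines"
            and not plan.get("confidential_compute_encryption")):
        add("error", "confidential-encryption",
            "confidential VMs need Confidential compute encryption selected")

    if plan.get("public_inbound_ports"):
        add("warning", "public-inbound-ports",
            "Azure Virtual Desktop doesn't require public inbound ports")
    if plan.get("nic_nsg", "None") == "Basic":
        add("warning", "nic-nsg",
            "Basic creates an NSG on the VM network adapter; use a subnet NSG")
    if plan.get("production") and plan.get("os_disk_type") != "Premium SSD":
        add("warning", "os-disk-type",
            "Premium SSD is recommended for production workloads")
    return findings


# Constructed sample plans.
RISKY_PLAN = {
    "name_prefix": "finance-avd-sh", "vm_count": 10,
    "host_pool_type": "Pooled", "hibernate": True, "fslogix": True,
    "security_type": "Confidential virtual machines",
    "confidential_compute_encryption": False,
    "public_inbound_ports": ["RDP (3389)"], "nic_nsg": "Basic",
    "production": True, "os_disk_type": "Standard HDD",
}
CLEAN_PLAN = {
    "name_prefix": "hp01-sh", "vm_count": 400,
    "host_pool_type": "Personal", "hibernate": True, "fslogix": False,
    "security_type": "Trusted launch virtual machines",
    "public_inbound_ports": [], "nic_nsg": "None",
    "production": True, "os_disk_type": "Premium SSD",
}

if __name__ == "__main__":
    for severity, rule, message in lint_plan(RISKY_PLAN):
        print(f"{severity:8}{rule:24}{message}")
```

An 11-character prefix with 400 hosts ends at suffix -399, which lands exactly on the 15-character limit.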
Post-deployment tasks
If you also added session hosts to your host pool, you need to do some extra configuration, as described in the following sections.
Licensing
To ensure that your session hosts have licenses applied correctly, you need to do the following tasks:
If you have the correct licenses to run Azure Virtual Desktop workloads, you can apply a Windows or Windows Server license to your session hosts as part of Azure Virtual Desktop and run them without paying for a separate license. This license is automatically applied when you create session hosts by using the Azure Virtual Desktop service, but you might have to apply the license separately if you create session hosts outside Azure Virtual Desktop. For more information, see Apply a Windows license to session host virtual machines.
If your session hosts are running a Windows Server OS, you also need to issue them a Remote Desktop Services (RDS) client access license (CAL) from an RDS license server. For more information, see License your RDS deployment with client access licenses.
For session hosts on Azure Stack HCI, you must license and activate the virtual machines before you use them with Azure Virtual Desktop. For activating VMs that use Windows 10 Enterprise multi-session, Windows 11 Enterprise multi-session, and Windows Server 2022 Datacenter: Azure Edition, use Azure verification for VMs. For all other OS images (such as Windows 10 Enterprise, Windows 11 Enterprise, and other editions of Windows Server), you should continue to use existing activation methods. For more information, see Activate Windows Server VMs on Azure Stack HCI.
Microsoft Entra joined session hosts
For session hosts on Azure that are joined to Microsoft Entra ID, you also need to enable single sign-on or earlier authentication protocols, assign an RBAC role to users, and review your multifactor authentication policies so that users can sign in to the VMs. For more information, see Microsoft Entra joined session hosts.
Note
If you created a host pool and a workspace, and you registered the default desktop application group from this host pool in the same process, go to the section Assign users to an application group and complete the rest of the article. A desktop application group (whichever application group type you set as preferred) is created automatically when you use the Azure portal.
If you created a host pool and workspace in the same process, but you didn't register the default desktop application group from this host pool, go to the section Create an application group and complete the rest of the article.
If you didn't create a workspace, continue to the next section and complete the rest of the article.
Create a workspace
Next, to create a workspace, select the relevant tab for your scenario and follow the steps.
Here's how to create a workspace by using the Azure portal:
On the Azure Virtual Desktop overview, select Workspaces, and then select Create.
On the Basics tab, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Subscription | In the dropdown list, select the subscription where you want to create the workspace. |
| Resource group | Select an existing resource group, or select Create new and enter a name. |
| Workspace name | Enter a name for the workspace, such as workspace01. |
| Friendly name | Optional: Enter a display name for the workspace. |
| Description | Optional: Enter a description for the workspace. |
| Location | Select the Azure region where you want to deploy your workspace. |

Tip
After you complete this tab, you can continue to optionally register an existing application group to this workspace, if you have one, and enable diagnostic settings by selecting Next: Application groups. Alternatively, if you want to create and configure these resources separately, select Review + create and go to step 9.
Optional: On the Application groups tab, if you want to register an existing application group to this workspace, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Register application groups | Select Yes, and then select + Register application groups. On the new pane that opens, select the Add icon for the application groups that you want to add, and then choose Select. |

After you complete this tab, select Next: Advanced.
Optional: On the Advanced tab, if you want to enable diagnostic settings, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Enable diagnostics settings | Select the box. |
| Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub. |

After you complete this tab, select Next: Tags.
Optional: On the Tags tab, you can enter any name/value pairs that you need, and then select Next: Review + create.
On the Review + create tab, ensure that validation passes and review the information that will be used during deployment.
Select Create to create the workspace.
Select Go to resource to go to the overview of your new workspace, and then select Properties to view its properties.
Note
If you added an application group to this workspace, go to the section Assign users to an application group and complete the rest of the article.
If you didn't add an application group to this workspace, continue to the next section and complete the rest of the article.
Create an application group
To create an application group, select the relevant tab for your scenario and follow the steps.
Here's how to create an application group by using the Azure portal:
On the Azure Virtual Desktop overview, select Application groups, and then select Create.
On the Basics tab, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Subscription | In the dropdown list, select the subscription where you want to create the application group. |
| Resource group | Select an existing resource group, or select Create new and enter a name. |
| Host pool | Select the host pool for the application group. |
| Location | Metadata is stored in the same location as the host pool. |
| Application group type | Select the application group type for the host pool: Desktop or RemoteApp. |
| Application group name | Enter a name for the application group, such as Session Desktop. |

Tip
After you complete this tab, select Next: Review + create. You don't need to complete the other tabs to create an application group, but you need to create a workspace, add an application group to a workspace, and assign users to the application group before users can access the resources.
If you created an application group for RemoteApp, you also need to add applications to it. For more information, see Publish applications.
Optional: If you chose to create a RemoteApp application group, you can add applications to this group. On the Application groups tab, select + Add applications, and then select an application. For more information on the application parameters, see Publish applications with RemoteApp. At least one session host in the host pool must be turned on and available in Azure Virtual Desktop.
After you complete this tab, or if you're creating a desktop application group, select Next: Assignments.
Optional: On the Assignments tab, if you want to assign users or groups to this application group, select + Add Microsoft Entra users or user groups. On the new pane that opens, select the box next to the users or groups that you want to add, and then choose Select.
After you complete this tab, select Next: Workspace.
Optional: On the Workspace tab, if you're creating a desktop application group, you can register the default desktop application group from the host pool that you selected by completing the following information:

| Parameter | Value/Description |
| --- | --- |
| Register application group | Select Yes. This action registers the default desktop application group to the selected workspace. |
| Register application group | Select an existing workspace from the list. |

After you complete this tab, select Next: Advanced.
Optional: If you want to enable diagnostic settings, on the Advanced tab, complete the following information:

| Parameter | Value/Description |
| --- | --- |
| Enable diagnostics settings | Select the box. |
| Choosing destination details to send logs to | Select one of the following destinations: Send to a Log Analytics workspace; Archive to a storage account; Stream to an event hub. |

After you complete this tab, select Next: Tags.
Optional: On the Tags tab, you can enter any name/value pairs that you need, and then select Next: Review + create.
On the Review + create tab, ensure that validation passes and review the information that will be used during deployment.
Select Create to create the application group.
Select Go to resource to go to the overview of your new application group, and then select Properties to view its properties.
Note
If you created a desktop application group, assigned users or groups, and registered the default desktop application group to a workspace, your assigned users can connect to the desktop and you don't need to complete the rest of the article.
If you created a RemoteApp application group, added applications, and assigned users or groups, go to the section Add an application group to a workspace and complete the rest of the article.
If you didn't add applications, assign users or groups, or register the application group to a workspace, continue to the next section and complete the rest of the article.
Add an application group to a workspace
Next, to add an application group to a workspace, select the relevant tab for your scenario and follow the steps.
Here's how to add an application group to a workspace by using the Azure portal:
On the Azure Virtual Desktop overview, select Workspaces, and then select the name of the workspace to which you want to assign an application group.
On the workspace overview, select Application groups, and then select + Add.
In the list, select the plus icon (+) next to an application group. Only application groups that aren't already assigned to a workspace are listed.
Choose Select. The application group is added to the workspace.
Assign users to an application group
Finally, to assign users or user groups to an application group, select the relevant tab for your scenario and follow the steps. We recommend that you assign user groups to application groups to make ongoing management simpler.
Here's how to assign users or user groups to an application group by using the Azure portal:
On the Azure Virtual Desktop overview, select Application groups.
Select the application group from the list.
On the application group overview, select Assignments.
Select + Add, and then search for and select the user account or user group that you want to assign to this application group.
Finish by choosing Select.
Related content
After you deploy Azure Virtual Desktop, your users can connect from several platforms, including a web browser. For more information, see Remote Desktop clients for Azure Virtual Desktop and Connect to Azure Virtual Desktop with the Remote Desktop Web client.
Here are some extra tasks that you might want to do: