This article answers frequently asked questions and explains best practices for Azure Virtual Desktop.
What are the minimum admin permissions I need to manage objects?
If you want to create host pools and other objects, you must be assigned the Contributor role on the subscription or resource group you're working with.
You must be assigned the User Access Admin role on an application group to publish application groups to users or user groups.
To restrict an admin to only manage user sessions, such as sending messages to users, signing out users, and so on, you can create custom roles. For example:
"actions": [ "Microsoft.Resources/deployments/operations/read", "Microsoft.Resources/tags/read", "Microsoft.Authorization/roleAssignments/read", "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*", "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read", "Microsoft.DesktopVirtualization/hostpools/sessionhosts/write" ], "notActions": , "dataActions": , "notDataActions":  }
Can I deploy Azure Virtual Desktop across multiple Azure Active Directory tenants?
Users must be in the same Azure Active Directory (Azure AD) tenant as their assigned workspace, host pool, and app group. Having everything in the same tenant lets you assign users to proper role-based access control (RBAC) roles so they can access their resources.
However, you can deploy virtual machines (VMs) in a different Azure AD tenant if they're joined to either the same AD as the user or an AD that has a trust relationship with the user's AD.
What are location restrictions?
All service resources have a location associated with them. A host pool's location determines which geography the service metadata for the host pool is stored in. An application group can't exist without a host pool. If you add apps to a RemoteApp application group, you'll also need a session host to determine the start menu apps. For any application group action, you'll also need a related data access on the host pool. To make sure data isn't being transferred between multiple locations, the application group's location should be the same as the host pool's.
Workspaces also must be in the same location as their application groups. Whenever the workspace updates, the related application group updates along with it. Like with application groups, the service requires that all workspaces are associated with application groups created in the same location.
How do you expand an object's properties in PowerShell?
When you run a PowerShell cmdlet, you only see the resource name and location.
Get-AzWvdHostPool -Name 0224hp -ResourceGroupName 0224rg Location Name Type -------- ---- ---- westus 0224hp Microsoft.DesktopVirtualization/hostpools
To see all of a resource's properties, add either
fl to the end of the cmdlet.
Get-AzWvdHostPool -Name 0224hp -ResourceGroupName 0224rg |fl
To see specific properties, add the specific property names after
Get-AzWvdHostPool -Name demohp -ResourceGroupName 0414rg |fl CustomRdpProperty CustomRdpProperty : audiocapturemode:i:0;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:0;redirectprinters:i:1;redirectsmartcards:i:1;screen modeid:i:2;
Does Azure Virtual Desktop support guest users?
Azure Virtual Desktop doesn't support Azure AD guest user accounts. For example, let's say a group of guest users have Microsoft 365 E3 Per-user, Windows E3 Per-user, or WIN VDA licenses in their own company, but are guest users in a different company's Azure AD. The other company would manage the guest users' user objects in both Azure AD and Active Directory like local accounts.
You can't use your own licenses for the benefit of a third party. Also, Azure Virtual Desktop doesn't currently support Microsoft Account (MSA).
Why don't I see the client IP address in the WVDConnections table?
We don't currently have a reliable way to collect the web client's IP addresses, so we don't include that value in the table.
How does Azure Virtual Desktop handle backups?
There are multiple options in Azure Virtual Desktop for handling backup. At the Compute level, backup is recommended only for Personal Host Pools through Azure Backup. At the Storage level, recommended backup solution varies based on the backend storage used to store user profiles. If Azure Files Share is used, Azure Backup for File Share is recommended. If Azure NetApp Files is used, Snaphots/Policies or Azure NetApp Files Backup are tools available.
Does Azure Virtual Desktop support third-party collaboration apps?
Azure Virtual Desktop is currently optimized for Teams. Microsoft currently doesn't support third-party collaboration apps like Zoom. Third-party organizations are responsible for giving compatibility guidelines to their customers. Azure Virtual Desktop also doesn't support Skype for Business.
Can I change from pooled to personal host pools?
Once you create a host pool, you can't change its type. However, you can move any VMs you register to a host pool to a different type of host pool.
What's the largest profile size FSLogix can handle?
Limitations or quotas in FSLogix depend on the storage fabric used to store user profile VHD(X) files.
The following table gives an example of how many IOPS an FSLogix profile needs to support each user. Requirements can vary widely depending on the user, applications, and activity on each profile.
|Steady state IOPS||10|
|Sign in/sign out IOPS||50|
The example in this table is of a single user, but can be used to estimate requirements for the total number of users in your environment. For example, you'd need around 1,000 IOPS for 100 users, and around 5,000 IOPS during sign-in and sign-out.
Is there a scale limit for host pools created in the Azure portal?
These factors can affect scale limit for host pools:
The Azure template is limited to 800 objects. To learn more, see Azure subscription and service limits, quotas, and constraints. Each VM also creates about six objects, so that means you can create around 132 VMs each time you run the template.
There are restrictions on how many vCPUs you can create per region and per subscription. For example, if you have an Enterprise Agreement subscription, by default you can create 350 vCPUs. You'll need to divide 350 by either the default number of vCPUs per VM or your own vCPU limit to determine how many VMs you can create each time you run the template. Learn more at Virtual Machines limits - Azure Resource Manager and Check vCPU quotas.
The VM prefix name can't exceed 11 characters, so that when a sequential number is added the total name is a maximum of 15 characters. To learn more, see Naming rules and restrictions for Azure resources.
Can I manage Azure Virtual Desktop environments with Azure Lighthouse?
Azure Lighthouse doesn't fully support managing Azure Virtual Desktop environments. Since Lighthouse doesn't currently support cross-Azure AD tenant user management, Lighthouse customers still need to sign in to the Azure AD that customers use to manage users.
You also can't use CSP sandbox subscriptions with the Azure Virtual Desktop service. To learn more, see Integration sandbox account.
Finally, if you enabled the resource provider from the CSP owner account, the CSP customer accounts won't be able to modify the resource provider.
How often should I turn my VMs on to prevent registration issues?
After you register a VM to a host pool within the Azure Virtual Desktop service, the agent regularly refreshes the VM's token whenever the VM is active. The certificate for the registration token is valid for 90 days. Because of this 90-day limit, we recommend VMs to be online for 20 minutes every 90 days so that the machine can refresh its tokens and update the agent and side-by-side stack components. Turning your VM on within this time limit will prevent its registration token from expiring or becoming invalid. If you've started your VM after 90 days and are experiencing registration issues, follow the instructions in the Azure Virtual Desktop agent troubleshooting guide to remove the VM from the host pool, reinstall the agent, and reregister it to the pool.
Can I set availability options when creating host pools?
Yes. Azure Virtual Desktop host pools have an option for selecting either availability set or availability zones when you create a VM. These availability options are the same as the ones Azure Compute uses. If you select a zone for the VM you create in a host pool, the setting automatically applies to all VMs you create in that zone. If you'd prefer to spread your host pool VMs across multiple zones, you'll need to follow the directions in Add virtual machines with the Azure portal to manually select a new zone for each new VM you create.
Make sure that your Azure availability zones are available in the region where your VMs are located.
Which availability option is best for me?
The availability option you should use for your VMs depends on your image's location. The following table explains the relationship each setting has with these variables to help you figure out which option is best for your deployment.
|Availability option||Image location|
|Availability zone||Gallery (blob storage option disabled)|
|Availability set with managed SKU (managed disk)||Gallery|
|Availability set with managed SKU (managed disk)||Blob storage|
|Availability set with managed SKU (managed disk)||Blob storage (Gallery option disabled)|
|Availability set (newly created by user)||Gallery|
|Availability set (newly created by user)||Blob storage|
Should I use Windows Defender Application Control or AppLocker to control which applications and drivers are allowed to run on my Windows 10 devices?
We recommend you use Windows Defender Application Control instead of AppLocker.
When I'm testing migration, can I have the two different Azure Virtual Desktop environments exist in the same tenant?
Yes. You can have both deployments within the same Azure Active Directory tenant.
Are ephemeral OS disks for Azure VMs supported with Azure Virtual Desktop?
No. Ephemeral OS disks for Azure VMs are not supported with Azure Virtual Desktop.
If I store my host pools and VMs in different regions, what would happen in a disaster scenario where the host pool region goes down but the VM region stays online?
If the region you stored your host pool metadata in goes down, Azure Virtual Desktop won't accept new user connections to the session host VMs in that host pool. However, any existing sessions on the session host VMs in that host pool will remain connected and unaffected.
What happens when you try to add more than 200 VMs to an availability set in Azure Virtual Desktop?
If you try to go over 200 VMs in an availability set in Azure Virtual Desktop, you'll receive an error message that says "Can't create VM because the limit of 200 VMs has already been reached." For more information, see the Availability sets overview.