Tutorial: Create service principals and role assignments with PowerShell in Azure Virtual Desktop (classic)
This content applies to Azure Virtual Desktop (classic), which doesn't support Azure Resource Manager Azure Virtual Desktop objects.
Service principals are identities that you can create in Azure Active Directory to assign roles and permissions for a specific purpose. In Azure Virtual Desktop, you can create a service principal to:
- Automate specific Azure Virtual Desktop management tasks.
- Use as credentials in place of MFA-required users when running any Azure Resource Manager template for Azure Virtual Desktop.
In this tutorial, learn how to:
- Create a service principal in Azure Active Directory.
- Create a role assignment in Azure Virtual Desktop.
- Sign in to Azure Virtual Desktop by using the service principal.
Before you can create service principals and role assignments, you need to do the following:
Follow the steps to Install the Azure Az PowerShell module.
Download and import the Azure Virtual Desktop PowerShell module.
Follow all instructions in this article in the same PowerShell session. The process might not work if you interrupt your PowerShell session by closing the window and reopening it later.
Create a service principal in Azure Active Directory
After you've fulfilled the prerequisites in your PowerShell session, run the following PowerShell cmdlets to create a multitenant service principal in Azure.
Import-Module Az.Resources Connect-AzConnect $aadContext = Get-AzContext $svcPrincipal = New-AzADApplication -AvailableToOtherTenants $true -DisplayName "Azure Virtual Desktop Svc Principal" $svcPrincipalCreds = New-AzADAppCredential -ObjectId $svcPrincipal.Id
View your credentials in PowerShell
Before you create the role assignment for your service principal, view your credentials and write them down for future reference. The password is especially important because you won't be able to retrieve it after you close this PowerShell session.
Here are the three values you should write down and the cmdlets you need to run to get them:
Create a role assignment in Azure Virtual Desktop
Next, you need to create a role assignment so the service principal can sign in to Azure Virtual Desktop. Make sure to sign in with an account that has permissions to create role assignments.
First, download and import the Azure Virtual Desktop PowerShell module to use in your PowerShell session if you haven't already.
Run the following PowerShell cmdlets to connect to Azure Virtual Desktop and display your tenants.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" Get-RdsTenant
When you find the tenant name for the tenant you want to create a role assignment for, use that name in the following cmdlet:
$myTenantName = "<Azure Virtual Desktop Tenant Name>" New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $myTenantName
Sign in with the service principal
After you create a role assignment for the service principal, make sure the service principal can sign in to Azure Virtual Desktop by running the following cmdlet:
$creds = New-Object System.Management.Automation.PSCredential($svcPrincipal.AppId, (ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force)) Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds -ServicePrincipal -AadTenantId $aadContext.Tenant.Id
If you can sign in successfully, your service principal is configured correctly.
After you've created the service principal and assigned it a role in your Azure Virtual Desktop tenant, you can use it to create a host pool. To learn more about host pools, continue to the tutorial for creating a host pool in Azure Virtual Desktop.
Submit and view feedback for