Hosted machines allow you to build, test, and run attended and unattended desktop flows without providing or setting up any physical machines.
You can create hosted machines directly through the Power Automate portal. Power Automate automatically provisions a Windows machine based on your configuration and registers it to your environment. Access your hosted machines in the Power Automate portal and start building your desktop flows within minutes. Hosted machines use Windows 365 for provisioning and access.
Here are some of the highlights of what you can do with hosted machines:
Build and test desktop flows using Power Automate for desktop.
Run attended and unattended desktop flows.
To distribute your automation workload, assign your hosted machines to machine groups.
Key capabilities:
Work or school account integration: Enables access to resources that are part of the business plan linked to your organization, such as Office, SharePoint, and Azure.
Vanilla or custom VM images for your hosted machine: Use a vanilla virtual machine (VM) image provided by Microsoft or personalize your hosted machines by providing your own Windows image directly from your Azure Compute Gallery. Providing your own Windows image allows you to have all your applications installed on the provisioned hosted machines.
Connect to your own virtual network: Securely communicate with each other, the Internet, and your on-premises networks.
Note
Sign-in access is only available to the creator of the hosted machine.
You can run unattended desktop flows using a work or school account that is different from the creator of the hosted machine, provided that you add the account on the hosted machine.
Licensing requirements
To use hosted machines, you need the Power Automate Hosted Process license (previously Power Automate hosted RPA add-on). Assign to your environment as much capacity as the number of hosted machines you want to run in your environment.
You also need the following prerequisite licenses: Windows, Intune, Microsoft Entra ID.
Note
The Hosted Process licenses the machines and not the user. The Premium user plan is required to run attended RPA, and for RPA developers to build and manage desktop flows on the Power Automate portal. To learn more about the Premium RPA features that come with the Premium user plan, go to Premium RPA features.
Trial licenses for evaluation
To evaluate hosted machines, you need one of the following trial licensing options:
Use the Power Automate Hosted Process license
The Power Automate Hosted Process license has trial versions that last 30 days and can be extended once to a total of 60 days. Organization admins can obtain up to 25 seats from Microsoft 365 admin center and assign Power Automate Hosted Process capacity to the targeted environment.
Use the 90-days self-assisted premium trial.
Note
This trial licensing option for hosted machines is suspended until further notice.
Trial users are granted the capacity of one hosted machine per tenant. To start a trial, select Try free under Power Automate Premium in the Power Automate pricing page or the desktop flow page of the Power Automate portal.
Prerequisites
This section presents all the prerequisites to create and use hosted machines.
Microsoft Entra and Intune requirements
A valid and working Intune and Microsoft Entra tenant.
Ensure that Intune device type enrollment restrictions are set to Allow Windows (MDM) platform for corporate enrollment.
To find more information about the Microsoft Entra and Intune requirements, go to Windows 365 requirements.
Windows 365 Cloud PC and Azure Virtual Desktop service principal
Note
The Windows 365 and Azure Virtual Desktop service principals should automatically be created in your tenant. You can skip this step, unless you face an error with service principals not created in your tenant when you provision the hosted machine.
Validate if the Windows 365 service principal is already created:
Navigate to Microsoft Entra > Enterprise applications > All applications.
Remove filter Application type == Enterprise Applications.
Fill filter Application ID starts with with the Windows 365 application ID 0af06dc6-e4b5-4f28-818e-e78e62d137a5.
If the service principal is provisioned in your Microsoft Entra, the page should look like the following screenshot:
If the application is like the presented screenshot, you don't need to perform any extra steps. However, you must create the service principal if the application isn't showing up.
The default VM image is available to all users in the environment. If you can't see the default VM image, your admin disabled sharing of default VM images with users. In this case:
Users need either the System Administrator or Desktop Flows Machine Configuration Admin role to see and manage the default image.
For other users, the System Administrator or Desktop Flows Machine Configuration Admin must share the default image with them before they can use it.
View the default image in Monitors > Machines > VM images.
Enter a name for your hosted machine and optionally add a description.
Select the VM image to use for your hosted machine. A proposed default Windows 11 image called Default Windows Desktop Image is available. If you don't see it, make sure you followed the steps described in Prerequisites.
Alternatively, you can select a custom VM image that is shared with your account.
Optionally, select the custom network connection you want your hosted machine to be provisioned with. Otherwise, you automatically connect to the Microsoft Hosted Network.
Review and create your hosted machine.
Note
The time needed to provision a hosted machine varies depending on the configuration of the hosted machine. It can take over 30 minutes for the machine to be ready for access.
Select your hosted machine from the list of machines.
In the machine details page, you should observe the following details:
Machine type: Hosted machine
Connectivity status: Connected
Machine status: Active
Select Open in browser.
A new tab in the browser should open and load the hosted machine access. Sign in with your work or school account.
The hosted machine is preregistered into the Power Automate environment.
Use custom VM images for your hosted machine
You can personalize your hosted machines by providing your own Windows image directly from your Azure Compute Gallery. This feature allows you to have all your applications installed on your hosted machines.
Create an Azure Compute Gallery in Azure and add an image
Create a new Azure Compute Gallery and select Role based access control (RBAC) in the Sharing tab.
Select Review + create, and once you validated all the settings, select Create.
Once you created an Azure Compute Gallery, create an image definition following the steps in Create an image definition and an image version. You should create the image in the exact location where we deploy your hosted machines. You can find the following mapping with your environment Geo:
Australia: Australia East
Asia: East Asia
Brazil: Brazil South
Canada: Canada Central
Europe: North Europe
France: France Central
Germany: Germany West Central
India: Central India
Japan: Japan East
Korea: Korea Central
Norway: Norway East
Singapore: Southeast Asia (Allowlisted tenants only)
Switzerland: Switzerland North
United Arab Emirates: UAE North
United Kingdom: UK South
United States: East US
Image requirements
Custom VM images must meet the following requirements:
Select Add people and enter the names of the persons in your organization with whom you'd like to share the image.
Select the names of the persons and choose with which permissions they can access the image.
Select Save.
Note
When a user isn't part of an environment anymore, you can continue to see the user as deactivated. You are notified in the Manage access section of the image if it's shared with deactivated users. In this situation, remove access to them.
Use a custom virtual network for your hosted machines
You can connect to your own virtual network with your hosted machines to securely communicate with each other, the Internet, and on-premises networks. Providing your own virtual network from your Azure subscription allows your hosted machines to be provisioned with your virtual network automatically.
Note
You can have up to 30 custom virtual networks configured per tenant.
General network requirements
To use your own network with hosted machines, you must meet the following requirements:
You must have a virtual network in your Azure subscription in the same region where you created the hosted machines.
Microsoft Entra hybrid joined hosted machines require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. For more information, see Plan your Microsoft Entra hybrid join deployment.
If an organizational unit is specified, ensure it exists and is valid.
An Active Directory user account with sufficient permissions to join the computer into the specified organizational unit within the Active Directory domain. If you don't specify an organizational unit, the user account must have sufficient permissions to join the computer to the Active Directory domain.
User accounts that are creators of hosted machines must have a synced identity available in both Active Directory and Microsoft Entra ID.
Role and identity requirements
Hosted machines users must be configured with hybrid identities so that they can authenticate with resources both on-premises and in the cloud.
DNS requirements
As part of the Microsoft Entra hybrid join requirements, your hosted machines must be able to join on-premises Active Directory. That requires that the hosted machines be able to resolve DNS records for your on-premises AD environment.
Configure your Azure Virtual Network where the hosted machines are provisioned as follows:
Make sure your Azure Virtual Network has network connectivity to DNS servers that can resolve your Active Directory domain.
From the Azure Virtual Network's Settings, select DNS Servers and then choose Custom.
Enter the IP address of the DNS servers that can resolve your Active Directory Domain Services domain.
Share the virtual network with Windows 365 service principal
To use your virtual network for hosted machines, you need to grant the Windows 365 service principal the following permissions:
Reader permission on the Azure subscription
Windows 365 Network Interface Contributor permission on the specified resource group
Windows 365 Network User permission on the virtual network
Note
Ensure the resources have the specified role requirements assigned to the Windows 365 service principal, even if other roles with the same or higher permissions are already assigned.
Note
For virtual networks created before November 26, 2023, the Network Contributor role is used to apply permissions on both the resource group and virtual network. The new RBAC roles have more specific permissions. To manually remove the existing roles and add the new roles, refer to the following table for the existing roles used on each Azure resource. Before removing the existing roles, make sure that the updated roles are assigned.
Azure resource | Existing role (before November 26, 2023) | Updated role (after November 26, 2023)
Resource group | Network Contributor | Windows 365 Network Interface Contributor
Virtual network | Network Contributor | Windows 365 Network User
Subscription | Reader | Reader
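One way to check the role assignments described above, as an added example that is not part of the original page: it audits data in the shape of `az role assignment list --assignee <Windows 365 application ID> --all -o json` against the three required roles and reports whether a legacy Network Contributor assignment can be removed yet. The subscription ID, resource group and virtual network names are constructed placeholders, and `required_roles` and `audit` are hypothetical helper names.

```python
import json

# Role the page says was used before November 26, 2023.
LEGACY_ROLE = "Network Contributor"


def required_roles(sub, rg, vnet):
    """Scope -> role the page requires for the Windows 365 service principal."""
    sub_scope = f"/subscriptions/{sub}"
    rg_scope = f"{sub_scope}/resourceGroups/{rg}"
    vnet_scope = f"{rg_scope}/providers/Microsoft.Network/virtualNetworks/{vnet}"
    return {
        sub_scope: "Reader",
        rg_scope: "Windows 365 Network Interface Contributor",
        vnet_scope: "Windows 365 Network User",
    }


def audit(assignments, sub, rg, vnet):
    """Compare the service principal's role assignments with the required set.

    The match is strict (exact role at exact scope) because the page says the
    named roles must be assigned even when broader roles already exist.
    """
    # Azure resource IDs are case-insensitive, so normalise before comparing.
    held = {(a["scope"].rstrip("/").lower(), a["roleDefinitionName"])
            for a in assignments}
    report = {"missing": [], "legacy_removable": [], "legacy_keep_for_now": []}
    for scope, role in required_roles(sub, rg, vnet).items():
        key = scope.lower()
        has_new = (key, role) in held
        if not has_new:
            report["missing"].append((scope, role))
        # The page's table lists the legacy role only on the resource group and
        # virtual network; remove it only once the updated role is in place.
        if role != "Reader" and (key, LEGACY_ROLE) in held:
            bucket = "legacy_removable" if has_new else "legacy_keep_for_now"
            report[bucket].append(scope)
    return report


# Constructed sample carrying only the two fields used above; all IDs and
# names are placeholders, not values from the page.
SUB, RG, VNET = "00000000-0000-0000-0000-000000000000", "rg-rpa", "vnet-rpa"
_RG_SCOPE = f"/subscriptions/{SUB}/resourceGroups/{RG}"
_VNET_SCOPE = _RG_SCOPE.lower() + "/providers/microsoft.network/virtualnetworks/vnet-rpa"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Network Contributor", "scope": _RG_SCOPE},
    {"roleDefinitionName": "Network Contributor", "scope": _VNET_SCOPE},
    {"roleDefinitionName": "Windows 365 Network User", "scope": _VNET_SCOPE},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE, SUB, RG, VNET), indent=2))
```
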
Share the virtual network with Power Automate makers
The last step before being able to reference your virtual network from Power Automate is to share the virtual network with the Power Automate makers.
Enter a network connection name, a description, and the usage.
Network connection name: A unique name to identify the network connection.
Description: An optional description for the network connection.
Use with: Select hosted machine.
Select one of the Azure virtual networks available in Azure that meets the network requirements.
Select the Subnet the hosted machine uses.
Select the Domain join type the machine uses.
If Microsoft Entra hybrid join is selected, the following information is required:
DNS domain name: The DNS name of the Active Directory domain you want to use for connecting and provisioning hosted machines. For example, corp.contoso.com.
Organizational unit (optional): An organizational unit (OU) is a container within an Active Directory domain, which can hold users, groups, and computers. Make sure that this OU is enabled to sync with Microsoft Entra Connect. Provisioning fails if this OU isn't syncing.
Username UPN: The username, in user principal name (UPN) format, you want to use for connecting the hosted machines to your Active Directory domain. For example, svcDomainJoin@corp.contoso.com. This service account must have permission to join computers to the domain and, if set, the target OU.
Domain password: The password for the user.
Note
It takes 10-15 minutes to provision a new network connection with Microsoft Entra hybrid join domain join type.
Select Add people and enter the names of the persons in your organization with whom you’d like to share the network connection.
Select the names of the persons and choose which permissions they can access the network connection with.
Select Save.
Note
When a user isn't part of an environment anymore, you can continue to see the user as deactivated. You are notified in the Manage access section of the network connection if it's shared with deactivated users. In this situation, remove access to them.
View list of hosted machines
Once you created your hosted machine in an environment, you can view its details in the Power Automate portal.
Select a hosted machine in the list and navigate to its details page.
Select Manage access.
Enter the username or email you want to share the hosted machine with, and select the user you want to add.
For each user, you can grant different permissions: User or Co-owner.
The User permission only allows the targeted user to run desktop flows on the selected hosted machine. A Co-owner can also edit the hosted machine details.
Note
Sign-in access is only available to the creator of the hosted machine.
You can run unattended desktop flows using a work or school account that is different from the creator of the hosted machine, provided that you add the account on the hosted machine.
When a user isn't part of an environment anymore, you may continue to see the user as deactivated. You'll be notified in the Manage access section of the hosted machine if it's shared with deactivated users. In this situation, remove access to them.
Run desktop flows on hosted machines
Power Automate enables you to trigger desktop flows on your hosted machines as you do on standard machines. To implement this functionality, you need a desktop flow connection to your hosted machine.
If you intend to run unattended desktop flows on your hosted machine using the default virtual machine (VM) image option, you need to disable Network Level Authentication on your machine.
Restart hosted machines
Power Automate enables you to restart your hosted machines from the Power Automate portal. To restart your hosted machine:
This section describes the permissions for hosted machines.
Environment Maker role
By default, the Environment Maker role can create hosted machines in their environment. The entities that require privileges to use hosted machines are:
Flow Machine
Flow Machine Group
Flow Machine Image
Flow Machine Network (if using custom virtual network for your hosted machine)
The Environment Maker role can create and share custom VM images, as these actions require create and append privileges on the Flow Machine Image.
Admins can also use the roles provided as part of Desktop Flows. You can find more information about desktop flow security roles in Manage Machines.
Desktop Flows Machine Owner role
By default, the Desktop Flows Machine Owner role can create hosted machines, but can't create custom VM images or custom virtual networks. Users with this role can only use previously shared custom VM images or custom virtual networks in their own hosted machines.
Desktop Flows Machine Configuration Admin role
The Desktop Flows Machine Configuration Admin role only brings full privileges on the Flow Machine Image and Flow Machine Network entities. In particular, it allows users with this role to share or unshare the VM images and virtual networks used for hosted machines created in their environment. You can find more information about sharing pre-provisioned VM images and virtual networks in Create hosted machines.
Custom virtual network permissions
The custom virtual network feature requires permissions to the Flow Machine Network table. You can grant or deny privileges to this table to control which user can create and share custom virtual networks.
Hosted machines limitations
This section presents the limitations of hosted machines.
Geographical availabilities/restrictions
The following list displays all the supported Power Platform geographies in the public cloud:
Australia
Asia
Brazil
Canada
Europe
France
Germany
India
Japan
Korea
Norway
Singapore (Allowlisted tenants only)
Switzerland
United Arab Emirates
United Kingdom
United States
Note
Hosted machines aren't yet available in sovereign clouds.
Azure tenant country/region and supported geographies in the public cloud
A hosted machine stores limited metadata in the geography of your tenant's country/region, which can be different from the region of your Power Automate environment. By default, the cross-geo support for hosted machines is enabled. System admins and environment admins can disable or enable the feature from the Power Platform admin center.
Go to Environments, and select the appropriate environment.
Select Settings > Features.
Under Hosted RPA, select the toggle for Enable cross-geo support for hosted machines to disable or enable this feature.
Select Save.
Note
Disabling this feature at the environment level restricts creation of hosted machines when your tenant's country or region on Azure doesn't fall within the same scope as the region of your Power Automate environment.
To check the tenant country/region on Azure:
Open the Tenant properties service. The Country or region is available as one of the properties.
Deletion of unused resources
For environments without the Power Automate Hosted Process license, we clean unused resources to ensure our service is available for everyone. A hosted machine that is inactive for 14 days is automatically deleted. The deleted hosted machine is still visible but can't be used anymore. An inactive hosted machine is a machine that has no flow runs and no usage of Power Automate for desktop for the last 14 days.
Note
You need to delete the inactive hosted machine and recreate a new one to continue using the hosted machines feature. You need to reconfigure the connections associated with your cloud flows.