How To Add Azure Virtual Desktop Session Host To Azure AD Join Guide AVD HTMD Blog

Let’s check how to add Azure virtual desktop session host to Azure AD. Microsoft released a public preview for the Azure AD join scenario on 14th July 2021.

I have already mentioned Azure Virtual Desktop Azure AD Join Support with Intune Management in the previous post. Let’s also learn how to take RDP of Azure AD Joined VMs in Azure from the following posts.

Check out the requirements of taking RDP of AAD Joined Windows 11 or 11 device: 1. RDP Of Azure AD Joined Device MS-Organization-P2P-Access Certificate and 2. How To Take RDP Of Azure AD Joined Device. This is not really applicable for AVD Azure AD Joined scenarios.

Update – Microsoft announced the General Availability of Azure AD-joined VMs on 15th Sept 2021.

I have shared my AVD End-User Experience Journey with Intune Management in the previous post. You can manage and secure Azure Virtual Desktop session hosts with MEM management and pure Azure AD join. You don’t need to use the MDM group policy to enroll devices into Intune for AAD join scenario.

You don’t need connectivity to on-prem AD if you are joining AVD Session hosts to Azure AD. Also, the AD DS requirement is not there if you are using pure Azure AD Join for the AVD session hosts.

Microsoft released Windows 365 Cloud PC on 14th July 2021. The Cloud PC solution is also an exciting solution for Windows personal desktops in the cloud.

Prerequisite to Add Azure Virtual Desktop Session Host to Azure AD Join Guide AVD

The following are the prerequisites to join AVD session hosts to Azure AD. Also, make sure you have all covered the license and other AVD prerequisites.

Host pools should only contain VMs of the same domain join type. AD-joined VMs should only be with other AD VMs, and vice-versa. The minimum supported versions of Windows 10 – 2004 or later.

Default Users/Non-Admin Users on the virtual machine should be part of Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.

Admin User on virtual desktop should be part of Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.

Custom RDP setting in the host pool “targetisaadjoined:i:1” to connect Remote Desktops from non-Widnows end-user devices.

Azure Virtual Desktop (classic) doesn’t support Azure AD-joined VMs.
Azure AD-joined VMs don’t currently support external identities, such as Azure AD Business-to-Business (B2B) and Azure AD Business-to-Consumer (B2C).
Azure AD-joined VMs can only access Azure Files file shares for synced users using Azure AD Kerberos.
The Windows Store client doesn’t currently support Azure AD-joined VMs.

Add Azure Virtual Desktop Session Host to Azure AD

Azure AD join gives you the option to automatically enroll the VM with Intune so you can easily manage Windows 10 and Windows 10 multi-session VMs. You can use the option to add Azure Virtual Desktop Session Host to Azure AD.

NOTE! – The Azure AD join is the modern method of managing devices with Intune auto-enrollment. With the Azure AD join scenario, you don’t need direct connectivity to the on-prem Active Directory.

How to Add Azure Virtual Desktop Session Host to Azure AD Join Guide WVD AVD

You have an option to add VMs to Azure AD using add virtual machines to an existing host pool wizard from the drop-down option.

Domain Join – Select which directory you would like to join – Azure Active Directory.
Enroll VM with Intune -> Yes.

Enter the Virtual machine administrator account – Enter the local user name and password for Azure AD joined session hosts.

RBAC Roles Required for AVD Azure AD Join

As I mentioned in the prerequisites section, you must add an Azure AD user group to give them login access to Azure AD joined VMs.

Navigate to Resource Groups and select the resource group that you used for building Azure AD joined session hosts.
Click on Access Control (IAM).
Click +Add button to add role assignment.
Select the Role “Virtual Machine User Login“.
Select the Azure AD group where the login (AVD end-users) users are member of.

NOTE! – Repeat the above tasks to add Admin users access to AVD session host VMs using the built-in role called Virtual Machine Administrator Login.

Special RD Settings for AVD Azure AD Joined

To access Azure AD-joined VMs using the web, Android, macOS, iOS, and Microsoft Store. You will need an advanced RD setting for Azure AD joined AVD session hosts.

You can read the details about WVD New RDP Settings Options. Also, you can check whether RDP settings are flowing down to the base clients using the How to Download WVD Session Desktop RDP File post.

Navigate to Host Pool -> Select the Hostpool where Azure AD joined VMs are located.
Click on RDP properties.
Click on … button and select Advanced button.
Enter targetisaadjoined:i:1 as the last custom properties and click Save.

How to Add Azure Virtual Desktop Session Host to Azure AD Join Guide WVD AVD Special RD Settings for AVD Azure AD Joined — How to Add Azure Virtual Desktop Session Host to Azure AD Join Guide WVD AVD **Special RD Settings for AVD Azure AD Joined**

Results – AVD Azure AD Joined

You can check the results of AVD Azure AD joined session hosts from various places.

Azure AD Devices node.
Intune MEM Portal.
Windows 10 or Windows 11 client.

Issue with Azure AD Joined VMs?

I can’t log in to Azure AD join session hosts. I got the following error whenever I tried to connect to VM from RD client.

The following error 0x9735 translates to SSL_ERR_INVALID_UPN_NAME which originates from SEC_E_INVALID_UPN_NAME.
This means “You can’t sign in with a user ID in this format. Try using your email address instead.”
I’m login in to session host with anoop@abc.onmicrosoft.com ID. I don’t know whether this is supported or not,

NOTE! – Further troubleshooting in a later blog post. In the comments section, you can comment on your experience with Azure AD joined VMs.

As promised, here is the blog post FIX: AVD Azure AD Joined VM Login Issue with Error Code 0x9735.

Error code: 0x9735 
Extended error code: 0x0 
Activity ID: {7432516d-23a3-483f-b99e-c3c321520000}

Resources

Azure Virtual Desktop End-User Experience Journey with Intune Management

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

13 thoughts on “How to Add Azure Virtual Desktop Session Host to Azure AD Join Guide AVD”

pawel

July 20, 2021 at 7:21 pm

hi
your guide is great.
i reeached to a point where im getting this 0x9735 error every time when trying to connect using Remote Desktop app on client device.
All prereqs are met. Device is AADJ to the same tenant, managed by intune and this error still occours.
The only way im able to login to my AADJ AVD hostpool is via RD web client. Theres no issues there.
Any clues ???
- Anoop C Nair
  
  July 20, 2021 at 7:36 pm
  
  Are you using a cloud account that ends with .onmicrosoft.com or a standard account like [email protected] to login?
Robert Steeghs

August 6, 2021 at 7:49 pm

You need to have your host pool in the validation environment as well: https://docs.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-ad-joined-vm

During public preview, you must configure your host pool to be in the validation environment.
- Anoop C Nair
  
  August 6, 2021 at 10:12 pm
  
  Thank you for the tip!
David

December 5, 2022 at 9:55 pm

Hi Anoop,

Is there a way to automate to assignment a user to AVD pool and to add Virtual Machine User Login?
how to mange that in a big company ?
- Anoop C Nair
  
  December 6, 2022 at 12:06 am
  
  Hi David – You can use Azure AD groups for automatic assignment as shown in the post. A VM from that hostpool will automatically get assigned whenever the user logs in.
David

December 6, 2022 at 2:34 pm

Hi Anoop

The automatic assignment i setup for the App group, but how to add user to Virtual Machine User Login?
sorry i dont see in in the article
my goal is to automate all so i dont have add user to the Host pool and Virtual Machine User Login
- Anoop C Nair
  
  December 6, 2022 at 2:39 pm
  
  Here you go https://www.anoopcnair.com/avd-admin-experience-create-new-host-pool/
  
  Check for this sentence “Search for Azure AD Users or Groups to assign Desktop Application Group created through the Hostpool.” in the post
David

December 6, 2022 at 3:54 pm

but there i can add a user to the Application group but still i need to add the user to the VM so can can login

sorrr or i dont understate something
- Anoop C Nair
  
  December 6, 2022 at 4:22 pm
  
  The application group is assigned to Host Pool, and the host pool has VMs. Hence the users in the application group will automatically get VM assignment if there is enough capacity for VMs in the hostpool.
Satz

September 8, 2023 at 11:05 pm

How can I route specific user to login to specific session hosts from host pool.
Blueman

September 10, 2023 at 4:32 am

I already have existing VM which aren’t Azure AD joined, how do I add them to the Azure Active Directory and enrolll in Intune.
Lastly I see two VDI with AD joined under devices, how can I enroll them to Intune? Who do I give the license to?
Matt

April 12, 2024 at 6:28 am

Hi Anoop, I also have the same question, I have 2 hosts (Win11 mutisession) VMs that I want to join to MS Entra/AAD. How can I achieve that as I did not select Intune enrollment when onboarding them?.
Thanks