Citrix DaaS

Connection to Microsoft Azure

Create and manage connections describes the wizards that create a connection. The following information covers details specific to Azure Resource Manager cloud environments.

Note:

Before creating a connection to Microsoft Azure, you need to first finish setting up your Azure account as a resource location. See Microsoft Azure Resource Manager cloud environments.

Connection to Azure Resource Manager

Create and manage connections describes the wizards that create a connection. The following information covers details specific to Azure Resource Manager connections.

Considerations:

  • Citrix recommends using Service Principal with contributor role. However, see Minimum permissions section to get the list of minimum permissions.
  • When creating the first connection, Azure prompts you to grant it the necessary permissions. For future connections you must still authenticate, but Azure remembers your previous consent and does not display the prompt again.
  • Accounts used for authentication must be a co-administrator of the subscription.
  • The account used for authentication must be a member of the subscription’s directory. There are two types of accounts to be aware of: ‘Work or School’ and ‘personal Microsoft account.’ See CTX219211 for details.
  • While you can use an existing Microsoft account by adding it as a member of the subscription’s directory, there can be complications if the user was previously granted guest access to one of the directory’s resources. In this case, they might have a placeholder entry in the directory that does not grant them the necessary permissions, and an error is returned.

    Rectify this by removing the resources from the directory and add them back explicitly. However, exercise this option carefully, because it has unintended effects for other resources that account can access.

  • There is a known issue where certain accounts are detected as directory guests when they are actually members. Configurations like this typically occurs with older established directory accounts. Workaround: add an account to the directory, which takes the proper membership value.
  • Resource groups are simply containers for resources, and they can contain resources from regions other than their own region. This can potentially be confusing if you expect resources displayed in a resource group’s region to be available.
  • Ensure that your network and subnet are large enough to host the number of machines you require. This requires some foresight, but Microsoft helps you specify the right values, with guidance about the address space capacity.

You can establish a host connection to Azure in two ways:

  • Authenticate to Azure to create a service principal.
  • Use the details from a previously created service principal to connect to Azure.

Create a service principal

Important:

This feature is not yet available for Azure China and Azure Germany subscriptions.

Before you start, authenticate to Azure. Ensure:

  • You have a user account in your subscription’s Azure Active Directory tenant.
  • The Azure AD user account is also a co-administrator for the Azure subscription that you want to use for provisioning resources.
  • You have global administrator, application administrator, or application developer permissions for authentication. The permissions can be revoked after you create host connection. For more information about roles, see Azure AD built-in roles.

When you authenticate to Azure to create a service principal, an application is registered in Azure. A secret key (client secret) is created for the registered application. The registered application uses the client secret to authenticate to Azure AD. Be sure to change the client secret before it expires. You receive an alert on the console before the secret key expires. See Application secret and secret expiration date.

To authenticate to Azure to create a service principal, complete the following steps in the Add Connection and Resources wizard:

  1. On the Connection page, select Create a new connection, the Microsoft Azure connection type, and your Azure environment.

  2. Select which tools to use to create the virtual machines and then select Next.

  3. On the Connection Details page, enter your Azure subscription ID and a name for the connection. After you enter the subscription ID, the Create new button is enabled.

    Note:

    The connection name can contain 1–64 characters, and cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.

  4. Select Create new and then enter the Azure Active Directory account user name and password.

  5. Select Sign in.

  6. Select Accept to give Citrix Virtual Apps and Desktops the listed permissions. Citrix Virtual Apps and Desktops creates a service principal that allows it to manage Azure resources on behalf of the specified user.

  7. After you select Accept, you return to the Connection page in the wizard.

    Note:

    After you successfully authenticate to Azure, the Create new and Use existing buttons disappear. The Connection successful text appears, with a green check mark, indicating the successful connection to your Azure subscription.

  8. On the Connection Details page, select Next.

    Note:

    You cannot proceed to the next page until you successfully authenticate to Azure and consent to giving the required permissions.

  9. Configure resources for the connection. Resources comprise the region and the network.

    • On the Region page, select a region.
    • On the Network page, do the following:
      • Type a 1–64 character resource name to help identify the region and network combination. A resource name cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.
      • Select a virtual network/resource group pair. (If you have more than one virtual network with the same name, pairing the network name with the resource group provides unique combinations.) If the region you selected on the previous page does not have any virtual networks, return to that page and select a region that has virtual networks.
  10. On the Summary page, view a summary of settings and select Finish to complete your setup.

Use the details from a previously created service principal to connect to Azure

To create a service principal manually, connect to your Azure Resource Manager subscription and use the PowerShell cmdlets provided in the following sections.

Prerequisites:

  • SubscriptionId: Azure Resource Manager SubscriptionID for the subscription where you want to provision VDAs.
  • ActiveDirectoryID: Tenant ID of the application that you registered with Azure AD.
  • ApplicationName: Name for the application to be created in Azure AD.

To create a service principal:

  1. Connect to your Azure Resource Manager subscription.

    Connect-AzAccount

  2. Select the Azure Resource Manager subscription where you want to create the service principal.

    Get-AzSubscription -SubscriptionId $subscriptionId | Select-AzSubscription

  3. Create the application in your AD tenant.

    $AzureADApplication = New-AzADApplication -DisplayName $ApplicationName

  4. Create a service principal.

    New-AzADServicePrincipal -ApplicationId $AzureADApplication.AppId

  5. Assign a role to the service principal.

    New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.AppId –scope /subscriptions/$SubscriptionId

  6. From the output window of the PowerShell console, note the ApplicationId. You provide that ID when creating the host connection.

In the Add Connection and Resources wizard:

  1. On the Connection page, select Create a new connection, the Microsoft Azure connection type, and your Azure environment.

  2. Select which tools to use to create the virtual machines and then select Next.

  3. On the Connection Details page, enter your Azure subscription ID and a name for the connection.

    Note:

    The connection name can contain 1–64 characters, and cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.

  4. Select Use existing. In the Existing Service Principal Details window, enter the following settings for the existing service principal. After you enter the details, the Save button is enabled. Select Save. You cannot progress beyond this page until you provide valid details.

    • Subscription ID. Enter your Azure subscription ID. To obtain your subscription ID, sign in to the Azure portal and navigate to Subscriptions > Overview.
    • Active Directory ID (tenant ID). Enter the Directory (tenant) ID of the application that you registered with Azure AD.
    • Application ID. Enter the Application (client) ID of the application that you registered with Azure AD.
    • Application secret. Create a secret key (client secret). The registered application uses the key to authenticate to Azure AD. We recommend that you change keys regularly for security purposes. Be sure to save the key because you cannot retrieve the key later. See Application secret and secret expiration date.
    • Secret expiration date. Enter the date after which the application secret expires. You receive an alert on the console before the secret key expires. However, if the secret key expires, you receive errors.

      Note:

      For security purposes, the expiration period cannot be more than two years from now.

    • Authentication URL. This field is automatically populated and is not editable.
    • Management URL. This field is automatically populated and is not editable.
    • Storage suffix. This field is automatically populated and is not editable.
  5. After selecting Save, you return to the Connection Details page. Select Next to proceed to the next page.

  6. Configure resources for the connection. Resources comprise the region and the network.

    • On the Region page, select a region.
    • On the Network page, do the following:
      • Type a 1–64 character resource name to help identify the region and network combination. A resource name cannot contain only blank spaces nor the characters \/;:#.*?=<>|[]{}"'()'.
      • Select a virtual network/resource group pair. (If you have more than one virtual network with the same name, pairing the network name with the resource group provides unique combinations.) If the region you selected on the previous page does not have any virtual networks, return to that page and select a region that has virtual networks.
  7. On the Summary page, view a summary of settings and select Finish to complete your setup.

Application secret and secret expiration date

View the application ID

You can view the application ID in the Full Configuration interface.

In the Add Connection and Resources wizard, select the connection to view the details. The Details tab shows the Application ID.

Application ID on Add Connection and Resouces page

View the application secret

You can view the application secret in the Azure portal.

  1. Get the Application ID from the Full Configuration interface.
  2. Sign in to the Azure portal.
  3. In Azure, select Azure Active Directory.
  4. From App registrations in Azure AD, select your application.
  5. Go to Certificates & secrets.
  6. Click Client secrets.

Application secret in Azure portal

Change the secret expiration date

Use the Full Configuration interface to add or modify the expiration date for the application secret in use.

  1. In the Add Connection and Resources wizard, right-click a connection, and click Edit Connection.
  2. On the Connection Properties page, click Secret expiration date to add or modify the expiration date for the application secret in use.

Change secret expiration date

Create a new application secret

You can create a new application secret of a connection through the Azure portal.

  1. Select Azure Active Directory.
  2. From App registrations in Azure AD, select your application.
  3. Go to Certificates & secrets.
  4. Click Client secrets > New client secret.

    Create new application secret

  5. Provide a description of the secret and specify a duration. When you are done, select Add.

    Note:

    Be sure to save the client secret because you cannot retrieve it later.

  6. Copy the client secret value and the expiration date.
  7. In the Full Configuration interface, edit the corresponding connection and replace the content in the Application secret and Secret expiration date field with the values you copied.

About Azure permissions

This section contains the minimum and general permissions required for Azure.

Minimum permissions

Minimum permissions give better security control. However, new features that require additional permissions will fail because of using only minimum permissions.

Creating a host connection

Add a new host connection using the information obtained from Azure.

"Microsoft.Network/virtualNetworks/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/disks/read",
<!--NeedCopy-->

Power management of VMs

Power on or off the machine instances.

"Microsoft.Compute/virtualMachines/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
<!--NeedCopy-->

Creating, updating, or deleting VMs

Create a machine catalog, then add, delete, update machines, and delete the machine catalog.

Following is the list of minimum permissions required when the master image is managed disk or snapshots are located in the same region as the hosting connection.

"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Compute/disks/endGetAccess/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
<!--NeedCopy-->

You need the following extra permissions based on minimal permissions for the following features:

  • If the master image is a VHD in a storage account located in the same region as the hosting connection:

     "Microsoft.Storage/storageAccounts/read",
     "Microsoft.Storage/storageAccounts/listKeys/action",
     <!--NeedCopy-->
    
  • If the master image is an ImageVersion from the Shared Image Gallery:

     "Microsoft.Compute/galleries/read",
     "Microsoft.Compute/galleries/images/read",
     "Microsoft.Compute/galleries/images/versions/read",
     <!--NeedCopy-->
    
  • If the master image is a managed disk. Snapshots, or VHD is in a region different from the region of hosting connection:

     "Microsoft.Storage/storageAccounts/read",
     "Microsoft.Storage/storageAccounts/listKeys/action",
     "Microsoft.Storage/storageAccounts/write",
     "Microsoft.Storage/storageAccounts/delete",
     <!--NeedCopy-->
    
  • If you use Citrix-managed resource group:

     "Microsoft.Resources/subscriptions/resourceGroups/write",
     "Microsoft.Resources/subscriptions/resourceGroups/delete",
     <!--NeedCopy-->
    
  • If you put the master image in Shared Image Gallery:

     "Microsoft.Compute/galleries/write",
     "Microsoft.Compute/galleries/images/write",
     "Microsoft.Compute/galleries/images/versions/write",
     "Microsoft.Compute/galleries/read",
     "Microsoft.Compute/galleries/images/read",
     "Microsoft.Compute/galleries/images/versions/read",
     "Microsoft.Compute/galleries/delete",
     "Microsoft.Compute/galleries/images/delete",
     "Microsoft.Compute/galleries/images/versions/delete",
     <!--NeedCopy-->
    
  • If you use Azure dedicated host support:

     "Microsoft.Compute/hostGroups/read",
     "Microsoft.Compute/hostGroups/write",
     "Microsoft.Compute/hostGroups/hosts/read",
     <!--NeedCopy-->
    
  • If you use Server Side Encryption (SSE) with Customer Managed Keys (CMK):

     "Microsoft.Compute/diskEncryptionSets/read",
     <!--NeedCopy-->
    
  • If you deploy VMs using ARM templates (machine profile):

     "Microsoft.Resources/deployments/write",
     "Microsoft.Resources/deployments/operationstatuses/read",
     "Microsoft.Resources/deployments/read",
     "Microsoft.Resources/deployments/delete",
     <!--NeedCopy-->
    
  • If you use Azure template spec as a machine profile:

     "Microsoft.Resources/templateSpecs/read",
     "Microsoft.Resources/templateSpecs/versions/read",
     <!--NeedCopy-->
    

Creating, updating, and deleting machines with unmanaged disk

Following is the list of minimum permissions required when the master image is VHD and use resource group as provided by admin:

"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action"
<!--NeedCopy-->

General permission

Contributor role has full access to manage all resources. This set of permissions does not block you from getting new features.

The following set of permissions provides the best compatibility going forward although it does include more permissions than needed with the current feature set:

"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/endGetAccess/action",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/galleries/delete",
"Microsoft.Compute/galleries/images/delete",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/delete",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/galleries/images/versions/write",
"Microsoft.Compute/galleries/images/write",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/write",
"Microsoft.Compute/hostGroups/hosts/read",
"Microsoft.Compute/hostGroups/read",
"Microsoft.Compute/hostGroups/write",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Resources/templateSpecs/read",
"Microsoft.Resources/templateSpecs/versions/read",
<!--NeedCopy-->

Where to go next

More information

Connection to Microsoft Azure