Citrix DaaS

Create Azure Active Directory joined catalogs

This article describes how to create Azure Active Directory (AD) joined catalogs using Citrix DaaS.

For information on requirements, limitations, and considerations, see Azure Active Directory joined.

Before you create the machine catalog, you need the following:

  1. New resource location
    • Navigate to the Citrix Cloud admin UI > upper left hamburger menu > Resource Locations.
    • Click + Resource Location.
    • Enter a name for the new resource location and click Save.
  2. Create a hosting connection. See Create and manage connections section for details. When deploying machines on Azure, see Connection to Azure Resource Manager.

You can create Azure AD joined catalogs by using the Full Configuration interface or PowerShell.

Use the Full Configuration interface

The following information is a supplement to the guidance in Create machine catalogs. To create Azure AD joined catalogs, follow the general guidance in that article, minding the details specific to Azure AD joined catalogs.

In the catalog creation wizard:

  1. On the Master Image page:
    • Select 2106 or later as the functional level.
    • Select Use a machine profile and select the appropriate machine from the list.
  2. On the Machine Identities page, select Azure Active Directory joined. The created machines are owned by an organization and are signed into with an Azure AD account that belongs to that organization. They exist only in the cloud.

    Note:

    • The Azure Active Directory joined identity type requires version 2106 or later as the minimum functional level for the catalog.
    • The machines are joined to the Azure AD domain associated with the tenant to which the hosting connection is bound.
  3. Users must be granted explicit access in Azure to log into the machines using their AAD credentials. See the Azure Active Directory joined section for more details.

Use PowerShell

The following are PowerShell steps equivalent to operations in Full Configuration. For information on how to create a catalog using the Remote PowerShell SDK, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/creating-a-catalog/.

The difference between on-premises AD joined catalogs and Azure AD joined ones lies in the creation of the identity pool and the provisioning scheme.

To create an identity pool for Azure AD joined catalogs:

New-AcctIdentityPool -AllowUnicode -IdentityType "AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"

To create a provisioning scheme for Azure AD joined catalogs, the MachineProfile parameter is required in New-ProvScheme:

New-ProvScheme -CustomProperties "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`"><Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" /><Property xsi:type=`"StringProperty`" Name=`"StorageType`" Value=`"StandardSSD_LRS`" /><Property xsi:type=`"StringProperty`" Name=`"LicenseType`" Value=`"Windows_Server`" /></CustomProperties>" `
    -HostingUnitName "AzureResource" `
    -IdentityPoolName "AzureADJoinedCatalog" `
    -InitialBatchSizeHint 1 `
    -MachineProfile "XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\MasterVDA.vm" `
    -MasterImageVM "XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\azuread-small_OsDisk_1_5fb42fadf7ff460bb301ee0d56ea30da.manageddisk" `
    -NetworkMapping @{"0"="XDHyp:\HostingUnits\AzureResource\virtualprivatecloud.folder\East US.region\virtualprivatecloud.folder\azuread-rg.resourcegroup\azuread-vnet.virtualprivatecloud\Test_VNET.network"} `
    -ProvisioningSchemeName "AzureADJoinedCatalog" `
    -RunAsynchronously `
    -Scope @() `
    -SecurityGroup @() `
    -ServiceOffering "XDHyp:\HostingUnits\AzureResource\serviceoffering.folder\Standard_DS1_v2.serviceoffering"

All other commands used to create Azure AD joined catalogs are the same as for traditional on-premises AD joined catalogs.
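The two commands above are the only ones that differ from an on-premises AD catalog, and both fail late (at provisioning time) if the pool or the machine profile is wrong. The following pre-flight check is an added example, not part of the Citrix page or SDK: it runs in a Remote PowerShell SDK session and confirms that the identity pool really is of type AzureAD with no on-premises domain attached, and that the machine profile path resolves on the XDHyp: drive, before New-ProvScheme is called. The pool name and profile path reuse the values from the commands above and are placeholders for your environment; the property names read from the pool object (IdentityType, WorkgroupMachine, Domain) are assumed from the Get-AcctIdentityPool output.

```powershell
# Added example (not from the Citrix page): pre-flight checks to run in the
# Remote PowerShell SDK session before New-ProvScheme.

function Test-AzureAdIdentityPool {
    param([Parameter(Mandatory)][string]$IdentityPoolName)

    $pool = Get-AcctIdentityPool -IdentityPoolName $IdentityPoolName -ErrorAction Stop
    $problems = @()

    # Machines only receive a system-assigned managed identity and the
    # AADLoginForWindows extension when the pool's IdentityType is AzureAD.
    if ($pool.IdentityType -ne 'AzureAD') {
        $problems += "IdentityType is '$($pool.IdentityType)', expected 'AzureAD'"
    }
    # Azure AD joined machines are workgroup machines, not on-premises domain members.
    if (-not $pool.WorkgroupMachine) {
        $problems += 'WorkgroupMachine is not set on the pool'
    }
    if ($pool.Domain) {   # assumed property name; populated only for AD-joined pools
        $problems += "Pool still references on-premises domain '$($pool.Domain)'"
    }

    [pscustomobject]@{
        IdentityPoolName = $pool.IdentityPoolName
        IdentityType     = $pool.IdentityType
        Ok               = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

function Test-MachineProfilePath {
    param([Parameter(Mandatory)][string]$MachineProfile)
    # Resolving the path on the XDHyp: drive surfaces a missing or renamed
    # profile VM here instead of as a failed provisioning task later.
    try {
        $null = Get-Item -Path $MachineProfile -ErrorAction Stop
        [pscustomobject]@{ Path = $MachineProfile; Exists = $true }
    } catch {
        [pscustomobject]@{ Path = $MachineProfile; Exists = $false }
    }
}

# Placeholder values; replace with the pool and profile used for your catalog.
$poolCheck    = Test-AzureAdIdentityPool -IdentityPoolName 'AzureADJoinedCatalog'
$profileCheck = Test-MachineProfilePath -MachineProfile 'XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\MasterVDA.vm'

if (-not $poolCheck.Ok) { $poolCheck.Problems | ForEach-Object { Write-Warning $_ } }
if (-not $profileCheck.Exists) { Write-Warning "Machine profile not found: $($profileCheck.Path)" }
if ($poolCheck.Ok -and $profileCheck.Exists) {
    Write-Output 'Pre-flight checks passed; New-ProvScheme can be run.'
}
```

Run this in the same session where you ran New-AcctIdentityPool. A pool created with the wrong IdentityType cannot be repaired in place; remove it and recreate it with -IdentityType "AzureAD" before creating the provisioning scheme.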

View the status of the Azure AD join process

In the Full Configuration interface, the status of the Azure AD join process is visible when Azure AD joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:

  • Azure AD joined
  • Not yet joined to Azure AD

Note:

If the machines fail to reach the Azure AD joined state, they do not register with the Delivery Controller. Their registration status appears as Initialization.

Also, using the Full Configuration interface, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.

Delivery Group

See the Create delivery groups section for details.

Enable Rendezvous

Once the delivery group has been created, you can enable Rendezvous. See Rendezvous V2 for details.

Troubleshoot

If machines fail to join Azure AD, check the following:

  • Check whether the system assigned managed identity is enabled for the machines. MCS-provisioned machines have this enabled automatically, and the Azure AD join process fails without it. If the system assigned managed identity is not enabled for MCS-provisioned machines, a possible reason is:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to AzureAD. You can verify this by running Get-AcctIdentityPool.
  • Check the provisioning status of the AADLoginForWindows extension for the machines. MCS relies on this extension to join a virtual machine to Azure AD. If the AADLoginForWindows extension does not exist, the possible reasons are:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to AzureAD. You can verify this by running Get-AcctIdentityPool.

    • The AADLoginForWindows extension installation is blocked by Azure policy.

  • To troubleshoot AADLoginForWindows extension provisioning failures, you can check logs under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows on the MCS-provisioned machine.

  • Check the Azure AD join status and debug logs by running dsregcmd /status /debug command on the MCS-provisioned machine.

  • Check Windows event logs under Application and Services Logs > Microsoft > Windows > User Device Registration.
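The checks in the list above are spread across the Azure control plane and the provisioned machine itself. The following script is an added example, not Citrix code: the first function runs from an administrator workstation with the Az PowerShell module (after Connect-AzAccount) and reports whether the VM has a system-assigned managed identity and whether the AADLoginForWindows extension is present and in what provisioning state; the second function runs on the MCS-provisioned machine, parses dsregcmd /status, and pulls recent errors from the User Device Registration event log. Resource group and VM names are placeholders; the extension type string and the event log channel name are assumptions based on the paths named in the list above.

```powershell
# Added example (not from the Citrix page). Part 1 runs from an admin
# workstation with the Az module; part 2 runs on the provisioned VM.

function Get-AzureAdJoinPrereq {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,   # placeholder
        [Parameter(Mandatory)][string]$VMName               # placeholder
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -ErrorAction Stop

    # Azure AD join requires a system-assigned managed identity on the VM.
    $identityType      = if ($vm.Identity) { [string]$vm.Identity.Type } else { 'None' }
    $hasSystemIdentity = $identityType -match 'SystemAssigned'

    # MCS installs the AADLoginForWindows extension; filter by extension type
    # (assumed value) because the instance name is environment specific.
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -ErrorAction Stop |
        Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }

    [pscustomobject]@{
        VMName                 = $VMName
        SystemAssignedIdentity = $hasSystemIdentity
        ExtensionPresent       = [bool]$ext
        ExtensionState         = if ($ext) { $ext.ProvisioningState } else { $null }
        Hint                   = if (-not $hasSystemIdentity -or -not $ext) {
                                     'Verify the identity pool IdentityType is AzureAD (Get-AcctIdentityPool) and check Azure Policy for blocked extensions'
                                 } else { $null }
    }
}

function Get-LocalAzureAdJoinStatus {
    # dsregcmd prints "Key : Value" lines, e.g. "AzureAdJoined : YES"; collect them.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    $joined = $status['AzureAdJoined'] -eq 'YES'

    # Error-level events from the last 24 hours in the User Device Registration
    # channel (log name assumed from the event viewer path in the list above).
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        AzureAdJoined = $joined
        TenantId      = $status['TenantId']
        RecentErrors  = @($events | Select-Object TimeCreated, Id, Message)
        ExtensionLog  = 'C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows'
    }
}

# Usage (placeholders):
# Get-AzureAdJoinPrereq -ResourceGroupName 'azuread-rg' -VMName 'AzureAD-VM-01'
# Get-LocalAzureAdJoinStatus | Format-List
```

Work through the results in the order of the list above: no managed identity or no extension points back at the identity pool or Azure Policy, an extension stuck in a failed provisioning state points at the plugin log folder, and a present extension with AzureAdJoined still NO is where the dsregcmd debug output and the User Device Registration events become useful.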
