Product documentation
Citrix DaaS™
View PDF

Identity pool of Microsoft Entra joined machine identity

September 6, 2025
Contributed by: 
C

This article describes how to create identity pool of Microsoft Entra joined machine identity using Citrix DaaS.

For information on requirements, limitations, and considerations, see Microsoft Entra joined.

Before you create the machine catalog, you need the following:

  1. New resource location
    • Navigate to the Citrix Cloud™ admin UI > upper left hamburger menu > Resource Locations.
    • Click + Resource Location.
    • Enter a name for the new resource location and click Save.
  2. Create a hosting connection. See Create and manage connections section for details. When deploying machines on Azure, see Connection to Azure Resource Manager.

You can create Microsoft Entra joined catalogs by using Studio or PowerShell.

Use Studio

The following information is a supplement to the guidance in Create machine catalogs. To create Microsoft Entra joined catalogs, follow the general guidance in that article, minding the details specific to Microsoft Entra joined catalogs.

In the catalog creation wizard:

  1. On the Image page:
    • Select 2106 or later as the functional level.
    • Select Use a machine profile and select the appropriate machine from the list.

  2. On the Machine Identities page:

    • Select Microsoft Entra joined. The created machines are owned by an organization and are signed into with a Microsoft Entra account that belongs to that organization. They exist only in the cloud.

      Note:

      • The Microsoft Entra joined identity type requires version 2106 or later as the minimum functional level for the catalog.
      • The machines are joined to the Microsoft Entra domain associated with the tenant to which the hosting connection is bound.

    • Click Select service account and select an available service account from the list. If a suitable service account is not available for the Microsoft Entra tenant that the machine identities will join to, you can create a service account. For information on service account, see Microsoft Entra service accounts.

      Note:

      The service account that you selected might be in an unhealthy status due to various reasons. You can go to Administrators > Service Accounts to view details and fix the issues according to the recommendations. Alternatively, you can proceed with the machine catalog operation and fix the issues later. If you do not fix the issue, stale Microsoft Entra joined or Microsoft Intune enrolled devices are generated that can block Microsoft Entra join of the machines.

  3. Users must be granted explicit access in Azure to log into the machines using their Microsoft Entra credentials. See Microsoft Entra joined section for more details.

Modify the service account association

To change the associated service account or add an association to an existing MCS machine catalog, use the Edit Machine Catalog page.

  • To add a service account, click Select service account on the Service Account page.
  • To change the service account association, click the edit icon on the Service Account page.

Use PowerShell

The following are PowerShell steps equivalent to operations in Studio.

The difference between on-premises AD joined catalogs and Microsoft Entra joined ones lies in the creation of the identity pool and the provisioning scheme.

You must associate a Microsoft Entra service account with the identity pool, and then create the machine catalog. You can either create a new identity pool or update an existing identity pool to associate it with a service account.

For example: To create a new identity pool and associate it with a service account, run the following:

New-AcctIdentityPool -IdentityType AzureAD -IdentityPoolName MyPool -NamingScheme Acc#### -NamingSchemeType Numeric -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->

For example: To update an existing identity pool to associate it with a service account, run the following:

$identityPoolUid = (Get-ProvScheme -ProvisioningSchemeName "MyProvScheme").IdentityPoolUid
Set-AcctIdentityPool -IdentityPoolUid $identityPoolUid -ServiceAccountUid $serviceAccountUid
<!--NeedCopy-->

Note:

The $serviceAccountUid must be a must be a valid UID of a Microsoft Entra service account.

To create a provisioning scheme for Microsoft Entra joined catalogs, the MachineProfile parameter is required in New-ProvScheme. For example:

New-ProvScheme -CustomProperties "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`"><Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" /><Property xsi:type=`"StringProperty`" Name=`"StorageType`" Value=`"StandardSSD_LRS`" /><Property xsi:type=`"StringProperty`" Name=`"LicenseType`" Value=`"Windows_Server`" /></CustomProperties>" -HostingUnitName "AzureResource" -IdentityPoolName "AzureADJoinedCatalog" -InitialBatchSizeHint 1 -MachineProfile "XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\MasterVDA.vm" -MasterImageVM "XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\azuread-small_OsDisk_1_5fb42fadf7ff460bb301ee0d56ea30da.manageddisk" -NetworkMapping @{"0"="XDHyp:\HostingUnits\AzureResource\virtualprivatecloud.folder\East US.region\virtualprivatecloud.folder\azuread-rg.resourcegroup\azuread-vnet.virtualprivatecloud\Test_VNET.network"} -ProvisioningSchemeName "AzureADJoinedCatalog" -RunAsynchronously -Scope @() -SecurityGroup @() -ServiceOffering "XDHyp:\HostingUnits\AzureResource\serviceoffering.folder\Standard_DS1_v2.serviceoffering"
<!--NeedCopy-->

To create a Microsoft Entra catalog using a prepared image. For Example:

New-ProvScheme -ProvisioningSchemeName <name> -ImageVersionSpecUid <preparedVersionSpecUid> -HostingUnitUid <hostingUnitUid> -IdentityPoolUid <IdentityPoolUid> [-CleanOnBoot] -NetworkMapping @{"0"="XDHyp:\HostingUnits\<hostingunitName>\<region>.region\virtualprivatecloud.folder\<resourcegroupName>.resourcegroup\<vnetName>.virtualprivatecloud\<sunNetName>.network"} -ServiceOffering <serviceofferingPath> [-MachineProfile <machineProfilePath>] [-CustomProperties <>]
<!--NeedCopy-->

View the status of the Microsoft Entra join process

In Studio, the status of the Microsoft Entra join process is visible when Microsoft Entra joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:

  • Microsoft Entra joined
  • Not yet joined to Microsoft Entra ID

Note:

If the machines fail to be in Microsoft Entra joined state, they do not register with the Delivery Controller. Their registration status appears as Initialization.

Also, using Studio, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.

Delivery Group

See Create delivery groups section for details.

Enable Rendezvous

Once the delivery group has been created, you can enable Rendezvous. See Rendezvous V2 for details.

Troubleshoot

If machines fail to be Microsoft Entra joined, do the following:

  • Check if the system assigned managed identity is enabled for the machines. MCS-provisioned machines must have this enabled automatically. The Microsoft Entra join process fails without a system-assigned managed identity. If the system assigned managed identity is not enabled for MCS-provisioned machines, then the possible reason is:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to AzureAD. You can verify this by running Get-AcctIdentityPool.

  • For catalogs that use master images with VDA version 2206 or earlier, check the provisioning status of the AADLoginForWindows extension for the machines. If the AADLoginForWindows extension does not exist, possible reasons are:

    • IdentityType of the identity pool associated with the provisioning scheme is not set to AzureAD. You can verify this by running Get-AcctIdentityPool.

    • The AADLoginForWindows extension installation is blocked by Azure policy.

  • To troubleshoot AADLoginForWindows extension provisioning failures, you can check logs under C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.ActiveDirectory.AADLoginForWindows on the MCS-provisioned machine.

    Note:

    MCS does not rely on the AADLoginForWindows extension to join a VM to Microsoft Entra ID when using a master image with VDA version 2209 or later. In this case, the AADLoginForWindows extension will not be installed on the MCS-provisioned machine. Therefore, AADLoginForWindows extension provisioning logs can’t be collected.

  • Check the Microsoft Entra join status and debug logs by running dsregcmd /status command on the MCS-provisioned machine.

  • Check Windows event logs under Application and Services Logs > Microsoft > Windows > User Device Registration.

  • Check if Microsoft Entra device management is correctly configured by running Get-Item -LiteralPath XDHyp:\Connections\${HostingConnectionName}.

    Ensure that the value of:

    • AzureAdDeviceManagement property in CustomProperties is true
    • Citrix_MCS_AzureAdDeviceManagement_PermissionGranted property in metadata is true

    If Citrix_MCS_AzureAdDeviceManagement_PermissionGranted is false, it indicates that the ServicePrincipal of the application used by the hosting connection is not granted with sufficient permissions to perform Microsoft Entra device management. To resolve this, assign the ServicePrincipal with the Cloud Device Administrator role.

Microsoft Entra dynamic security groups

Dynamic group rules place the VMs in the catalog to a dynamic security group based on the naming scheme of the machine catalog.

If the naming scheme of the machine catalog is Test### (where, # means number), Citrix® creates the dynamic membership rule ^Test[0-9]{3}$ in the dynamic security group. Now, if the name of the VM created by Citrix is anything from Test001 to Test999, then the VM is included in the dynamic security group.

Note:

If the name of the VM created by you manually is anything from Test001 to Test999, then also the VM is included in the dynamic security group. This is one of the limitations of the dynamic security group.

The dynamic security group feature is useful when you want to manage the VMs by Microsoft Entra ID. This is also useful when you want to apply Conditional Access policies or distribute apps from Intune by filtering the VMs with Microsoft Entra dynamic security group.

You can use PowerShell commands to:

  • Create a machine catalog with Microsoft Entra dynamic security group
  • Enable security group feature for a Microsoft Entra catalog
  • Delete a machine catalog with Microsoft Entra joined device security group

Important:

Create a machine catalog with Microsoft Entra dynamic security group

  1. In the machine catalog setup the user interface of the web-based console, on the Machine Identities page, select Microsoft Entra joined.
  2. Log in to Microsoft Entra ID.
  3. Get the access token to the MS Graph API. Use this access token as a value of $AzureADAccessToken parameter when you run the PowerShell commands. You don’t need a Microsoft Entra access token if you use a Microsoft Entra service account.

  4. Run the following command to verify if the dynamic security group name exists in the tenant.

    Get-AcctAzureADSecurityGroup
–AccessToken  $AzureADAccessToken
–Name "SecurityGroupName"
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup -ServiceAccountUid <service account uid> –Name "SecurityGroupName"
<!--NeedCopy-->

  5. Create a machine catalog using the Tenant ID, access token, and dynamic security group. Run the following command to create an IdentityPool with IdentityType=AzureAD and create a dynamic security group in Azure.

    New-AcctIdentityPool
-AllowUnicode
-IdentityPoolName "SecurityGroupCatalog"
-NamingScheme "SG-VM-###"
-NamingSchemeType "Numeric" -Scope @()
-ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"
-WorkgroupMachine
-IdentityType "AzureAD"
-DeviceManagementType "None"
-AzureADTenantId  620387bb-9167-4bdd-8435-e3dccc58369e
-AzureADSecurityGroupName "SecurityGroupName"
-AzureADAccessToken $AzureADAccessToken
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    New-AcctIdentityPool  -AllowUnicode -AzureADSecurityGroupName "<security group name>" -AzureADTenantId "<Azure tenant id>" -DeviceManagementType "Intune" -IdentityPoolName "dynamic security group test" -IdentityType "AzureAD"  -NamingScheme "<naming scheme>" -NamingSchemeType "Numeric" -Scope @() -ServiceAccountUid @("<service account uid>") -StartCount 1 -WorkgroupMachine -ZoneUid "<Zone UID>"
<!--NeedCopy-->

Enable security group feature for a Microsoft Entra catalog

You can enable the dynamic security feature for a Microsoft Entra catalog that was created without the dynamic security group feature enabled. To do this:

  1. Manually create a new dynamic security group. You can also reuse an existing dynamic security group.

  2. Log in to Microsoft Entra ID, and get the access token to the MS Graph API. Use this access token as a value of $AzureADAccessToken parameter when you run the PowerShell commands.

    Note:

  3. Run the following command to connect the identity pool to the created Microsoft Entra dynamic security group.

    Set-AcctIdentityPool
-IdentityPoolName "SecurityGroupCatalog"
-AzureADTenantId 620387bb-9167-4bdd-8435-e3dccc58369e
-AzureADSecurityGroupNam "ExistingSecurityGroupName"
-AzureADAccessToken $AzureADAccessToken
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Set-AcctIdentityPool
-IdentityPoolName "SecurityGroupCatalog"
-AzureADTenantId 620387bb-9167-4bdd-8435-e3dccc58369e
-AzureADSecurityGroupNam "ExistingSecurityGroupName"
-ServiceAccountUid @("<service account uid>") -StartCount 1 -WorkgroupMachine -ZoneUid "<Zone UID>"
<!--NeedCopy-->

If you update the naming scheme, Citrix updates the naming scheme to a new membership rule. If you delete the catalog, the membership rule gets deleted, and not the security group.

Delete a machine catalog with Microsoft Entra joined device security group

When you delete a machine catalog, the Microsoft Entra joined device security group is also deleted.

To delete the Microsoft Entra dynamic security group, do the following:

  1. Log in to Microsoft Entra ID.
  2. Get the access token to the MS Graph API. Use this access token as value of $AzureADAccessToken parameter when you run the PowerShell commands. You don’t need a Microsoft Entra access token if you use a Microsoft Entra service account.

  3. Run the following command:

    Remove-AcctIdentityPool
-IdentityPoolName "SecurityGroupCatalog"
-AzureADAccessToken $AzureADAccessToken
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Remove-AcctIdentityPool
-IdentityPoolName "SecurityGroupCatalog"
-ServiceAccountUid @("<service account uid>") -StartCount 1 -WorkgroupMachine -ZoneUid "<Zone UID>"
<!--NeedCopy-->

Create a Microsoft Entra dynamic security group under an existing Microsoft Entra ID assigned security group

You can create a Microsoft Entra dynamic security group under an existing Microsoft Entra ID assigned security group. You can do the following:

  • Get security group information.
  • Get all Microsoft Entra ID assigned security groups that are synced from on-premises AD server or the assigned security groups to which Microsoft Entra roles can be assigned.
  • Get all Microsoft Entra dynamic security groups.
  • Add the Microsoft Entra dynamic security group as a member of the Microsoft Entra ID assigned group.
  • Remove the membership between Microsoft Entra dynamic security group and Microsoft Entra ID assigned security group when Microsoft Entra dynamic security group is deleted along with the machine catalog.

You can also see explicit error messages when any of the operations fail.

Requirement:

You must have the access token to the MS Graph API when you run the PowerShell commands. You don’t need a Microsoft Entra access token if you use a Microsoft Entra service account. Therefore, instead of -AccessToken <token>, use ServiceAccountUid <service account uid>.

To get the access token:

  1. Open Microsoft graph explorer and log in to Microsoft Entra ID.
  2. Make sure that you have consent to Group.ReadWrite.All and GroupMember.ReadWrite.All permissions.
  3. Get access token from Microsoft graph explorer. Use this access token when you run the PowerShell commands.

To get security group information by group id:

  1. Get the access token.
  2. Find group object id from the Azure portal.

  3. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroup
-AccessToken <token> -GroupId <GroupUid>
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup -ServiceAccountUid <guid> -GroupId <GroupUid>
<!--NeedCopy-->

To get security groups by group display the name:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroup
-AccessToken <token>
-Name <TargetGroupDisplayName>
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup
-ServiceAccountUid <guid>
-Name <TargetGroupDisplayName>
<!--NeedCopy-->

To get security groups whose display the name contains a substring:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroup
-AccessToken <token>
-SearchString <displayNameSubString>
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup
-ServiceAccountUid <guid>
-SearchString <displayNameSubString>
<!--NeedCopy-->

To get all Microsoft Entra ID assigned security groups that are synced from on-premises AD server or the assigned security groups to which Microsoft Entra roles can be assigned:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroup
-AccessToken <token>
-Assigned true
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup
-ServiceAccountUid <guid>
-Assigned true
<!--NeedCopy-->

To get all Microsoft Entra dynamic security groups:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroup
-AccessToken <token>
-Dynamic true
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup
-ServiceAccountUid <guid>
-Dynamic true
<!--NeedCopy-->

To get Microsoft Entra ID assigned security groups with maximum record count:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroup
-AccessToken <token>
-Assigned true
-MaxRecordCount 10
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroup
-ServiceAccountUid <guid>
-Assigned true
-MaxRecordCount 10
<!--NeedCopy-->

To add Microsoft Entra dynamic security group as a member of Microsoft Entra ID assigned security group:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Add-AcctAzureADSecurityGroupMember
-AccessToken <token>
-GroupId <ASG-Id>
-RefGroupId <DSG-Id>
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Add-AcctAzureADSecurityGroupMember
-ServiceAccountUid <guid>
-GroupId <ASG-Id>
-RefGroupId <DSG-Id>
<!--NeedCopy-->

To get Microsoft Entra ID assigned security group members:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Get-AcctAzureADSecurityGroupMember
-AccessToken <token>
-GroupId <ASG-Id>
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Get-AcctAzureADSecurityGroupMember
-ServiceAccountUid <guid>
-GroupId <ASG-Id>
<!--NeedCopy-->

    Note:

    Get-AcctAzureADSecurityGroupMember provides you only the direct members of the security group type under Microsoft Entra ID assigned security group.

To remove the membership between Microsoft Entra dynamic security group and Microsoft Entra ID assigned security group when Microsoft Entra dynamic security group is deleted along with machine catalog:

  1. Get the access token.

  2. Run the following PowerShell command in the PowerShell console:

    Remove-AcctIdentityPool
-IdentityPoolName "SecurityGroupCatalog"
-AzureADAccessToken $AzureADAccessToken
<!--NeedCopy-->

    Or, run the following if you are using a Microsoft Entra service account:

    Remove-AcctIdentityPool
-ServiceAccountUid <guid>
-IdentityPoolName "SecurityGroupCatalog"
<!--NeedCopy-->

Modify Microsoft Entra dynamic security group name

You can modify the Microsoft Entra dynamic security group name associated with a machine catalog. This modification makes the security group information stored in the Microsoft Entra identity pool object to be consistent with the information stored in the Azure portal.

Note:

The Microsoft Entra dynamic security groups do not include security groups synced from on-premises AD and other group types like Office 365 group.

You can modify the Microsoft Entra dynamic security group name using Studio and PowerShell commands.

To modify the Microsoft Entra dynamic security group name using PowerShell:

  1. Open the PowerShell window.
  2. Run asnp citrix* to load the Citrix-specific PowerShell modules.
  3. Run the command Set-AcctIdentityPool -AzureAdSeurityGroupName [DSG-Name].

You get appropriate error messages if the Microsoft Entra dynamic security group name cannot be modified.

More information

Identity pool of Microsoft Entra joined machine identity
September 6, 2025
Contributed by: 
C
September 6, 2025
Contributed by: 
C

In this article

Site feedback | Your privacy choices footer linkYour Privacy Choices | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.