Citrix DaaS

Azure Active Directory joined

Note:

This feature is being rolled out in phases. It might not yet be activated for your account.

This article describes how to create Azure Active Directory (AD) joined catalogs using Citrix DaaS.

Requirements

  • Control plane: Citrix DaaS

  • VDA type: Single-session or multi-session OS VDA

  • VDA version: 2203 or later

  • Provisioning type: Machine Creation Services (MCS) Persistent and Non-persistent using the Machine Profile workflow only

  • Assignment type: Dedicated and pooled

  • Hosting platform: Azure only

  • Master VMs must not be joined to Azure AD

  • Rendezvous V2 can be enabled so Citrix Cloud Connectors are not required. To enable Rendezvous, you must add a registry setting. For more information on how to add it, see VDA installation and configuration.

Limitations

  • Supports only Microsoft Azure Resource Manager cloud environments.

  • Single sign-on to virtual desktops is not supported. Users must manually enter credentials when signing in to their desktops.

  • The first time a virtual desktop session is launched, the Windows sign-in screen shows the logon prompt for the last logged on user without the option to switch to another user. The user must wait until the logon times out and the desktop’s lock screen appears, and then click the lock screen to reveal the logon screen once again. At this point, the user is able to select Other Users and enter their credentials.

  • Signing in with Windows Hello to virtual desktops is not supported. If users try to use a Windows Hello PIN to sign in, they receive an error message that they are not the brokered user and the session was disconnected.

  • Service continuity is not supported.

Considerations

  • Master VMs must not be joined to Azure AD.

  • Windows Hello is not supported. Therefore, disable Windows Hello in the master VMs, using one of the following two methods:

    • Using the local group policy in the master VMs.

      • Run gpedit.msc.
      • Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business.
      • Set Use Windows Hello for Business to Disabled or Enabled.
      • Select Do not start Windows Hello provisioning after sign-in.
    • Using Microsoft Intune (persistent machines only).

      • Create a device profile that disables Windows Hello for Business. Refer to the Microsoft documentation for details.
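For a scripted master VM build, the following added example (not from the Citrix article) applies the two local Group Policy settings above through the registry and verifies the result. It assumes those settings map to the Enabled and DisablePostLogonProvisioning values under the PassportForWork policy key; confirm the mapping against your ADMX templates before relying on it.

```powershell
# Added example, not Citrix's code: registry equivalent of the gpedit.msc steps
# for disabling Windows Hello for Business in a master VM.
# Assumption: "Use Windows Hello for Business" maps to Enabled (DWORD) and
# "Do not start Windows Hello provisioning after sign-in" maps to
# DisablePostLogonProvisioning (DWORD) under this policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'

function Disable-WindowsHelloForBusiness {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # "Use Windows Hello for Business" = Disabled
    Set-ItemProperty -Path $policyKey -Name 'Enabled' -Value 0 -Type DWord
    # "Do not start Windows Hello provisioning after sign-in" = selected
    Set-ItemProperty -Path $policyKey -Name 'DisablePostLogonProvisioning' -Value 1 -Type DWord
}

function Test-WindowsHelloDisabled {
    # Returns $true only when both values are present with the expected data
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.Enabled -eq 0) -and ($p.DisablePostLogonProvisioning -eq 1)
}

Disable-WindowsHelloForBusiness
if (-not (Test-WindowsHelloDisabled)) {
    throw 'Windows Hello for Business policy was not applied on this master VM'
}
```

Run it elevated on the master VM before taking the image; the check function can also be reused as a pre-snapshot validation step.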

Create Azure AD joined catalogs

You can create Azure AD joined catalogs by using the Full Configuration interface or PowerShell.

Use the Full Configuration interface

The following information is a supplement to the guidance in Create machine catalogs. To create Azure AD joined catalogs, follow the general guidance in that article, minding the details specific to Azure AD joined catalogs.

In the catalog creation wizard:

  • On the Machine Identities page, select Azure Active Directory joined. The created machines are owned by an organization and are signed into with an Azure AD account that belongs to that organization. They exist only in the cloud.

Note:

  • The Azure Active Directory joined identity type requires version 1811 or later of the VDA as the minimum functional level for the catalog. To make it available, update the minimum functional level if necessary.
  • The machines are joined to the Azure AD to which the hosting connection is bound.

Use PowerShell

The following are PowerShell steps equivalent to operations in Full Configuration. For information on how to create a catalog using the Remote PowerShell SDK, see https://developer-docs.citrix.com/projects/citrix-virtual-apps-desktops-sdk/en/latest/creating-a-catalog/.

The difference between on-premises AD joined catalogs and Azure AD joined ones lies in the creation of the identity pool and the provisioning scheme.

To create an identity pool for Azure AD joined catalogs:

New-AcctIdentityPool -AllowUnicode -IdentityType "AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"

To create a provisioning scheme for Azure AD joined catalogs, the MachineProfile parameter is required in New-ProvScheme:

New-ProvScheme -CustomProperties "<CustomProperties xmlns=`"http://schemas.citrix.com/2014/xd/machinecreation`" xmlns:xsi=`"http://www.w3.org/2001/XMLSchema-instance`"><Property xsi:type=`"StringProperty`" Name=`"UseManagedDisks`" Value=`"true`" /><Property xsi:type=`"StringProperty`" Name=`"StorageType`" Value=`"StandardSSD_LRS`" /><Property xsi:type=`"StringProperty`" Name=`"LicenseType`" Value=`"Windows_Server`" /></CustomProperties>" `
  -HostingUnitName "AzureResource" `
  -IdentityPoolName "AzureADJoinedCatalog" `
  -InitialBatchSizeHint 1 `
  -MachineProfile "XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\MasterVDA.vm" `
  -MasterImageVM "XDHyp:\HostingUnits\AzureResource\image.folder\azuread-rg.resourcegroup\azuread-small_OsDisk_1_5fb42fadf7ff460bb301ee0d56ea30da.manageddisk" `
  -NetworkMapping @{"0"="XDHyp:\HostingUnits\AzureResource\virtualprivatecloud.folder\East US.region\virtualprivatecloud.folder\azuread-rg.resourcegroup\azuread-vnet.virtualprivatecloud\Test_VNET.network"} `
  -ProvisioningSchemeName "AzureADJoinedCatalog" `
  -RunAsynchronously `
  -Scope @() `
  -SecurityGroup @() `
  -ServiceOffering "XDHyp:\HostingUnits\AzureResource\serviceoffering.folder\Standard_DS1_v2.serviceoffering"

All other commands used to create Azure AD joined catalogs are the same as for traditional on-premises AD joined catalogs.

View the status of the Azure AD join process

In the Full Configuration interface, the status of the Azure AD join process is visible when Azure AD joined machines in a delivery group are in a powered-on state. To view the status, use Search to identify those machines and then for each check Machine Identity on the Details tab in the lower pane. The following information can appear in Machine Identity:

  • Azure AD joined
  • Not yet joined to Azure AD

Note:

If the machines fail to reach the Azure AD joined state, they do not register with the Delivery Controller. Their registration status appears as Initialization.

Also, using the Full Configuration interface, you can learn why machines are unavailable. To do that, click a machine on the Search node, check Registration on the Details tab in the lower pane, and then read the tooltip for additional information.

Enable user login with Azure AD accounts

Machines or delivery groups must be assigned to specific Azure AD accounts. This can be done using the Full Configuration interface (using the Select identity type field when assigning users) or the Citrix Cloud Library page.

To enable users to sign in to the machines with their Azure AD credentials, add the role assignment at the resource group level:

  1. Sign in to the Azure portal.

  2. Select Resource Groups.

  3. Click the resource group where the virtual desktop workloads reside.

  4. Select Access control (IAM).

  5. Click Add role assignment.

  6. Search for Virtual Machine User Login, select it in the list, and click Next.

  7. Select User, group, or service principal.

  8. Click Select members and select the users and groups you want to grant access to the virtual desktops.

  9. Click Select.

  10. Click Review + assign.

  11. Click Review + assign again.

Note:

If you choose to let MCS create the resource group for the virtual desktops, add this role assignment after machine catalog creation.
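The portal steps above can also be performed with the Az PowerShell module. The following is an added example (not from the Citrix article) that grants Virtual Machine User Login at resource group scope to an Azure AD group and then lists who holds that role; the resource group name and the group display name are placeholders.

```powershell
# Added example, not Citrix's code: Az PowerShell equivalent of the portal
# role-assignment steps. Placeholder values: resource group and group name.
$resourceGroup = 'azuread-rg'                  # resource group holding the virtual desktop VMs
$groupName     = 'VDI-Users'                   # constructed Azure AD group name
$role          = 'Virtual Machine User Login'  # standard sign-in; not Virtual Machine Administrator Login

Connect-AzAccount | Out-Null

# Assign to a group rather than to individual users so membership, not RBAC, changes over time
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Azure AD group '$groupName' not found" }

# Only create the assignment if it does not already exist, so the script can be re-run safely
$existing = Get-AzRoleAssignment -ObjectId $group.Id -ResourceGroupName $resourceGroup -RoleDefinitionName $role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -ResourceGroupName $resourceGroup | Out-Null
}

# Review every principal allowed to sign in to VMs in this resource group
Get-AzRoleAssignment -ResourceGroupName $resourceGroup -RoleDefinitionName $role |
    Select-Object DisplayName, ObjectType, Scope
```

If MCS creates the resource group during catalog creation, run this only after the catalog exists, as the note above states.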

Microsoft Intune

Note:

This feature applies only to Azure AD joined persistent machines. The machines must meet the minimum system requirements. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers#microsoft.

You can use Citrix DaaS to enable Microsoft Intune enrollment. Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. For more information, see Microsoft Intune.

Microsoft Intune works by using the functionality of Azure AD.

Important:

Before enabling this feature, verify that your Azure environment meets licensing requirements to use Microsoft Intune. For more information, see the Microsoft documentation: https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses. Do not enable the feature if you do not have the appropriate Intune license.

Enable Microsoft Intune

You can enable Microsoft Intune by using the Full Configuration interface or PowerShell.

Use the Full Configuration interface

The following information is a supplement to the guidance in Create machine catalogs. This feature requires the selection of Azure Active Directory joined in Machine Identities during catalog creation. Follow the general guidance in that article, minding the details specific to this feature.

In the catalog creation wizard:

  • On the Machine Identities page, select Azure Active Directory joined and then Enroll the machines in Microsoft Intune. When this option is enabled, the machines are enrolled in Microsoft Intune for management.

Use PowerShell

The following are PowerShell steps equivalent to operations in Full Configuration.

To enroll machines in Microsoft Intune using the Remote PowerShell SDK, use the DeviceManagementType parameter in New-AcctIdentityPool. This feature requires that the catalog is Azure AD joined and that Azure AD possesses the correct Microsoft Intune license. For example:

New-AcctIdentityPool -AllowUnicode -DeviceManagementType "Intune" -IdentityType "AzureAD" -WorkgroupMachine -IdentityPoolName "AzureADJoinedCatalog" -NamingScheme "AzureAD-VM-##" -NamingSchemeType "Numeric" -Scope @() -ZoneUid "81291221-d2f2-49d2-ab12-bae5bbd0df05"

Tip:

This feature is implemented using the Azure Resource Manager template. In the template, specify the application ID of Microsoft Intune in the AADLoginForWindows extension to enable Azure AD joined VMs to enroll.
