Azure subscriptions

Important:

Citrix Managed Desktops is now Citrix Virtual Apps and Desktops Standard for Azure. Although this earlier documentation will remain published for a short time, it will not be updated. We recommend using the Citrix Virtual Apps and Desktops Standard for Azure product documentation.

Introduction

You can create catalogs and build or import master images in either in a Citrix-managed Azure subscription or your own Azure subscription.

  • To use your own Azure subscriptions, you first add one or more of your Azure subscriptions to Citrix Managed Desktops. That action enables the service to access the subscription.

    Then, when you create a catalog or build/import a master image, choose the subscription you want to use.

  • Using a Citrix-managed subscription requires no subscription configuration.

    • If you have a Citrix-managed subscription, and haven’t added any of your own Azure subscriptions to the service, the Citrix-managed subscription is used automatically.

    • If you have a Citrix-managed subscription, and have added your own Azure subscriptions to the service, the Citrix-managed subscription is always a choice.

Some service features differ, depending on whether the machines are in a Citrix-managed Azure subscription or in your own Azure subscription.

Citrix-managed subscription Your own Azure subscription
Supports domain-joined or non-domain-joined machines. Supports only domain-joined machines.
Supports quick create and custom create catalogs. Supports only custom create catalogs.
Always available (and is the default subscription selection) when creating catalogs and master images. Must add the Azure subscription to the service before creating a catalog.
For user authentication, supports Citrix Managed Azure Active Directory or your own Active Directory. Can connect your own Active Directory and Azure Active Directory.
Network connection options include No connectivity. Network connection options include only your own virtual networks.
When using Azure VNet peering to connect to your resources, you must create a VNet peer connection in the service. Select an existing virtual network.
When importing an image from Azure, you specify the image’s URI. When importing an image, you can select a VHD or browse storage in the Azure subscription.
Can create a bastion machine in customer Azure subscription to troubleshoot machines. No need to create a bastion machine because you can already access the machines in your subscription.

View subscriptions

To view subscription details, from the Manage dashboard, expand Cloud Subscriptions on the right. Then click a subscription entry.

  • The Details page includes the number of machines, plus the numbers and names of catalogs and images in the subscription.
  • The Resource Locations page lists the resource locations where the subscription is used.

Add customer-managed Azure subscriptions

To use a customer-managed Azure subscription, you must add it to Citrix Managed Desktops before creating a catalog or master image that uses that subscription. You have two options when adding your Azure subscriptions:

  • If you are a Global Administrator for the directory and have contributor privileges for the subscription: Simply authenticate to your Azure account.
  • If you are not a Global Administrator and have contributor privileges on the subscription: Before adding the subscription to the service, create an Azure app in your Azure AD and then add that app as a contributor of the subscription. When you add that subscription to the service, you provide relevant app information.

Add customer-managed Azure subscriptions if you’re a Global Administrator

This task requires Global Administrator privileges for the directory, and contributor privileges for the subscription.

  1. From the Manage dashboard, expand Cloud Subscriptions on the right.
  2. Click Add Azure subscription.
  3. On the Add Subscriptions page, click Add your Azure subscription.
  4. Select Allow Citrix Managed Desktops to access my Azure subscriptions on my behalf.
  5. Click Authenticate Azure Account. You’re taken to the Azure sign-in page.
  6. Enter your Azure credentials.
  7. You’re returned automatically to the service. The Add Subscription page lists the discovered Azure subscriptions. Use the search box to filter the list, if needed. Select one or more subscriptions. When you’re done, click Add Subscriptions.
  8. Confirm that you want to add the selected subscriptions.

After the subscription addition completes, the Azure subscriptions you selected are listed when you expand Subscriptions. Added subscriptions are available for selection when creating a catalog or master image.

Add customer-managed Azure subscriptions if you’re not a Global Administrator

Adding an Azure subscription when you’re not a global admin is a two-part process:

Create an app in Azure AD and add it as a contributor

  1. Register a new application in Azure AD:

    1. From a browser, navigate to https://portal.azure.com.
    2. In the upper left menu, select Azure Active Directory.
    3. In the Manage list, click App registrations.
    4. Click + New registration.
    5. On the Register an application page, provide the following information:

      • Name: Enter the connection name
      • Application type: Select Web app / API
      • Redirect URI: leave blank
    6. Click Create.
  2. Create the application’s secret access key and add the role assignment:

    1. From the previous procedure, select App Registration to view details.
    2. Make a note of the Application ID and Directory ID. You’ll use this later when adding your subscription to the service.
    3. Under Manage, select Certificates & secrets.
    4. On the Client secrets page, select + New client secret.
    5. On the Add a client secret page, provide a description and select an expiration interval. Then click Add.
    6. Make a note of the client secret value. You’ll use this later when adding your subscription to the service.
    7. Select the Azure subscription you want to link (add) to the service, and then click Access control (IAM).
    8. In the Add a role assignment box, click Add.
    9. On the Add role assignment tab, select the following:

      • Role: Contributor
      • Assign access to: Azure AD user, group, or service principal
      • Select: The name of the Azure app you created earlier.
    10. Click Save.

Add your subscription to the service

You’ll need the application ID, directory ID, and client secret value from the app you created in Azure AD.

  1. From the Manage dashboard in the service, expand Cloud Subscriptions on the right.
  2. Click Add Azure subscription.
  3. On the Add Subscriptions page, click Add your Azure subscriptions.
  4. Select I have an Azure App with contributor role to the subscription.
  5. Enter the tenant ID (directory ID), client ID (application ID), and client secret for the app you created in Azure.
  6. Click Select your subscription and then select the subscription you want.

Later, from the subscription’s Details page in the service dashboard, you can update the client secret or replace the Azure app from the ellipsis menu.

Add Citrix-managed Azure subscriptions

A Citrix-managed Azure subscription supports up to 1,000 machines. (In this context, machines refers to VMs that have a Citrix VDA installed. These machines deliver apps and desktops to users. It does not include other machines, such as Cloud Connectors, in a resource location.)

If your subscription is likely to reach its limit soon, and you have enough Citrix licenses, you can request another Citrix-managed Azure subscription. The dashboard contains a notification when you’re close to the limit.

You can’t create a catalog (or add machines to a catalog) if the total number of machines for all catalogs that use that Citrix-managed subscription would exceed 1,000.

For example:

  • Let’s say you have two catalogs (Cat1 and Cat2). Both catalogs use the same Citrix-managed subscription. Cat1 currently contains 500 machines, and Cat2 has 250.

  • As you plan for future capacity needs, you add 200 machines to Cat2. The Citrix-managed subscription now supports 950 machines (500 in Cat 1 and 450 in Cat 2). The dashboard indicates that the subscription is near its limit.

  • When you need 75 more machines, you can’t create a catalog with 75 machines (or add 75 machines to an existing catalog), using that subscription. That would exceed the subscription limit. Instead, you request another Citrix-managed subscription. Then, you create a catalog using that subscription.

When you have more than one Citrix-managed Azure subscription:

  • Nothing is shared between those subscriptions.
  • Each subscription has a unique name.
  • You can choose among the Citrix-managed subscriptions (and any customer-managed Azure subscriptions that you’ve added) when:

    • Creating a catalog.
    • Building or importing a master image.
    • Creating a VNet peering or SD-WAN connection.

Requirement:

  • You must have enough Citrix licenses to warrant adding another Citrix-managed subscription. For example, if you have 1,200 Citrix licenses in anticipation of deploying at least 1,100 machines through Citrix-managed subscriptions, you can add another Citrix-managed subscription.

To add a Citrix-managed Azure subscription:

  1. Contact your Citrix representative to request another Citrix-managed Azure subscription. You are notified when you can proceed.
  2. From the Manage dashboard, expand Cloud Subscriptions on the right.
  3. Click Add Azure subscription.
  4. On the Add Subscriptions page, click Add a Citrix-managed Azure subscription.
  5. On the Add a Citrix-Managed Subscription page, click Add Subscription at the bottom of the page.

If you’re notified that an error occurred during creation of a Citrix-managed Azure subscription, contact Citrix Support.

Remove subscriptions

To remove a subscription, you must first delete all catalogs and master images that use it.

You cannot remove all Citrix-managed Azure subscriptions. At least one must remain.

  1. From the Manage dashboard, expand Cloud Subscriptions on the right.
  2. Click the subscription entry.
  3. On the Details tab, click Remove Subscription.
  4. Click Authenticate Azure Account. You’re taken to the Azure sign-in page.
  5. Enter your Azure credentials.
  6. You’re returned automatically to the service. Confirm the deletion in the check boxes and then click Yes, Delete Subscription.

Azure subscriptions