Design Decision: Azure Specific Considerations

Azure accounts are used for consolidated billing, but cannot contain Azure resources directly. Azure accounts contain one or more subscriptions. Subscriptions serve as security boundaries and they contain the actual Azure resources, such as virtual machines.

A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms or services. Charges accrue based on either a per-user license fee or on cloud-based resource consumption. Subscriptions can be used to further subdivide the costs or administrative access as required.

Management groups are used within Azure to efficiently manage access, policies, governance, and compliance across subscriptions. They are invaluable for operating multi-subscription tenants in Azure at scale. Each subscription automatically inherits the conditions, policies, and access of its parent management group.

Here are the questions that you need to answer about the Azure infrastructure:

How many Azure tenants do I need?

  • Use a single Azure tenant for the Citrix resources and the users and devices that access those resources

  • Use multiple tenants where multiple Azure Active Directories are required. Two examples are a Development/Test environment that needs a separate authentication directory, and an enterprise that has multiple on-premises AD directory services.

  • The Azure account owner must be associated with the same tenant where the subscriptions for the account are provisioned

  • Azure account owners are automatically subscription owners for all the subscriptions in the account

What Microsoft license models should I use?

  • Apply the Hybrid Use Benefit (HUB) of your current EA license if it includes Windows Server Software Assurance. HUB significantly reduces compute costs in the cloud. This licensing model can save you up to 40% of the hourly cost because you can use the base VM pricing for Windows Server or SQL Server instances in Azure.

  • If using the Microsoft Office suite, use per-user licenses that include the Windows 10 virtual desktop license, such as the E3/E5 subscriptions:

    • Microsoft 365 E3/E5: Includes Azure Virtual Desktop licenses and Microsoft Office licenses
    • Microsoft 365 Business Premium: Includes Azure Virtual Desktop licenses and Microsoft Office licenses
    • Windows 10 Enterprise E3/E5: Includes Azure Virtual Desktop licenses

How many Azure subscriptions will I need?

  • All subscriptions within the same management group must trust the same Azure Active Directory tenant

  • A subscription can be associated with only a single account at a time and must have an associated account owner

  • Subscriptions cannot share networks, but they can communicate through VNET peering and Azure ExpressRoute

  • Subscriptions are boundaries for Azure policies, management, governance, and administration, so plan subscriptions for business units that have separate administrative or billing requirements

  • Multiple subscriptions reduce the blast radius and exposure in case credentials are compromised

  • Plan to isolate development and test subscriptions from production subscriptions to provide extra performance, security, governance, and compliance

  • Some environments such as production and user acceptance testing or preproduction can be shared in a single subscription

  • Dedicating subscriptions to Citrix workloads simplifies administration and policy management

  • Citrix recommends limiting a subscription to 2,500 Virtual Delivery Agents (VDAs)

  • Use subscriptions as scale units and scale them out as needed to support the required resources

  • Microsoft sets limits on resources within a subscription and those limits must be considered when determining how many subscriptions are necessary to support the Citrix workloads

How many management groups will I need?

  • Subscriptions can belong to only one management group at a time

  • Management groups are associated with a single parent

  • Management groups can be up to six levels deep, and Microsoft recommends keeping the management group hierarchy as flat as possible

  • Management groups are used for policies, not for billing or line-of-business groups. Create management groups based on policy requirements such as instance types, firewall rules, logging, storage, encryption, RBAC model, and so forth

  • Limit the number of Azure policy assignments at the management group root, instead of placing them on the individual management groups

  • Citrix recommends creating a management group for Citrix workload subscriptions

  • Management groups are used for aggregating Azure Policies, so group subscriptions with similar policy requirements together under the same management group

  • Use resource tags that can be referenced by Azure policy
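The following script is an added example, not part of the original article or of any Citrix tooling. It applies the management-group guidance above with the Az PowerShell module: a dedicated management group for Citrix workload subscriptions is created under an existing parent, the subscriptions are moved into it, and a single Azure Policy assignment (the built-in "Require a tag on resources" definition) is placed at the management-group scope so every subscription inherits it. The group names, subscription IDs, parent group, and tag name are placeholders you must replace; the script assumes you have already run `Connect-AzAccount` with rights on the parent management group.

```powershell
# Added example (not from the original article): build the management-group layout
# the bullets above describe, using the Az.Resources cmdlets.
# All names, IDs and the tag name below are placeholders for your own tenant.

$parentGroupName    = 'corp-platform'      # placeholder: existing parent management group
$citrixGroupName    = 'citrix-workloads'   # placeholder: new management group for Citrix subscriptions
$citrixGroupDisplay = 'Citrix Workloads'
$citrixSubscriptionIds = @(                # placeholder subscription IDs to move under the new group
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)
$requiredTag = 'CitrixWorkload'            # placeholder: tag that Azure Policy will require

# 1. Create the management group once; re-running the script reuses the existing group.
$parent = Get-AzManagementGroup -GroupName $parentGroupName
$group  = Get-AzManagementGroup -GroupName $citrixGroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-AzManagementGroup -GroupName $citrixGroupName `
                                   -DisplayName $citrixGroupDisplay `
                                   -ParentId $parent.Id
}

# 2. Move each Citrix subscription under the group.
#    A subscription belongs to exactly one management group, so this is a move, not a copy.
foreach ($subId in $citrixSubscriptionIds) {
    New-AzManagementGroupSubscription -GroupName $citrixGroupName -SubscriptionId $subId
}

# 3. Assign one policy at management-group scope so every child subscription inherits it.
#    The built-in definition is looked up by display name instead of a hard-coded GUID.
#    Older Az.Resources versions expose the name under .Properties, newer ones flatten it.
$tagPolicy = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.DisplayName -eq 'Require a tag on resources' -or
                   $_.Properties.DisplayName -eq 'Require a tag on resources' } |
    Select-Object -First 1
if (-not $tagPolicy) { throw "Built-in policy 'Require a tag on resources' not found." }

# The built-in definition takes a single parameter named 'tagName'.
New-AzPolicyAssignment -Name 'require-citrix-tag' `
                       -DisplayName "Require tag '$requiredTag' on Citrix resources" `
                       -Scope $group.Id `
                       -PolicyDefinition $tagPolicy `
                       -PolicyParameterObject @{ tagName = $requiredTag }

# 4. Show the resulting hierarchy for review.
Get-AzManagementGroup -GroupName $citrixGroupName -Expand |
    Select-Object -ExpandProperty Children |
    Select-Object Type, Name, DisplayName
```

Run it once per tenant from an account that holds the Management Group Contributor role on the parent group; the `Get-` checks before each `New-` call make a second run safe. Because the policy is assigned to the management group rather than to each subscription, any Citrix subscription added later is covered automatically, which is the point of grouping subscriptions with similar policy requirements.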

For Citrix Cloud to connect to Azure and deploy machine catalogs there, a service principal account is required. That account needs the correct permissions to create, delete, and maintain Citrix resources in each subscription. The service principal account is created through an application registration within the Azure AD tenant. The service principal can be created automatically by Citrix or manually by an Azure AD global administrator.

Citrix can create the service principal object automatically if the user running the Citrix Host Connection wizard has Contributor permissions on the subscription. During the host connection setup, the wizard requests all the required permissions, including Contributor permissions on the subscription, and retains that consent for future connections.

Security-sensitive environments do not allow service principals to have Contributor permissions at the subscription level. Citrix provides an alternative referred to as a narrow-scope service principal. An Azure AD global administrator manually creates an application registration, and a subscription administrator then manually grants the service principal account the appropriate permissions. Narrow-scope service principals do not have Contributor permissions on the entire subscription; their permissions are scoped to just the resource groups, networks, and images required to create and manage the machine catalogs.

Here are the questions you need to answer regarding the service principal account:

Should I use a subscription-scope service principal account?

  • Requires Azure AD global administrator permissions

  • The Contributor role assignment for the entire subscription is created automatically, and Azure prompts for permissions approval at the initial connection

  • Use when information security allows a service principal account to be granted contributor permissions on the entire subscription and Citrix administrators have contributor access to the subscription

  • Accounts used for authentication during the host connection creation must be at least co-administrators on the subscription and members of the Azure Active Directory

  • Recommended when subscriptions are dedicated to Citrix resources or the environment will contain many resource groups

  • Use when a simple management experience is wanted

  • Use when the environment is managed mainly through Citrix Studio rather than PowerShell

  • Preferred during proof-of-concept deployments

Should I use a narrow-scope service principal?

  • The narrow-scope service principal is created manually by an Azure AD global administrator

  • Before running the machine catalog Add Machines wizard, the target resource group must be pre-created and the service principal granted these roles on it and on the supporting resources:

    • Pre-created resource group: Virtual Machine Contributor, Storage Account Contributor, and Disk Snapshot Contributor
    • Virtual network: Virtual Machine Contributor
    • Storage account: Virtual Machine Contributor

  • Recommended when the number of resource groups is manageable either through the Azure console or through automation

  • Recommended for higher-security environments where permissions are tightly controlled and fine-grained access control is prevalent

  • Recommended when subscriptions cannot be dedicated to Citrix resources and are hosting other services

  • Recommended when Azure administrators have different subscription permissions depending on their role

  • For larger environments, consider using build scripts or ARM templates to pre-create resource groups and grant the required permissions
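The following script is an added example, not part of the original article or of Citrix's own tooling. It is the kind of build script the last bullet refers to: run by a subscription administrator after an Azure AD global administrator has created the application registration, it pre-creates the catalog resource group and grants the service principal only the three built-in roles listed above at resource-group scope, plus Virtual Machine Contributor on the virtual network and the image storage account. Every name in it (service principal display name, resource group, VNet, storage account, region) is a placeholder; it assumes the Az PowerShell module and an existing `Connect-AzAccount` session in the target subscription.

```powershell
# Added example (not from the original article): least-privilege role assignments for a
# narrow-scope service principal, using the Az PowerShell module.
# The app registration is created beforehand by an Azure AD global administrator;
# this script only grants roles. All names below are placeholders.

$spDisplayName  = 'citrix-daas-narrow-scope'  # placeholder: display name of the pre-created app registration
$location       = 'eastus'                    # placeholder region
$catalogRgName  = 'rg-citrix-catalog-01'      # placeholder: resource group the machine catalog will use
$vnetRgName     = 'rg-network-hub'            # placeholder: resource group that holds the VNet
$vnetName       = 'vnet-citrix-vda'           # placeholder
$imageRgName    = 'rg-citrix-images'          # placeholder: resource group that holds the image storage account
$storageAccount = 'stcitriximages01'          # placeholder

# Grant a role at exactly one scope, skipping it if the assignment already exists,
# so the script can be re-run for each new catalog resource group.
function Grant-RoleOnce {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)
    # Get-AzRoleAssignment -Scope also returns inherited assignments; keep only this scope.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName `
                                     -Scope $Scope -ErrorAction SilentlyContinue |
                Where-Object { $_.Scope -eq $Scope }
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
        Write-Host "Granted '$RoleName' at $Scope"
    } else {
        Write-Host "'$RoleName' already assigned at $Scope"
    }
}

# Resolve the service principal created by the global administrator.
$sp = Get-AzADServicePrincipal -DisplayName $spDisplayName | Select-Object -First 1
if (-not $sp) { throw "Service principal '$spDisplayName' not found; create the app registration first." }

# Pre-create the catalog resource group (idempotent).
$rg = Get-AzResourceGroup -Name $catalogRgName -ErrorAction SilentlyContinue
if (-not $rg) { $rg = New-AzResourceGroup -Name $catalogRgName -Location $location }

# Resource group: the three roles listed in the article, nothing broader.
foreach ($role in 'Virtual Machine Contributor', 'Storage Account Contributor', 'Disk Snapshot Contributor') {
    Grant-RoleOnce -ObjectId $sp.Id -RoleName $role -Scope $rg.ResourceId
}

# Virtual network and storage account: Virtual Machine Contributor only.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $vnetRgName
Grant-RoleOnce -ObjectId $sp.Id -RoleName 'Virtual Machine Contributor' -Scope $vnet.Id

$sa = Get-AzStorageAccount -Name $storageAccount -ResourceGroupName $imageRgName
Grant-RoleOnce -ObjectId $sp.Id -RoleName 'Virtual Machine Contributor' -Scope $sa.Id

# Review: every assignment should sit at resource-group or resource scope.
# A row whose Scope is '/subscriptions/<id>' would mean the principal is no longer narrow-scope.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The final listing is the check worth keeping in a change record: if any assignment appears at subscription scope, the principal has drifted from the narrow-scope model described above. For many catalog resource groups, wrap the `Grant-RoleOnce` calls in a loop over a list of resource group names, or express the same assignments as an ARM template deployed per resource group.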

Should I use custom roles for the service principal?

  • Citrix recommends the use of custom roles for setting permissions for the service principal when more than one subscription will be used

  • Microsoft recommends setting the role permissions at the management group level through Azure policy
