This tutorial guides you through deploying Azure Virtual Desktop in Azure Enclave. You create Azure Virtual Desktop infrastructure including host pools, session hosts, application groups, and FSLogix storage, all secured within your enclave boundary.
In this tutorial, you learn how to:
- Deploy Azure Virtual Desktop community endpoint for external connectivity
- Deploy Azure Virtual Desktop enclave infrastructure
- Deploy Azure Virtual Desktop workload with session hosts and control plane
- Configure identity and encryption
- Access Azure Virtual Desktop via encrypted connections
- Validate the deployment
Prerequisites
- Completion of Tutorial 2-2: Create Azure Enclave Environment
- Azure Virtual Desktop enclave with management and session hosts subnets
- Common dependencies (Key Vault, managed identity, disk encryption set) from Tutorial 2-2
- Private DNS zones for Azure Virtual Desktop deployed
- Virtual Machine Contributor role on the Azure Virtual Desktop workload resource group
- Active Directory or Microsoft Entra ID configured for user authentication
Before you begin
Identity solution requirements
Azure Virtual Desktop requires an identity solution for user authentication. You have two options:
| Solution | Requirements | Best For |
|---|---|---|
| Microsoft Entra ID | Microsoft Entra tenant; users synced or cloud-only; Microsoft Entra joined VMs | Cloud-native organizations |
| Active Directory Domain Services (AD DS) | Domain controller accessible from enclave; domain join for VMs; can be hybrid with Microsoft Entra Connect | Existing AD infrastructure |
This tutorial supports both options. Choose the appropriate parameters during deployment.
Resource naming conventions
This tutorial uses example names. Use your organization's naming convention:
- Enclave: `avd-enclave`
- Workload: `avd-workload`
- Resource group prefix: `rg-avd-`
- Host pool: `hp-prod-01`
Deploy Azure Virtual Desktop community endpoint
The Azure Virtual Desktop community endpoint enables session hosts to communicate with Azure Virtual Desktop control plane services.
Note
If you created the Azure Virtual Desktop community endpoint in Tutorial 2-2, you can skip this section.
Use service catalog template
- In the Azure portal, navigate to your Azure Virtual Desktop workload in the Azure Virtual Desktop enclave.
- Select + Add an Azure Service.
- Search for and select Azure Virtual Desktop Community Endpoint.
- Configure the deployment:
  - Resource group: Select your workload resource group (for example, `rg-avd-workload`)
  - Community Resource Name: Select your community (for example, `fabrikam`)
  - Community Endpoint Name: `ce-avd-services`
  - Include Azure Virtual Desktop URLs: Check all required URLs:
    - `*.wvd.microsoft.com`
    - `login.microsoftonline.com`
    - `management.azure.com`
    - `*.prod.warm.ingest.monitor.core.windows.net`
- Select Review + Add and then Create.
- Wait for deployment to complete (~5-10 minutes).
Deploy Azure Virtual Desktop enclave infrastructure
The Azure Virtual Desktop enclave template prepares your enclave with required subnets and network security groups.
Use service catalog template
- In your Azure Virtual Desktop workload, select + Add an Azure Service.
- Search for and select Azure Virtual Desktop Enclave.
- Configure the deployment:
  Basic settings:
  - Resource group: `rg-avd-infrastructure`
  - Enclave Resource Name: Select `avd-enclave`
  - Location: Same as enclave region
  Network configuration:
  - Virtual Network Name: Leave default (uses enclave virtual network)
  - Management Subnet Name: `AzureVirtualDesktopManagementSubnet`
  - Session Hosts Subnet Name: `AzureVirtualDesktopSessionHostsSubnet`
  - Create NSGs: Yes (if not already created)
  Private DNS:
  - Create Private DNS Zones: No (already created in Tutorial 2-2)
  - Link to VNet: Yes
- Select Review + Add and then Create.
- Wait for deployment to complete (~10-15 minutes).
Deploy Azure Virtual Desktop workload
Now deploy the Azure Virtual Desktop workload with host pool, session hosts, and supporting infrastructure.
Select the Azure Virtual Desktop workload template
- In your Azure Virtual Desktop workload, select + Add an Azure Service.
- Search for and select Azure Virtual Desktop Workload.
- Configure the deployment using the following parameters:
| Configuration Section | Parameters |
|---|---|
| Basics tab | Resource group: `rg-avd-workload`; Location: Same as enclave region; Workload Name: `avd-prod` |
| Host Pool Configuration | Host Pool Name: `hp-prod-01`; Host Pool Type: Pooled; Load Balancer Type: BreadthFirst; Max Session Limit: 10 (for pooled, sessions per host); Validation Environment: No (unless testing) |
| Session Host Configuration | Session Host Name Prefix: `avd-sh-`; Virtual Machine Size: `Standard_D4s_v5` (4 vCPU, 16 GB of RAM minimum); Number of Session Hosts: 2 (start small, scale later); OS Disk Type: `Premium_LRS`; Image Reference: Publisher `MicrosoftWindowsDesktop`, Offer `Windows-11`, SKU `win11-23h2-avd`, Version `latest` |
| Network Configuration | Virtual Network Resource Group: `avd-enclave-HostedResources-<guid>` (enclave MRG); Virtual Network Name: Enclave virtual network name; Subnet Name: `AzureVirtualDesktopSessionHostsSubnet` |
| Identity and Domain (Microsoft Entra ID) | Identity Type: `AzureADJoin`; Entra Tenant ID: Your Microsoft Entra tenant ID; Intune Enrollment: Yes (recommended) |
| Identity and Domain (Active Directory Domain Services) | Identity Type: `DomainJoin`; Domain FQDN: `contoso.com`; OU Path: `OU=AVD,DC=contoso,DC=com` (optional); Domain Join Account UPN: `avd-join@contoso.com`; Domain Join Password: (secure password) |
| Workspace Configuration | Workspace Name: `ws-avd-prod`; Workspace Friendly Name: Production Azure Virtual Desktop Workspace; Application Group Name: `ag-desktop-prod`; Application Group Type: Desktop (or RemoteApp) |
| Storage Configuration (FSLogix) | Storage Account Name: `stavdfslogix<uniqueid>`; Storage Account Type: `Premium_LRS` (for best performance); File Share Name: `profiles`; File Share Quota (GB): 1024 (1 TB); Enable Azure Files Private Endpoint: Yes; Private Endpoint Subnet: `AzureVirtualDesktopManagementSubnet` |
| Encryption Configuration | Enable CMK Encryption: Yes; Disk Encryption Set Resource ID: Resource ID from Tutorial 2-2 common dependencies; User Assigned Identity Resource ID: Resource ID from Tutorial 2-2 common dependencies |
| Monitoring | Enable Diagnostic Settings: Yes; Log Analytics Workspace: Select workspace from shared services or create new; Enable Azure Virtual Desktop Insights: Yes (recommended) |
- Select Review + Create.
- Review all settings carefully.
- Select Create.
Note
Deployment takes 30-60 minutes depending on the number of session hosts.
Configure enclave endpoints for management
Create enclave endpoints to allow management traffic from admin resources.
- Navigate to your Azure Virtual Desktop enclave.
- Select Enclave endpoints, then select + Create.
- Configure the endpoint:
  - Name: `ee-avd-management`
  - Description: Allow management access to Azure Virtual Desktop resources
- Add rules:
  Rule 1: RDP to Session Hosts
  - Name: `rdp-to-hosts`
  - Protocol: TCP
  - Port: 3389
  - Source: Admin subnet CIDR or bastion subnet
  Rule 2: PowerShell Remoting
  - Name: `winrm`
  - Protocol: TCP
  - Port: 5985,5986
  - Source: Admin subnet CIDR
- Select Review + create and then Create.
Configure enclave connection for FSLogix
If your FSLogix storage is in a different enclave, create an enclave connection.
- Navigate to your Azure Virtual Desktop enclave.
- Select Enclave connections, then select + Create.
- Configure the connection:
  - Name: `conn-avd-to-storage`
  - Source enclave: `avd-enclave`
  - Destination enclave endpoint: Select endpoint in shared services enclave
- Select Review + create and then Create.
Assign users to application group
Users need to be assigned to the application group to access Azure Virtual Desktop.
Using Azure portal
- Navigate to your Application Group (for example, `ag-desktop-prod`).
- Select Assignments, then select + Add.
- Search for and select users or groups.
- Select Select.
Using Azure PowerShell
```powershell
# Variables
$resourceGroup = "rg-avd-workload"
$appGroupName = "ag-desktop-prod"
$userPrincipalName = "user@contoso.com"

# Get the application group
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroup -Name $appGroupName

# Get the user object ID
$user = Get-AzADUser -UserPrincipalName $userPrincipalName

# Assign the user the Desktop Virtualization User role, scoped to this application group only
New-AzRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName "Desktop Virtualization User" `
    -ResourceName $appGroupName `
    -ResourceGroupName $resourceGroup `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
```
Access Azure Virtual Desktop from client
Users can access Azure Virtual Desktop through various clients.
Web client
- Navigate to https://client.wvd.microsoft.com/arm/webclient
- Sign in with Microsoft Entra credentials
- Select the published desktop or application
- Session connects through enclave connectivity
Windows App
- Download the Windows App from the Microsoft Store or direct download
- Install and launch Windows App
- Select Add account or + to add a workspace
- Sign in with your Microsoft Entra credentials
- Your Azure Virtual Desktop resources automatically appear
- Select a desktop or application to connect
Note
Windows App replaces the legacy Remote Desktop client and provides a modern experience for accessing Azure Virtual Desktop and other remote resources.
Validate the deployment
Perform these validation steps to ensure proper deployment:
Check session host status
- Navigate to your Host Pool (for example, `hp-prod-01`)
- Select Session hosts
- Verify all hosts show status: Available
- Check Agent version is current
- Verify Domain joined status
Test user session
- Sign in as a test user
- Launch a desktop or application
- Verify connectivity and performance
- Check FSLogix profile loads correctly
- Test application functionality
Verify encryption
- Navigate to a session host VM
- Select Disks
- Select the OS disk
- Verify Encryption type: Encryption at rest with a customer-managed key
- Check encryption set is applied
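The session host status check and the customer-managed-key check above can be run across the whole host pool in one pass. The script below is an added example, not part of the tutorial; it assumes an authenticated Az session with the Az.DesktopVirtualization and Az.Compute modules, the tutorial's example names, and a placeholder disk encryption set ID that you replace with the value from Tutorial 2-2.

```powershell
# Added example (not from the tutorial): flags session hosts that are not 'Available' or whose
# OS disk is not encrypted with the expected customer-managed disk encryption set.
# Assumes Connect-AzAccount has run and Az.DesktopVirtualization / Az.Compute are installed.
function Test-AvdSessionHostPosture {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string]$ExpectedDesId   # disk encryption set resource ID
    )
    $cmkTypes = @('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys')
    $findings = @()
    $sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPoolName
    foreach ($sh in $sessionHosts) {
        # Session host names have the form "<host pool>/<vm fqdn>"
        $hostName = ($sh.Name -split '/')[-1]

        if ($sh.Status -ne 'Available') {
            $findings += "${hostName}: status is '$($sh.Status)' (expected 'Available')"
        }

        # ResourceId is /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>
        $vmParts = $sh.ResourceId -split '/'
        $vm = Get-AzVM -ResourceGroupName $vmParts[4] -Name $vmParts[-1]

        # Resolve the managed OS disk and inspect its server-side encryption settings
        $diskParts = $vm.StorageProfile.OsDisk.ManagedDisk.Id -split '/'
        $disk = Get-AzDisk -ResourceGroupName $diskParts[4] -DiskName $diskParts[-1]
        if ($disk.Encryption.Type -notin $cmkTypes) {
            $findings += "${hostName}: OS disk encryption type is '$($disk.Encryption.Type)' (expected customer-managed key)"
        }
        elseif ($disk.Encryption.DiskEncryptionSetId -ne $ExpectedDesId) {
            $findings += "${hostName}: OS disk uses disk encryption set '$($disk.Encryption.DiskEncryptionSetId)', not the expected one"
        }
    }
    return $findings
}

# Tutorial example names; the DES ID is a placeholder to replace with the value from Tutorial 2-2
$findings = Test-AvdSessionHostPosture -ResourceGroup 'rg-avd-workload' -HostPoolName 'hp-prod-01' `
    -ExpectedDesId '<disk-encryption-set-resource-id>'
if ($findings.Count -eq 0) { Write-Host 'All session hosts are Available and CMK-encrypted.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it from an admin workstation with rights on the workload resource group; each warning names the host and the check it failed, so the output maps directly onto the troubleshooting section below.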
Check diagnostic logs
- Navigate to the Host Pool
- Select Diagnostic settings
- Verify logs are flowing to Log Analytics
- Query logs for connection events:

```kusto
WVDConnections
| where TimeGenerated > ago(1h)
| where State == "Connected"
| project TimeGenerated, UserName, ClientOS, ClientType
```
Validate network connectivity
- Connect to a session host via bastion or admin VM
- Test connectivity to required endpoints:

```powershell
# Replace with your FSLogix storage account name from the workload deployment
$storageAccountName = "stavdfslogix<uniqueid>"

# Test Azure Virtual Desktop control plane
Test-NetConnection -ComputerName rdweb.wvd.microsoft.com -Port 443

# Test Azure Storage (FSLogix); SMB over the private endpoint uses port 445
Test-NetConnection -ComputerName "$storageAccountName.file.core.windows.net" -Port 445

# Test Microsoft Entra ID
Test-NetConnection -ComputerName login.microsoftonline.com -Port 443
```
Monitor Azure Virtual Desktop Insights
Enable and configure Azure Virtual Desktop Insights for comprehensive monitoring.
- Navigate to your Host Pool
- Select Insights
- Select Open Insights workbook
- Review metrics:
  - Connection success rate
  - Active sessions
  - Session host performance
  - User input delays
  - Resource utilization
Troubleshooting common issues
Session hosts not joining domain
Symptom: Session hosts show "Domain Join Error"
Solutions:
- Verify domain join credentials are correct
- Check enclave connectivity to domain controllers
- Ensure DNS resolution works for domain FQDN
- Verify OU path is correct (if specified)
Users can't connect
Symptom: Connection fails during authentication
Solutions:
- Verify users are assigned to application group
- Check RDP properties allow connections
- Verify community endpoints are created
- Check network security group rules
FSLogix profiles not loading
Symptom: Users get temporary profile
Solutions:
- Verify storage account private endpoint is created
- Check SMB connectivity on port 445
- Verify users have RBAC permissions on file share
- Check virtual network link for private DNS zone
Poor performance
Symptom: Sessions respond slowly
Solutions:
- Check session host VM size is adequate
- Verify Premium SSD disks are used
- Review host pool load balancing settings
- Check max sessions per host configuration
- Monitor network latency in Azure Virtual Desktop Insights
Clean up resources
To avoid ongoing charges, delete resources when no longer needed:
Delete in order
- Remove user assignments from application groups
- Delete application groups
- Delete workspace
- Delete host pool (stops/deletes session hosts)
- Delete storage account
- Delete disk encryption set
- Delete Key Vault key
- Delete managed identity
- Delete workload resource groups
Using Azure CLI
```azurecli
# Delete resource group (deletes all contained resources)
az group delete --name rg-avd-workload --yes --no-wait
az group delete --name rg-avd-infrastructure --yes --no-wait
```
Warning
Deleting resources is permanent and can't be undone.
Next steps
With Azure Virtual Desktop deployed, you can now deploy Azure Kubernetes Service workloads.