Windows Virtual Desktop (WVD) is a great new solution from Microsoft that helps partners and customers easily manage and deploy virtual desktops and apps to end users. WVD is at an early stage and in constant development, but it currently does not support group-based assignment of users. Users need to be assigned individually to virtual desktops or AppGroups.
Most of our customers run a hybrid setup where user and computer accounts are based on identities from a traditional Active Directory (AD). In the following guide I will describe how to dynamically assign users to WVD from the membership of a security group in AD in a safe way.
Support staff can then assign users from the “Active Directory Users and Computers” console, without using PowerShell or other third-party tools, even if multiple AppGroups exist. This is possible because we use a runbook in Azure that checks the security group every 30 minutes (or more frequently if necessary) and then adds or removes users from the AppGroup based on their membership of the security group.
In our setup we run the VMs in Azure and use Azure AD Connect to sync users between AD and AAD. The reason for doing this is that our customer still has applications that cannot run cloud-only, so we move all VMs to Azure and move every feature we can to a cloud-only solution.
Now, before we begin with the setup we will need to complete a few prerequisites first.
First of all, we need to gather some information for the script to work.
Fill out the variables with data that fits your environment and save the script somewhere on your computer so you can use it later.
You will need to install two PowerShell modules on the same server where your hybrid worker is installed.
# Temporarily trust PSGallery so Install-Module does not prompt on the hybrid worker
Set-PSRepository -Name "PSGallery" -SourceLocation "https://www.powershellgallery.com/api/v2" -InstallationPolicy Trusted
# Install the WVD PowerShell module (Add-RdsAppGroupUser, Remove-RdsAppGroupUser, etc.)
Find-Module "Microsoft.RDInfra.RDPowershell" | Install-Module
# The Active Directory module ships as a Windows Server feature, not a gallery module
Add-WindowsFeature RSAT-AD-PowerShell
# Restore the default installation policy once the module is installed
Set-PSRepository -Name "PSGallery" -SourceLocation "https://www.powershellgallery.com/api/v2" -InstallationPolicy Untrusted
When you have run these three commands, the two modules are installed. You don’t need to configure anything else in your on-premises environment. The Add-WindowsFeature command installs the Active Directory module; it is done this way because the Active Directory module is actually a feature of Windows Server rather than a gallery module.
There are two ways to make a schedule. We can make a normal runbook schedule, which works perfectly but can only run once per hour, so if you need it to run more frequently you need a logic app to trigger it for you. We made the runbook execute every 30 minutes. I will provide guidelines on how to create the logic app as well.
Making a normal runbook schedule is pretty straightforward. You just go into your runbook, select Schedules, and then press the “Add a schedule” button.
Then you press the “Link a schedule” button and create a new schedule. Give it a name and select “Recurring”. You can then select the amount of time between executions of the runbook.
The next step is very important. Press the parameters and run settings button, then under run settings select “Hybrid Worker” and choose the hybrid worker you installed the modules on. This is very important, because if you don’t, your runbook will execute in Azure instead and it will fail.
With a logic app it is possible to run the runbook every minute, but first you need to create a service account that can run the logic app for us. It doesn’t matter which type of account it is, as long as MFA is disabled for the account; otherwise it will not be able to run the runbook.
When the account has been created, we need to give it rights to our automation account. We do that by going to the automation account, selecting the access control tab and pressing the add button on the right.
Now you have to select the tenant where your automation account is stored and then log in with the account we created before.
If you want to use it for more than one application, it is really easy to set up. First of all you need to give your AD service account read and write permissions on the new security group that you created, or you can make a new service account for this specific security group if you want to make it even more secure. Then you will need to copy this part of the script.
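The reconciliation the runbook performs (compare the AD security group with the AppGroup, add the missing users, remove the ones no longer in the group) and the per-AppGroup reuse described above, as an added example. This is not the author’s script from GitHub; the group, tenant, host pool and AppGroup names are placeholders, it assumes the AD UPN matches the Azure AD UPN (as with AAD Connect), and it assumes Add-RdsAccount has already been run on the hybrid worker.

```powershell
# Added example (not the author's script): reconcile one AD security group with one WVD AppGroup.
Import-Module ActiveDirectory
Import-Module Microsoft.RDInfra.RDPowershell

function Sync-WvdAppGroupFromAdGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AdGroup,       # placeholder, e.g. "WVD-Finance-Users"
        [Parameter(Mandatory)] [string] $TenantName,    # placeholder WVD tenant name
        [Parameter(Mandatory)] [string] $HostPoolName,  # placeholder host pool name
        [Parameter(Mandatory)] [string] $AppGroupName   # placeholder AppGroup name
    )
    # Desired state: UPNs of enabled user accounts in the AD group (nested groups included).
    $desired = Get-ADGroupMember -Identity $AdGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Get-ADUser $_.distinguishedName -Properties UserPrincipalName, Enabled } |
        Where-Object { $_.Enabled -and $_.UserPrincipalName } |
        ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() } | Sort-Object -Unique

    # Safety guard: an empty or unreadable group must not strip every user from the AppGroup.
    if (-not $desired) { throw "AD group '$AdGroup' resolved to no enabled users; refusing to remove all assignments." }

    # Current state: UPNs already assigned to the AppGroup.
    $current = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName |
        ForEach-Object { $_.UserPrincipalName.ToLowerInvariant() } | Sort-Object -Unique

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    foreach ($upn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($upn, "Add to AppGroup $AppGroupName")) {
            Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName -UserPrincipalName $upn
        }
    }
    foreach ($upn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($upn, "Remove from AppGroup $AppGroupName")) {
            Remove-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName -UserPrincipalName $upn
        }
    }
    # Return what changed so the runbook job output shows it.
    [pscustomobject]@{ Added = $toAdd; Removed = $toRemove }
}

# One call per AD group / AppGroup pair; run with -WhatIf first to see the planned changes.
Sync-WvdAppGroupFromAdGroup -AdGroup 'WVD-Finance-Users' -TenantName 'ContosoTenant' -HostPoolName 'HP01' -AppGroupName 'Desktop Application Group' -WhatIf
```

To serve several AppGroups, call the function once per pair of security group and AppGroup, each with its own service account if you want to keep the permissions separate.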
To make sure everything works, there are a few different things you can do to test it.
If you run into any problem or have questions, you can reach me at dpg@automize.dk and I will reply as soon as possible.
You will find the script below:
https://github.com/dani9335/wvdaddgroupmember/blob/master/add-appgroupmember.ps1
Daniel Pagh Greve
dpg@automize.dk