Hey folks! We're tasked with deploying an Azure Virtual Desktop (AVD) pilot for 20 users spread across three groups: Group A, Group B, and a General Group. Group A and Group B require access to specific applications, as well as the applications available to the General Group. We expect to run some medium-heavy Line of Business applications which need Multi-Factor Authentication (MFA) and Windows Hello for Business during user login. I have a few questions regarding the setup:
a) How many host pools should we create?
b) How many application groups do we need and how should we assign them to host pools, considering we might need more than three?
c) Users will authenticate via Entra ID. What RBAC roles should we establish for session hosts, fileshares, etc.?
d) Do we need to convert our EXE applications to MSIX format, and then to VHDX for user login?
I'd appreciate any insights or advice you can share!
4 Answers
There are many variables to consider for your AVD setup. I recommend starting with a matrix that looks at identities (like Microsoft Entra DS), storage options for applications (Azure files or blobs), local profiles versus FSLogix, and your hybrid setup. It helps you visualize your deployment's structure.
Check out this useful video for a detailed guide on setting up AVD from scratch! It shows how to configure FSLogix profiles with Azure premium storage integration. Definitely worth a watch!
You could get away with just a single host pool if you're using remote apps. Check out application groups to categorize apps for your user groups. If you need full desktops, you might need separate pools for each group or one for all with apps attached based on the group. For authentication, make sure to set up the Virtual Machine User Login RBAC role on the Session Host. Good luck!
Thanks for the feedback! Just to clarify, we've got a requirement for all apps to show up in a desktop environment, rather than as remote apps. How can we tailor this approach?
Yep, a single host pool can definitely do the job, especially if you implement FSLogix App Masking. It lets you install everything on one image and only show specific apps to the respective groups. Super handy!
There are several ways to go about this. Are you thinking of publishing remote apps, or do you need full desktop access? For a full desktop experience with apps for specific users, look into using app attach. You can keep a single host pool with core apps and then attach the rest based on user groups. If you're just doing remote apps, multiple application groups might work better.
Got it, but our requirement leans toward a full desktop experience. We also need users to see their group logo as soon as they log in. What about the conversion of apps to MSIX and VHDX?
Exactly, we need all users to see their designated apps on login. What RBAC roles or authentication setups are essential for ensuring smooth file operations between session hosts and fileshares?
Thanks for that! This gives me a solid direction for planning. If I can get the matrix right, I should be on the right track!