Microsoft's Azure Virtual Desktop now works without Active Directory – but there are caveats

General availability of Azure AD-joined VMs


Microsoft has declared general availability for Azure Virtual Desktop with the VMs joined to Azure AD rather than Active Directory, but the initial release has many limitations.

Azure Virtual Desktop (AVD), once called Windows Virtual Desktop, is Microsoft's first-party VDI (Virtual Desktop Infrastructure) solution.

Although cloud-hosted, Azure Virtual Desktop is (or was) based on Microsoft's Remote Desktop Services technology, which required domain-joined PCs and therefore a connection to full Windows Active Directory (AD): either on-premises AD reached over a VPN, or Azure Active Directory Domain Services (AAD DS), a Microsoft-managed AD domain automatically linked to Azure AD. Where on-premises AD is used, AD Connect is also required, introducing further complexity.

Microsoft has now stated that Azure AD-joined VMs are generally available for AVD. "This new configuration allows you to provide access to cloud-only users (created in Azure AD and not synchronized from an on-prem directory) which wasn't possible before," said senior program manager David Belanger.

Why AVD and not the shiny new Windows 365? Although both offer virtual Windows desktops on Azure there are many differences – even though the company states that Windows 365 uses AVD under the covers.

One key difference is that Windows 365 is not elastic: it is priced per user/month irrespective of usage. Using AVD, the administrator has control of the VMs and they can be scaled for most efficient concurrent use, or even shut down when not required – though there could be availability issues if the Azure region were overloaded and a deallocated VM could not be restarted.

Another difference is that AVD supports pooled desktops, and is the only scenario in which multi-user Windows 10 is permitted. A quick play with Microsoft's Azure price calculator shows that the price per user could be under $10 per month with a pooled host, versus Windows 365 which starts at $24 per month, since it only supports a full VM per user. AVD also has extra features including remote applications, rather than full desktops. The licensing for AVD is also relatively generous in that many Microsoft 365 plans come with access rights included, starting at Microsoft 365 Business Premium.

"Azure Virtual Desktop virtual machines (VMs) are charged at Linux compute rate for Windows 10 single-session, Windows 10 multi-session and Windows Server," Microsoft states.

Joining an AVD host pool (collection of VMs) to Azure AD

The downside is that AVD is more complex than Windows 365 to set up and administer. The AD dependency has been one of the factors in this. The ability to dispense with this and simply use Azure AD join for the VMs is a considerable advantage, especially for small-scale deployments or businesses. The service (with Azure AD join) has been in preview since July, but there are a number of limitations.

The biggest of these is that only local user profiles are supported. Microsoft's solution for storing user profiles on Azure Files, for scalability and so that users can roam between hosts, is FSLogix (a technology bought in via acquisition in November 2018). Yet "Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach," the docs inform us. This also means there is only limited support for pooled desktops, one of the primary attractions of AVD. Microsoft offers as a supported configuration "pooled desktops or apps where users don't need to save data on the VM. For example, for applications that save data online or connect to a remote database." There may be ways around this devised by resourceful admins, but it is a severe constraint.

Some users have also found FSLogix problematic, especially with Microsoft's updated versions since the acquisition. One issue was "random days where the frxsvc.exe process will delete files and folders from the C: drive. Based on what's deleted, I suspect it's actually trying to delete everything but can't do the stuff that's in use," reported a user. This was believed to have been fixed in a recent update.

An inherent problem with FSLogix is that by default if the agent fails to mount the remote profile for any reason, a local profile is created, and then the local profile persists and the FSLogix one will not reattach. There is a setting to have local profiles automatically deleted, but in this case the user may lose documents. Profile management is not trivial, and such issues are perhaps one of the reasons behind the more easily managed Windows 365 solution. ®
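To see which of these outcomes a given session host is actually configured for, and whether it can reach its profile share at all (the Azure AD-joined restriction noted above), here is an added PowerShell audit script. It is not from the article or from Microsoft; it assumes the documented FSLogix policy values under HKLM\SOFTWARE\FSLogix\Profiles (Enabled, VHDLocations, DeleteLocalProfileWhenVHDShouldApply, PreventLoginWithFailure, PreventLoginWithTempProfile) and is run elevated on the host.

```powershell
# Added audit script, not from the article or from Microsoft. Assumes the
# documented FSLogix profile-container policy key on the session host.
$FslKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

function Get-FslogixFallbackReport {
    if (-not (Test-Path $FslKey)) {
        return [pscustomobject]@{ FslogixInstalled = $false }
    }
    $p = Get-ItemProperty -Path $FslKey
    # Each policy value is a DWORD; a missing value behaves like 0 (the default).
    $enabled     = [int]($p.Enabled -as [int])
    $deleteLocal = [int]($p.DeleteLocalProfileWhenVHDShouldApply -as [int])
    $blockOnFail = [int]($p.PreventLoginWithFailure -as [int])
    $blockTemp   = [int]($p.PreventLoginWithTempProfile -as [int])

    # Can this host reach the container share at all? On an Azure AD-joined
    # host pointed at an Azure Files share this is the check that fails.
    $locations = @($p.VHDLocations) | Where-Object { $_ }
    $reachable = foreach ($loc in $locations) {
        [pscustomobject]@{ Path = $loc; Reachable = (Test-Path -Path $loc) }
    }

    # Map the policy to the mount-failure behaviour the article describes.
    if ($blockOnFail -eq 1 -or $blockTemp -eq 1) {
        $outcome = 'Sign-in is refused when the container cannot be attached'
    } elseif ($deleteLocal -eq 1) {
        $outcome = 'Local profile is deleted when the container applies again; data saved locally is lost'
    } else {
        $outcome = 'Default: a local profile is created and then persists; the container does not reattach'
    }

    [pscustomobject]@{
        FslogixInstalled    = $true
        ProfilesEnabled     = ($enabled -eq 1)
        VHDLocations        = $reachable
        DeleteLocalProfile  = ($deleteLocal -eq 1)
        BlockOnFailure      = ($blockOnFail -eq 1)
        BlockTempProfile    = ($blockTemp -eq 1)
        MountFailureOutcome = $outcome
    }
}

$report = Get-FslogixFallbackReport
$report | Format-List
$report.VHDLocations | Format-Table -AutoSize
```

A share that reports Reachable = False on an Azure AD-joined host is the configuration the docs quoted above warn about; a host with the default fallback and a reachable share still silently keeps any local profile created during an earlier outage.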

Biting the hand that feeds IT © 1998–2021