Microsoft's Azure Virtual Desktop now works without Active Directory – but there are caveats

General availability of Azure AD-joined VMs

Microsoft has declared general availability for Azure Virtual Desktop with the VMs joined to Azure AD rather than Active Directory, but the initial release has many limitations.

Azure Virtual Desktop (AVD), once called Windows Virtual Desktop, is Microsoft's first-party VDI (Virtual Desktop Infrastructure) solution.

Although cloud-hosted, Azure Virtual Desktop is (or was) based on Microsoft's Remote Desktop Services technology, which requires domain-joined session hosts and therefore a connection to full Windows Active Directory (AD): either on-premises AD reached over a VPN, or Azure Active Directory Domain Services (Azure AD DS), a Microsoft-managed AD domain automatically linked to Azure AD. Where on-premises AD is used, Azure AD Connect is also required to synchronize identities, adding further complexity.

Microsoft has now stated that Azure AD-joined VMs are generally available for AVD. "This new configuration allows you to provide access to cloud-only users (created in Azure AD and not synchronized from an on-prem directory) which wasn't possible before," said senior program manager David Belanger.

Why AVD and not the shiny new Windows 365? Although both offer virtual Windows desktops on Azure there are many differences – even though the company states that Windows 365 uses AVD under the covers.

One key difference is that Windows 365 is not elastic: it is priced per user per month irrespective of usage. With AVD, the administrator controls the VMs, which can be scaled to match concurrent demand or shut down when not required – though there could be availability issues if the Azure region were overloaded and a deallocated VM could not be restarted.

Another difference is that AVD supports pooled desktops, and is the only scenario in which multi-user Windows 10 is permitted. A quick play with Microsoft's Azure price calculator shows that the price per user could be under $10 per month with a pooled host, versus Windows 365 which starts at $24 per month, since it only supports a full VM per user. AVD also has extra features including remote applications, rather than full desktops. The licensing for AVD is also relatively generous in that many Microsoft 365 plans come with access rights included, starting at Microsoft 365 Business Premium.

"Azure Virtual Desktop virtual machines (VMs) are charged at Linux compute rate for Windows 10 single-session, Windows 10 multi-session and Windows Server," Microsoft states.

Joining an AVD host pool (collection of VMs) to Azure AD

The downside is that AVD is more complex than Windows 365 to set up and administer, and the AD dependency has been one of the reasons. Being able to dispense with it and simply Azure AD-join the VMs is a considerable advantage, especially for small deployments or smaller businesses. The service (with Azure AD join) has been in preview since July, but there are a number of limitations.

The biggest of these is that only local user profiles are supported. Microsoft's solution for storing user profiles on Azure Files, for scalability and so that users can roam between hosts, is FSLogix (a technology bought in via acquisition in November 2018). Yet "Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach," the docs inform us. This also means there is only limited support for pooled desktops, one of the primary attractions of AVD. Microsoft offers as a supported configuration "pooled desktops or apps where users don't need to save data on the VM. For example, for applications that save data online or connect to a remote database." Resourceful admins may find ways around this, but it is a severe constraint.

Some users have also found FSLogix problematic, especially with Microsoft's updated versions since the acquisition. One issue was "random days where the frxsvc.exe process will delete files and folders from the C: drive. Based on what's deleted, I suspect it's actually trying to delete everything but can't do the stuff that's in use," reported a user. This was believed to have been fixed in a recent update.

An inherent problem with FSLogix is that, by default, if the agent fails to mount the remote profile container for any reason a local profile is created, and that local profile then persists: on subsequent logons the container will not reattach. There is a setting to have local profiles automatically deleted, but in that case the user may lose documents saved while the local profile was in use. Profile management is not trivial, and such issues are perhaps one of the reasons behind the more easily managed Windows 365 solution. ®
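As an added example (not code from this article, from Microsoft or from the FSLogix project), the following PowerShell audits a single AVD session host for the two problems just described: whether it can reach the FSLogix share at all, which is what the Azure AD-join limitation above breaks, and whether any user has been left with a persistent local profile after a failed container mount. It assumes the FSLogix Apps agent is installed and that it runs elevated on the host; the registry value names under HKLM:\SOFTWARE\FSLogix\Profiles are FSLogix's documented ones, and the reparse-point check is a heuristic, not an FSLogix API. It only reports and never deletes anything, because a local profile may hold the only copy of a user's documents.

```powershell
# Added example: audit an AVD session host for FSLogix share reachability and
# for "stuck" local profiles left behind by a failed container mount.
# Assumes the FSLogix Apps agent is installed and the script runs elevated.
# Report-only by design: deleting a local profile can destroy user data.

$profilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$cfg = Get-ItemProperty -Path $profilesKey -ErrorAction SilentlyContinue

# Documented FSLogix values: Enabled switches profile containers on;
# DeleteLocalProfileWhenVHDShouldApply = 1 removes a stale local profile before
# attaching the container (and with it anything saved locally during the outage).
$containersEnabled = ($cfg.Enabled -eq 1)
$deleteLocal       = ($cfg.DeleteLocalProfileWhenVHDShouldApply -eq 1)
$vhdLocations      = @($cfg.VHDLocations)

$svc = Get-Service -Name frxsvc -ErrorAction SilentlyContinue

Write-Host ("FSLogix profile containers enabled : {0}" -f $containersEnabled)
Write-Host ("Delete stale local profile         : {0}" -f $deleteLocal)
Write-Host ("VHDLocations                       : {0}" -f ($vhdLocations -join '; '))
Write-Host ("frxsvc state                       : {0}" -f $svc.Status)

# Share reachability: on an Azure AD-joined host with no line of sight to AD,
# an Azure Files share for FSLogix is exactly what the docs say is unsupported.
foreach ($loc in $vhdLocations) {
    if ($loc) {
        $ok = Test-Path -Path $loc -ErrorAction SilentlyContinue
        Write-Host ("Share reachable {0,-50} : {1}" -f $loc, $ok)
    }
}

# Enumerate real (non-system) profiles. When FSLogix has attached a container,
# C:\Users\<user> is a reparse point into the mounted VHD; a plain directory is
# the persistent local profile the article warns about (heuristic check).
$stuck = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -like 'C:\Users\*' } |
    ForEach-Object {
        $item = Get-Item -LiteralPath $_.LocalPath -ErrorAction SilentlyContinue
        $isReparse = $item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
        [pscustomobject]@{
            SID       = $_.SID
            LocalPath = $_.LocalPath
            Loaded    = $_.Loaded
            LastUse   = $_.LastUseTime
            Container = [bool]$isReparse
        }
    } | Where-Object { -not $_.Container }

if ($containersEnabled -and $stuck) {
    Write-Warning ("{0} local profile(s) present on a host configured for FSLogix containers:" -f $stuck.Count)
    $stuck | Format-Table -AutoSize
    if (-not $deleteLocal) {
        Write-Warning 'DeleteLocalProfileWhenVHDShouldApply is 0: these users keep the local profile on every logon until it is removed manually (back up their documents first).'
    }
}
```

Run it on a host where users have reported a "wrong" desktop: a False in the share-reachability line points at the Azure AD-join limitation or a Kerberos/permissions problem with the share, while a non-empty stuck-profile table with the delete setting at 0 is the silent-fallback behaviour described above. Turning the delete setting on fixes future logons but discards whatever those users saved into the local profile, so copy that data out before changing it.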
