Having adds in hub Not having adds in hub & their limitation For AVD what are the auth options with security measure? list of security controls that can be enforced from Entra Id, AVD, on session host & on file share Outbound NAT with a public IP Auth options for session host if we don't have sub 2 & if we have sub2. whats's the purpose the sub 2, if we can remove it what will be the impact what are the avd auth options why adds server is needed here? write up for Adds "Hi I am having this questions regarding azure virtual desktop"

Hi shelly kapoor , Thanks for sharing the information; it helps us clarify your requirements. I have discussed this query with my team and gathered inputs. Still have the possibility to associate a Public IP with AVD and create a NAT rule. However, the users are unable to access the AVD VMs directly. We can only access AVD from Remote Desktop client app and Workspace URL. We can use both ADDS and Microsoft Entra ID as Azure Virtual Desktop supports different types of identities for accessing corporate resources and applications. As a workload owner, you can select from various types of identity providers according to your business and organizational needs. Review the identity design areas in this section to assess what's best for your workload. Azure Virtual Desktop supports hybrid identities through Microsoft Entra ID, including identities that are federated by using AD FS. You can manage these user identities in AD DS and sync them to Microsoft Entra ID by using Microsoft Entra Connect . You can also use Microsoft Entra ID to manage these identities and sync them to AD DS . Microsoft Entra ID: Azure Virtual Desktop supports cloud-only identities when you use VMs that are joined by using Microsoft Entra ID . These users are created and managed directly in Microsoft Entra ID. You can use third-party identity providers as long as they federate with Microsoft Entra ID. Please refer to this link- https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication#federated-identity I would recommend that you refer to the link given below for more information on AVD. https://learn.microsoft.com/en-us/azure/virtual-desktop/users/ If you have any further queries, please let us know. I am happy to assist you! Thank you!

azure virtual desktop setup

shelly kapoor 0

Having adds in hub
Not having adds in hub & their limitation
For AVD what are the auth options with security measure?
list of security controls that can be enforced from Entra Id, AVD, on session host & on file share
Outbound NAT with a public IP
Auth options for session host if we don't have sub 2 & if we have sub2.

whats's the purpose the sub 2, if we can remove it what will be the impact

what are the avd auth options

why adds server is needed here? write up for Adds "Hi I am having this questions regarding azure virtual desktop"

Srinud 3,610 Reputation points Microsoft Vendor

2025-01-29T14:47:50.93+00:00

Hi shelly kapoor,
Thank you for reaching out to us on the Microsoft Q&A forum.

The setup of Azure Virtual Desktop (AVD) involves several considerations related to Active Directory Domain Services (AD DS), authentication options, and security measures.

Azure Virtual Desktop supports different types of identities for accessing corporate resources and applications. As a workload owner, you can select from various types of identity providers according to your business and organizational needs.

Utilizing AD DS in a hub architecture enables centralized management of identities and access, providing a secure and scalable environment for AVD. Without AD DS, limitations may arise in user authentication and access management, as AVD requires a directory service for user validation and resource access.

Microsoft Entra ID is used for authentication, and Multi-Factor Authentication (MFA) can be enforced to enhance security. Conditional Access policies can be implemented to manage user access based on specific conditions.

Implementing network security groups to filter traffic, isolating host pools in separate virtual networks, and utilizing Azure Private Link to ensure secure traffic.

Outbound NAT allows AVD resources to communicate with the internet via a public IP, which is essential for securely accessing external services.

Microsoft Entra ID can be used for authentication. However, if AD DS is available, both AD DS and Microsoft Entra ID can be leveraged for a more integrated authentication experience.

The Subnet is typically used to isolate resources and manage network traffic. Removing it could impact security and resource accessibility, potentially exposing the AVD environment to risks.

AVD supports authentication through Microsoft Entra ID, AD DS, and Microsoft Entra Domain Services, providing flexibility in how users access virtual desktops. AD DS is vital for managing user identities, enforcing security policies, and providing the directory services that AVD relies on for user authentication and resource access.

Please find the below document for more information:
Design considerations for central platform, identity, and networking teams
Identity and access management considerations for Azure Virtual Desktop
Security recommendations for Azure Virtual Desktop

If the information is helpful, please consider by clicking the "Upvote" on the post. If you have any further queries, please let us know in the comment.
shelly kapoor 0 Reputation points

2025-01-30T06:14:11.6266667+00:00

@Srinud Can you please clarify how we can achive outbound nat with one public ip of avd. what are the limitations if we not using active directory domain controller for avd instead of that we will using microsoft entra id.

we are recomended client to create two subscription in one subscription mention hub network which include adds what are the impact if we not take 2 subscription and what are the authentication option available in that case.
shelly kapoor 0 Reputation points

2025-01-30T06:34:29.1666667+00:00

@Srinud can you please how we can achive outbound nat with one public ip for avd all session host. we are recommended them to create one subscription for avd and fr domain domain controller there are saying why we need this and what if not using adds for avd setup instead we will be using entra id so what will impact they want to create pool host pool with file share and access third party application as well.
Srinud 3,610 Reputation points Microsoft Vendor

2025-01-31T18:16:37.6566667+00:00

Hi shelly kapoor,
I just wanted to check if you had a chance to review comment. If you found it helpful, could you kindly click the “upvote” on my post.

If you have any further queries, please let us know in the comment.

Thank you.

1 answer

Srinud 3,610 Reputation points Microsoft Vendor

2025-01-30T13:07:25.1833333+00:00

Hi shelly kapoor,

Thanks for sharing the information; it helps us clarify your requirements.

I have discussed this query with my team and gathered inputs. Still have the possibility to associate a Public IP with AVD and create a NAT rule. However, the users are unable to access the AVD VMs directly. We can only access AVD from Remote Desktop client app and Workspace URL.

We can use both ADDS and Microsoft Entra ID as Azure Virtual Desktop supports different types of identities for accessing corporate resources and applications. As a workload owner, you can select from various types of identity providers according to your business and organizational needs. Review the identity design areas in this section to assess what's best for your workload.

Azure Virtual Desktop supports hybrid identities through Microsoft Entra ID, including identities that are federated by using AD FS. You can manage these user identities in AD DS and sync them to Microsoft Entra ID by using Microsoft Entra Connect. You can also use Microsoft Entra ID to manage these identities and sync them to AD DS.

Microsoft Entra ID: Azure Virtual Desktop supports cloud-only identities when you use VMs that are joined by using Microsoft Entra ID. These users are created and managed directly in Microsoft Entra ID.

You can use third-party identity providers as long as they federate with Microsoft Entra ID. Please refer to this link- https://learn.microsoft.com/en-us/azure/virtual-desktop/authentication#federated-identity

I would recommend that you refer to the link given below for more information on AVD. https://learn.microsoft.com/en-us/azure/virtual-desktop/users/

If you have any further queries, please let us know. I am happy to assist you!

Thank you!
Please sign in to rate this answer.

1 person found this answer helpful.
Srinud 3,610 Reputation points Microsoft Vendor

2025-02-03T14:53:22.1833333+00:00

Hi shelly kapoor,
I Hope you are doing well!!

I just wanted to check if you had a chance to review answer. If you found it helpful, could you kindly click the “Accept Answer” on my post. This will help increase its visibility of this question for other members of the Microsoft Q&A community. Thank you for your contribution in enhancing Microsoft Q&A!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

azure virtual desktop setup

1 answer

Your answer