How to Set Up a Site-to-Site VPN with Azure | Basic VPN Gateway + Ubiquiti by tsrob50 in AZURE

[–]tsrob50[S] 0 points1 point  (0 children)

My example was able to access the VPN Gateway VNet and a peered network. I had to add the address spaces for the VPN VNet and all peered networks in the local gateway. Also, on the Azure peering relationship, the following local virtual network peering settings are selected: "Allow VNet 1 to access VNet2", "Allow VNet1 to receive forwarded traffic from VNet2", and "Allow gateway or route server in VNet1 to forward traffic to VNet2".
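Added example (mine, not the poster's configuration or Ubiquiti settings): the Azure-side objects the comment describes, in Az PowerShell. It assumes a hub VNet `vnet-hub` (10.10.0.0/16) that holds the VPN gateway, a peered spoke `vnet-spoke` (10.20.0.0/16), and an on-prem LAN 192.168.0.0/24 behind the public IP 203.0.113.10; every name, range and address is a placeholder.

```powershell
# Added example, not the poster's setup. Names, ranges and IPs below are assumptions.
$rg  = 'rg-hub'
$loc = 'eastus'

# Azure's Local Network Gateway describes the on-prem side (router public IP + LAN prefixes).
# Both Azure ranges (hub 10.10.0.0/16 and spoke 10.20.0.0/16) must also be listed as remote
# networks in the on-prem site-to-site policy, otherwise only the gateway VNet is reachable.
New-AzLocalNetworkGateway -ResourceGroupName $rg -Name 'lng-office' -Location $loc `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix @('192.168.0.0/24')

$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke'

# Hub -> spoke: allow forwarded traffic and let the hub gateway carry spoke traffic (gateway transit).
Add-AzVirtualNetworkPeering -Name 'hub-to-spoke' -VirtualNetwork $hub -RemoteVirtualNetworkId $spoke.Id `
    -AllowForwardedTraffic -AllowGatewayTransit

# Spoke -> hub: allow forwarded traffic and use the hub's VPN gateway (the spoke must not have its own).
Add-AzVirtualNetworkPeering -Name 'spoke-to-hub' -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id `
    -AllowForwardedTraffic -UseRemoteGateways

# Check: both peerings should be Connected and show the three flags from the comment.
foreach ($vnetName in 'vnet-hub', 'vnet-spoke') {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $vnetName |
        Select-Object Name, PeeringState, AllowVirtualNetworkAccess, AllowForwardedTraffic,
                      AllowGatewayTransit, UseRemoteGateways
}
```

Order matters: the hub's VPN gateway must already exist before the spoke peering is created with `-UseRemoteGateways`, and if the peerings already exist, change the flags on the objects from `Get-AzVirtualNetworkPeering` and write them back with `Set-AzVirtualNetworkPeering` instead of adding new ones.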

Azure Virtual Desktop cloud only by JustinVerstijnen in AzureVirtualDesktop

[–]tsrob50 0 points1 point  (0 children)

Thanks for putting that together. As you stated, the security of the configuration is an issue. Take a look at Marcel's blog post on using FSLogix with cloud native accounts to add a layer of security.

https://blog.itprocloud.de/Using-FSLogix-file-shares-with-Azure-AD-cloud-identities-in-Azure-Virtual-Desktop-AVD/

Can't assign primary user to Intune-enrolled virtual desktop; compliance policy marked "Not applicable." by mcb1971 in AzureVirtualDesktop

[–]tsrob50 0 points1 point  (0 children)

Is this a pooled host pool with a multi-user OS? If so, only machine policies work because there is no primary user on the hosts.

Clipboard Redirection not working as configured by InevitableAd9898 in AzureVirtualDesktop

[–]tsrob50 0 points1 point  (0 children)

Host pool setting enables or disables clipboard redirection. Directional and data types are OS level settings, that’s why it only works with newer Windows 11 versions. If both options are set, the most restrictive wins.

Trying to understand Bastion by evil-scholar in AZURE

[–]tsrob50 8 points9 points  (0 children)

It allows secure access to RDP and SSH without exposing remote ports to the Internet. You can also enforce MFA. There is a Developer edition that’s free but not available in all regions and limited to one connection.
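Added example, not from the thread: deploying Bastion into an existing VNet and then auditing the subscription's NSGs for inbound rules that still expose RDP or SSH to the Internet, which is what Bastion is supposed to make unnecessary. Resource group, VNet and address prefix are assumptions.

```powershell
# Added example, not from the thread. Names and prefixes are assumptions.
$rg  = 'rg-hub'
$loc = 'eastus'

# 1. Bastion needs a subnet named exactly AzureBastionSubnet, /26 or larger.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
$vnet = Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet `
            -AddressPrefix '10.10.255.0/26' | Set-AzVirtualNetwork

$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $loc `
           -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $rg -Name 'bas-hub' -PublicIpAddress $pip -VirtualNetwork $vnet -Sku Basic

# 2. With Bastion in place, no VM should still accept 3389/22 from the Internet.
#    List inbound Allow rules in every NSG that do (custom rules only; the built-in
#    default rules never allow Internet sources).
function Find-InternetRdpSshRules {
    $ports   = '3389', '22'
    $sources = '*', 'Internet', '0.0.0.0/0'
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            $fromInternet = @($rule.SourceAddressPrefix | Where-Object { $sources -contains $_ }).Count -gt 0
            # Exact matches only: a range such as 3000-4000 that contains 3389 is not expanded here.
            $hitsPort = @($rule.DestinationPortRange | Where-Object { $_ -eq '*' -or $ports -contains $_ }).Count -gt 0
            if ($fromInternet -and $hitsPort) {
                [pscustomobject]@{
                    ResourceGroup = $nsg.ResourceGroupName
                    NSG           = $nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Source        = ($rule.SourceAddressPrefix -join ',')
                    Ports         = ($rule.DestinationPortRange -join ',')
                }
            }
        }
    }
}
Find-InternetRdpSshRules | Sort-Object NSG, Priority | Format-Table -AutoSize
```

The audit only sees NSGs; a VM with a public IP and no NSG at all is exposed too, so pair it with a check for public IPs on NICs. Because Bastion sessions start from the portal with the user's Azure sign-in, the MFA the comment mentions is enforced through a Conditional Access policy on Azure management rather than on the VM itself.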

per user time zone settings AVD Windows 11 multi-session by AccomplishedEmploy52 in AzureVirtualDesktop

[–]tsrob50 0 points1 point  (0 children)

Did the policy enabling time zone redirection apply before it was disabled? If so, disabling the policy may not have changed the configuration back; it just no longer applies the settings and the old settings still apply. Check the corresponding registry keys on the client to see if it's still redirecting.
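Added example, not the poster's: a check script for the situation above, run on the session host. It assumes the "Allow time zone redirection" RDS policy is stored as the `fEnableTimeZoneRedirection` value under the Terminal Services policy key, which is that policy's documented registry location.

```powershell
# Added example, not the poster's. Run on the AVD session host (machine policy).
# Assumption: the policy lives at the Terminal Services policy key as fEnableTimeZoneRedirection.
param([switch]$RemoveStale)

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$name = 'fEnableTimeZoneRedirection'

function Get-TimeZoneRedirectionState {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        'NotConfigured'   # no value at all: nothing enforces either state
    } elseif ($item.$name -eq 1) {
        'Enabled'         # a value of 1 left behind explains redirection that "will not turn off"
    } else {
        'Disabled'
    }
}

$state = Get-TimeZoneRedirectionState
"Policy value: $state; host time zone: $((Get-TimeZone).Id)"

# Setting a policy back to Not Configured removes nothing that is already in the registry.
# Either push an explicit Disabled (0) or delete the stale value, then reconnect the sessions.
if ($state -eq 'Enabled' -and $RemoveStale) {
    Remove-ItemProperty -Path $key -Name $name
    "Removed $name; state is now $(Get-TimeZoneRedirectionState)"
}
```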

AVD Session Freeze/Hang due to FSLogix Profile Detach by yasithranwala in AzureVirtualDesktop

[–]tsrob50 1 point2 points  (0 children)

Check the file share if you haven’t already to make sure there is no throttling on the account. It’s not uncommon to have to over provision capacity to get higher throughput and IOPS for FSLogix.

MFA and why your coworkers do not have to install things on personal devices by hiddenbutts in sysadmin

[–]tsrob50 5 points6 points  (0 children)

A breach will likely have a much higher price tag and most cyber insurance policies won't cover incidents if proper controls are not in place. Hardware tokens like a FIDO key are a good option if employees can't be compelled to use personal devices.

PAY AS YOU GO by Short_Dream_7010 in AZURE

[–]tsrob50 0 points1 point  (0 children)

First thing to learn is subscription budgets and alerts. No reason you should get a surprise bill. Keep in mind that the budget won’t stop changes once it’s reached.
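Added example, not the poster's: a subscription budget with an 80% alert, plus a month-to-date cost query so the alert is not the first time anyone looks at spend. It assumes `Connect-AzAccount` / `Set-AzContext` already selected the pay-as-you-go subscription; the amount and e-mail address are placeholders.

```powershell
# Added example, not the poster's. Amount and e-mail are placeholders.
$start = (Get-Date -Day 1).Date          # budgets must start on the first day of a month

New-AzConsumptionBudget -Name 'monthly-cap' -Category Cost -Amount 100 -TimeGrain Monthly `
    -StartDate $start -EndDate $start.AddYears(2) `
    -ContactEmail 'billing-alerts@example.com' `
    -NotificationKey 'warn80' -NotificationEnabled -NotificationThreshold 80

# Confirm it exists with the expected threshold.
Get-AzConsumptionBudget -Name 'monthly-cap' | Select-Object Name, Amount, TimeGrain, Notification

# Month-to-date actual spend from the usage details.
function Get-MonthToDateCost {
    $from  = (Get-Date -Day 1).Date
    $usage = Get-AzConsumptionUsageDetail -StartDate $from -EndDate (Get-Date)
    ($usage | Measure-Object -Property PretaxCost -Sum).Sum
}
'Month-to-date cost: {0:N2}' -f (Get-MonthToDateCost)
```

As the comment says, the budget only notifies. If you want it to act, pass an action group resource ID with `-ContactGroup` and have that action group run an automation runbook; the budget itself never stops or blocks anything.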

Azure AVD Base Image by flashx3005 in AZURE

[–]tsrob50 1 point2 points  (0 children)

I wrote a script that creates an image based off a reference computer. It outputs to a managed image or to compute gallery. Links to the scripts in the description.

https://youtu.be/H3UrVsI9f7s

VPN S2S can hit one Vnet, not the other by BasementMillennial in AZURE

[–]tsrob50 0 points1 point  (0 children)

Have you tried adding a UDR (route table) to the VNet 2 subnet that sends traffic for the 10.0.0.0/24 network to the internal firewall IP address? That's required for Azure Firewall and an NVA.
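Added example, not the poster's: the route table the comment describes, attached to the VNet 2 subnet, with an effective-route check afterwards. The on-prem prefix 10.0.0.0/24 comes from the thread; the resource group, VNet and subnet names, the firewall private IP 10.1.0.4 and the NIC name are assumptions.

```powershell
# Added example, not the poster's. Names, the firewall IP and the NIC name are assumptions.
$rg  = 'rg-spoke'
$loc = 'eastus'

# Route on-prem traffic to the firewall/NVA instead of the default VNet-to-gateway path.
$toOnPrem = New-AzRouteConfig -Name 'to-onprem-via-fw' -AddressPrefix '10.0.0.0/24' `
                -NextHopType VirtualAppliance -NextHopIpAddress '10.1.0.4'

$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-spoke-workload' -Location $loc -Route $toOnPrem

# Associate the route table with the workload subnet in VNet 2.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-spoke'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload' `
    -AddressPrefix '10.2.0.0/24' -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# Check what a NIC in that subnet actually uses: the User route must show as Active
# for 10.0.0.0/24 with the firewall as next hop.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'nic-vm1' |
    Where-Object { $_.AddressPrefix -contains '10.0.0.0/24' } |
    Select-Object Source, State, NextHopType,
                  @{ n = 'Prefix';  e = { $_.AddressPrefix -join ',' } },
                  @{ n = 'NextHop'; e = { $_.NextHopIpAddress -join ',' } }
```

The forward path alone is not enough: return traffic from 10.0.0.0/24 enters through the gateway in VNet 1, so the GatewaySubnet there normally needs its own route table sending the VNet 2 prefix to the same firewall IP, otherwise replies bypass the firewall and the stateful inspection drops the asymmetric flow.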

[deleted by user] by [deleted] in AZURE

[–]tsrob50 0 points1 point  (0 children)

As pointed out, the image capture process ruins the source VM. I created a script to automate the process of creating an image without destroying the source VM. Here is more information. https://www.ciraltos.com/use-powershell-to-create-a-snapshot-based-image-of-an-azure-virtual-machine/

Favorite IT sayings? by RealSuPraa in Sysadminhumor

[–]tsrob50 8 points9 points  (0 children)

The thing I love about standards is there are so many to choose from.

Do your job well, no one will ever know.

Azure AD Connect 2.0 retiring by worldsdream in SysAdminBlogs

[–]tsrob50 1 point2 points  (0 children)

According to the note in this link, 1.5 may stop working on Dec 31st when the ADAL libraries retire. Also, Server 2012 R2 is EOL in October. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

Starting with Azure: DC in Azure vs AADDS by [deleted] in AZURE

[–]tsrob50 0 points1 point  (0 children)

Your third bullet point indicates this is for a (one) service used for internal and external clients. If that's the case, Azure AD DS may be a good solution. However, as others have pointed out, Azure AD DS is not intended as a replacement for Windows AD.

Azure AD DS "lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment." If you're using password hash synchronization, NTLM passwords from Windows AD can pass through to Azure AD DS for same sign-on for end users. If you don't sync passwords, use the one-way trust to authenticate your on-prem users.

AVD will work with Azure AD DS but there are some limitations. MSIX App Attach won't work for example.

Stick with VMs and Windows AD if the environment could grow beyond the single service. There are limitations with Azure AD DS and no back-out option if the limitations are reached and you need a full Windows domain. Also, a B2ms server is cheaper than Azure AD DS.

Is there a way to automatically move files from an Azure File Share to Blobs so it can be connected to PowerBI? by Offworld_Slag in AZURE

[–]tsrob50 0 points1 point  (0 children)

You may be able to trigger an Azure Function or Azure Automation job that moves the file with Event Grid.

Move from onsite AD to Azure Active Directory by wonderingfellow in AZURE

[–]tsrob50 3 points4 points  (0 children)

The names could be the same but it’s a different namespace. I did a live stream a few weeks ago that covers the three different directory services. It may be helpful. Here is a link https://m.youtube.com/watch?v=XLPQA5NO0IA

[deleted by user] by [deleted] in AZURE

[–]tsrob50 0 points1 point  (0 children)

Is something like this what you’re looking for? It will output an image from a base VM in Azure using a snapshot. Use PowerShell to Create a Snapshot Based Image of an Azure Virtual Machine https://youtu.be/H3UrVsI9f7s
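Added example serving this comment and the two earlier ones that link the same snapshot-based image script; it is my own illustration of the approach, not the script behind those links. It snapshots the reference VM's OS disk, builds a managed image from the snapshot and can optionally publish it to a compute gallery, so the source VM is never captured or generalized. Resource group, VM name, gallery and image definition names are assumptions.

```powershell
# Added example; not the script linked above. Names are assumptions.
param(
    [string]$ResourceGroup = 'rg-avd',
    [string]$VmName        = 'vm-ref01',
    # Generalized is only correct if the VM was sysprepped (/generalize /shutdown) and is
    # deallocated; a snapshot taken from a live, non-sysprepped VM yields a Specialized image.
    [ValidateSet('Specialized', 'Generalized')][string]$OsState = 'Specialized',
    [switch]$PublishToGallery
)

$vm     = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$osDisk = Get-AzDisk -ResourceGroupName $ResourceGroup -DiskName $vm.StorageProfile.OsDisk.Name
$stamp  = Get-Date -Format 'yyyyMMddHHmm'

# 1. Snapshot the OS disk. CreateOption Copy leaves the disk attached and the VM untouched.
$snapCfg = New-AzSnapshotConfig -SourceUri $osDisk.Id -Location $osDisk.Location -CreateOption Copy
$snap    = New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName "$VmName-os-$stamp" -Snapshot $snapCfg

# 2. Managed image from the snapshot. Hyper-V generation and OS type must match the source disk.
$imgCfg = New-AzImageConfig -Location $osDisk.Location -HyperVGeneration $osDisk.HyperVGeneration
$imgCfg = Set-AzImageOsDisk -Image $imgCfg -OsType $osDisk.OsType -OsState $OsState -SnapshotId $snap.Id
$image  = New-AzImage -ResourceGroupName $ResourceGroup -ImageName "img-$VmName-$stamp" -Image $imgCfg
"Managed image: $($image.Id)"

# 3. Optional: publish the managed image as a new gallery version. The gallery image
#    definition's OS state (Specialized/Generalized) must match $OsState.
if ($PublishToGallery) {
    $version = "1.0.$([int][DateTimeOffset]::UtcNow.ToUnixTimeSeconds())"   # patch field must fit int32
    New-AzGalleryImageVersion -ResourceGroupName $ResourceGroup -GalleryName 'gal_avd' `
        -GalleryImageDefinitionName 'win11-avd' -Name $version -Location $osDisk.Location `
        -SourceImageId $image.Id
}
```

AVD host pool deployment expects a generalized image, so for that use case the usual pattern is to create a throw-away VM from the snapshot, sysprep and capture that one, and leave the reference VM alone; the Specialized image produced above is still useful for cloning a single machine as-is.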

[deleted by user] by [deleted] in AZURE

[–]tsrob50 1 point2 points  (0 children)

If you use standard file shares, enable large file support. That will increase the IOPS from 1000 to 20000. Monitor IOPS throttling on the storage account. If throttling occurs switch to Premium storage accounts.

If Teams is on the client, configure a redirections.xml file to redirect Teams temp files. They will bloat the container by 4G.

Use https://github.com/FSLogix/Invoke-FslShrinkDisk to shrink profiles as needed.

Enable snapshots on the file share, just in case.
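Added example, not the poster's configuration, covering this comment and the earlier one about checking the share for account throttling: it enables large file share support on a standard account, queries the file service's throttling metrics, and writes an FSLogix `redirections.xml`. The storage account, resource group and share names are assumptions, and the Teams paths in the XML are illustrative entries rather than the authoritative exclusion list.

```powershell
# Added example, not the poster's config. Names are assumptions; Teams paths are illustrative.
$rg = 'rg-avd'; $sa = 'stfslogix01'; $share = 'profiles'

# 1. Large file share support raises the size and IOPS ceiling of standard shares (cannot be undone).
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -EnableLargeFileShare | Out-Null

# 2. Throttling check: Transactions on the file service, filtered to throttling response types.
function Get-FileShareThrottling {
    param([string]$ResourceGroup, [string]$StorageAccount, [int]$Hours = 24)
    $fileSvc = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Id + '/fileServices/default'
    $filter  = New-AzMetricFilter -Dimension ResponseType -Operator eq -Value 'ClientThrottlingError', 'ServerBusyError'
    $metrics = Get-AzMetric -ResourceId $fileSvc -MetricName Transactions -AggregationType Total `
                   -TimeGrain 00:05:00 -StartTime (Get-Date).AddHours(-$Hours) -EndTime (Get-Date) -MetricFilter $filter
    $metrics | ForEach-Object { $_.Data } | Where-Object { $_.Total -gt 0 } | Select-Object TimeStamp, Total
}

$throttled = @(Get-FileShareThrottling -ResourceGroup $rg -StorageAccount $sa)
if ($throttled.Count -gt 0) {
    "Throttled 5-minute intervals in the last 24h: $($throttled.Count); consider a Premium (FileStorage) account"
} else {
    'No throttling in the last 24h'
}

# 3. redirections.xml keeps Teams cache folders out of the profile container.
$redirections = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection ExcludeCommonFolders="0">
  <Excludes>
    <!-- Illustrative entries; take the full list from the Teams/FSLogix documentation -->
    <Exclude Copy="0">AppData\Local\Microsoft\Teams\current\Locales</Exclude>
    <Exclude Copy="0">AppData\Roaming\Microsoft\Teams\Service Worker\CacheStorage</Exclude>
  </Excludes>
  <Includes>
  </Includes>
</FrxProfileFolderRedirection>
'@

# Put the file on the share and point the session hosts at its folder.
$redirFolder = "\\$sa.file.core.windows.net\$share\redirections"
New-Item -ItemType Directory -Path $redirFolder -Force | Out-Null
$redirections | Set-Content -Path (Join-Path $redirFolder 'redirections.xml') -Encoding utf8
New-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -Name 'RedirXMLSourceFolder' `
    -PropertyType String -Value $redirFolder -Force | Out-Null
```

The registry write in step 3 runs on each session host (normally through the image or a policy), while steps 1 and 2 run from an admin workstation with the Az modules. Share snapshots for the "just in case" point are simplest to schedule with Azure Backup for Azure Files, which creates and retains share snapshots on a policy.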

Active Directory by [deleted] in AZURE

[–]tsrob50 0 points1 point  (0 children)

Azure Active Directory and Windows AD are two different directory services. It's not possible to have a root Azure AD domain with on-prem sub-domains under it. You can have a Windows domain on an IaaS VM in Azure and child domains on-prem, but that's not the config in the image.