What do I need to consider when setting up an AVD environment?
I don't want to go into the actual setup in this post, as several good tutorials on the internet walk you through all the steps needed to deploy a working environment. However, I would like to highlight some points that deserve special attention.
Hybrid joined, or Azure AD only joined?
There are two ways to run an AVD environment:
with Active Directory-joined session hosts that are additionally registered in Azure AD via Azure AD Connect -> hybrid joined,
with Azure AD-only joined session hosts.
Currently, there is no right or wrong. However, the following facts may help to decide which scenario is the best for your situation:
For a hybrid-joined approach you need, of course, an on-premises Active Directory as well as Azure AD Connect, which synchronizes the AD objects between the on-prem AD and Azure AD.
To have a persistent user profile in a pooled environment (shared session hosts), you need a storage account (Azure Files) on which FSLogix stores the profile containers. Authenticating to that share is currently only possible with AD (Active Directory) or AADDS (Azure Active Directory Domain Services). Without FSLogix, OneDrive is not supported on pooled hosts either.
If user profiles are to be kept on AAD-only joined hosts and OneDrive is to be used properly, personal desktops must be provided, on which the profiles are stored locally.
With AAD-only joined hosts, hybrid identities can be used to store the profiles centrally on a storage account (Azure AD Kerberos authentication for Azure Files). This feature is currently in public preview.
When sizing the session hosts for multi-session use, it is possible to save money, but undersizing does not necessarily make you more popular with your users 😉. The table on the following Microsoft page gives a good overview of which VM size should be selected for which workload: Virtual machine sizing | Microsoft Docs
For production AVD environments, a D-series VM is the right choice. B-series (burstable) VMs are only suitable for users who do not constantly need full CPU performance.
Furthermore, I recommend using the Premium SSD disk type for the OS disk to provide the required performance. 'Standard SSD' or even 'Standard HDD' should be avoided.
Access from non-domain devices
To allow access to Azure AD-joined session hosts from client devices that are not Azure AD-joined (e.g. macOS or Linux), the setting targetisaadjoined:i:1 needs to be added to the host pool as a custom RDP property. Users connecting from those devices then have to enter their username and password when logging on to the session host.
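The following PowerShell snippet is an added example, not code from the original post. It appends targetisaadjoined:i:1 to the host pool's custom RDP properties with the Az.DesktopVirtualization module without overwriting properties that are already set. The resource group and host pool names are placeholders you have to replace with your own.

```powershell
# Added example: allow non-Azure AD-joined clients to connect to an Azure AD-joined host pool.
# Assumes the Az.DesktopVirtualization module is installed and you are signed in (Connect-AzAccount).
Import-Module Az.DesktopVirtualization

$rg   = 'rg-avd-prod'     # assumed resource group name (placeholder)
$pool = 'hp-avd-pooled'   # assumed host pool name (placeholder)

$hostPool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$current  = $hostPool.CustomRdpProperty   # e.g. 'drivestoredirect:s:;audiomode:i:0;' or $null

if ($current -match 'targetisaadjoined:i:1') {
    Write-Host "Host pool '$pool' already allows non-Azure AD-joined clients."
} else {
    # Custom RDP properties are a semicolon-separated list. Strip a trailing separator
    # before appending so we never end up with ';;' in the property string.
    $updated = (($current -replace ';\s*$', '') + ';targetisaadjoined:i:1;').TrimStart(';')
    Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $updated
    Write-Host "Updated custom RDP properties: $updated"
}

# Verify the property landed. Remember the trade-off described above: clients that are not
# Azure AD-joined fall back to username/password at the session host logon.
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
```

Run the verification line again after a few minutes from one of the affected clients' perspective: if the property is missing, those clients receive a logon error instead of a credential prompt.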
MFA / Conditional Access
Since the AVD environment is reachable from the internet, I strongly recommend enforcing MFA (Multi-Factor Authentication) for all users via Conditional Access.
First, make sure the legacy per-user MFA setting is disabled for every user, so that MFA is enforced consistently by Conditional Access alone.
Second, unless sign-in is restricted to strong authentication methods such as Windows Hello for Business, the cloud app 'Azure Windows VM Sign-In' must be excluded from the Conditional Access policy, otherwise the logon to an Azure AD-joined session host fails because the MFA requirement cannot be satisfied with a password.
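The following PowerShell snippet is an added example, not code from the original post. It performs the two checks above: it lists users who still have the legacy per-user MFA setting, and it creates a Conditional Access policy that requires MFA for all cloud apps while excluding 'Azure Windows VM Sign-In'. It assumes the MSOnline and Microsoft.Graph modules are installed, that a break-glass group with the name given below exists (the name is a placeholder), and that the 'Azure Windows VM Sign-In' service principal is present in your tenant.

```powershell
# Added example: audit legacy per-user MFA and create a CA policy that excludes the VM sign-in app.
# Assumes MSOnline and Microsoft.Graph modules; group name and policy name are placeholders.

# --- 1. Find users who still have the legacy per-user MFA setting enabled or enforced ---
Connect-MsolService
$perUserMfa = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -gt 0 } |
    Select-Object UserPrincipalName,
        @{ n = 'PerUserMfaState'; e = { $_.StrongAuthenticationRequirements.State } }
$perUserMfa | Format-Table -AutoSize
# To hand MFA over to Conditional Access for one of them:
# Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @()

# --- 2. Create the Conditional Access policy via Microsoft Graph ---
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

$breakGlass = Get-MgGroup -Filter "displayName eq 'sg-breakglass-accounts'"   # assumed group name
if (-not $breakGlass) { throw "Break-glass group not found; never roll out an all-users MFA policy without one." }

$vmSignIn = Get-MgServicePrincipal -Filter "displayName eq 'Azure Windows VM Sign-In'"
if (-not $vmSignIn) { throw "Service principal 'Azure Windows VM Sign-In' not found in this tenant." }

$policy = @{
    displayName = 'CA-AVD-Require-MFA-All-Users'          # assumed policy name
    state       = 'enabledForReportingButNotEnforced'     # report-only first, enforce after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)             # keep emergency access accounts out of the policy
        }
        applications = @{
            includeApplications = @('All')
            # The session host logon cannot complete an MFA prompt with a password, so exclude it here
            # (drop this exclusion only if sign-in is restricted to Windows Hello for Business or FIDO2).
            excludeApplications = @($vmSignIn.AppId)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the policy exists and inspect the exclusion before switching state to 'enabled'.
Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'" |
    Select-Object DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs show the expected results for both the AVD client connection and the session host logon; then set `state = 'enabled'`.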
Can AVD be deployed via IaC?
To further streamline the deployment of an AVD environment, the whole process can be automated using Infrastructure as Code (IaC). The complete setup is described in an ARM template, and as soon as it is deployed, all required resources are created automatically. It only takes a few minutes from the start of the deployment until a user can log on to a desktop.
Moreover, automation through IaC, combined with the policies defined in your Azure governance, ensures that no uncontrolled growth occurs in the cloud environment, avoiding unnecessary costs. Finally, IaC keeps the infrastructure aligned with the desired definition at all times, which simplifies operational support and standardizes provisioning.
Do you need support in setting up an AVD environment, or do you want to tune your existing one? Do not hesitate to contact us! Our experts are at your disposal and will help you provide the best for your users.