
AZ-140 Lab Tips


I’m Amir Rouhanipoor, an IT Consultant specializing in Azure and cloud solutions. I help organizations streamline their IT and drive growth through secure, efficient cloud technologies.


Security-focused Cloud & Automation Engineer with a Master’s in Computer Science and 6+ years of experience automating and supporting enterprise IT environments across multi-site corporate and operational infrastructures. Proficient in Python scripting, Azure infrastructure, Windows Server, and identity management. Skilled in integrating third-party platforms, securing configurations, and streamlining operations. Currently pursuing the Cybersecurity Architect Expert certification with a strong focus on cloud security and automation.

Tip 1: Register the Microsoft.DesktopVirtualization resource provider

Before using AVD, make sure the resource provider is registered. In the PowerShell session in the Azure Cloud Shell pane, run the following command to register the Microsoft.DesktopVirtualization resource provider:

Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization

New Azure tenants don’t have all providers registered by default: some resource providers are registered automatically when you create a related resource, but others (like AVD) require manual registration.

When do you need to run the command?

Before setting up Azure Virtual Desktop for the first time

If AVD deployment fails with a missing resource provider error

When migrating AVD resources between subscriptions that might not have the provider registered


Tip 2: The core AVD deployment flow is:

  1. **Prepare the Azure subscription:** register Microsoft.DesktopVirtualization, create a vNet and subnet.

  2. **Deploy the AVD host pool:** create a host pool with the Pooled type and deploy session hosts (VMs) in the subnet.

  3. **Assign users:** assign the user or user group to the default desktop application group.

  4. **Create the AVD workspace:** register the application group in the workspace.

  5. **Grant access to the AVD host pool:** assign the Virtual Machine User Login role to AVD-DAG.
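The five steps above as Az PowerShell, an added example that is not from the original post. Session-host VM deployment (the second half of step 2) is left to the portal or a template; the resource names, region, address ranges and user UPN are assumptions.

```powershell
# Added example: Tip 2 end to end with Az.Resources, Az.Network and Az.DesktopVirtualization.
# Assumes an existing Connect-AzAccount session. All names below are assumptions.
$rg       = 'rg-avd-lab'            # assumed resource group
$location = 'westeurope'            # assumed region
$userUpn  = 'avduser@contoso.com'   # assumed user who gets the desktop

# Step 1: provider registration (idempotent) and the network the session hosts will use
$provider = Get-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization | Select-Object -First 1
if ($provider.RegistrationState -ne 'Registered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.DesktopVirtualization | Out-Null
}
if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-avd' -AddressPrefix '10.10.1.0/24'
New-AzVirtualNetwork -Name 'vnet-avd' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $subnet | Out-Null

# Step 2: pooled host pool; session hosts are joined to it afterwards with a registration token
$hostPool = New-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-avd-pooled' -Location $location `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
    -MaxSessionLimit 10 -ValidationEnvironment:$false

# Step 3: desktop application group (the portal creates one named <hostpool>-DAG) and user assignment
$dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'hp-avd-pooled-DAG' -Location $location `
    -ApplicationGroupType Desktop -HostPoolArmPath $hostPool.Id
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $dag.Name -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

# Step 4: workspace that publishes the application group to the user's feed
New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-avd' -Location $location `
    -ApplicationGroupReference $dag.Id | Out-Null

# Step 5: sign-in right on the session hosts, scoped to the resource group only.
# User Login, not Administrator Login: the DAG assignment publishes the desktop,
# this role is what actually lets the account log on to the VM.
New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName 'Virtual Machine User Login' `
    -ResourceGroupName $rg | Out-Null
```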


**Tip 3:** To log in to an Azure Virtual Desktop (AVD) VM, a user needs the following permissions and configuration:

1. Role Assignments in Azure

Users must have appropriate Azure RBAC (Role-Based Access Control) roles assigned at the VM, resource group, or subscription level:

Virtual Machine User Login – allows users to log in to the VM via RDP (assigned at the resource group level through IAM).

Virtual Machine Administrator Login – if administrative access is needed.

(If the user is assigned the Virtual Machine User Login or Virtual Machine Administrator Login role at the VM, resource group, or subscription level, Azure automatically grants remote access without requiring manual group membership.)

2. AVD-Specific Role Assignments

Users must be assigned to the appropriate AVD resources:

Host Pool – The VM must be part of a configured AVD host pool.

Application Group – The user (or a group the user is in) must be assigned to an app group that provides access to the desktop or apps.

Workspace – The app group should be associated with a workspace that the user can subscribe to.

3. VM-Level Access Permissions

• The user must be part of the Remote Desktop Users group on the VM (or have admin privileges).

• Network security rules and NSGs must allow inbound RDP (port 3389) or necessary connections for AVD.

4. Conditional Access & MFA (If Enabled)

• If Conditional Access policies or multi-factor authentication (MFA) are enforced, the user must comply with those security requirements.

Tip: When using the Breadth-first load balancing algorithm, the max session limit parameter is optional.

Tip 3: Azure Local Virtual Machines

Azure Local VMs run on-premises (on local hardware) but can be managed through Azure services such as Azure Arc or Azure Stack HCI.

Note: When using Microsoft Entra-joined session hosts, you must assign the appropriate Azure role-based access control (RBAC) roles to Azure Virtual Desktop users and administrators. Specifically:

• The Virtual Machine User Login role is required for users to sign in to session hosts.

• The Virtual Machine Administrator Login role is required for local administrative privileges.

Tip 4: While you can change the image and VM name prefix when adding session hosts to an existing pool, it’s generally not recommended unless you intend to replace all VMs in the pool for consistency.

Tip 5: On a host pool, the “Start VM on Connect” feature helps reduce costs by powering on session host VMs only when needed. For personal host pools, it powers on the VM assigned to the connecting user. For pooled host pools, it powers on a VM only when none are running; additional VMs are powered on when the first reaches its session limit. (To use “Start VM on Connect”, the Desktop Virtualization Power On Contributor RBAC role must be assigned to the Azure Virtual Desktop service principal at the subscription level.)

    # Subscription of the current Az context; (Get-AzSubscription).Id would return an array
    # when the account has access to several subscriptions and break the Scope string.
    $subId = (Get-AzContext).Subscription.Id

    $parameters = @{
        RoleDefinitionName = "Desktop Virtualization Power On Contributor"
        ApplicationId      = "9cdead84-a844-4324-93f2-b2e6bb768d07"   # Azure Virtual Desktop service principal
        Scope              = "/subscriptions/$subId"
    }

    New-AzRoleAssignment @parameters
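An added audit script (not from the original post) that checks the assignments Tip 3 and Tip 5 depend on before a user reports a failed connection: the VM login role on the session-host resource group, the Desktop Virtualization User assignment on the application group, and the Power On Contributor role for the AVD service principal. Resource group, application group and user names are assumptions; the application ID is the one from Tip 5.

```powershell
# Added example: verify AVD access prerequisites and flag over-privileged grants.
# Names are assumptions; requires Az.Accounts and Az.Resources and a signed-in context.
$rg       = 'rg-avd-lab'
$dag      = 'hp-avd-pooled-DAG'
$userUpn  = 'avduser@contoso.com'
$avdAppId = '9cdead84-a844-4324-93f2-b2e6bb768d07'   # Azure Virtual Desktop service principal (Tip 5)
$subId    = (Get-AzContext).Subscription.Id

# Tip 3, step 1: a VM login role effective at the resource group scope.
# -ExpandPrincipalGroups also catches roles the user inherits through group membership;
# inherited subscription-level assignments are included in the result as well.
$vmLogin = Get-AzRoleAssignment -SignInName $userUpn -ResourceGroupName $rg -ExpandPrincipalGroups |
    Where-Object RoleDefinitionName -in @('Virtual Machine User Login', 'Virtual Machine Administrator Login')
if (-not $vmLogin) {
    Write-Warning "$userUpn has no Virtual Machine User/Administrator Login role on $rg"
}
# Administrator Login gives local admin on every session host in scope; report it for review.
$vmLogin | Where-Object RoleDefinitionName -eq 'Virtual Machine Administrator Login' |
    ForEach-Object { Write-Warning "$userUpn has local admin on session hosts via scope $($_.Scope)" }

# Tip 3, step 2: the user (directly or via a group) is assigned to the desktop application group.
$dagAccess = Get-AzRoleAssignment -SignInName $userUpn -ResourceGroupName $rg -ResourceName $dag `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' `
    -RoleDefinitionName 'Desktop Virtualization User' -ExpandPrincipalGroups
if (-not $dagAccess) {
    Write-Warning "$userUpn is not assigned Desktop Virtualization User on $dag"
}

# Tip 5: Start VM on Connect needs Power On Contributor for the AVD service principal at subscription scope.
$avdSp   = Get-AzADServicePrincipal -ApplicationId $avdAppId
$powerOn = Get-AzRoleAssignment -ObjectId $avdSp.Id -Scope "/subscriptions/$subId" `
    -RoleDefinitionName 'Desktop Virtualization Power On Contributor'
if (-not $powerOn) {
    Write-Warning 'AVD service principal lacks Desktop Virtualization Power On Contributor; Start VM on Connect will not work'
}
```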
    

Tip 6: The Scheduled Agent Updates feature in host pool setting allows you to set up to two maintenance windows for updating the Azure Virtual Desktop agent, side-by-side stack, and Geneva Monitoring agent, ensuring updates occur outside of business hours.

Tip 7: To use Microsoft Entra single sign-on, enable “Microsoft Entra single sign-on” under the RDP Properties of the host pool. This is equivalent to adding the custom RDP property below on the Advanced tab, where value is 1 to enable SSO:

enablerdsaadauth:i:value

Tip 8: KQL query for the maximum number of concurrent sessions:

WVDConnections //Simultaneous Sessions with Details
| where TimeGenerated > ago(30d)  // time range
| extend PacificTime = TimeGenerated - 8h  // Convert UTC to Pacific Standard Time (fixed offset; does not account for daylight saving time)
| summarize ActiveSessions = dcount(SessionHostSessionId), 
            Users = make_set(UserName), 
            Hosts = make_set(SessionHostName) 
    by bin(PacificTime, 5m)
| top 1 by ActiveSessions desc  // Get the peak time

Tip 9: Maximum number of sessions on each session host, as a graph (KQL query):

WVDConnections
| extend PacificTime = TimeGenerated - 8h  // Convert UTC to PST
| make-series ActiveSessions = dcount(SessionHostSessionId) default=0 on PacificTime from datetime(2024-01-22 19:10:00) to datetime(2024-01-25 20:20:00) step 5m by SessionHostName
| render areachart

Tip 10: Total number of sessions in the last month:

WVDConnections
| where TimeGenerated > ago(30d)
| summarize TotalSessions = count()

or during a specific time range:

WVDConnections
| where TimeGenerated between (datetime(2025-02-12 00:00:00) .. datetime(2025-02-28 23:59:59))  
| summarize TotalSessions = count()

Some Acronyms:

AVD: Azure Virtual Desktop

DAG: Desktop Application Group
