Skip to content
Schoolyear AVD
Search limited to the 1 version. Switch to the latest version for up-to-date results.

SSO group for AVD

This content is for the 1 version. Switch to the latest version for up-to-date documentation.

The first time a student connects to AVD, an Oauth popup is shown asking them to grant access to the session host VM. We need to prevent this popup from showing, as it negatively impacts the end-user experience and introduces a failure point during the onboarding of new students. Additionally, the Schoolyear Safe Exam Workspace blocks all browser popups, making this step a requirement.

This guide describes the step-by-step plan. If you want more information, see this Microsoft Article

Enable RDP

Section titled “Enable RDP”

You need to enable an RDP setting for two “magic” Service Principles that are internal to Azure Virtual Desktop. Execute the following PowerShell script. Make sure your terminal is using the Azure Subscription in which you are implementing Schoolyear AVD.

Install required modules if you haven’t already (you need to do this as an Administrator).

Terminal window
Install-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Applications
Terminal window
# import & connect
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications


Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All" -NoWelcome


# get the service principals for some magic apps
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id


# set the properties
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId) -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}


If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId) -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}


# check if it was set
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId

You should expect an output like this:

Id IsRemoteDesktopProtocolEnabled
-- ------------------------------
id True

Configure Dynamic Group

Section titled “Configure Dynamic Group”

Next, you need to create a Dynamic Group in Entra ID. You must configure this group to include any future session host used for Schoolyear AVD.

  1. Navigate to Microsoft Entra ID > Manage > Groups

  2. Click New Group and configure the following

    • Group Type: Security
    • Group Name: schoolyear-avd-sessionhost
    • Microsoft Entra roles can be assigned to the group: No
    • Membership type: Dynamic Device

  3. Click Add dynamic query and click Edit above the Rule syntax textarea

  4. Paste (device.displayName -startsWith "syvm")

  5. Click “Save”

  6. Click “Create”

Note down the name and device group

Create Target Device Group

Section titled “Create Target Device Group”

Now, you need to link the Dynamic Group you just created to the RDP services of Azure Virtual Desktop.

Make sure you have Microsoft.Graph installed.

Terminal window
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

Execute the following PowerShell script. Make sure your terminal is using the Azure Subscription in which you are implementing Schoolyear AVD.

Terminal window
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = "<Group object ID>" # the ID of the Dynamic Group you just created
$tdg.DisplayName = "schoolyear-avd-sessionhost" # the name of the Dynamic Group you just created


Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All" -NoWelcome


$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id


# Check if the target device group already exists for MSRD service principal
$existingMSRDGroups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId
$MSRDGroupExists = $existingMSRDGroups | Where-Object { $_.Id -eq $tdg.Id }


if (-not $MSRDGroupExists) {
    Write-Host "Adding target device group to MSRD service principal..."
    New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
} else {
    Write-Host "Target device group already exists for MSRD service principal."
}


# Check if the target device group already exists for WCL service principal
$existingWCLGroups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId
$WCLGroupExists = $existingWCLGroups | Where-Object { $_.Id -eq $tdg.Id }


if (-not $WCLGroupExists) {
    Write-Host "Adding target device group to WCL service principal..."
    New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg
} else {
    Write-Host "Target device group already exists for WCL service principal."
}