Prerequisites
Service team
Section titled “Service team”Schoolyear AVD is a self-managed integration with your own Azure tenant, not a SaaS product. To set up the Schoolyear AVD integration, keep it operational and respond to incidents, you need a service team. Depending on the size of your organization and availability requirements, this could be a one-person team or a two/three-person team with an on-call schedule.
Refer to the Self-Managed page for more information.
Azure Tenant
Section titled “Azure Tenant”Schoolyear AVD is an integration with a service of Azure: Azure Virtual Desktop. This integration connects to your own Azure tenant to deploy resources in your infrastructure.
This means that you need to have your own Azure Tenant. Microsoft or a local distributor will be happy to provide you with one.
Azure Subscription
Section titled “Azure Subscription”Schoolyear AVD assumes you are working from a clean Azure Subscription dedicated to deploying this integration. This integration will be creating and deleting new resource groups in this Subscription, which is not a privilege you want to give to a third party on a Subscription you are using for other purposes.
Furthermore, the resources deployed by this integration may conflict with a policy in your Azure Tenant, which is easier to make an exception for when using a dedicated Subscription.
If you plan to deploy an integration in your beta environment, you will need to set up a separate Azure Subscription for this purpose.
If your Azure reseller charges an additional fee for each subscription, you may want to discuss this with them. A dedicated subscription for Schoolyear AVD typically requires negligible management overhead, making it difficult for them to justify any per-subscription fees. Consider negotiating to waive or reduce these fees for this subscription.
The following Resource Providers must be registered in the Subscription:
Microsoft.VirtualMachineImagesMicrosoft.StorageMicrosoft.ComputeMicrosoft.KeyVaultMicrosoft.ContainerInstanceMicrosoft.DesktopVirtualization
On this page you can learn how to register these Resource Providers.
Students must be member users
Section titled “Students must be member users”Due to a restriction in Azure Virtual Desktop, the Microsoft accounts that students will use to log in must be member users in the tenant. They cannot be guest users. This is a hard requirement that we nor Microsoft support can circumvent. You must host the Azure infrastructure in the home tenant of the students.
Microsoft 365 license
Section titled “Microsoft 365 license”To use Azure Virtual Desktop, you usually need a Microsoft 365 license that includes Windows virtualization rights and Office 365.
For most educational institutes you will need an A3 or A5 license.
Dummy student account
Section titled “Dummy student account”Your service team should have access to a dummy student account that is similar to the accounts that the students would have. It should have similar permissions, licenses and login methods. This account is essential to testing and troubleshooting operations of the service team.
Entra ID P1 or Intune for Education license
Section titled “Entra ID P1 or Intune for Education license”To set up Schoolyear AVD, you need to create a Dynamic Group in Entra ID. This requires either a Microsoft Entra ID P1 license or an Intune for Education license. For more information, see https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership.
Isolated ChromeOS network
Section titled “Isolated ChromeOS network”In case you are planning to use ChromeOS devices, you must configure an isolated network for these machines with a dedicated public IP or IP range. This network must only be accessible from within the Schoolyear Kiosk app to ensure exam security.
Specifically, this means two things:
- The network must not be accessible to devices not running the Schoolyear Kiosk app.
- The devices that do have access to the network must not allow users to bypass the Schoolyear Kiosk app. For example, guest users should be disabled.
This only applies to ChromeOS devices, not Windows or macOS devices.
The security of your exams relies on the proper configuration of this network. Since any traffic from this public IP or IP range is trusted as originating from a secure Schoolyear-ChromeOS device, it is essential to ensure the network is properly isolated and access is restricted.
Azure CLI
Section titled “Azure CLI”You must have the Azure CLI installed locally and be logged in (az login).
Refer to the Get Started with Azure CLI
guide from Microsoft.
GitHub account (recommended)
Section titled “GitHub account (recommended)”We recommend the service team members working on image building to get a free GitHub account. Having such an account allows them to download images provided by Schoolyear and community members easily.
This is an optional requirement.