SSO group for AVD

The first time a student connects to AVD, an OAuth popup is shown asking them to grant access to the sessionhost VM. We need to prevent this popup from showing, because it degrades the end-user experience and introduces a failure point during the onboarding of new students. Additionally, the Schoolyear Safe Exam Workspace blocks all browser popups, which makes this step a hard requirement.

This guide describes the step-by-step plan. For more background, see this Microsoft article.

Enable RDP

You need to enable an RDP setting for two "magic" service principals that are internal to Azure Virtual Desktop. Execute the following PowerShell script. Make sure your terminal is signed in to the Azure subscription in which you are implementing Schoolyear AVD.

Install the required modules if you haven't already (run this as an Administrator).

Terminal window
Install-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Applications

Terminal window
# import & connect
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
# get the service principals for the two magic apps
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
# enable RDP on each service principal if it is not enabled yet
# (check the IsRemoteDesktopProtocolEnabled property, not the whole configuration object)
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}
If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}
# check that it was set on both service principals
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId

You should expect output like this, once for each service principal:

Id IsRemoteDesktopProtocolEnabled
-- ------------------------------
id True

Configure Dynamic Group

Next, you need to create a Dynamic Group in Entra ID. Configure this group so that every future sessionhost used for Schoolyear AVD becomes a member automatically.

  1. Navigate to Microsoft Entra ID > Manage > Groups

  2. Click New Group and configure the following:

    • Group Type: Security
    • Group Name: schoolyear-avd-sessionhost
    • Microsoft Entra roles can be assigned to the group: No
    • Membership type: Dynamic Device

  3. Click Add dynamic query and click Edit above the Rule syntax textarea

  4. Paste (device.displayName -startsWith "syvm") as the rule

  5. Click "Save"

  6. Click "Create"

Note down the group's name and object ID; you need both in the next step.

Create Target Device Group

Now, you need to link the Dynamic Group you just created to the RDP configuration of the two Azure Virtual Desktop service principals.

Make sure you have Microsoft.Graph installed.

Terminal window
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

Execute the following PowerShell script. Make sure your terminal is signed in to the Azure subscription in which you are implementing Schoolyear AVD.

Terminal window
# import & connect (the module must be loaded before the TargetDeviceGroup type can be created)
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
# describe the Dynamic Group you just created
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = "<Group object ID>" # the object ID of the Dynamic Group you just created
$tdg.DisplayName = "schoolyear-avd-sessionhost" # the name of the Dynamic Group you just created
# get the service principals for the two magic apps
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
# link the group to the RDP configuration of both service principals
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg
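As an added verification script, not part of this guide or of Microsoft's documentation, the following PowerShell checks the end state of all three steps above: RDP enabled on both service principals, the group linked to both as a target device group, and the dynamic group active with only "syvm" devices as members. It assumes the group name and rule prefix used in this guide; the group object ID is a placeholder, and the read-only Graph scopes are chosen here because the script changes nothing.

```powershell
# Added verification script; assumes the group name and "syvm" prefix used in this guide.
param(
    [string]$GroupId    = "<Group object ID>",          # placeholder: object ID of the dynamic group
    [string]$GroupName  = "schoolyear-avd-sessionhost",
    [string]$HostPrefix = "syvm"                         # prefix from the dynamic membership rule
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups
# read-only scopes are enough for a check; nothing is modified here
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.Read.All","Group.Read.All","GroupMember.Read.All"

$ok = $true
# the same two AVD service principals configured in the steps above
$appIds = @{ MSRD = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"; WCL = "270efc09-cd0d-444b-a71f-39af4910ec45" }
foreach ($label in $appIds.Keys) {
    $spId = (Get-MgServicePrincipal -Filter "AppId eq '$($appIds[$label])'").Id
    # step 1: the RDP flag must be on
    $cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $spId
    if ($cfg.IsRemoteDesktopProtocolEnabled -ne $true) {
        Write-Warning "$label : IsRemoteDesktopProtocolEnabled is not true"; $ok = $false
    }
    # step 3: our group must be among the linked target device groups
    $linked = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $spId)
    if ($linked.Id -notcontains $GroupId) {
        Write-Warning "$label : group $GroupName ($GroupId) is not linked as a target device group"; $ok = $false
    }
}

# step 2: the dynamic rule must be active and should only ever produce session hosts
$group = Get-MgGroup -GroupId $GroupId -Property DisplayName,MembershipRule,MembershipRuleProcessingState
if ($group.MembershipRuleProcessingState -ne "On") {
    Write-Warning "Dynamic membership processing is '$($group.MembershipRuleProcessingState)', expected 'On'"; $ok = $false
}
if ($group.MembershipRule -notmatch [regex]::Escape($HostPrefix)) {
    Write-Warning "Membership rule does not reference prefix '$HostPrefix': $($group.MembershipRule)"; $ok = $false
}
$members = @(Get-MgGroupMember -GroupId $GroupId -All)
$stray = @($members | Where-Object { $_.AdditionalProperties['displayName'] -notlike "$HostPrefix*" })
if ($members.Count -eq 0) { Write-Warning "Group has no members yet; no session host has been enrolled so far" }
if ($stray.Count -gt 0) {
    $names = ($stray | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', '
    Write-Warning "Unexpected members that do not start with '$HostPrefix': $names"; $ok = $false
}

if ($ok) { "SSO prerequisites look correct for $GroupName" } else { "Fix the warnings above before onboarding students" }
```

An empty group is reported as a warning only, because the dynamic rule fills it as soon as the first syvm session host is enrolled; a non-matching member, however, means the rule or the group ID is wrong and SSO would be granted to an unintended device.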