Prerequisites
The below highlights the prerequisites required to use Azure Virtual Desktop and configuration in Parallels RAS environment.
Microsoft Azure subscription
You need a Microsoft Azure subscription, including:
- An Azure Tenant ID.
- An Azure subscription with sufficient credit.
Azure Virtual Desktop user license entitlement
Customers with the licenses listed below are entitled to use Azure Virtual Desktop at no additional charge apart from Azure compute, storage, and network usage billing.
To run Windows 10 and Windows 11 with Azure Virtual Desktop you need to have one of the following per user license:
- Microsoft 365 F3, E3, E5, A3, A5, Student Use Benefits or Business Premium
- Windows 10 Enterprise E3, E5
- Windows 10 Education A3, A5
- Windows 10 VDA per user
To run Windows Server 2012 R2, 2016, 2019, 2022:
- Per user or per device Remote Desktop Services (RDS) Client Access License (CAL) with active Software Assurance (SA).
For further information, please refer to Microsoft licensing requirements at https://docs.microsoft.com/en-us/azure/virtual-desktop/overview.
Permissions and Azure resource providers
The below highlights permissions and resource providers to be registered in the subscription:
- Permissions to enable resource providers on your Azure subscription and create virtual machines (VMs).
- The necessary Microsoft Azure resource providers (Azure Portal > Subscription > Resource Providers) must be enabled, including Microsoft.ResourceGraph, Microsoft.Resources, Microsoft.Compute, Microsoft.Network, Microsoft.DesktopVirtualization.
Microsoft Azure AD application
For a detailed information about creating an Azure AD application, please see Create a Microsoft Azure AD application.
Once an Azure AD Application is created, give the application the following API permissions in the Microsoft Azure Portal (Azure Active Directory > App Registrations > API permissions > Add a permissions > Microsoft.Graph > Application permission):
- Group > Group.Read.All
- User > User.Read.All
Note: Please make sure that when adding Graph API permissions, User and Group, the permission type is "Application" not "Delegated".
Give the application read and write access to resources:
- The Azure AD application that you created must have read and write access to Azure resources as described in Create a Microsoft Azure AD application. Look for "Give the application read and write access to resources".
Roles and permissions for the application should include:
- "User Access Administrator" role for the application from Subscription > Access Control (IAM).
- "Contributor" role at the Resource group level from Resource group > Access Control (IAM).
If a resource group creation is required, also assign contributor role at the subscription level Subscription > Access Control (IAM).
Note: If you would like to also view/read resources outside the resource group make sure that the application is also given read access at the subscription level.
Active Directory
- A Server Active Directory environment or Azure Active Directory Domain Services (AADDS). See https://azure.microsoft.com/services/active-directory-ds/.
- Azure AD Connect — AD must be in sync with your Azure AD, so users can be associated between the two.
- The user must be sourced from the same Active Directory that's connected to Azure AD. Azure Virtual Desktop does not support B2B or MSA accounts.
- The user configured in the Parallels client with access to Azure Virtual Desktop resources must exist in the Active Directory domain the session host it is joined to.
Other
- Azure Virtual Network providing session hosts connection to the domain.
- Session hosts must be domain-joined to Active Directory.
- (optional) Site-to-site VPN or ExpressRoute is required if hybrid Parallels RAS deployment is used.
- (optional) Shared network location to be used for FSLogix Profile Containers which may run on Azure Files or Azure NetApp Files.
Note: At the time of writing, Windows 7 is not supported by Parallels RAS as an Azure Virtual Desktop session host.
Additional notes
Please also note the following Provider and Azure Application requirements for different RAS Farm and RAS Site scenarios:
- Same RAS Farm, same RAS Site: The same Farm, Site, and Application ID is possible to be used for both VDI and Azure Virtual Desktop. Build the guest VM list with Azure Virtual Desktop tags for Azure Virtual Desktop provider and guest VMs with VDI tags (or no tags) for Azure VDI provider.
- Same RAS Farm, same RAS Site: It is recommended to use different Azure Applications for multiple providers of the same type. For example, multiple Azure Virtual Desktop or multiple VDI providers but not mixed.
- Same RAS Farm, different RAS Sites or different RAS Farms: The point above applies. Alternatively, different RAS Farms or Sites can (and must in this case) reside in different virtual networks with no communication to common set of VMs.
Important: It is recommended that Parallels RAS managed Azure Virtual Desktop objects are managed through the Parallels RAS console. Configuration changes outside Parallels RAS console may result in a broken state of Azure Virtual Desktop objects. For such cases, Parallels RAS provides the ability to repair objects. For example, auto created friendly names and associated tags for workspaces and host pools can also be viewed from the Microsoft Azure portal, however they are not to be edited as these are used to ensure proper functionality.
|