Configuring User Restrictions by Using AD Group Policies and Azure Policies

An important aspect of any Azure Virtual Desktop (AVD) environment is ensuring it is both accessible and secure, so that it not only follows best practice but also meets your organization's requirements. To get the most out of this cloud-hosted service, it is important to use the right features and components of the AVD environment, which will in turn give a much better experience for your users.

AVD allows organizations to set up redundant, scalable, and agile environments that offer the following key capabilities:

  • Configure as many host pools as you need to accommodate the different workloads within an organization
  • Create custom images for your workloads, or use the ready-to-deploy images in the Azure Marketplace gallery for testing
  • Integrate Azure services to automate updates, power on/off, and autoscaling to help reduce costs and admin overhead
  • Provision personal (persistent) desktops, which allow for individual ownership

From a management perspective, you can use the Azure portal, PowerShell, and the REST API to manage and implement AVD resources. You can publish a full desktop or a single remote application to different sets of users. You can also assign multiple users to multiple application groups to reduce the number of images you need to maintain.

This course will help you implement access to your Azure Virtual Desktop environment and understand how it integrates with the other Azure services. It covers understanding Azure roles and RBAC for Azure Virtual Desktop, managing roles on session hosts, and configuring user restrictions via group policy and Azure policy.

Learning Objectives

  • Plan and implement Azure roles and role-based access control (RBAC) for Azure Virtual Desktop
  • Manage roles, groups, and rights assignment on Azure Virtual Desktop sessions
  • Configure user restrictions by using AD group policies and Azure policies

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist and/or is preparing to take the AZ-140 exam.


To get the most from this course, it is recommended that you have a good understanding of Azure administration, although this is not essential.


Welcome to this module on configuring user restrictions by using AD group policies and Azure policies. In this module, we'll cover the following topics: First, we'll discuss how to manage Azure Virtual Desktop with Group Policy. Then we'll take a look at the features available when managing Azure Virtual Desktop with Endpoint Manager.

Let's start by looking at managing Azure Virtual Desktop with Group Policy. The policies available depend on which domain the session hosts are joined to. You can join session hosts to either Active Directory Domain Services or Azure Active Directory Domain Services. Both allow you to use the Group Policy Management Console to manage the various policies. If you use Azure AD Domain Services, you need to make sure your administrator account is a member of the AAD DC Administrators group, because there is no domain admin account on a managed domain.

If the session hosts are joined to an Azure AD Domain Services managed domain, you have two built-in GPOs, AADDC Computers and AADDC Users, linked to the OUs of the same name, which you can edit and use to manage the Azure Virtual Desktop environment. If the session hosts are joined to an Active Directory domain, whether the domain controllers are on-premises or VMs in Azure, then you can use all the standard GPOs that are available with a domain controller to manage the Azure Virtual Desktop environment. Let's now move on to managing Azure Virtual Desktop with Endpoint Manager.
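As an added example (not code from the course), the following PowerShell script builds a user-restriction GPO for session hosts and links it to the right OU for either domain type. It uses the GroupPolicy and ActiveDirectory RSAT modules and must run as an account that can edit GPOs (a domain admin on AD DS, or a member of AAD DC Administrators on Azure AD DS). The GPO name, the AD DS OU path and the session time-out values are assumptions for illustration; the registry paths and value names are the ones the corresponding Administrative Template settings write.

```powershell
# Added example: create and link a restriction GPO for AVD session hosts.
# Assumed names: GPO "AVD-SessionHost-Restrictions", AD DS OU "AVD Session Hosts".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'AVD-SessionHost-Restrictions'           # assumed GPO name
$domainDn = (Get-ADDomain).DistinguishedName

# Azure AD DS places joined computers in the built-in "AADDC Computers" OU; on a
# classic AD DS domain use whatever OU your session hosts live in (assumed below).
$aaddcOu  = Get-ADOrganizationalUnit -Filter "Name -eq 'AADDC Computers'" -ErrorAction SilentlyContinue
$targetOu = if ($aaddcOu) { $aaddcOu.DistinguishedName } else { "OU=AVD Session Hosts,$domainDn" }

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'User restrictions for AVD session hosts' }

# Machine-side Remote Desktop Services policies (Computer Configuration >
# Administrative Templates > Windows Components > Remote Desktop Services).
$rdsKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$settings = [ordered]@{
    fDisableCdm          = 1        # Do not allow drive redirection
    fDisableClip         = 1        # Do not allow clipboard redirection
    fDisableLPT          = 1        # Do not allow LPT port redirection
    fDisablePNPRedir     = 1        # Do not allow supported Plug and Play device redirection
    MaxIdleTime          = 1800000  # Idle session limit in ms (30 min, assumed value)
    MaxDisconnectionTime = 3600000  # End a disconnected session after 1 h (assumed value)
    fResetBroken         = 1        # End the session when the time limit is reached
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $rdsKey -ValueName $name `
        -Type DWord -Value $settings[$name] | Out-Null
}

# User-side restrictions: hide Control Panel / Settings and block the command prompt.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null      # 2 = block cmd.exe but still allow logon scripts

# Link the GPO (enforced) to the OU, unless it is already linked there.
$alreadyLinked = (Get-GPInheritance -Target $targetOu).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Check: show what the GPO now carries. On a session host, run "gpupdate /force" and
# confirm the values under the same key in HKLM to verify the policy actually applied.
Get-GPRegistryValue -Name $gpoName -Key $rdsKey | Select-Object ValueName, Type, Value
```

On an Azure AD DS managed domain, editing the built-in AADDC Computers GPO directly also works, but a separate GPO linked to the same OU is easier to audit and roll back. The drive and clipboard settings are worth reviewing per workload: they stop data leaving the session through the client, which is usually the point of "user restrictions" on a shared host, but they will break users who legitimately need to copy files in.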

To manage session hosts with Endpoint Manager, they need to be not only domain joined but also registered with Azure AD and enrolled into Intune; a domain-joined device that is also registered with Azure AD is known as hybrid Azure AD joined. This applies to hosts joined to an AD DS domain that is synchronized to Azure AD; Azure AD DS joined hosts cannot be hybrid joined. Once your session hosts are hybrid joined and enrolled, you can start to manage them and take advantage of Endpoint Manager features, such as compliance policies, which allow you to set a baseline the session hosts must meet, and configuration profiles, which allow you to configure settings such as Control Panel access and the desktop background on the session hosts. You can also use Windows Update for Business to manage patching on the session hosts.

Finally, you can deploy applications to the session hosts, including Office, other Win32 apps, and apps from the Microsoft Store.
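As an added example (not code from the course), here is a PowerShell check for the prerequisite described above: it parses the output of dsregcmd /status to tell whether a session host is hybrid Azure AD joined and already enrolled in MDM, and, if the host is hybrid joined but not enrolled, switches on automatic MDM enrollment with the device credential. The dsregcmd output embedded in the script is constructed for offline testing; run with -Live on a real session host. The registry values are the ones the "Enable automatic MDM enrollment using default Azure AD credentials" policy writes; the function names are assumptions.

```powershell
# Added example: verify hybrid join / Intune enrollment state of an AVD session host.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string]$Text)
    # dsregcmd /status prints "Name : Value" lines under +---- section headers.
    $state = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') { $state[$matches[1].Trim()] = $matches[2] }
    }
    $domainJoined  = $state['DomainJoined']  -eq 'YES'
    $azureAdJoined = $state['AzureAdJoined'] -eq 'YES'
    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $azureAdJoined
        HybridJoined  = $domainJoined -and $azureAdJoined   # both flags = hybrid Azure AD joined
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])  # MdmUrl is empty until enrolled
        TenantName    = $state['TenantName']
    }
}

function Get-AvdHostEnrollmentState {
    param([switch]$Live)
    if ($Live) {
        $raw = (& dsregcmd.exe /status) -join "`n"
    } else {
        # Constructed sample: domain joined and Azure AD joined (hybrid), not yet MDM enrolled.
        $raw = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl :
'@
    }
    ConvertFrom-DsregStatus -Text $raw
}

function Enable-AvdAutoMdmEnrollment {
    # Local equivalent of the GPO setting, for a single host. Enrollment only
    # succeeds once the host is hybrid joined, so refuse to proceed otherwise.
    param([Parameter(Mandatory)]$State, [switch]$WhatIf)
    if (-not $State.HybridJoined) {
        throw 'Host is not hybrid Azure AD joined; fix Azure AD Connect device registration first.'
    }
    if ($State.MdmEnrolled) { return 'Already enrolled in MDM' }
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if ($WhatIf) { return "Would set AutoEnrollMDM=1 and UseAADCredentialType=2 under $key" }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name AutoEnrollMDM        -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name UseAADCredentialType -Value 2 -Type DWord   # 2 = device credential
    return 'Auto-enrollment configured; the EnterpriseMgmt scheduled task enrolls the device on its next run'
}

# Offline demonstration against the constructed sample (use -Live on a real host).
$state = Get-AvdHostEnrollmentState
$state
Enable-AvdAutoMdmEnrollment -State $state -WhatIf
```

For multi-session hosts, the device credential (UseAADCredentialType = 2) is the right choice, since no single user owns the machine. In practice you would push these two values through the GPO from the previous section rather than setting them by hand, but the check above is the quickest way to find out why a host that should be in Intune never appeared there.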

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany based in the UK. He has more than 15 years' experience in the IT industry, 7 of which he has spent working with Microsoft cloud technologies, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.