Welcome back to my article series on VMware Horizon Cloud on Microsoft Azure. In the previous articles, we learned what is needed to prepare the infrastructure so that new virtual desktops can be enrolled via the VMware Universal Console. We went through the initial Azure configuration and had a look at how to prepare the certificate for the UAG setup, which we will complete in this tutorial.

If you missed my previous articles, please find them hereafter:


In this article, I will walk you through the configuration settings to enroll our first cloud-based pod on Microsoft Azure.

Prepare a Service Principal for the VMware Universal Console

Before we can start to configure the Universal Console and create the core infrastructure, we need to make sure that our account receives administrative privileges in a secure way. For that reason we need a Service Principal that grants the console the necessary rights in our tenant, while ensuring that no passwords are exchanged in clear text.

To do so, please log in to the Azure portal via https://portal.azure.com and select Azure Active Directory.

In the following window, we need to select App registrations to be able to create our Service Principal.

Once we have entered the App registrations view, click on "+ New registration" in the top center of the screen.

Now we can give our Service Principal a name of our choosing; in my case I name the principal according to the naming convention from the previous article. Make sure to change the Redirect URI type to "Web" and provide the URL "http://localhost:8000". Once we have provided the information, click on "Register" to complete the creation.

Name: SP-HZNC-AVDLogix
Redirect URI: Web
URI: http://localhost:8000

Attention! Once the Service Principal has been created, make sure to copy the following information and store it in a safe location, as you will need it later.

Copy the Application (client) ID and the Directory ID (Azure AD tenant ID).


Once you have noted down the information, we navigate to "Certificates & secrets" on the left-hand side to generate the required secret.

Here we need to click on "+ New client secret" and provide a client secret description, which is "Client Secret Horizon" in my case, and we set the duration to "24 months". You can also choose a shorter time before the secret expires, but you have to keep in mind to regenerate the secret and update the Universal Console before then, or you lose access to and control over the resources.

Attention! Please make sure to copy the Secret Value as soon as you see it, because it is shown only once. If you missed copying it, you need to regenerate the client secret.
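Because a secret that silently expires takes the Universal Console's access with it, it is worth tracking the expiry dates programmatically. The script below is an added example and not part of the original post: it flags client secrets that are expired or inside a rotation window. The records are constructed, shaped like the `passwordCredentials[]` entries (`displayName`, `startDateTime`, `endDateTime`) that Microsoft Graph returns for an app registration; the secret names and dates are placeholders.

```python
"""Added example (not from the original post): flag Azure AD app-registration
client secrets that are expired or close to expiry, so the Universal Console
can be updated before access is lost."""
from datetime import datetime, timezone

# Constructed sample data in the Microsoft Graph passwordCredentials[] shape.
SAMPLE_CREDENTIALS = [
    {"displayName": "Client Secret Horizon",
     "startDateTime": "2023-01-15T10:00:00Z",
     "endDateTime": "2025-01-15T10:00:00Z"},
    {"displayName": "Client Secret Horizon (old)",
     "startDateTime": "2022-06-01T08:30:00Z",
     "endDateTime": "2024-06-01T08:30:00Z"},
]


def _parse(ts: str) -> datetime:
    # Graph emits ISO 8601 with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def secret_status(cred: dict, now: datetime, warn_days: int = 30) -> tuple:
    """Return (name, days_left, state); state is 'expired', 'rotate' or 'ok'."""
    days_left = (_parse(cred["endDateTime"]) - now).days
    if days_left < 0:
        state = "expired"
    elif days_left <= warn_days:
        state = "rotate"          # inside the rotation window: regenerate now
    else:
        state = "ok"
    return cred["displayName"], days_left, state


def secrets_needing_action(creds: list, now: datetime, warn_days: int = 30) -> list:
    """Names of secrets that are expired or inside the rotation window."""
    return [name
            for name, _, state in (secret_status(c, now, warn_days) for c in creds)
            if state != "ok"]


if __name__ == "__main__":
    # Fixed "today" so the demo output is reproducible; use datetime.now(timezone.utc) in practice.
    today = datetime(2024, 5, 20, tzinfo=timezone.utc)
    for name, days, state in (secret_status(c, today) for c in SAMPLE_CREDENTIALS):
        print(f"{state:8s} {days:5d} days left  {name}")
```

Run it on a schedule (for example from a pipeline that calls Graph for the app registration) and treat any `rotate` or `expired` result as a ticket to regenerate the secret and update it in the Universal Console.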

Create a Custom Role for Service Principal (Least Privileges)

Now we are nearly finished with our Service Principal creation, but we still need to grant it the permissions it requires to perform tasks in our environment. Here we have two options. First, we can assign Contributor rights to our new Service Principal on our subscription, which grants a great many permissions that we may not want if we follow the principle of least privilege.

I recommend creating a custom role with only the rights the Service Principal needs on our subscription. I found an article in the VMware KB describing the creation of the custom role, which unfortunately doesn't work for my tenant, so I'm sharing the steps that worked for me.
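Before assigning any role to the Service Principal, it helps to check the role definition mechanically for the things that defeat least privilege: wildcard actions, actions that can change role assignments, and assignable scopes wider than the subscription. The script below is an added example and not part of the original post or the VMware KB article. It lints a role definition in the JSON shape that `az role definition create` accepts; the action lists are illustrative placeholders, not the permissions Horizon Cloud actually requires, and the subscription ID is a placeholder.

```python
"""Added example (not from the original post): lint an Azure role definition
for least-privilege problems before assigning it to a Service Principal."""
import json

# Constructed: a broad role in the style of the built-in Contributor (Actions ["*"]).
BROAD_ROLE = {
    "Name": "Contributor-like (constructed)",
    "IsCustom": False,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/"],
}

# Constructed: a scoped custom role with explicit actions (placeholders, not the real list).
CUSTOM_ROLE_JSON = json.dumps({
    "Name": "CR-AVDLogix-HorizonCloudAzure",
    "IsCustom": True,
    "Description": "Placeholder action list for demonstration only",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/virtualNetworks/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})


def lint_role(role: dict) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    if not role.get("IsCustom", False):
        findings.append("built-in role: review its Actions instead of assigning it wholesale")
    for action in role.get("Actions", []) + role.get("DataActions", []):
        if action == "*":
            findings.append("wildcard '*' grants every operation in scope")
        elif action.endswith("/*"):
            findings.append(f"provider-wide wildcard: {action}")
        low = action.lower()
        # Writing role assignments lets the principal grant itself more rights.
        if low.startswith("microsoft.authorization/") and low.endswith(("/write", "/delete")):
            findings.append(f"can modify role assignments (escalation path): {action}")
    for scope in role.get("AssignableScopes", []):
        if scope == "/":
            findings.append("assignable at tenant root '/': limit AssignableScopes to the subscription")
        elif not scope.startswith("/subscriptions/"):
            findings.append(f"unexpected assignable scope: {scope}")
    return findings


def lint_role_json(text: str) -> list:
    """Lint a role definition given as JSON text, e.g. read from the file passed to the CLI."""
    return lint_role(json.loads(text))


if __name__ == "__main__":
    for label, result in (("broad role", lint_role(BROAD_ROLE)),
                          ("custom role", lint_role_json(CUSTOM_ROLE_JSON))):
        print(f"{label}: {result or 'no findings'}")
```

Run `lint_role_json` over the JSON you are about to paste into the portal's JSON tab or pass to the CLI; a clean result does not prove the role is minimal, but any finding is a concrete reason to tighten it before the assignment goes live.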

To do so, we switch to the Subscriptions menu in our Azure tenant, either by searching for "Subscriptions" or by selecting it from the portal menu.

Now we switch to the Access control (IAM) menu on the left-hand side, click on "+ Add" and select "Add custom role" as the next step.

Now we need to provide the name for our custom role; I called mine "CR-AVDLogix-HorizonCloudAzure". Select "Start from scratch" as the Baseline permissions and continue to the "JSON" tab by clicking "Next" twice or by clicking directly on "JSON