Welcome back to my article series on VMware Horizon Cloud on Microsoft Azure. In the previous articles, we have learned what is needed to prepare the infrastructure to be able to enroll new virtual desktop via the VMware Universal Console. We went through the initial Azure configuration and had a look on how to prepare the certificate for the UAG setup, which we will complete in this tutorial.
If you missed my previous articles, please find them hereafter:
Facebook Twitter LinkedInOn the 11th February 2022 I had the pleasure to attend the GeekSprech Podcast. Eric Berg, fellow MVP and Blogger / Podcaster is running this awesome format and invited me to be a guest in his show! It was a real fun session where we have spoken about all things Azure Virtual Desktop and Horizon Cloud on Azure. We explained the differences and
Facebook Twitter LinkedInAfter a few years working on old hardware (self made PCs) running VMware ESXi it was getting time to upgrade the lab environment to be able to write blogs about VMware Horizon and Cloud Pod Architecture, as well as doing more advanced blogs on Azure migration scenarios in the future. I researched a lot, which device could be a good fit to save
Facebook Twitter LinkedInWelcome back everyone to the next chapter of the Mastering Horizon Cloud on Azure article series. In the past articles, I have shown you how to setup the Azure subscription, Resource Groups, networks and accounts as well as the creation of the first POD infrastructure on Azure. In this article, we’re going to complete the setup by enabling the infrastructure to authenticate to the
Facebook Twitter LinkedInWelcome back to my article series on VMware Horizon Cloud on Microsoft Azure. In the previous articles, we have learned what is needed to prepare the infrastructure to be able to enroll new virtual desktop via the VMware Universal Console. We went through the initial Azure configuration and had a look on how to prepare the certificate for the UAG setup, which we
Facebook Twitter LinkedInWelcome back to part 2 of my article series on how to master VMware Horizon Cloud on Azure. In the first part I gave a general overview on what the service actually represents and how it can be seen especially in the Azure Virtual Desktop ecosystem. Now we’re proceeding to a more technical blog, describing how to prepare our environment before we can
Facebook Twitter LinkedInIt’s been quiet for a while on this blog, which was primarily related due to a very successful AVD Tech Fest, which we have performed in November. With a new year, there are new blogs and content to share and I’m happy to present you another blog series, this time about VMware’s Horizon Cloud on Azure service. I’ve seen some blogs around Citrix
In this article, I will walk you through the configuration settings to enroll our first cloud based POD on Microsoft Azure.
Table of Contents
Prepare a Service Principal for the VMware Universal Console
Before we can start to configure the Universal Console and create the core infrastructure, we need to ensure that we equip our account with administrative privileges in a secure way. For that reason we require to have a Service Principal in place that provides the console with the necessary rights in our tenant, while ensuring that no passwords are exchanged in clear text.
To do so, please login to the Azure portal via https://portal.azure.com and select Azure Active Directory.
In the following window, we need to select App registrations to be able to create our Service Account.
Once, we entered the App registrations view, click on “+ New registration” in the top center of the screen.
Now we can provide our Service Principal a random name that we want to assign, in my case I name the principal based on the naming convention from the previous article. Make sure to change the Redirect URI to “Web” and provide the URL “http://localhost:8000“. Once we provided the information, click on “Register” to complete the creation.
Redirect URI: Web
Attention! Once the Service Principal has been create make sure to copy the following information and store them in a safe location, as you will need them for later.
Copy the application (client) ID and Directory ID (Azure AD tenant ID)
Once you noted down the information, we navigate to “Certificates & secrets” on the left hand side to generate the required secret.
In here we need to click on “+ New client secret” and provide a client secret description, which is “Client Secret Horizon” in my case and we set the duration to “24 months“. You can also choose a lower time, before the secret expires, but you have to keep in mind to regenerate the secret and update the Universal Console to not lose access or control over the resources.
Attention! Please make sure to copy the Secret Value once you see it, because it will only appear once like this. In case that you missed to copy it, you need to regenerate the client secret.
Create a Custom Role for Service Principal (Least Privileges)
Now we are nearly finished with our Service Principal creation, but need to equip it with the required permissions in order to perform tasks in our environment. While doing this we have two options. First, we can assign Contributor rights to our new Service Principal on our subscription, which provides quite a lot of permissions, which we might don’t want if we want to follow the principal of least permissions.
I recommend creating a custom role, with only the required rights, the Service Principal needs on our subscription. I found an article on the VMware KB, stating the creation of the custom role, which unfortunately doesn’t work for my tenant, for that reason, I’m sharing with you the steps that worked out for me.
To do so, we switch to the Subscription menu in our Azure tenant, while searching for “Subscriptions” or selecting it from the portal menu.
Now, we switch to the Access control (IAM) menu on the left hand side, clicking on “+ Add” and selecting “Add custom role” as the following step.
Now we need to provide the name for our custom role, I called mine “CR-AVDLogix-HorizonCloudAzure“. Select “Start from scratch” as the Baseline permission and continue to the “JSON” tab by clicking “Next” two times or by directly clicking on “JSON“