Prerequisites
Before deploying Azure Virtual Desktop, ensure your environment is properly configured.
System Requirements
Locally Installed Tools
| Tool | Version | Purpose | Download |
|---|---|---|---|
| Azure CLI | 2.40+ | Azure resource management | Install Guide |
| Bicep CLI | 0.20+ | Infrastructure-as-code compilation | Included with Azure CLI 2.20+ |
| PowerShell | 5.1+ | Deployment orchestration | Install Guide |
| Git | Any version | Repository cloning | Download |
Verification
Check installed versions:
```powershell
# Check Azure CLI
az --version

# Check Bicep CLI
az bicep version

# Check PowerShell
$PSVersionTable.PSVersion

# Check Git
git --version
```
Azure Prerequisites
Azure Subscription
- ✅ Active Azure subscription.
- ✅ Contributor or Owner role on the subscription.
- ✅ Quota available for virtual machines in your chosen region.
To verify your role:
```powershell
az role assignment list --assignee (az account show --query user.name -o tsv) --query '[].roleDefinitionName' -o tsv
```
Entra ID (Azure AD)
- ✅ Entra ID tenant access (usually available to organisations using Microsoft 365).
- ✅ User account in the Entra ID tenant.
- ✅ Ability to create role assignments (typically available to Global Admins or subscription Owners).
To verify Entra ID access:
```powershell
az ad signed-in-user show
```
Azure Region
Deploy in a region that supports all required services:
Supported UK regions:
- uksouth
- ukwest (default in this template)

Other popular regions:
- northeurope
- westeurope
- eastus
- westus2
- canadacentral
Security & Credentials
Admin Credentials
The deployment requires a strong admin password for session host VMs:
| Requirement | Details |
|---|---|
| Username | Alphanumeric, can contain ., -, _ (not allowed: spaces, special chars). |
| Default username | avdadmin (configurable). |
| Password | Must be strong: 8+ chars, mixed case, numbers, special chars. |
| Storage | Never stored in parameters.json – prompted at deployment time. |
| Encryption | Marked @secure() in Bicep; not logged in Azure activity. |
Generate Secure Password (PowerShell)
```powershell
# Interactive prompt (recommended)
$adminPassword = Read-Host "Enter admin password for session hosts" -AsSecureString
```
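A pre-flight check against the requirements table above catches a weak or malformed credential before the deployment starts. This is an added example, not part of the original template; the function name `Test-AvdAdminCredential` is introduced here, and the rules are the ones listed in the table (the deployment itself may enforce more).

```powershell
function Test-AvdAdminCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $problems = @()

    # Username: letters and digits plus . - _ only (no spaces or other symbols).
    if ($UserName -notmatch '^[A-Za-z0-9._-]+$') {
        $problems += 'Username may contain only letters, digits, ".", "-" and "_".'
    }

    # Decrypt only inside this function; the plain text is never returned or logged.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    if ($plain.Length -lt 8)             { $problems += 'Password is shorter than 8 characters.' }
    if ($plain -cnotmatch '[a-z]')       { $problems += 'Password has no lowercase letter.' }
    if ($plain -cnotmatch '[A-Z]')       { $problems += 'Password has no uppercase letter.' }
    if ($plain -notmatch '\d')           { $problems += 'Password has no digit.' }
    if ($plain -notmatch '[^A-Za-z0-9]') { $problems += 'Password has no special character.' }

    $plain = $null
    return $problems
}

# Usage: prompt as shown above, then validate before deploying.
$adminUser     = 'avdadmin'   # default username from the table
$adminPassword = Read-Host "Enter admin password for session hosts" -AsSecureString

$issues = @(Test-AvdAdminCredential -UserName $adminUser -Password $adminPassword)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Admin credential does not meet the documented requirements.'
}
```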
Entra ID Authentication
This deployment uses Entra ID-joined VMs, which means:
- ✅ VMs authenticate using cloud-based Entra ID identity (no on-premises AD required)
- ✅ Users sign in with Entra ID credentials (same as Microsoft 365)
- ✅ Supports modern authentication (passwordless, Windows Hello, FIDO2)
- ✅ Automatic Windows Updates and cloud policies
What this enables:
- Remote workers can connect without VPN
- No hybrid identity synchronisation required
- Cloud-native security policies apply to VMs
Role Assignment Requirements
Why Two Roles Are Required
After deployment, users need two separate role assignments to connect:
- Desktop Virtualization User – Access the AVD workspace and application group
- Virtual Machine User Login – Log into the Entra ID-joined session host VMs
Without both roles, users will receive:
- “Workspace not available” in Windows App, or
- “Your account is configured to prevent you from using this device” when trying to log in
Assigning Roles
See Quick Start: Step 3 for automated commands, or follow the manual steps below.
Manual Assignment via Azure Portal
For Desktop Virtualization User role:
- Open Azure Portal
- Go to Resource Groups > avd-occasional-rg
- Find the Desktop Application Group (name: avd-dev-dag-*)
- Click the resource name to open it
- Go to Access control (IAM) tab
- Click + Add > Add role assignment
- Search for and select Desktop Virtualization User
- Click Next
- Select User, group, or service principal
- Click + Select members
- Search for your Entra ID user account
- Click your account to select it
- Click Select > Next > Review + assign
For Virtual Machine User Login role:
- Repeat the steps above, but:
  - Find each Session Host VM (name: avd-dev-vm-0-*, etc.)
  - Select role Virtual Machine User Login
  - Assign to the same user account

Allow 5–10 minutes for role propagation before attempting to connect.
Role Assignment via Azure CLI
Desktop Virtualization User role:
```powershell
# Resource ID of the first application group in the resource group
$appGroupId = (az resource list --resource-group avd-occasional-rg `
    --resource-type "Microsoft.DesktopVirtualization/applicationGroups" `
    --query '[0].id' -o tsv)

# Object ID of the signed-in user
$userId = (az ad signed-in-user show --query id -o tsv)

az role assignment create `
    --role "Desktop Virtualization User" `
    --assignee $userId `
    --scope $appGroupId
```
Virtual Machine User Login role (for all VMs):
```powershell
$userId = (az ad signed-in-user show --query id -o tsv)
$vmIds = @(az vm list --resource-group avd-occasional-rg --query '[].id' -o tsv)

# Assign the login role on every session host VM in the resource group
foreach ($vmId in $vmIds) {
    az role assignment create `
        --role "Virtual Machine User Login" `
        --assignee $userId `
        --scope $vmId
}
```
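To confirm that both assignments described above are in place before a user tries to connect, the following check lists each required role at its scope for the signed-in user. It is an added example, not part of the original template; it assumes the `avd-occasional-rg` resource group used on this page and an authenticated `az` session, and `Test-RoleAtScope` is a helper name introduced here.

```powershell
$resourceGroup = 'avd-occasional-rg'
$userId = az ad signed-in-user show --query id -o tsv

function Test-RoleAtScope {
    param([string]$PrincipalId, [string]$Role, [string]$Scope)
    # --include-inherited also counts assignments made higher up (resource group,
    # subscription); --include-groups counts assignments held via group membership.
    $hits = @(az role assignment list --assignee $PrincipalId --role $Role `
        --scope $Scope --include-inherited --include-groups --query '[].id' -o tsv)
    return ($hits.Count -gt 0)
}

# Build the list of (role, scope) pairs a user needs in order to connect.
$required = @()
$appGroupIds = @(az resource list --resource-group $resourceGroup `
    --resource-type 'Microsoft.DesktopVirtualization/applicationGroups' `
    --query '[].id' -o tsv)
foreach ($id in $appGroupIds) {
    $required += [pscustomobject]@{ Role = 'Desktop Virtualization User'; Scope = $id }
}
$vmIds = @(az vm list --resource-group $resourceGroup --query '[].id' -o tsv)
foreach ($id in $vmIds) {
    $required += [pscustomobject]@{ Role = 'Virtual Machine User Login'; Scope = $id }
}

# Check each pair and report by resource name.
$report = foreach ($r in $required) {
    [pscustomobject]@{
        Role     = $r.Role
        Resource = ($r.Scope -split '/')[-1]
        Assigned = Test-RoleAtScope -PrincipalId $userId -Role $r.Role -Scope $r.Scope
    }
}
$report | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Assigned })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) required role assignment(s) missing; the user will not be able to connect."
}
```

A newly created assignment can take several minutes to appear, so re-run the check after the propagation window before treating a missing row as an error.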
Assigning Roles to Multiple Users
To add other users or your entire team, repeat the role assignment steps for each user.
For large-scale deployments, consider:
- Assigning roles to Entra ID groups instead of individual users
- Using Azure Lighthouse for delegated access
Connectivity
Outbound Internet Access
The deployment requires outbound internet access for:
- Windows Updates
- Azure Virtual Desktop agent downloads
- DSC script downloads
- SSL certificate validation
The VMs’ Network Security Group allows all outbound traffic by default.
Inbound Access
No inbound ports are required. Azure Virtual Desktop uses reverse connections from the VM to the Azure Virtual Desktop service. Users connect through:
- Windows App
- Web browser (Azure Virtual Desktop web client)
- Remote Desktop Protocol (RDP) clients
Post-Deployment Verification
After reviewing prerequisites, you’re ready to deploy. Start with the Quick Start Guide.
Last Updated: February 2026