AVD Managed identities: New era of AVD security

Hello,

Welcome again to my blog. This time I’m focusing on security and Azure Virtual Desktop.

Until now, Microsoft relied on the Windows Virtual Desktop service principal to handle security for AVD, for example to access the key vault where a secret is stored.

Microsoft is changing this and wants us to use managed identities. This can be either a system assigned or a user assigned identity. In a situation where you have a lot of host pools, it can be a better idea to use one user assigned identity instead of a separate identity per host pool.

All info about this new feature can be found here:

https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-managed-identity?tabs=portal&pivots=user-assigned#assign-a-user-assigned-managed-identity

There are currently two possible scenarios. You can either activate the identity feature on an existing host pool, or you can create a new host pool and use the feature from the start.

In order to use a user assigned identity you need an existing host pool. In the screenshot below you see where and how to activate the identity.

Important: as from November 2025, the managed identity will be required for all new host pools.

To make this work, we need several permissions to be in place:

  • Desktop Virtualization host pool contributor at host pool scope or higher
  • Managed identity operator at managed identity or higher

Assign identity on existing host pool

In the host pool menu we now have a new option, Identity. Here we can tick the box and choose between system assigned and user assigned. In this example, I take system assigned.

You can see that there is a Permissions option here; let's check out what is hidden there. It lists all the permissions that were assigned to the identity automatically.

Now that we have activated the managed identity, let's see what happens in the background. When checking the IAM blade of the key vault, we see that the following permission was added automatically: a managed identity with the name of the host pool was added as Key Vault Secrets User.

We can also choose to assign a user assigned identity to the host pool. In the screen below you see that I chose a custom name for it and placed it in a specific resource group.

To assign it to the host pool, select the second option and select the managed identity.
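The portal steps above (create a user assigned identity, attach it to the host pool, and grant it the Key Vault Secrets User role that the post observed being added for the system assigned case) can also be expressed as infrastructure-as-code, which is how you would keep dev and prd consistent. The Bicep below is an added example and not from the post or from Microsoft's documentation; the resource names, location, host pool settings and API versions are assumptions, and the explicit role assignment assumes the user assigned identity needs the same vault permission that the post saw granted automatically.

```bicep
// Added example (not from the post): user assigned identity for an AVD host pool
// plus an explicit "Key Vault Secrets User" grant on the vault holding the secret.
// All names, the location, the host pool settings and the API versions are assumptions.
param location string = resourceGroup().location
param hostPoolName string = 'hp-avd-prd'      // assumed host pool name
param identityName string = 'id-avd-prd'      // assumed identity name
param keyVaultName string = 'kv-avd-prd'      // assumed existing vault in this resource group

// Built-in role definition ID of "Key Vault Secrets User"
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// One identity that several host pools in this environment can share
resource hostPoolIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Host pool with the user assigned identity attached (the ARM "identity" envelope)
resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2024-04-03' = {
  name: hostPoolName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${hostPoolIdentity.id}': {}
    }
  }
  properties: {
    hostPoolType: 'Pooled'
    loadBalancerType: 'BreadthFirst'
    preferredAppGroupType: 'Desktop'
  }
}

// Existing vault that stores the secret the host pool needs to read
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// Least-privilege grant: read secrets only, scoped to this one vault.
// The deterministic guid() name makes the assignment idempotent on redeploy.
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, hostPoolIdentity.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: hostPoolIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}
```

For the system assigned variant shown earlier in the post, replace the identity block with `identity: { type: 'SystemAssigned' }` and use `hostPool.identity.principalId` as the principal in the role assignment. Whoever deploys this still needs the two permissions listed above (Desktop Virtualization Host Pool Contributor and Managed Identity Operator), plus rights to create role assignments on the vault.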

Conclusion

Shifting from the service principal to a managed identity is a big change from Microsoft, but it also brings a lot of benefits with regard to security. Using a managed identity gives the option to separate the security of environments like dev and prd, adding another layer of protection.

I hope you found this blog post helpful and until next time.
