Month: September 2019

WVD Management Tool – Cross Tenant Access Fix

With the announcement of WVD (Windows Virtual Desktop) moving into GA today I thought I’d spin my lab back up again and try to get the WVD Management Web App Tool working.

My last attempt a few weekends ago was unsuccessful and I didn’t have any time to carry on troubleshooting, so I deleted the Resource Group and left it on the long To-Do list for another day.

So this evening, as the working day was nearing its end, I headed back into the Azure portal and attempted to deploy the WVD Management Tool.

My WVD Setup – Azure AD, Subscriptions & Resources

Issue #1 – Azure Automation Job Failing

This was a pretty simple one in the end. The Azure AD user’s password I was giving in the ARM template parameters had expired.

This user needs to be an Azure AD Global Administrator and have the RBAC permissions on the Subscription you want to deploy the WVD Management Tool to.

Issue #2 – My Subscription & Azure AD Tenant Aren’t Linked

Now most people will have a single Azure AD Tenant and all their users synced to this and also all of their Azure Subscriptions linked to the same tenant.

However I do not, for a number of reasons, mainly because it gives me the opportunity to test a lot of the more complicated deployments.

See the above diagram in this post for my setup explained; hopefully!

So when the WVD Management Web App Tool deploys I have to put it in my subscriptions linked to the ‘jackjacktraceyco.onmicrosoft.com’ Azure AD Tenant.

However all of my WVD authentication is sourced from my ‘jtlab.cloud’ Azure AD Tenant as I use Azure AD Connect to sync my users & groups from the ‘LAB-DC-01’ Active Directory Domain Controller.

Once I figured out Issue #1 and the WVD Management Tool was successfully deployed, I tried to log in to it with my WVD Tenant Admin User (in the ‘jtlab.cloud’ tenant) and got the below error:

As you can, sort of, see it is saying that the Application with the ID of XXXXXXXX cannot be found in the directory ‘jtlab.cloud’ (you’ll have to trust me on this one).

Now this isn’t really an issue caused by an error in the ARM template provided by Microsoft; it’s actually done exactly as I’ve told it to. The issue is my setup!

However this setup is likely to be fairly common, especially in a partner world or a provider doing a DaaS (Desktop-as-a-Service) offering.

The Fix

Luckily this is quite an easy one.

  1. Log in to the Azure Active Directory Management Portal (https://aad.portal.azure.com) as a user with the Global Administrator role in the Azure AD Tenant where your Subscriptions, and therefore the WVD Management Tool, are deployed.
  2. Select the ‘Azure Active Directory’ blade > then ‘App Registrations’ > then search for the Application ID referenced in the error, or search for ‘wvd’.
  3. Select the App Registration > then select ‘Authentication’ > then scroll to the bottom of the blade shown on the right until you get to the ‘Supported account types’ section. Change the radio button selection to the option called: ‘Accounts in any organizational directory (Any Azure AD directory – Multitenant)’
  4. Click Save

And that is all you need to do to fix the login. This now allows users from other Azure AD tenants to sign in to the WVD Management Tool that you created, which is exactly what I need for my setup!
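The same change, scripted so it can be reviewed and repeated, as an added example that is not part of the original post or of Microsoft’s ARM template. It uses the AzureAD PowerShell module (Connect-AzureAD, Get-AzureADApplication, Set-AzureADApplication); the tenant ID and Application ID are placeholders you fill in from the sign-in error. The script refuses to change anything unless the search resolves to exactly one app registration, because widening the sign-in audience on the wrong app is easy to do and hard to notice. Note that the audience setting only governs who can authenticate to the tool; it grants no WVD rights by itself.

```powershell
# Added example (not from the original post): switch the WVD Management Tool app registration
# to multitenant with the AzureAD module, then read the setting back to verify it.
# Assumptions: the AzureAD module is installed; $tenantId and $appId are placeholders.

$tenantId = '<tenant-id-where-the-tool-is-deployed>'   # placeholder: Azure AD tenant holding the subscription
$appId    = '<application-id-from-the-error>'          # placeholder: Application (client) ID shown in the error

Connect-AzureAD -TenantId $tenantId | Out-Null

# Look the registration up by its Application ID (the value in the error), not its object ID.
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
if (-not $app) {
    # Fall back to the display-name search the post describes (search for 'wvd').
    $app = Get-AzureADApplication -SearchString 'wvd'
}
if (-not $app -or @($app).Count -ne 1) {
    throw "Expected exactly one app registration, found $(@($app).Count). Refine the search before changing anything."
}

"Before: AvailableToOtherTenants = $($app.AvailableToOtherTenants)"

# Equivalent of the portal option 'Accounts in any organizational directory (Multitenant)'.
Set-AzureADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $true

# Read it back rather than trusting the call succeeded silently.
$after = Get-AzureADApplication -ObjectId $app.ObjectId
"After:  AvailableToOtherTenants = $($after.AvailableToOtherTenants)"
```

Run it in the tenant that owns the subscription (the ‘jackjacktraceyco.onmicrosoft.com’ tenant in the setup above), not the tenant the WVD users sign in from; the registration only exists in the former.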

Hope this helps some of you out there!


Partner Admin Link (PAL) PowerShell Script

** Update 21/09/2019 – PowerShell Script V2 Released **

Just a quick post today to share a new tool I have created for all Microsoft Partners out there who are helping customers design, build, manage and operate Azure.

Partner Admin Link (PAL) Overview

Partner Admin Link (PAL) is a method for partners to associate themselves with customers’ Azure environments, so that they can be associated with that customer’s Azure Consumed Revenue (ACR – not Azure Container Registry this time).

A blurb from Microsoft on PAL is below:

What is Partner Admin Link?
“Partner Admin Link (PAL) is designed for managed service providers (MSPs). Assuming the MSP has access to resources in the customer subscription, they can link those accounts to their MPN ID. From that point onwards the telemetry for those resources (and only those resources) will be linked to the partner.”

Methods To Setup Partner Admin Link (PAL)

There are 3 ways to configure PAL on a customer’s Azure environment.

  • Via The Azure Portal
  • PowerShell
  • AZ CLI

All of which are documented nicely over in the Microsoft Docs.

My Handy PowerShell Script

I created this script for use at the company I work for, as we need to ensure this is done every time for every user when logging into a new customer’s Azure environment for the first time.

However, I couldn’t not share it with the community as this will likely help a lot of you out there. Also it was really nice to get some more hands on time with VS Code, Windows Terminal and PowerShell again; it’s been a couple of weeks due to mainly being in meetings etc… and no hands-on time.

Anyway, the script is available via my GitHub account in my ‘PublicScripts’ repository.

To get access directly to the script in the repository on my GitHub account, click here.

As always, please create issues or submit pull requests for any issues with the script or anything you’d like changed. I will review them as they come in.

Finally, there are no guarantees for the functionality of this script. I have tested it several times in different Azure environments and it has worked perfectly. But please use at your own risk.

Things To Look Out For With Partner Admin Link (PAL)

Here are some quick tips, tricks and pointers about PAL that I have discovered and learnt. (I will update the Microsoft Docs pages as well if these aren’t posted over there too)

  1. You don’t need to do this on CSP Azure Environments as the ACR is already tracked automatically for you.
  2. PAL is linked on a per user, per tenant basis.
    1. With this in mind, it is advised that all of your employees with access to customer subscriptions set up and configure PAL for each customer they have access to.
  3. You can set up and configure PAL with any RBAC role assigned to your user account in a customer’s Azure environment, even one as low as ‘Reader’.
    1. This is because even having ‘Reader’ rights shows the customer has placed trust in you as a partner to assist them.
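An added example, written for this page and not the ‘PublicScripts’ script described above, that ties together the “My Handy PowerShell Script” section and tip 2 (PAL is per user, per tenant): for every tenant the signed-in partner user can reach, it checks whether a PAL link already exists and creates or corrects it, and it records what it did per tenant so the result can be reviewed. It uses the Az.Accounts and Az.ManagementPartner cmdlets (Connect-AzAccount, Get-AzTenant, Get-AzManagementPartner, New-AzManagementPartner, Update-AzManagementPartner). The MPN ID and the tenant IDs to skip (for example CSP tenants, which tip 1 says are tracked automatically) are placeholders supplied by the caller.

```powershell
# Added example (not the post's own script): link the signed-in user to a Partner (MPN) ID
# in each reachable Azure AD tenant, because PAL is recorded per user and per tenant.
# Assumptions: Az.Accounts and Az.ManagementPartner are installed; $PartnerId and
# $SkipTenantIds are placeholders supplied by the caller.
Import-Module Az.Accounts, Az.ManagementPartner

function Set-PalAcrossTenants {
    param(
        [Parameter(Mandatory)][string]$PartnerId,   # your MPN ID (placeholder, e.g. '1234567')
        [string[]]$SkipTenantIds = @()               # tenants to leave alone, e.g. CSP tenants
    )

    # Initial sign-in; Get-AzTenant then lists every tenant this account has access to.
    Connect-AzAccount | Out-Null
    $results = @()

    foreach ($tenant in Get-AzTenant) {
        $tid = $tenant.Id
        if ($SkipTenantIds -contains $tid) {
            $results += [pscustomobject]@{ TenantId = $tid; Action = 'Skipped'; PartnerId = $null }
            continue
        }

        # The link is per tenant, so re-authenticate into each one (this may prompt again).
        Connect-AzAccount -TenantId $tid | Out-Null

        # Get-AzManagementPartner errors when no link exists; treat that as 'not linked'.
        $existing = $null
        try { $existing = Get-AzManagementPartner -ErrorAction Stop } catch { $existing = $null }

        if (-not $existing) {
            New-AzManagementPartner -PartnerId $PartnerId | Out-Null
            $action = 'Created'
        } elseif ($existing.PartnerId -ne $PartnerId) {
            # A stale or wrong ID would attribute ACR to the wrong partner; correct it.
            Update-AzManagementPartner -PartnerId $PartnerId | Out-Null
            $action = 'Updated'
        } else {
            $action = 'AlreadyLinked'
        }

        $results += [pscustomobject]@{ TenantId = $tid; Action = $action; PartnerId = $PartnerId }
    }
    return $results
}

# Usage (placeholders): review the table it returns before assuming every tenant is linked.
Set-PalAcrossTenants -PartnerId '<your-MPN-ID>' -SkipTenantIds '<csp-tenant-id>' | Format-Table
```

Because the link is tied to the signed-in account, each employee needs to run this under their own identity; running it once as a shared admin account links only that account.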

© 2019 Jack Tracey
