How does NMM support AAD join in existing accounts?


Applies to: Nerdio Manager for MSP (NMM) v2.3+


Overview

Accounts created in NMM must have a directory for session hosts to join. NMM allows you to configure directory profiles (Azure AD, Active Directory, or Azure AD DS) for each of your host pools. Before we proceed, let us briefly look at each directory profile type. Traditionally, AVD requires both Active Directory (AD) and Active Directory Domain Services (AD DS). AD DS is available in two formats:

  • Traditional AD DS from Windows Server: The AD DS domain controllers can be located on-prem and accessed over a site-to-site VPN or ExpressRoute, can be VMs located within Azure itself, or both. All AVD needs is network line of sight to a domain controller, to facilitate the VM domain join at deployment time and to perform user authentication.
  • Azure Active Directory Domain Services (AAD DS), which is a Microsoft-managed PaaS service that provides AD DS inside of Azure. Customers do not manage the virtual machines for this service. It was originally designed for cloud-only organizations but has had recent updates to support trust relationships to existing on-prem AD DS.

Azure AD-joined VMs remove the need to have line of sight from the VM to an on-premises or virtualized Active Directory Domain Controller (DC) or to deploy Azure AD Domain Services (Azure AD DS). In some cases, this can remove the need for a DC entirely, simplifying the deployment and management of the environment. This reduces your costs and complexity significantly. Azure AD-joined VMs can also be automatically enrolled in Intune for ease of management.

In this article, we will learn about:

How to configure various directory profiles for your account

How the directory profile type impacts host pool creation

 

How to configure various directory profiles for your account

Log in to the NMM portal and click the "Manage" option on an existing account:

Manage_account.PNG

From the main menu on your account's page, select the "Settings > Integrations" tab as shown below:

Account_level_settings_integrations_page.PNG

On the "Directory" tile, click the "Add" link to add another AD profile:

Directory_tile.PNG

Provide the following details and click the "OK" button:

  • DIRECTORY: Select the directory type (Active Directory, Azure AD DS, Azure Active Directory) from the drop-down
  • AD DOMAIN: Specify the Active Directory domain (in FQDN format) for session host VMs to join
  • AD username: Specify the AD username in FQDN format
  • AD password: Specify the admin user's password
  • Organization unit: Specify the OU in distinguished name (DN) format. If left blank, all computer objects will be placed in the AD Computers container

Configure_directory_profile.PNG

For example, you can add an "Azure AD DS" directory profile as shown below:

Configure_directory_profile_filled.PNG

You can also add "Azure Active Directory" as shown below:

Configure_directory_profile_AAD.PNG

Note: In this case, there is no option to specify a particular AAD. This is because the VMs will be automatically joined to the same AAD that the Azure subscription is connected to.

Once you configure the directory profile, the Settings > Integrations page will look like this:

Directory_tile_after_adding_ADs.PNG

Click the "remove" link if you want to delete an existing directory profile. On the pop-up, click the "Confirm" button as shown below:

Confirm_directory_profile_removal.PNG
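
A pre-flight check for the AD domain, AD username and organization unit fields of a directory profile, as an added example that is not part of NMM or of the original article. It assumes "FQDN format" for the username means user@domain; the function names and the sample domain and account names in the usage are hypothetical.

```python
import re

# Hypothetical helper, not NMM code. Field meanings follow the list above.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def split_dn(dn):
    """Split a DN on unescaped commas and return (ATTRIBUTE, value) pairs."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        escaped = ch == "\\" and not escaped
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not (attr and sep and value):
            raise ValueError(f"malformed DN component: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def check_profile(domain, username, ou=""):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    if not is_fqdn(domain):
        problems.append("AD domain is not an FQDN")
    user, at, user_domain = username.partition("@")
    if not (user and at and is_fqdn(user_domain)):
        problems.append("AD username is not in user@domain form")
    if not ou:
        return problems  # blank OU: objects land in the default container
    try:
        rdns = split_dn(ou)
    except ValueError as exc:
        return problems + [str(exc)]
    if rdns[0][0] != "OU":
        problems.append("OU value does not start with an OU= component")
    dcs = ".".join(value.lower() for attr, value in rdns if attr == "DC")
    if dcs != domain.rstrip(".").lower():
        problems.append("DC components of the OU do not match the AD domain")
    return problems
```

For instance, `check_profile("corp.example.com", "svc-join@corp.example.com", "OU=AVD,DC=lab,DC=example,DC=com")` reports that the OU belongs to a different domain than the one the session hosts are asked to join.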

How the directory profile type impacts host pool creation

Directory profile information is used while creating or re-imaging session hosts. Let us look at how the directory profile type impacts host pool creation. From the account's main menu, navigate to AVD > Host Pools as shown below:

AVD_hostpools.PNG

Scroll down and click the "Add host pool" button:

Click_add_host_pool_button.PNG

When you create a host pool, you will be prompted to select an AD profile as shown below:

Add_host_pool.PNG

If you select Directory type "Active Directory" (say, nmm-qa-man-ac1.nerdio.net, which is also the default directory in our case) and provide other details such as name, description, prefix, desktop images, etc., you will be able to create a host pool:

Default_AD_selected.png

If you select Directory type "Azure AD DS" (say, nerdiofoxtrot.onmicrosoft.com) and provide other details such as name, description, prefix, desktop images, etc., you will be able to create a host pool:

AD_foxtrot.PNG

If you select Directory type "Azure Active Directory", you will see a warning message:
"There are several limitations, including lack of support for FSLogix. Enabling this feature will set the Validation flag on this host pool, and disable FSLogix."

AzureAD-directory_with_warning.PNG

Note: You will still be able to create a host pool, despite the warning message. However, there are a few limitations of AADJ while it's in preview:
  • FSLogix profiles are not supported; as a result, all host pool desktops support local profiles only.
  • A new RDP custom property needs to be added. This is done for you by Nerdio Manager behind the scenes.
  • MFA is not supported for AAD-joined session hosts.

It is possible to have session hosts with different directories under the same host pool, hence we display the directory type at the host level instead of the pool level. To view the "Directory" type for each session host under the host pool, go to Host Pools > Session hosts as shown in the screenshot below. You will be able to view the directory info in the session host's name. If the host is not Azure AD joined, then its name is displayed in <VM name>.<domain name> format. Otherwise, you will see the label "(AADJ)" next to the host name.

Session_hosts_under_AVDpool.PNG