Getting Started with Azure Virtual Desktop

IT Learn Mode
10 min read

Organizations are rethinking how they deliver desktops and applications. Traditional on-premises VDI solutions are steadily giving way to more flexible, scalable, and secure cloud-based alternatives for delivering Windows desktops and apps.

This guide walks you through setting up Azure Virtual Desktop (AVD) using the Azure Portal to build a sample environment and explore the core concepts.

But before we dive into the hands-on steps, we’ll take a moment to clarify what AVD is, where it fits in the real world, and what you should know before deploying it.

📚 Learn the core concepts → 🔧 Build your solution → 🔁 Repeat (Learn more)

⏱️ Estimated time to complete: 60–90 minutes

This includes time to set up your environment, create virtual machines, assign users, and test the desktop connection. Your time may vary depending on your familiarity with the Azure portal and whether you’re working with a fresh tenant.

What is Azure Virtual Desktop?

Azure Virtual Desktop (AVD) is Microsoft’s cloud-based virtual desktop infrastructure (VDI) service. It allows you to provide secure, remote access to a full Windows experience, whether that’s a desktop or just specific applications.

With AVD, users can access virtual machines hosted in Azure from almost any device. Everything is streamed to them over the internet, and as an admin, you get centralized control over updates, user access, and system performance.

Instead of managing physical machines or worrying about hardware failures, you manage your environment in the cloud and scale it based on actual usage.

📘 Official docs:


Real-World Scenarios

Here are some common ways organizations use AVD today:

  • Remote employees: Give them access to a secure, pre-configured desktop without shipping hardware.

  • Contractors and third-party vendors: Provide temporary access to apps or environments with strict access controls.

  • BYOD setups: Let users log in from personal laptops while keeping corporate data off local drives.

  • Training labs: Spin up disposable desktop environments for student sessions, then wipe everything afterward.

  • Legacy app delivery: Host legacy Windows apps in the cloud and make them accessible from modern devices.


Architecture & Best Practices

Before diving in, it helps to understand how AVD is structured:

  • Host pool: The group of virtual machines users connect to.

  • App group: Defines the desktop or apps available to the user.

  • Workspace: A logical container that holds app groups.

  • Users and groups: Who can access what.

  • Role-based access control (RBAC): Controls permissions.

🔗 AVD for Enterprise ; Service architecture resilience

Best practices to keep in mind:

  • Start small: use just one or two session hosts to begin with.

  • Use Microsoft Entra ID (formerly Azure AD) to simplify login and access.

  • Tag everything clearly (environment, owner, etc.) for better resource tracking.

  • Configure autoscaling and session limits to optimize cost and performance.

  • Enable SSO and consider conditional access policies if you're in a secure environment.


Step-by-Step: Deploying an Azure Virtual Desktop sample environment

🧪 For this walkthrough, we’ll build a basic Azure Virtual Desktop environment suitable for testing and learning. The configuration choices, such as region, VM size, and security settings, are chosen for simplicity and may differ from what you’d use in production.

1. Sign into Entra ID and Azure Portal

Make sure you’re signed into both:

💡
Use an account with global admin rights.

2. Set up Security Groups

In Entra ID Portal:

  • Go to Groups

  • Create two groups:

    • AVD Users

    • AVD Admins

  • Add relevant users to each group.

3. Create a Resource Group

In the Azure Portal:

  • Search for Resource Groups and click Create

  • Name it something like AVD-RG01

  • Select your subscription and region

  • Click Review + Create (for this example we will not set up any tags)

4. Set up a Virtual Network

  • Search for Virtual Networks

  • Create a new one (e.g., AVD-Network)

  • Use the default IP ranges unless you need something else

  • Same region as the rest of your resources

5. Create the Host Pool

Please note t

Go to:

  • Azure Virtual Desktop → Create a host pool

  • Fill out the Basics tab:

    • Subscription → Resource Group

    • Host Pool Name: AVD-HP01

    • Location: East US

    • Validation environment: No (for the purpose of the exercise I set it to No, but this option lets you use the host pool to validate service changes before they are deployed to production)

    • Preferred app group type: Desktop (used for the purpose of the exercise; the other option is RemoteApp)

    • Type: Pooled

    • Create Session Host Configuration: No

      💡
      Advanced Tip: A session host configuration lets Azure Virtual Desktop automate the creation of session hosts based on a configuration you set
    • Load balancing: Breadth-first or Depth-first

    • Max session limit: 5

  • Under Session Hosts:

    • Add virtual machines: Yes

    • Resource Group: AVD-RG01

    • VM prefix: ITLearnMode

    • Virtual Machine type: Azure virtual machine

      💡
      Azure virtual machines provide scalable, on-demand computing resources in the cloud. Azure Local virtual machines allow session hosts to be deployed on-premises or at the edge
    • Virtual Machine location: East US

    • Availability options: No infrastructure redundancy required

    • Security type: Trusted launch virtual machines

      💡
      Advanced Tip: Choose a type of security that matches your needs: Standard includes basic protections at no additional cost. Trusted launch virtual machines provide additional security features on Gen2 virtual machines to protect against persistent and advanced attacks.
    • Enable Secure boot: Yes

      💡
      Advanced Tip: Secure boot helps protect your VMs against boot kits, rootkits, and kernel-level malware
    • Enable vTPM: Yes

      💡
      Advanced Tip: Virtual Trusted Platform Module (vTPM) is TPM 2.0 compliant and validates your VM boot integrity apart from securely storing keys and secrets
    • Integrity monitoring: Yes

      💡
      Advanced Tip: Integrity monitoring enables cryptographic attestation and verification of VM boot integrity along with monitoring alerts if the VM didn't boot because attestation failed against the defined baseline
    • Image: Windows 11 Enterprise multi-session, Version 24H2 + Microsoft 365 Apps

    • Size: D2as_v4 or similar

    • Number of VMs: 1

    • OS disk type: Premium SSD

      💡
      Advanced Tip: Standard SSD Disks are a cost effective storage option optimized for workloads that need consistent performance at lower IOPS levels. Premium SSD disks offer high-performance, low-latency disk support for I/O-intensive applications and production workloads. Use Standard HDD disks for Dev/Test scenarios and less critical workloads at lowest cost
    • OS disk size: Default size (128GB)

    • Boot diagnostics: Enabled with managed storage account (recommended)

      💡
      Advanced Tip: Use this feature to troubleshoot boot failures for custom or platform images. Boot diagnostics with managed storage account significantly improves creation time of virtual machines by using pre-provisioned storage accounts managed by Microsoft
    • Virtual Network: AVD-Network (select your network)

    • Subnet: Default (select your subnet network)

    • Network Security group type: Basic

      💡
      A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, the virtual machine. To simplify management of security rules, it's recommended that you associate a network security group to individual subnets, rather than individual network interfaces within the subnet, whenever possible
    • Public inbound ports: No

      💡
      Advanced Tip: By default, access to the virtual machine is restricted to sources in the same virtual network, and traffic from Azure load balancing solutions. Select None to confirm, or choose to allow traffic from the public internet to one of these common ports
    • Select which directory you would like to join: Microsoft Entra ID

    • Enroll VM with Intune: No (I don’t have Intune enabled on my Azure test tenant)

      💡
      Advanced Tip: If Intune is configured in your Microsoft Entra tenant, you can choose to have the virtual machine automatically enrolled during the deployment by selecting Yes
    • Virtual machine administrator account:

      • User name: AVDAdmin

      • Password: YourLocalAdminPassword

      • Confirm Password: YourLocalAdminPassword

  • Workspace: No (in my exercise I’ll create the Workspace after the Host Pool has been created)

  • Management: Default

  • Tags: Default

  • Create

6. Create a Workspace and Register the App Group

After Host Pool is deployed:

  • Go to Workspaces → Create

  • Fill out the Basics tab:

    • Subscription → Resource Group

    • Name your workspace (e.g., ITLearnMode)

    • Location: East US

  • Register the default application group: Yes

    • Click: Register application groups

    • Click the plus sign next to the application group that was automatically created with the Host Pool.

    • Click: Select

  • Advanced: Default

  • Tags: Default

  • Review + Create

7. Assign Users

  • Open the app group (Azure Virtual Desktop → Application Groups → YourApplicationGroupName) → Assignments → Add

  • Add both AVD Users and AVD Admins groups → Click Select

  • Go to Access Control (IAM) under your resource group:

    • Assign Virtual Machine User Login to AVD Users

    • Assign VM Administrator Login to AVD Admins

  • Go to the host pool → RDP Properties

  • Enable Microsoft Entra single sign-on by setting the RDP property to: Connections will use Microsoft Entra authentication to provide single sign-on

    💡
    Determines if the connection will attempt to use Microsoft Entra authentication to sign in to Microsoft Entra-joined session hosts and enable a single sign-on experience. To use this property with Hybrid Microsoft Entra-joined hosts, you must create a Kerberos Server object

    Source: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID
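The same objects the Architecture section describes (host pool, app group, workspace, RBAC) and the control-plane part of steps 5 through 7, as an added Az PowerShell example; this is not the author's code or portal output. It assumes you have run Connect-AzAccount with sufficient rights, that AVD-RG01 and the Entra groups "AVD Users" and "AVD Admins" from steps 2 and 3 already exist, that the application group name AVD-HP01-DAG is a choice made here, and that session host VMs are created separately.

```powershell
# Added example (not from the original post): steps 5-7 with the Az PowerShell modules
# (Az.DesktopVirtualization, Az.Resources) instead of the portal. Assumes you ran
# Connect-AzAccount, and that AVD-RG01 and the groups "AVD Users"/"AVD Admins" exist.
$rg  = "AVD-RG01"
$loc = "eastus"
$hp  = "AVD-HP01"
$ws  = "ITLearnMode"
$ag  = "$hp-DAG"   # assumed name for the desktop application group

# Step 5 (control plane only; session host VMs are added separately): pooled host pool,
# breadth-first load balancing, max 5 sessions per host, Desktop app group type,
# not a validation environment.
$pool = New-AzWvdHostPool -ResourceGroupName $rg -Name $hp -Location $loc `
    -HostPoolType Pooled -LoadBalancerType BreadthFirst -MaxSessionLimit 5 `
    -PreferredAppGroupType Desktop -ValidationEnvironment:$false

# Registration token the session host agent needs when VMs join (24 h lifetime is an assumption).
New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hp `
    -ExpirationTime (Get-Date).ToUniversalTime().AddHours(24).ToString("o") | Out-Null

# Desktop application group tied to the host pool (the portal creates this one for you).
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $ag -Location $loc `
    -HostPoolArmPath $pool.Id -ApplicationGroupType Desktop

# Step 6: workspace that publishes the application group.
New-AzWvdWorkspace -ResourceGroupName $rg -Name $ws -Location $loc `
    -ApplicationGroupReference $appGroup.Id | Out-Null

# Step 7: both groups get the app group; VM login roles are scoped to the resource group
# only, and admins are the only ones who get local administrator rights on the hosts.
$users  = Get-AzADGroup -DisplayName "AVD Users"
$admins = Get-AzADGroup -DisplayName "AVD Admins"
foreach ($g in @($users, $admins)) {
    New-AzRoleAssignment -ObjectId $g.Id -RoleDefinitionName "Desktop Virtualization User" `
        -Scope $appGroup.Id | Out-Null
}
New-AzRoleAssignment -ObjectId $users.Id -RoleDefinitionName "Virtual Machine User Login" `
    -ResourceGroupName $rg | Out-Null
New-AzRoleAssignment -ObjectId $admins.Id -RoleDefinitionName "Virtual Machine Administrator Login" `
    -ResourceGroupName $rg | Out-Null

# Microsoft Entra single sign-on: the RDP property behind the portal setting
# "Connections will use Microsoft Entra authentication to provide single sign-on".
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hp -CustomRdpProperty "enablerdsaadauth:i:1;" | Out-Null
# Verify: who can log in to the hosts, at what scope, and that SSO is set.
Get-AzRoleAssignment -ResourceGroupName $rg |
    Where-Object RoleDefinitionName -like "Virtual Machine*Login" |
    Select-Object DisplayName, RoleDefinitionName, Scope
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $hp).CustomRdpProperty
```

The final two commands are the check worth keeping around: login roles that appear at subscription scope, or a missing CustomRdpProperty, mean the portal steps were not applied as intended.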

8. Test the Environment - Connect to the Desktop

Because my device is a Mac, I’ll be sharing the steps for macOS. If you are using a Windows device, please follow these steps - Connect to the Desktop

  1. Download and install Windows App from the Mac App Store. When Windows App is installed, open it.

    💡
    If it's your first time using Windows App, navigate through the tour to learn more about Windows App, then select Done, or select Skip.
  2. Windows App opens on the Devices tab. Select the plus (+) icon, then select Add Work or School Account and sign in with a user account you assigned during deployment.

  3. After you sign in, make sure you're on the Devices tab.

  4. The desktop you created is shown as a tile called SessionDesktop. Double-click SessionDesktop to connect.

  5. By default, using single sign-on requires the user to grant permission to connect to the session host, which lasts for 30 days before prompting again.

    💡
    You can hide this dialog by configuring a list of trusted devices. For more information, see Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID.

    To grant permission, at the prompt Allow remote desktop connection, select Yes.

  6. Once you're connected, your desktop is ready to use.


Wrapping It Up

You just built a full AVD setup from the ground up inside the Azure portal. Whether you're doing this for learning, a production rollout, or to support a hybrid workforce, you're now equipped to go further.

Next, you might explore user profile containers with FSLogix or set up autoscaling with Azure Automation.

Learn. Build. Repeat.


Written by

IT Learn Mode

I’m Sandro Figueiredo, a Modern Workplace Consultant who has spent more than ten years helping organizations move to the cloud, streamline how they work, and get the most out of Microsoft technologies. I started this blog because I believe in the power of learning something new, putting it into practice, and then doing it all over again. Learn. Build. Repeat. It is how I grow, how I stay curious, and how I shape my own style. This space is where I share what I discover along the way. From practical guides to lessons learned in the real world, my goal is to make complex things easier to understand so we can all keep learning and building together.