Azure AD only joined hosts in Azure Virtual Desktop: Join and re-join hosts
Azure AD-only joined session hosts are becoming more common in Azure Virtual Desktop, and running AVD hosts as AAD-only comes with a few challenges. One of them: you can only roll out a new session host as AAD-only if no device with the same name already exists in Azure AD. That used to work, but it seems to have changed over the last few months.
If you roll out a new session host with AAD-only integration and a device with the same name already exists, you get this error message:
Another object with the same value for property hostnames already exists.
So, if you roll out session hosts again after updating the image and want to reuse the host names, you first have to remove the old device objects (devices that no longer exist) from Azure AD.
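As an added example (not from the original post and not Hydra's own code), this is what that clean-up looks like when you do it yourself with the Microsoft Graph PowerShell module before a rollout: look up the device objects by display name, skip anything that is not AAD-joined or that has signed in recently (a sign the host may still be alive), and delete the rest. The host names and the 7-day threshold are assumptions for illustration; the caller needs Device.ReadWrite.All or the Cloud Device Administrator role, which is the same level of privilege the page warns about.

```powershell
# Added example: remove stale Azure AD device objects for session host names you want to reuse.
# Requires the Microsoft.Graph.Identity.DirectoryManagement module and an identity holding
# Device.ReadWrite.All or the Cloud Device Administrator role (both highly privileged).
param(
    [string[]] $HostNames  = @('avd-host-01', 'avd-host-02'),  # assumed names to be reused
    [int]      $MaxAgeDays = 7,                                # assumed: skip devices seen more recently
    [switch]   $WhatIf
)

Connect-MgGraph -Scopes 'Device.ReadWrite.All'

foreach ($name in $HostNames) {
    # The session host name is what shows up as displayName on the device object
    $devices = Get-MgDevice -Filter "displayName eq '$name'" -All

    if (-not $devices) {
        Write-Host "$name : no device object found, nothing to clean up"
        continue
    }

    foreach ($device in $devices) {
        # Only touch AAD-joined devices; hybrid-joined or registered ones are a different case
        if ($device.TrustType -ne 'AzureAd') {
            Write-Warning "$name ($($device.Id)) has TrustType $($device.TrustType), skipping"
            continue
        }

        # A recent sign-in means the host may still be running; do not delete it blindly
        $lastSeen = $device.ApproximateLastSignInDateTime
        if ($lastSeen -and $lastSeen -gt (Get-Date).AddDays(-$MaxAgeDays)) {
            Write-Warning "$name ($($device.Id)) signed in at $lastSeen, skipping"
            continue
        }

        if ($WhatIf) {
            Write-Host "Would delete $name ($($device.Id)), last seen: $lastSeen"
        } else {
            Remove-MgDevice -DeviceId $device.Id
            Write-Host "Deleted $name ($($device.Id)), last seen: $lastSeen"
        }
    }
}
```

Run it with -WhatIf first; the last-sign-in check is only a heuristic, so compare the list against the session hosts you are actually about to delete before running it for real.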
To make this a bit easier, I added two options to Hydra for Azure Virtual Desktop that handle this automatically:
- If you add the service principal that Hydra uses to the role “Cloud Device Administrator” and tick the box “Azure Active Directory: Try to delete old device” in the rollout configuration, Hydra deletes existing devices with the same name from Azure AD before the rollout. Note: “Cloud Device Administrator” is a highly privileged role. The second option does not need this role.
- Run a script on the session host shortly before it is deleted, so the host removes itself. Running dsregcmd.exe locally on a device removes the device from AAD. To automate this, select a script collection in the base settings of the host pool configuration: Run script or collection on specific events -> On-Delete -> select the collection “BuiltIn: Remove device from Azure Active Directory before deleting host”. The collection puts the host into drain mode and runs the script shortly before the host is deleted. (Note: if the script collection is not visible, update the built-in scripts by clicking the update button in the upper right corner of the script menu.) The on-delete option can also be used for other purposes.
Note: In WVDAdmin the script to remove a host can be triggered with “Remove device from Azure Active Directory”.
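For readers who want to see what the second option does on the host itself, here is an added example (not Hydra's built-in script collection) of an on-delete style script: it reads the join state from dsregcmd /status, runs dsregcmd /leave only if the host is actually Azure AD joined, and verifies afterwards that the state flipped. dsregcmd /leave has to run elevated; running it as SYSTEM (which is how an agent-driven on-delete script typically runs anyway) is the safe choice.

```powershell
# Added example: leave Azure AD from the session host itself, with a check before and after.
# Run elevated, preferably in the SYSTEM context.

function Get-AadJoinState {
    # Parse the "AzureAdJoined : YES/NO" line out of dsregcmd /status
    $status = & dsregcmd.exe /status
    foreach ($line in $status) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*(\w+)') { return $Matches[1] }
    }
    return 'UNKNOWN'
}

$before = Get-AadJoinState
Write-Host "AzureAdJoined before: $before"

if ($before -ne 'YES') {
    Write-Host 'Host is not Azure AD joined; nothing to leave.'
    exit 0
}

# Unjoins the host and removes its device object from Azure AD
& dsregcmd.exe /leave
if ($LASTEXITCODE -ne 0) {
    Write-Error "dsregcmd /leave returned exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

# Give the device registration service a moment, then confirm the local state changed
Start-Sleep -Seconds 5
$after = Get-AadJoinState
Write-Host "AzureAdJoined after: $after"

if ($after -eq 'YES') {
    Write-Error 'Host still reports AzureAdJoined : YES; the device object was probably not removed.'
    exit 1
}
```

Because the host is in drain mode when this runs, no new sessions land on it while it leaves; if the leave fails, the non-zero exit code lets the deletion step surface the problem instead of silently leaving a stale device object behind.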