Azure Virtual Desktop with Intune & Cloud-Only Users

Setting up Azure Virtual Desktop usually means dealing with domain controllers, complex hybrid identity setups, and a lot of moving parts that can break. But what if you could skip all that complexity and build a modern AVD environment that runs entirely in the cloud?

Microsoft now supports Entra ID-joined session hosts managed through Intune, with FSLogix profiles that work seamlessly with cloud-only users. No domain controllers required, no hybrid sync headaches, just clean cloud architecture that actually works.

This approach is perfect if you’re building greenfield environments, migrating from on-premises VDI solutions, or simply want to embrace a cloud-first strategy without compromising on functionality. Your users get the same seamless experience they expect, while knowing there are fewer moving parts to break

What You’ll Learn in This Guide:

• Deploy AVD without any on-premises dependencies
• Configure Intune for automated session host management
• Set up FSLogix with cloud-only user authentication
• Implement single sign-on for seamless user experience

Traditional AVD deployments require:

• On-premises Active Directory or Azure AD Domain Services
• Hybrid identity synchronization
• Additional infrastructure to maintain
• Complex networking and domain join processes

The cloud-native approach eliminates these dependencies with:

• Pure Entra ID joined session hosts
• Intune handles all device management
• FSLogix works with Azure Files using Kerberos authentication
• Single sign-on experience for users

Architecture Overview:

Here are some of the key benefits of doing this:

• Reduced infrastructure complexity
• Faster deployment and scaling
• Simplified user management
• Lower operational overhead

Prerequisites and Setup Information

Before we dive into the technical implementation, let’s make sure you have everything needed for a successful deployment

Licensing Requirements

You’ll need these for a complete setup:

• For Azure Virtual Desktop access, you’ll need one of the following license: Microsoft 365 E3/E5/F3, Windows E3/E5, M365 Business Premium or you can enroll for Per-User access pricing.
• Microsoft Intune Enrollment Enabled and Domain Connected for the MDM functionality
• Active Azure subscription (with VM quota)

Optional but recommended:

• Entra ID P1 (for dynamic groups and conditional access)

Creating the AVD Network Infrastructure

The foundation of your AVD environment starts with proper network configuration. This provides the secure connectivity framework for your session hosts.

Step 1: Create Virtual Network

At this point, you have your foundational network component ready to host the virtual machines for AVD.

Using Azure CLI for Create the Resource Group and the Virtual Network (Optional)

If you prefer to use Azure CLI instead for faster deployment and repetitive setup for testing, you can follow the instructions below and run the commands in your terminal while ensuring that you are logged into your desired Azure account with right subscription context.

If you are new to Azure CLI, considering reading this article to understand how to install and setup your workstation for Azure CLI use for automated deployment.

• Create the resource group using the following Azure CLI command:

  az group create --name rg-avd-prod-001 --location canadacentral
  

  

  If you are using an existing resource group, you can skip over this command and continue with the following instructions.

• Use the following Azure CLI command to setup your virtual network with desired values for the resource group and location:

  az network vnet create --resource-group rg-avd-prod-001 --location canadacentral --name vnet-avd-prod-001 --address-prefix 10.0.0.0/16 --subnet-name snet-avd-sessionhosts --subnet-prefix 10.0.1.0/24
  

  

  It is important to note that you may need to update/adjust the values for resource group and region if you choose to setup the environment matching your desired configuration.

• After running these command, you will see the virtual network inside the newly created resource group at this point now.
  

Step 2: Configure Network Security Group

The Network Security Group (NSG) provides an additional layer of security to your environment by defining the traffic controls and rules to ensure you don’t leave your AVD environment open for anyone to access. It is recommended to have an NSG level control over your subnet instead of individual VMs, however for this demo you can skip the NSG setup if you wish to do so.

To setup the NSG, follow the instructions below and create the essential outbound rules to secure your network and the resources.

Using Azure CLI to Create NSG (Optional)

If you are more comfortable using Azure CLI to set this up, use the following commands to create the necessary settings and the resource itself.

az network nsg create --resource-group rg-avd-prod-001 --name nsg-avd-sessionhosts

az network nsg rule create --resource-group rg-avd-prod-001 --nsg-name nsg-avd-sessionhosts --name Allow-HTTPS-Outbound --direction Outbound --priority 100 --destination-port-ranges 443 --protocol Tcp
az network nsg rule create --resource-group rg-avd-prod-001 --nsg-name nsg-avd-sessionhosts --name Allow-HTTP-Outbound --direction Outbound --priority 100 --destination-port-ranges 80 --protocol Tcp
az network nsg rule create --resource-group rg-avd-prod-001 --nsg-name nsg-avd-sessionhosts --name Allow-SMB-Outbound --direction Outbound --priority 100 --destination-port-ranges 445 --protocol Tcp

az network vnet subnet update --resource-group rg-avd-prod-001 --vnet-name vnet-avd-prod-001 --name snet-avd-sessionhosts --network-security-group nsg-avd-sessionhosts

Configuring Azure Premium Files Share for FSLogix

Now we are going to setup the user profile settings to enable FSLogix remote profile for the AVD environment. It is important to do this now so that the users can start to use this on the first login. However, you can optionally configure this anytime later as well.

Step 3: Create Premium Storage Account

Follow the steps below to create a premium file share enabled storage account where the user profiles will hosted.

Step 4: Create File Share and Enable Kerberos

Let’s create the file share and enable the Entra ID authentication for the storage file share to use with AVD Session hosts.

Important: The Kerberos authentication must be enabled at the file share level, not just the storage account level. This allows Entra ID users to authenticate directly without any hybrid infrastructure!

Deploying AVD Host Pool with Intune Integration

This is where the cloud-native magic happens. You will be creating session hosts with Entra ID login and enroll the machines to Intune directly without any additional setup.

Step 5: Create Host Pool using Azure Portal

Step 6: Configure RDP Single Sign-On

This critical step enables seamless authentication for Entra ID users:

1. Once the resources are deployed, go to your host pool and select the host pool from the list:
   
2. Click RDP Properties and Advanced tab:
   
3. Add custom property and click Save:enablerdsaadauth:i:1

Note: Without this configuration, users cannot access the virtual desktop pool.

Issues with Joining Domain with Azure AD

If you encounter the following error during the host pool creating, follow the steps below to fix the error and return back to host pool view to add the host pools again. If not, you can skip over this step.

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see  for usage details.","details":[{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AADLoginForWindows' (publisher 'Microsoft.Azure.ActiveDirectory' and type 'AADLoginForWindows'). Error message: 'AAD Join failed with status code: -2145648526. Device successfully unjoined from Azure AD.'. More information on troubleshooting is available at . "},{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AADLoginForWindows' (publisher 'Microsoft.Azure.ActiveDirectory' and type 'AADLoginForWindows'). Error message: 'AAD Join failed with status code: -2145648526. Device successfully unjoined from Azure AD.'. More information on troubleshooting is available at . "}]}

Access Control and User Management

Azure Virtual Desktop with Microsoft Entra joined session hosts requires a dual-layer access control model. Unlike traditional domain-joined environments where users authenticate once to Active Directory, cloud-native AVD requires two separate permission sets:

1. Virtual Machine Login Roles: These Azure RBAC roles control whether users can authenticate and sign into the session hosts themselves
2. Application Group Access: This determines which AVD resources (desktops/apps) users can see and launch from their workspace

Without both permission layers configured correctly, users will either be unable to sign into session hosts or won’t see any published resources in their AVD workspace.

Step 7: Create User Groups for AVD Users

You’ll need some way to filter and scope the users to enable access to AVD which in this case will be using a Entra Groups.

• Navigate to Microsoft Entra ID → Groups → New group:
  
• Create standard user group using the following settings:
  • Group type: Security
  • Group name: AVD-Users
  • Group description: Standard users with desktop access to AVD
  • Membership type: Assigned
  • Members: Add your regular AVD users

  

Step 8: Create Dynamic Device Group for Session Hosts

Dynamic device groups automatically capture AVD session hosts as they’re deployed, ensuring all Intune policies (FSLogix, security settings, etc.) apply consistently without manual group management.

Note: Microsoft Entra ID P1 license is required for this step. If unavailable, use an assigned group instead.

• Navigate to Microsoft Entra ID → Groups → + New group
• Configure a dynamic group using the following settings:
  • Group type: Security
  • Group name: AVD-SessionHosts-Dynamic
  • Group description: Dynamic group for all AVD session hosts managed by Intune
  • Membership type: Dynamic Device

  

• On Dynamic device members, click Add dynamic query and set the following rule and save when done:
  • Property: Select displayName
  • Operator: Select Starts With
  • Value: Type avd-vm (Matches your session host naming pattern)
• You can optionally validate the rule by doing the following:
  • Click Validate Rules tab
  • Test with existing session host names to confirm matching

Note: The dynamic device group created above will be used in Intune Configuration to scope all FSLogix and security policies to session hosts only.

If you don’t have the P1 license on your tenant, consider creating an assigned security group and add the hosts as they are deployed manually to the group membership.

Step 9: Assign RBAC Permissions for AVD User Login

These Azure RBAC roles are mandatory for Microsoft Entra joined VMs. They control the fundamental ability to authenticate and sign into the session hosts.

• Navigate to Resource groups → rg-avd-prod-001
• Select Access control (IAM) → + Add → Add role assignment:
  
• Select the Role: Virtual Machine User Login by searching in the roles list and click Next:
  
• On the Members tab, click + Select members and add the AVD-Users group created earlier:
  
• Click Review + assign and finish adding the role assignment.

Step 10: Configure Application Group Access for AVD Users

VM login roles only allow signing into session hosts but the users also need explicit permission to access AVD published resources (desktops or applications) through application group assignments. You’ll setup the access to the AVD application group now:

• Navigate to Azure Virtual Desktop → Application groups
• Select your desktop application group (created automatically with the host pool)
• Go to Assignments → + Add
• Search and select AVD-Users group
• Click Select to finish this step:
  

Critical Note: Users need both VM login roles and application group access to successfully access AVD. Missing either will result in authentication failures or empty workspaces.

Configuring Intune for FSLogix Management

Now you need to get FSLogix working properly across your session hosts. Since you’re running without traditional Active Directory, there’s no Group Policy to handle this – that’s where Intune comes in.

You’ll configure FSLogix settings through Intune’s Settings Catalog, which pushes the necessary registry configurations to all your session hosts automatically. We’ll also need to set up some custom registry settings that aren’t available in the standard catalog, specifically for handling Azure AD credentials with your cloud-only users. Think of this as giving your session hosts the instructions they need to properly store and retrieve user profiles from Azure Files.

Step 11: Creating FSLogix Configuration Profile

Navigate to your Microsoft Intune admin center and follow the steps below to setup the Intune policy for FSLogix redirect:

Step 12: Configure Azure AD Cloud Kerberos Settings

Click on create policy again to create this policy to enforce and configure Cloud Kerberos with Azure AD Login on the Intune managed devices now.

This setting is critical for Microsoft Entra Kerberos authentication to work properly with roaming profiles.

Accessing Azure Virtual Desktop

Ensure that any user trying to access the AVD must have a valid license assigned.

• Navigate to the following URL in a new tab and login with an account that is part of the AVD-Users group create in the Entra ID:Windows App
• Click Connect on the listed SessionsDesktop:
  
• Sign in to your Microsoft Account if prompted and you will be on the desktop soon.

Conclusion

Building Azure Virtual Desktop with cloud-only users and Intune management eliminates the complexity of traditional VDI while delivering enterprise-grade functionality. This cloud-native approach removes dependencies on domain controllers, simplifies identity management, and provides users with seamless single sign-on experiences.

The key to success lies in proper configuration of critical components: RDP single sign-on settings, FSLogix registry configurations, and appropriate RBAC assignments. Take time to validate each step before moving to production, and use the troubleshooting commands provided to verify your configuration.

By following this guide, you now have a robust foundation for modern virtual desktop infrastructure that scales with your business needs while reducing operational complexity. The total setup time is typically 2-3 hours, but the long-term benefits of simplified management and enhanced user experiences make it a worthwhile investment.

 

If you like reading this article, consider subscribing to my newsletter and stay tuned for the upcoming articles soon!