Getting started with Windows 365 - Part 2. Provisioning an Azure Ad Joined Cloud PC

[anyweb]

Introduction

This is Part 2 in a new series of guides about getting started with Windows 365. This series of guides will help you to learn all about Windows 365 in a clear and insightful way. This series is co-written by Niall & Paul, both of whom are Enterprise Mobility MVP’s with broad experience in the area of modern management. At the time of writing, Paul is a 6 times Enterprise Mobility MVP based in the UK and Niall is a 12 times Enterprise Mobility MVP based in Sweden. In this series we aim to cover everything we learn about Windows 365 and share it with you to help you to deploy it safely and securely within your own organization. In Part 1, we introduced you to what Windows 365 actually is, selecting the right edition with the level of management that you need, choosing the plan that suits your users needs at a cost you can afford, or modifying the configuration to make it more suited to your individual needs, purchasing licenses and saving money for your organization via the Windows Hybrid Benefit. In this part, we'll learn how to provision an Azure Ad joined Cloud PC and take a look at the different network options available when provisioning an Azure Ad joined Cloud PC.

Below you can find all parts in this series:

• Getting started with Windows 365 - Part 1. Introduction
• Getting started with Windows 365 - Part 2. Provisioning an Azure Ad Joined Cloud PC <- you are here
• Getting started with Windows 365 - Part 3. Provisioning a Hybrid Azure Ad Joined Cloud PC
• Getting started with Windows 365 - Part 4. Connecting to your Cloud PC
• Getting started with Windows 365 - Part 5. Managing your Cloud PC
• Getting started with Windows 365 - Part 6. Point in time restore
• Getting started with Windows 365 - Part 7. Patching your Cloud PCs with Windows Autopatch
• Getting started with Windows 365 - Part 8. Windows 365 boot
• Getting started with Windows 365 - Part 9. Windows 365 switch
• Getting started with Windows 365 - Part 10. Windows 365 offline

In this part we'll cover the following:

• Azure AD join capabilities for Windows 365 Cloud PCs
• Assigning licenses to users
• Adding licensed users to an Azure AD group
• Decide which network your Azure AD Joined Cloud PCs will use
• Create or reuse resource group (optional)
• Create or reuse a virtual network (optional)
• Create azure network connection (optional)
• Create provisioning policy

Azure ad join capabilities for Windows 365 Cloud PCs

When Windows 365 was originally released (July 2021), it initially supported the Hybrid Azure AD join scenario. Based on customer feedback, Microsoft announced support for Azure AD joined Cloud PCs in Windows 365 Enterprise November 2021 and that went through a private preview before it was initially released in February 14th, 2022, and Globally Available in May 2022.

Note: Azure AD Join doesn't require connectivity to a Windows Server Active Directory (AD) domain unlike Hybrid Azure AD Join, which does require that connectivity.

Azure ad joined Cloud PCs have the following benefits:

• You can create Azure AD joined Cloud PCs without bringing any additional Azure infrastructure.
• You can create Azure AD joined Cloud PCs on your own network, by using an on-premises network connection.
• You can provide Cloud PCs for cloud-only users in your organization.
• Gain more flexibility to sign in to your Cloud PC using Windows Hello for Business.

Assigning licenses to users

You need to assign a Windows 365 license to your user(s) in order for them to use the service, much as you would with any Microsoft 365 product. To do this, open the Microsoft 365 admin center and expand the Billing node, select Licenses, and choose the appropriate Windows 365 product from those you've purchased.

Next click on + Assign licenses and select the user(s) you wish to apply the license to in the Assign licenses to users window. Finally click on Assign.

You will get a confirmation of the action showing the type of Windows 365 license.

Adding licensed users to an Azure AD group

Next, you need to add the licensed user(s) to an Azure AD group, you can name the group whatever you want but it would be a good idea to match the name of your Azure AD group to the Provisioning policy that we will create later in this guide by using a naming convention. In this example, we have created an Azure AD group called W365 North Europe AAD W11 and we've added the licensed user(s) to that group. That way we can quickly determine that members of this group will get a Windows 365 Cloud PC configured for Northern Europe, using Azure AD Join and running Windows 11.

Decide which network your Azure AD joined Cloud PCs will use

You need to decide which network type your Cloud PC's will use for the Azure AD Join scenario. There are 2 choices listed below.

•  A Microsoft-hosted network
•  Your own network (using an Azure network connection)

Tip: If you want your Azure AD Joined Windows 365 Cloud PCs to be 100% Cloud Only then select the built-in Microsoft-hosted network. If you select that choice then you can skip the next three optional steps. If however you want to control the region where your network is located (in relation to your users) and which DNS settings your Cloud PC's will use plus many other additional network settings, then you should configure the next three steps.

Create or reuse a Resource Group (optional)

Windows 365 uses Resource Groups in Azure to store certain resources, such as Virtual networking. When creating a provisioning policy for a Cloud PC you can select to use the Microsoft hosted network (cloud only) or use a previously created Azure network connection (ANC). If you choose the option to use your own network via an Azure network connection, that ANC needs to be in a Resource Group. To prepare for that, we'll create a new Resource Group in Azure.

Note: If you want your Azure AD Join based Windows 365 Cloud PC's to be cloud only you can skip this step.

Login to https://portal.azure.com and click on Create a resource, select Resource Groups, select Create and create a new resource group in an Azure region close to you. Click Review + create to complete the wizard.

Create or reuse a Virtual Network (optional)

Windows 365 in an Azure AD Join scenario can use a Microsoft Hosted Network to be completely cloud only, or can use Virtual Networks to allow your Cloud PC's to use specific network settings that you define.

Note: If you want your Azure AD Join based Windows 365 Cloud PC's to be cloud only you can skip this step.

To use your own network and provision Azure AD joined Cloud PCs, you must meet the following requirements:

• Azure virtual network: You must have a virtual network (vNET) in your Azure subscription in the same region as where the Windows 365 desktops are created.
• Network bandwidth: See Azure’s Network guidelines.
• A subnet within the vNet and available IP address space.

In your newly created Resource Group, click on Create and select Virtual Network. Here you can define the ip addresses to use if that's your preference.

define the IP Addresses and additional network info for the virtual network, followed by Create.

 

Create Azure network connection (optional)

Windows 365 in an Azure AD Join scenario can use a Microsoft Hosted Network to be completely cloud only, or can use an Azure network connection to allow your Cloud PC's to access your on-premises network resources.

Note: If you want your Azure AD Join based Windows 365 Cloud PC's to be cloud only you can skip this step.

To create your own Azure Network connection, open the Microsoft Endpoint Manager console, select the Windows 365 node, and then select Azure network connection. Keep in mind that each tenant has a limit of 10 Azure network connections, if you need more than that you must contact Microsoft support.

 

Next, click on + Create and select Azure AD Join from the two available options.

Next give the Azure network connection (ANC) a suitable name, before selecting the Resource Group (that you created above) and the Virtual Network (that you also created above).

Click on Next and then click on Review + Create.

The ANC status will initially be running checks

and if all goes well it'll change status to Checks Successful after approximately 30 minutes.

 

Create provisioning policy

Next you need to create a provisioning policy. In the Windows 365 node, click on the Provisioning policies tab.

 

Click on + Create policy and start filling in the details. In the General screen once you select Azure AD Join as Join type,that you'll have the choice of selecting the Microsoft hosted network or to use an Azure network connection (ANC) that you created previously. If you want your Windows 365 Cloud PC's to be cloud only select the Microsoft hosted network, otherwise select the ANC that is applicable to your region.

 

On the Image screen, you can select the type of image from built-in images provided by Microsoft (Gallery image) to using one you make yourself (Custom image). If you select Gallery image you'll need to click on Select to select from a list of created images. In this example we'll go with the Windows 11 Enterprise + Microsoft 365 apps image

 

On the Configuration screen, select your desired Language + Region (preview) and whether or not you want to use the new Windows Autopatch feature.

On the Assignments screen, select one or more groups that you want to target with this Provisioning Policy. We'll use the previously created W365 North Europe AAD W11 Azure AD Group for this purpose.

when done click on Review + Create and your provisioning policy is complete.

At this point all the hard work is done and you can select the All Cloud PCs tab. This will reveal the status of any Windows 365 licensed users targeted by the provisioning policy.

 

This process can take some time to deploy the actual Cloud PC, so you'll have to refresh this view in order to see when everything is complete. While you are waiting, please up-vote the following Windows 365 feedback so that we can get an email notification once the provisioning process is completed.

Note that if the licensed user(s) opens the Windows 365 web page https://windows365.microsoft.com at this point, they'll see something liked the following (after satisfying MFA). This is another reason why an email notification to both the Admin and the User would be great.

Note: During this process we did not create any User settings to define Local administrator settings, or Point in time restore options. If you need to configure them, then do so in the User settings tab. You can always add those settings after provisioning a Cloud PC, just ensure that the Cloud PC restarts to get the new policy.

After some time, the Cloud PC will be provisioned and you can see that in the MEM console, in addition to details of its provisioning policy, the device name, PC Type, Azure network connection and image.

At this point, the licensed user(s) can access their Cloud PC directly at the Windows 365 web page.

After clicking on Open in browser, the user will be prompted for credentials, MFA prompt and they are in.

Job done !

That's it for this part, please join us in Part 3 where we'll learn how to provision a Hybrid Azure AD Join Cloud PC.

Recommended reading

• Windows 365 networking deployment options- https://learn.microsoft.com/en-us/windows-365/enterprise/deployment-options?WT.mc_id=windowsnoob.com
• Windows 365 requirements - https://docs.microsoft.com/en-us/windows-365/enterprise/requirements
• Azure Virtual Network requirements - https://docs.microsoft.com/en-us/windows-365/enterprise/requirements-network
• Azure Network guidelines - https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/network-guidance
• Azure network connections (ANC) - https://docs.microsoft.com/en-us/windows-365/enterprise/azure-network-connections

 

[ALX]

Hello, Niall!

Can you describe this Windows 365 Enterprise Azure AD join scenario in details about environments/ subscriptions (M365 & Azure)/ permissions? What’s needed to organize a TEST environment like your’s for this scenario?

At my test environment I can’t create Azure Network Connection because the dropdown field for subscription choice at the ANC is empty. I have a test M365 subscription by cdx.transform.microsoft.com and two Azure subscriptions – Trial and another one by the Visual Studio. All required permissions assigned at the Azure subscription, but ANC can’t see Azure subscription:

Kind regards, Alex

  

[anyweb]

hi Alex

can you verify that you meet these requirements when creating the ANC ? as you are just doing AAD the first line is what you need

 

Intune Administrator, Windows 365 Administrator, or Global Administrator role.

and... once created, if you need to edit it... you'll also need > to have the Subscription Reader role in the Azure Subscription where the VNET associated with the ANC was located.

for more info > Azure network connection overview | Microsoft Learn

cheers

niall

 

Permissions required for Azure network connections

The ANC wizard requires access to Azure and, optionally, on-premises domain resources. The following permissions are required for the ANC:

• Intune Administrator, Windows 365 Administrator, or Global Administrator role.
• An Active Directory user account with sufficient permissions to join the AD domain into this Organizational Unit( (Hybrid Azure AD Join ANCs only).

To create or edit an ANC, you must also have the Subscription Reader role in the Azure Subscription where the VNET associated with the ANC was located.

For a full list of requirements, see Windows 365 requirements.

[ALX]

Hi, Naill, again!

As I wrote, all required permissions assigned at the Azure subscription – for one user was assigned Subscription Reader role, another one has – Owner role (two different users had added for experiments)

 

These users have all required permissions at M365 tenant – they’re Global Administrators.

Downhere my test environment illustration:

 

Of course, I read this official documentation https://learn.microsoft.com/en-us/windows-365/enterprise/azure-network-connections and related docs. Also read a lot of other articles (like yours’s) and watched many videos (officials / by bloggers).

All things must be simple, but… ☹

What could be wrong?

 

Kind regards, Alex