What's managed by Microsoft and what you manage
The following diagram shows what services Microsoft manages and what you manage:
What Microsoft manages
Azure Virtual Desktop provides a virtualization infrastructure as a managed service. Azure Virtual Desktop's core components are as follows:
- Web client: The Web Access service within Azure Virtual Desktop management enables users to access virtual desktops and remote apps through an HTML5-compatible web browser, as they would with a local PC, from anywhere and on any device. In addition, you can secure Web Access by using MFA in Azure AD.
- Diagnostics: Remote Desktop Diagnostics is an event-based aggregator service, provided through Azure Virtual Desktop management, that marks each user's or administrator's action on the deployment as a success or failure. Administrators can query the aggregated events to identify failing components.
- Management: With this option, you can manage Azure Virtual Desktop configurations in the Azure portal, as well as manage and publish host pool resources. Azure Virtual Desktop also includes several extensibility components. You can manage Azure Virtual Desktop by using Windows PowerShell or with the provided REST APIs, enabling support from third-party tools.
- Broker: The Connection Broker service manages user connections to virtual desktops and remote apps. This also handles load balancing and reconnecting to existing sessions.
- Load balancing: This option provides session host load balancing in depth-first or breadth-first mode. The broker controls how new incoming sessions are distributed across the VMs in a host pool.
- Gateway: The Remote Connection Gateway service connects remote users to Azure Virtual Desktop remote apps and desktops from any internet-connected device that can run an Azure Virtual Desktop client. The client connects to a gateway that then orchestrates a connection from the VM back to the same gateway.
Windows Virtual Desktop uses Azure infrastructure services for compute, storage, and networking.
What does the customer manage?
Now, let's look at what you, as the customer, manage. First, we'll look at the desktop and remote apps part of Azure Virtual Desktop.
Desktop and remote apps
With this option, you can create application groups to group, publish, and assign access to remote apps or desktops:
- Desktop: Remote Desktop application groups give users access to a full desktop. You can provide a desktop where the session host's VM resources are shared or pooled. You can give dedicated personal desktops to those users who need to add or remove programs without impacting other users.
- Apps: RemoteApp application groups give users access to the applications you individually publish to the application group. You can create multiple RemoteApp app groups to accommodate different user scenarios. For example, you can use RemoteApp to virtualize an app that runs on a legacy OS or needs secure access to corporate resources.
- Images: When you configure session hosts for application groups, you have a choice of images. You should use a recommended image such as Windows 10 Enterprise multi-session and Office 365. Alternatively, you can choose an image in your gallery or an image provided by Microsoft or other publishers.
Management and policies
Now, let's look at the customer responsibilities for management and policies:
- Profile management: Configure FSLogix profile containers with a storage solution such as Azure Files to containerize user profiles and provide users with a fast and stateful experience.
- Sizing and scaling: Here, you can specify session host VM sizes, including GPU-enabled VMs, as well as specify depth-first or breadth-first load balancing when you create a host pool. Finally, you can configure automation policies for scaling.
- Networking policies: Define a network topology to access the virtual desktop and virtual apps from the intranet or internet based on the organizational policy.
  - Connect your Azure Virtual Network to your on-premises network by using a virtual private network. Alternatively, you can use Azure ExpressRoute to extend your on-premises networks into the Microsoft cloud platform over a private connection.
- User management and identity: Use Azure AD and RBAC to manage user access to resources. Take advantage of Azure AD security features such as conditional access, MFA, and Intelligent Security Graph. Azure Virtual Desktop requires Active Directory Domain Services (AD DS); session host VMs are domain-joined to it. You can also sync AD DS with Azure AD so that users are associated between the two. Once you've done this, you can use Azure AD Join to deliver virtual desktops to your users.
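The following PowerShell is an added example, not from the original page or Microsoft's documentation: it uses the Az.DesktopVirtualization and Az.Resources cmdlets to put the sizing and scaling and the user management points above into practice, creating a pooled host pool with breadth-first load balancing and a per-host session cap, publishing a desktop application group from it, and granting an Azure AD group the least-privilege built-in role scoped to that application group. The resource group, resource names, region and Azure AD group name are placeholders.

```powershell
# Added example: configure host pool load balancing and delegate access with RBAC.
# Requires the Az.Accounts, Az.DesktopVirtualization and Az.Resources modules.
# Resource group, names, region and the Azure AD group are constructed placeholders.
$rg       = 'rg-avd-example'
$location = 'eastus'
$hostPool = 'hp-pooled-example'
$appGroup = 'dag-pooled-example'
$aadGroup = 'AVD-Pooled-Users'   # existing Azure AD security group (placeholder)

Connect-AzAccount | Out-Null

# Sizing and scaling: breadth-first spreads each new session across all
# session hosts; MaxSessionLimit caps sessions per host so that a single
# VM cannot be driven into resource exhaustion.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -Location $location `
        -HostPoolType Pooled `
        -LoadBalancerType BreadthFirst `
        -PreferredAppGroupType Desktop `
        -MaxSessionLimit 10

# A Desktop application group publishes the full desktop from this host pool.
$dag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup -Location $location `
        -ApplicationGroupType Desktop `
        -HostPoolArmPath $hp.Id

# User management and identity: the built-in 'Desktop Virtualization User'
# role only permits launching published resources. Scoping it to the
# application group (not the resource group or subscription) keeps the
# assignment at least privilege.
$group = Get-AzADGroup -DisplayName $aadGroup
New-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName 'Desktop Virtualization User' `
        -Scope $dag.Id

# Depth-first fills each host up to MaxSessionLimit before moving to the
# next one; lowering the cap at the same time keeps per-user headroom.
Update-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool `
        -LoadBalancerType DepthFirst `
        -MaxSessionLimit 8
```

Run `Get-AzRoleAssignment -Scope $dag.Id` afterwards to confirm that only the intended group holds a role on the application group.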