Azure Virtual Secure Administration Workstation – Part 3 – Session hosts and access

Azure Secure Admin Workstation posts:


In the interest of enabling source control and potentially automation, the deployment is conducted using PowerShell commands. In this example I am using Azure CloudShell, for manual and exploratory activities it is handy as it is secure, includes all required modules, removes any authentication faff.

  • If you want to create Microsoft Entra joined session hosts, we only support this using the Azure portal with the Azure Virtual Desktop service. (Add session hosts to a host pool | Microsoft Learn)
  • You can create session hosts and register them to a host pool in a single end-to-end process with the Azure Virtual Desktop service using the Azure portal or an ARM template. You can find some example ARM templates in our GitHub repo

Reference Materials

Key Terms

Deployment Procedure

When using Azure CLI or Azure PowerShell you’ll need to create the virtual machines outside of Azure Virtual Desktop, then add them as session hosts to a host pool separately.

  1. Add members to the saw_user_group
  2. Generate a registration key
    • When you add session hosts to a host pool, first you’ll need to generate a registration key. A registration key needs to be generated per host pool and it authorizes session hosts to join that host pool. It’s only valid for the duration you specify. If an existing registration key has expired, you can also use these steps to generate a new key.
  3. Create and register session hosts with the Azure Virtual Desktop service

Add Entra joined Session Host

Following is direct from Add session hosts to a host pool – Azure Virtual Desktop | Microsoft Learn:

  1. Sign in to the Azure portal.
  2. In the search bar, enter Azure Virtual Desktop and select the matching service entry.
  3. Select Host pools, then select the name of the host pool you want to add session hosts to.
  4. On the host pool overview, select Session hosts, then select + Add.
  5. The Basics tab will be greyed out because you’re using the existing host pool. Select Next: Virtual Machines.
  6. On the Virtual machines tab, complete the following information:
  • (this is for our use case and assumes you followed Part 1, of course customise this as appropriate)
    • Name prefix: SAW
    • Availability options: No infrastructure redundancy required
    • Security Type: Trusted launch virtual machines
    • Enable secure boot: True
    • Enable vTPM: True
    • Integrity monitoring: True
    • Image: Latest Windows 11 Enterprise multi-session
      • If we select Personal instead of Pooled in Part 1, we would have non-Enterprise options here…
    • Virtual machine size, Number of VMs, OS disk type
      • Use case dependent with no impact on procedure/security
    • Boot diagnostics: Enabled with managed storage account
    • Network and security
      • Virtual Network: SAWVnet
      • Subnet: SAWSubNet
      • Network security group type: Basic
      • Public inbound ports: No
    • Domain to join
      • Select which directory you would like to join: Microsoft Entra ID
      • Enroll VM with Intune: Yes
    • Virtual machine administrator account
      • Required for Azure to provision the VM, once it joins Entra and Intune your Configuration Profile should remove the local administrator
    • Custom configuration
      • Custom configuration script url: None for now…
  • Tags?
    • Suggest adding ‘ResougeTag:AzureSAW’ for now… tags can be handy
  • Download a template for automation, suggest doing this as a default behaviour
  • Create!

Post Host Deployment

  • After launching your first Session Host, Azure will take several (20?!) mins to deploy the session host and add it to the Host Pool. You can verify this was successful via Host pools – Microsoft Azure:

Enable Entra ID SSO


Disk Encryption???



Connect to my Azure Virtual SAW!


Set up Azure Virtual Desktop Client

  1. Download and install the Client App (or deploy to users via Add Microsoft Store apps to Microsoft Intune | Microsoft Learn)
  2. Run it, on first run, assuming you installed unconfigured from the MS store you will be asked to subscribe (do this with your SAW access user)
    • …. Thats it… you will see Session Host to connected to if all worked!
  3. Noting that Entra SSO was not working for me so… Part 4 – Configuring Entra SSO

Validate Session Host can talk to required Azure endpoints

You can validate that your session host VMs can connect to these URLs by following the steps to run the Required URL Check tool.

2 replies on “Azure Virtual Secure Administration Workstation – Part 3 – Session hosts and access”

Leave a Reply

Your email address will not be published. Required fields are marked *