Managing Azure Virtual Desktop (AVD) environments can be complex—especially when it comes to scaling, security, and automation. Traditionally, administrators had to assign permissions to the AVD service principals and manually add session hosts to a host pool, which introduced operational overhead and potential security risks. But with Session Host Configuration and Managed Identities, Microsoft has introduced a smarter, more secure way to manage AVD.
What Is Session Host Configuration?
Session Host Configuration changes the way AVD host pools are managed. Instead of creating a fixed number of session hosts upfront, you define a configuration and let Azure handle the rest. This enables dynamic scaling, including the ability to add or remove session hosts automatically as demand changes. It’s more than just turning VMs on and off; it’s about creating a flexible, automated environment that adapts to user needs.
Why Managed Identities Matter
To automate deployments and scaling, AVD needs access to other Azure resources, such as virtual networks, image galleries, and Key Vault secrets. Previously, this required assigning permissions to service principals. Managed Identities eliminate that complexity.
Managed Identities are non-human identities tied to Azure resources that allow secure access without storing credentials. They’re free, integrate with Microsoft Entra ID, and simplify security management. There are two types:
- System-assigned managed identity: Created with the resource (e.g., host pool) and deleted when the resource is removed.
- User-assigned managed identity: Standalone and reusable across multiple resources—ideal for large environments or scenarios requiring extra permissions.
Key Roles and Permissions
For Managed Identities to work with AVD, they need specific roles:
- Desktop Virtual Machine Contributor for session host resource groups, image galleries, and networking components.
- Key Vault Secrets User for accessing secrets like local admin passwords or domain join credentials.
Additionally, the Key Vault must allow trusted Microsoft services to bypass its firewall and must have Azure Resource Manager enabled for template deployment, so the deployment can read the secrets it needs.
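As an added example (not code from the post or from Microsoft's documentation), the Azure PowerShell script below grants a user-assigned managed identity the two roles listed above, scoped to the session host resource group and to the Key Vault only, and applies the two Key Vault settings while keeping the vault's default network action at Deny. The resource group, region, vault and identity names are placeholders, and the role assigned first is the built-in role Azure lists as "Desktop Virtualization Virtual Machine Contributor".

```powershell
# Added example, not from the post. Requires the Az.Accounts, Az.Resources,
# Az.KeyVault and Az.ManagedServiceIdentity modules.
$rg        = 'rg-avd-prod'       # placeholder: resource group holding the host pool and session hosts
$location  = 'westeurope'        # placeholder
$vaultName = 'kv-avd-prod'       # placeholder: vault holding local admin / domain join secrets
$uamiName  = 'id-avd-hostpool'   # placeholder: user-assigned identity for the host pool

Connect-AzAccount | Out-Null

# 1. Create the user-assigned identity if it does not exist yet, then read its
#    principal ID (the object the role assignments are made against).
$uami = Get-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uamiName -ErrorAction SilentlyContinue
if (-not $uami) {
    $uami = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $uamiName -Location $location
}

# 2. Least-privilege role assignments: VM/network/image management on the
#    resource group, and secret read access on the vault only (no keys, no certificates).
$rgScope = (Get-AzResourceGroup -Name $rg).ResourceId
$vault   = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
New-AzRoleAssignment -ObjectId $uami.PrincipalId `
    -RoleDefinitionName 'Desktop Virtualization Virtual Machine Contributor' -Scope $rgScope
New-AzRoleAssignment -ObjectId $uami.PrincipalId `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId

# 3. Key Vault settings the post calls out: Azure Resource Manager may read
#    secrets during template deployment, and trusted Microsoft services bypass
#    the firewall. Everything else is still denied by default.
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -EnabledForTemplateDeployment $true
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -ResourceGroupName $rg `
    -Bypass AzureServices -DefaultAction Deny

# 4. Verify: the identity should hold exactly these two roles at these two scopes.
Get-AzRoleAssignment -ObjectId $uami.PrincipalId |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
```

Newly created identities can take a short while to replicate, so if the first role assignment fails with a principal-not-found error, rerun it after a minute.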
Benefits for Cloud Security and Automation
By using Managed Identities with Session Host Configuration, you:
- Reduce credential management risks.
- Improve cloud security through identity-based access.
- Enable autoscale for session hosts.
- Streamline AVD deployments and updates.
Getting Started
The accompanying video walks through:
- Creating a Key Vault and adding secrets.
- Deploying a host pool with a system-assigned identity.
- Configuring a user-assigned identity.
- Deploying a host pool with a user-assigned identity.
- Updating existing host pools to use Managed Identities.
Both features are currently in public preview, so expect refinements over time. If you’re managing AVD environments, now is the perfect time to explore these capabilities.
Ready to simplify your AVD management? Watch the full tutorial above.
Links
Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4
A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969
Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3
Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E
Create a host pool with a session host configuration
https://learn.microsoft.com/en-us/azure/virtual-desktop/deploy-azure-virtual-desktop?pivots=host-pool-session-host-configuration&tabs=portal-standard%2Cportal-session-host-configuration%2Cportal&WT.mc_id=AZ-MVP-5004159#create-a-host-pool-with-a-session-host-configuration
Configure managed identity in Azure Virtual Desktop (preview)
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-managed-identity?WT.mc_id=AZ-MVP-5004159