How-to deploy Windows Virtual Desktop in Azure

If you want to know how to manage WVD, check this post.


1. Add RDS Tenant
2. Add Service Principal
3. Assign permissions
4. Deploy WVD through marketplace
5. Open HTML5 webclient
6. Add users to your desktop

I see a lot of people struggle deploying Windows Virtual desktop. Most people face this error message:

VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service

This is because you need to create a service principal with the correct permissions. A normal user will work as well, but it’s failing too many times for people.
Following these steps should get you through the deployment.

Keep in mind that the user deploying your WVD VMs to your domain, also needs the Owner role on your Azure Subscription! Because it needs to be able to run some Powershell DSC commands.

NOTE: User ‘Cloudcrusader’ suggests in the comments that it should work with the ‘Virtual Machine Contributor’ role only as well.

Start fresh. Delete all WVD tenants created before. Check if a tenant still exists with Get-RdsTenant.

This post is not going to help you, configuring WVD with AAD DS. It should be possible though, someone was able to configure it succesfully using this post.

Remember, don’t use an MFA enabled account. It doesn’t work.

Also try: Get-RdsDiagnosticActivities. Others succeeded finding the root cause with that command

I have deployed WVD multiple times already, so that’s how I know this works. If it doesn’t work for you, let me know, maybe I can help you.

Run through step one of the Microsoft documentation:

Add RDS tenant

Run these commands to add the RDS tenant.

# Don't change the deploymenturl
Add-RdsAccount -DeploymentUrl ""
# Use any name for your tenant, get your ID from Azure portal > Azure Active Directory > Properties > Directory ID. To get your SubscriptionID, go to Azure Portal > All services > subscriptions > click the subscription where the VM's will reside and copy the subscription ID:
New-RdsTenant -Name YourTenantName -AadTenantId YourAzureADTenantID -AzureSubscriptionId YourSubscriptionID

Add Service Principal

Next, follow these steps. Never change the Default Tenant Group, as per the Microsoft docs.

$myTenantGroupName = "Default Tenant Group"
$myTenantName = "tenantname" #As you used in the previous step
$hostpoolname = "Hostpoolname"

# create the service principal:
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

# Don't change the URL below.
Add-RdsAccount -DeploymentUrl ""
Set-RdsContext -TenantGroupName $myTenantGroupName
New-RdsHostPool -TenantName $myTenantName -name $hostpoolname

Assign permissions

Now below is the most important step, that’s where you assign the service principal permissions to the RDS environment. If you do this correctly, you can deploy the WVD template from the Azure Marketplace, without errors.

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

Go to the Azure Portal and open the app just created and create your own key:
Azure Portal > app registrations > Windows Virtual Desktop Svc Principal > Settings > Keys.
Create your own key and save the value During the next step, deploying Windows Virtual Desktop from the marketplace, in step 3 of that template you need this password.

Deploy WVD through marketplace

Next step is to follow this Microsoft doc:
You should be able to get passed the error as mentioned above, also with help from these screenshots below.

If you keep No selected below Specifiy domain or OU, it’s going to try joining the domain behind the @, used below AD domain join UPN. So in the example below it will use If your domain is, set Yes below the Specifiy domain or OU.

Finally, your deployment is succesful as you can see in the screenshot below. It took about 9 minutes for the DSCextension completed, per VM:

Open HTML5 webclient

Now go to the HTML5 client to open your desktop:

Add users to your desktop

As a final step, add users to your desktop:

Add-RdsAppGroupUser -TenantName $myTenantName -HostPoolName $hostpoolname -AppGroupName $appgroupname -UserPrincipalName upn