Lab: Create an Azure Virtual Desktop (AVD) host pool in the Azure portal (pooled)

What you’ll build

1 Host pool (Pooled)
2 Session host VMs (Windows Enterprise multi-session)
1 Workspace
1 Application group (Desktop or RemoteApp)
User assignment and client connection test

Microsoft’s end-to-end flow (host pool → session hosts → app group → workspace → user connects) is documented here. (Microsoft Learn)

Prerequisites

Access and permissions

Azure subscription where you can create:
- Resource groups, VNets, VMs
- Azure Virtual Desktop resources (DesktopVirtualization)
Recommended roles (minimum):
- Contributor on the subscription or target resource group
- User Access Administrator if you need to grant RBAC to others
If you’re Global Administrator in Entra ID but not Owner in Azure, you may need to elevate access to see/manage subscriptions. (Microsoft Learn)

Identity model decision (pick one)

Option	Best for	Notes
Microsoft Entra ID joined session hosts	Cloud-first	No traditional domain join. Great for cloud-only orgs.
AD DS (traditional domain join)	Hybrid orgs	Requires line-of-sight to domain controllers + DNS.
Microsoft Entra Domain Services	No on-prem DCs, still need “domain join” style	Managed domain controllers in Azure.

Licensing quick check

Users need an eligible license to access Windows Enterprise multi-session (rights vary by license type). Confirm against Microsoft’s licensing guidance before rollout.

Network allow-listing (important)

Your session hosts must reach Azure Virtual Desktop service endpoints. Start with Microsoft’s required URL list and align firewall/proxy rules accordingly. (Microsoft Learn)

Note on transport behavior: Azure Virtual Desktop connectivity details can change over time (for example, Microsoft has noted changes around Shortpath and UDP behavior). Validate in your environment and keep network/security teams aligned. (Microsoft Learn)

Part A: Prepare Azure (baseline setup)

1) Create a resource group

Azure portal → Resource groups → Create
Name: rg-avd-lab
Region: pick your preferred region (example: Canada Central or East US)
Review + create

Expected result: One clean container for all lab resources.

2) Create a virtual network (VNet)

Azure portal → Virtual networks → Create
Resource group: rg-avd-lab
Name: vnet-avd-lab
Address space: e.g. 10.50.0.0/16
Subnet: snet-avd-hosts = 10.50.1.0/24
Review + create

If using AD DS join (hybrid)

VNet → DNS servers
- Set to Custom
- Add your domain controller DNS IPs (at least two if possible)

Expected result: Session hosts can resolve your AD domain and domain-join works reliably.

3) (Optional) Register the DesktopVirtualization resource provider

If your tenant is new to AVD:

Azure portal → Subscriptions → your subscription
Resource providers
Search: Microsoft.DesktopVirtualization
Register (if not already)

Part B: Create the host pool + session hosts (portal wizard)

4) Start the host pool wizard

Azure portal → search Azure Virtual Desktop
Go to Host pools → Create

You can also follow Microsoft’s deployment flow as a reference. (Microsoft Learn)

5) Basics tab (host pool metadata)

Fill in:

Subscription: your subscription
Resource group: rg-avd-lab
Host pool name: hp-avd-lab-pooled
Location (metadata): choose the region where you want AVD metadata stored
Host pool type: Pooled
Load balancing algorithm:
- Breadth-first: spreads users across hosts
- Depth-first: fills one host up to a limit, then moves on
Max session limit:
- Required if using Depth-first (example: 10–20 depending on sizing)
- For Breadth-first, you can still set a cap, but it’s less central

Tip (practical):

Start with Breadth-first for user experience.
Move to Depth-first when you’re optimizing cost and have good monitoring.

6) Virtual machines tab (create session hosts)

Set Add virtual machines = Yes

Core settings

Resource group for VMs: rg-avd-lab
Name prefix: avdsh (creates avdsh-0, avdsh-1, …)
Virtual machine location: same region as your VNet
Availability options: optional (leave default for lab)

Image

Pick a multi-session image, commonly:

Windows Enterprise multi-session + Microsoft 365 Apps (if that fits your licensing model)

Size and count

VM size: start small for lab (example: D2s_v5 class)
Number of VMs: 2

Disk

Standard SSD is fine for lab
Use Premium SSD if you’re testing heavier IO profiles

Network

Virtual network: vnet-avd-lab
Subnet: snet-avd-hosts

Domain join / identity join

This section depends on the identity model you chose:

Option 1: AD DS join

Directory type: Active Directory
Domain join account: an account allowed to join computers
Domain: contoso.com (your domain)
OU path (optional): OU=AVD,DC=contoso,DC=com

Option 2: Microsoft Entra ID joined

Choose the Entra join option if available in your tenant/region setup
Ensure your policy and access controls align for Entra-joined sign-in

Local admin account

Set:

Username: localavdadmin
Password: strong password

Common failure point: domain join/DNS issues. If the wizard errors, validate VNet DNS and DC reachability first.

7) Workspace tab

For the smoothest lab:

Register desktop app group: Yes
Create new workspace: ws-avd-lab

(You can also do this later, but doing it now speeds up first connection testing.)

8) Review + create

Review validation results
Click Create

Expected result: After deployment completes, you should see:

Host pool created
2 session hosts created and registered
Default Desktop Application Group created (if selected)
Workspace created/linked (if selected)

Part C: Publish, assign users, and test connectivity

9) Verify session hosts are healthy

Azure Virtual Desktop → Host pools → hp-avd-lab-pooled → Session hosts

Status should show Available
Agent status should be healthy

If hosts show unavailable, check:

NSG/Firewall outbound rules and required URLs (Microsoft Learn)
VM time sync and DNS
Domain join success (if AD DS)

10) Assign users to the application group

Azure Virtual Desktop → Application groups

Open your Desktop Application Group
Assignments → Add → select test user(s)

Tip: Use a dedicated “AVD-Lab-Users” group for cleaner access management.

11) Confirm workspace registration

Azure Virtual Desktop → Workspaces

Open ws-avd-lab
Ensure the application group is linked

12) Connect as a user (validation)

On a client device:

Install and use a supported AVD client (Windows App / Remote Desktop client, depending on platform)
Subscribe using the user’s work account
Launch the published Desktop/Apps

Success criteria

User signs in without licensing/authorization errors
Desktop opens
Session appears in Host pool → Sessions

Licensing is a top cause of “not authorized” style failures, so verify early.

Part D: Post-creation hardening and tuning (recommended)

13) Configure Host pool RDP properties (security posture)

Host pool → RDP properties:

Clipboard: allow/deny
Drive redirection: usually disable in higher-security environments
Printer redirection: decide per business need
USB redirection: consider restricted mode

This is where you align user convenience vs data leakage risk.

14) Add autoscale (cost control)

For non-lab environments, autoscale is a major win:

Create a Scaling plan
Assign it to the host pool
Define schedules (business hours vs after-hours)

Microsoft’s autoscale/scaling plan capability is covered in their guidance.

Cleanup (avoid ongoing costs)

When done:

Delete the resource group rg-avd-lab
Confirm no orphaned resources remain (disks, NICs, public IPs)

Troubleshooting checklist (fast triage)

Domain join failures (AD DS join)

VNet DNS points to DC DNS IPs
DC reachable from subnet (routes, VPN/ER if on-prem)
Join account has rights to join computers
OU DN string is correct

Session host shows “Unavailable”

Outbound access to required AVD URLs is blocked (Microsoft Learn)
Proxy SSL inspection breaking agent traffic
VM time skew (fix NTP/time sync)
Registration token expired (recreate/add hosts)

User can’t launch resources

Not assigned to the Application Group
Workspace not linked
License not eligible

X Facebook LinkedIn Copy Email Pinterest Reddit Telegram ChatGPT SMS