AZ-140 Practice Question Breakdown: Where to Configure Managed Identity and Clipboard Redirection in Azure Virtual Desktop
If you’re studying for AZ-140, you’ll see questions that look deceptively simple. They list a few Azure Virtual Desktop resources, then ask where you should apply a configuration.
The trick is knowing which AVD objects are “publishers” and which objects actually run the workload.
In this post, we’ll break down a common exam scenario:
- A personal host pool with two Windows 11 session hosts
- A RemoteApp app group publishing an app
- A workspace publishing the app group
And you must do two things:
- Enable a managed identity for the app
- Enable clipboard redirection for the app
The scenario (simplified)
You have these AVD resources:
- Pool1: Personal host pool
- Host1: Windows 11 session host in Pool1
- Host2: Windows 11 session host in Pool1
- AG1: RemoteApp app group that publishes App1
- WS1: Workspace that publishes AG1
Now the question:
You need to enable a managed identity for App1 and enable clipboard redirection for App1.
Which resources should you configure?
Key concept: “Where does the app actually run?”
This is the mental model you want for AZ-140:
- Workspace (WS1): a publishing container. It does not run apps.
- App group (AG1): defines what apps/desktops are published. It does not run apps.
- Host pool (Pool1): controls session settings and RDP properties across hosts.
- Session hosts (Host1/Host2): actual VMs where apps run.
So when a configuration is tied to:
- Identity of the runtime → think session host
- RDP / redirection experience → think host pool
1) Where to enable a managed identity for App1
Correct resource: Host1 and Host2
A managed identity is assigned to an Azure compute resource so it can request tokens and access Azure services securely.
RemoteApps published through AVD run inside the session on the session host VMs. That means:
- App1 is running on Host1 or Host2
- Therefore the identity must exist on Host1 and Host2
Why not AG1 or WS1?
Because:
- AG1 and WS1 are publishing objects.
- They don’t execute code.
- A managed identity on them wouldn’t be used by the running application.
Portal steps (quick)
For each session host VM:
- Azure portal → Virtual machines
- Select Host1
- Identity
- Under System assigned, set to On
- Save
- Repeat for Host2
Verification tip
Once enabled, you can:
- Grant the managed identity permissions (RBAC) to services like Key Vault or Storage
- Confirm access from the session host using identity-based auth patterns (common in real deployments)
2) Where to enable clipboard redirection for App1
Correct resource: Pool1
Clipboard redirection is not an “app group setting.” It’s an RDP session behavior, controlled through host pool RDP properties.
In AVD, settings like:
- clipboard
- drive mapping
- printer redirection
- audio
- device redirection
are typically managed via the host pool’s RDP properties.
The key RDP property
To enable clipboard redirection:
redirectclipboard:i:1
Portal steps (quick)
- Azure portal → Azure Virtual Desktop
- Host pools → select Pool1
- RDP Properties
- Add or enable clipboard:
redirectclipboard:i:1
- Save
Important real-world note
Even if you enable clipboard at the host pool:
- A stricter Intune policy or Group Policy on the session hosts can still block it.
- The most restrictive layer wins.
So if clipboard is still not working after setting Pool1 RDP properties, you check:
- Intune configuration profiles
- AD GPO (if domain-joined)
- Local security baselines
Final answer summary (what you’d select in the exam dropdown)
| Configuration | Correct resource |
|---|---|
| Managed identity | Host1 and Host2 |
| Clipboard redirection | Pool1 |
Exam tip: Spot the “publishing vs runtime” trap
When you see AVD resources listed, quickly classify them:
Publishing objects (don’t run apps)
- Workspace
- App group
Runtime and session control objects
- Session hosts (run apps)
- Host pool (controls RDP session settings)
If the question is about:
- Identity, drivers, installed apps, OS settings → session hosts
- Redirection, RDP behavior, session settings → host pool
