Important
Managed identity support for Azure Virtual Desktop host pools is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Azure Virtual Desktop supports assigning permissions to Managed identities for Azure resources for features that need to perform Azure Resource Manager (ARM) operations on virtual machines, key vault, and virtual networks in the Azure subscription. The following feature can use a managed identity:
Some Azure Virtual Desktop features can't use a managed identity. The features that still require you to assign Azure RBAC roles or Microsoft Entra roles to a service principal using the Azure Virtual Desktop service principal approach are:
- App Attach (when using Azure Files and your session hosts are joined to Microsoft Entra ID).
- Autoscale.
- Start VM on Connect.
When using a managed identity, you have two options:
- System-assigned managed identity
- User-assigned managed identity
Learn more about the Differences between system-assigned and user-assigned managed identities.
Important
You can only assign a managed identity to a host pool that is configured for validation environments.
Prerequisites
To create and assign a system-assigned managed identity to a host pool, you need:
- An existing host pool.
- An Azure account assigned the Desktop Virtualization Host Pool Contributor role at the scope of the host pool, or higher.
- If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and Azure PowerShell with Azure Virtual Desktop to make sure you have the desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure Cloud Shell.
Create and assign a system-assigned managed identity
Here's how to create a system-assigned managed identity with the Azure portal:
1. Sign in to the preview Azure portal.
2. In the search bar, enter Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the name of the host pool you want to configure.
4. Select Identity (Preview).
5. Select Assign a Managed Identity so that the box is checked, then select System assigned managed identity.
6. Select Save to create and assign a system-assigned managed identity.
Prerequisites
To assign a user-assigned managed identity to a host pool, you need:
- An existing host pool.
- An Azure account assigned:
  - Desktop Virtualization Host Pool Contributor at the scope of the host pool, or higher.
  - Managed Identity Operator at the scope of the managed identity, or higher.
- If you want to use Azure CLI or Azure PowerShell locally, see Use Azure CLI and Azure PowerShell with Azure Virtual Desktop to make sure you have the desktopvirtualization Azure CLI extension or the Az.DesktopVirtualization PowerShell module installed. Alternatively, use the Azure Cloud Shell.
Assign a user-assigned managed identity
Here's how to assign a user-assigned managed identity with the Azure portal:
1. Sign in to the preview Azure portal.
2. In the search bar, enter Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the name of the host pool you want to configure.
4. Select Identity (Preview).
5. Select Assign a Managed Identity so that the box is checked, then select User assigned managed identity.
6. For Subscription, select the appropriate subscription from the drop-down menu.
7. For Existing user assigned managed identities, select the appropriate managed identity from the drop-down menu.
8. Select Save to apply the new managed identity.
Remove a managed identity
Removing a managed identity from a host pool has slightly different behavior, depending on the identity type of the managed identity:
- System-assigned: When you complete the removal, Azure automatically deletes the managed identity and all associated metadata.
- User-assigned: When you complete the removal, Azure removes the association between the host pool and the managed identity, but doesn't make any other changes. For example, it doesn't change any permissions assigned to the managed identity.
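As an added example (not part of this article or of Microsoft's own tooling), the following PowerShell script shows the check a practitioner wants before clearing the identity from a host pool: it reads the host pool's managed identity block and lists the Azure RBAC role assignments held by each principal behind it. It assumes the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules are installed, that you have already run Connect-AzAccount, and that the preview host pool resource exposes the standard ARM identity block (type, principalId, userAssignedIdentities) through Get-AzResource; the resource names are placeholders.

```powershell
# Added example; not part of the Azure Virtual Desktop documentation.
# Assumes Az.Accounts, Az.Resources and Az.DesktopVirtualization are installed and
# that Connect-AzAccount has already been run. Resource names are placeholders.
param(
    [string]$ResourceGroupName = '<resource-group>',
    [string]$HostPoolName      = '<host-pool-name>'
)

# Read the host pool through the generic ARM resource view so that the standard
# identity block (Type, PrincipalId, UserAssignedIdentities) is available regardless
# of how the preview cmdlets flatten it. (Assumption: the preview resource exposes it.)
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$resource = Get-AzResource -ResourceId $hostPool.Id
$identity = $resource.Identity

if (-not $identity -or "$($identity.Type)" -eq 'None') {
    Write-Output "Host pool '$HostPoolName' has no managed identity assigned."
    return
}
Write-Output "Host pool '$HostPoolName' identity type: $($identity.Type)"

# Collect the principal (object) IDs to inspect. A system-assigned identity's principal
# belongs to the host pool itself; a user-assigned identity is a separate resource whose
# principal ID is reported under UserAssignedIdentities, keyed by its resource ID.
# The type can be the combined value 'SystemAssigned, UserAssigned', hence -match.
$principals = @()
if ("$($identity.Type)" -match 'SystemAssigned') {
    $principals += [pscustomobject]@{
        Kind        = 'SystemAssigned'
        Source      = $hostPool.Id
        PrincipalId = $identity.PrincipalId
    }
}
if ("$($identity.Type)" -match 'UserAssigned') {
    foreach ($entry in $identity.UserAssignedIdentities.GetEnumerator()) {
        $principals += [pscustomobject]@{
            Kind        = 'UserAssigned'
            Source      = $entry.Key
            PrincipalId = $entry.Value.PrincipalId
        }
    }
}

# For each principal, list every Azure RBAC assignment it holds. For a user-assigned
# identity these assignments survive removal from the host pool, so this is the list
# to review (and prune) once the identity is no longer needed anywhere.
foreach ($p in $principals) {
    Write-Output ""
    Write-Output "[$($p.Kind)] $($p.Source)"
    $assignments = Get-AzRoleAssignment -ObjectId $p.PrincipalId -ErrorAction Stop
    if (-not $assignments) {
        Write-Output "  No Azure RBAC role assignments found."
        continue
    }
    $assignments |
        Select-Object RoleDefinitionName, Scope |
        Sort-Object Scope |
        Format-Table -AutoSize
}
```

Run it once before clearing Assign a Managed Identity. For a system-assigned identity the listed assignments disappear together with the identity; for a user-assigned identity they stay on the identity, so remove any that are no longer needed with Remove-AzRoleAssignment if the identity is not used elsewhere.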
Important
Starting November 1st, 2025, host pools configured with a session host configuration require a managed identity in order to add session hosts to the host pool. This replaces reliance on the Azure Virtual Desktop service principal and allows for a more secure configuration. Learn more about using managed identities with Azure Virtual Desktop host pools.
Here's how to remove a managed identity with the Azure portal:
1. Sign in to the preview Azure portal.
2. In the search bar, enter Azure Virtual Desktop and select the matching service entry.
3. Select Host pools, then select the name of the host pool you want to configure.
4. Select Identity (Preview).
5. Clear the Assign a Managed Identity checkbox.
6. Select Save to complete the removal of the managed identity.
Related content
- Take the next steps to Assign Azure RBAC roles or Microsoft Entra roles to a service principal using the managed identity approach.