Create a Service Principal
Part 1 provides an overview of the blog series. Part 2 created a Windows Virtual Desktop tenant. Part 3 creates a service principal and assigns it a role so that it can sign in to Windows Virtual Desktop. The service principal will be used to:
Automate your management tasks in Windows Virtual Desktop
Deploy with Azure Resource Manager templates instead of a user account that requires MFA
Two PowerShell modules are required to create a service principal or role assignment.
If you have completed Part 2, you should already have the RDPowerShell module installed. Install the AzureAD module using the following cmdlets.
All of the steps below should be completed in the same PowerShell session. If you close PowerShell and open a new session later, the remaining steps may not work, because the values stored in variables are lost when the session ends.
Save this information in case something goes wrong (what could go wrong?). I will show you how to view it and write it to a file. Saving it to a file may not be strictly necessary, but it makes a difference if you lose power or are attacked by gremlins.
Create a service principal in Azure Active Directory
Use the following cmdlet to sign in to Azure:
$aadContext = Connect-AzureAD
Next, use the following cmdlets to create a service principal:
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "WVD Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId
This is a good time to review and/or record the information, including the generated password. The variable $aadContext includes your tenant ID, which can be retrieved at any time from the Azure portal. The variable $svcPrincipal holds the application ID of the service principal you just created; this can also be retrieved later if needed. The variable $svcPrincipalCreds holds the password that was generated for the service principal. If you lose your PowerShell session, you will not be able to retrieve that password later.
View and/or record service principal credentials
Although the password is the most important piece of information, I prefer to keep the tenant ID, application ID, and password together so that I can easily find which password was used with which application ID. This information should be stored securely.
PowerShell allows you to view the information and then write it down. To display the values, use the following cmdlets:
These cmdlets write the values into a file. Press Enter after each one (replace "D:\WVD" with a valid path). Note that the file contains the password in clear text, so protect it or delete it once the values are stored securely.
$path = (New-Item -ItemType File -Path "D:\WVD\svc_creds.txt").FullName
"Tenant ID: " + $aadContext.TenantId.Guid > $path
"Application ID: " + $svcPrincipal.AppId >> $path
"Password: " + $svcPrincipalCreds.Value >> $path
The following command will verify that you have captured the values:
Create a role assignment in Windows Virtual Desktop
Next, create a role assignment that allows the service principal you just created to sign in to Windows Virtual Desktop.
Log in to Windows Virtual Desktop using an account that has the permission to create role assignments
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
After you have authenticated, verify that the name of the tenant created in Part 2 is correct.
To create the role assignment, use the tenant’s name.
$tenantName = "<your tenant name goes here>"
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $tenantName
Remember that if you closed your PowerShell session after creating the service principal, the variables in the previous cmdlet will no longer work. Instead, you will need the actual values from wherever you recorded them. Did you record them?
Sign in with the service principal
You can now verify that the service principal has access to your Windows Virtual Desktop tenant. Run the following cmdlets.
$creds = New-Object System.Management.Automation.PSCredential($svcPrincipal.AppId, (ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force))
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds -ServicePrincipal -AadTenantId $aadContext.TenantId.Guid
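As an added example (my own code, not from the original post), the following script wraps the steps above in two functions: one creates the application and its password credential, assigns the RDS Owner role, and saves the tenant ID, application ID and secret to a file written with Export-Clixml, which protects the SecureString with DPAPI for the current Windows user instead of the clear-text file shown earlier; the other reloads that file in a later session and signs in as the service principal. The function names, the file path and the six-month secret lifetime are my own choices, and the script assumes the AzureAD and RDPowerShell modules are installed and that Add-RdsAccount has already been run with an account allowed to create role assignments.

```powershell
# Added example: keep the service principal details in a DPAPI-protected file so a later
# PowerShell session can sign in without the original $aadContext/$svcPrincipal variables.
# Assumes AzureAD + Microsoft.RDInfra.RDPowerShell are installed and an admin has already
# run Add-RdsAccount in this session (as in the post). Names and paths are hypothetical.

function New-WvdServicePrincipalRecord {
    param(
        [Parameter(Mandatory)] [string] $TenantName,               # WVD tenant from Part 2
        [string] $DisplayName = "WVD Svc Principal",
        [string] $Path = "$env:USERPROFILE\wvd_svc_creds.xml",      # example path
        [int] $SecretLifetimeMonths = 6                             # limit the secret's life
    )
    # Same cmdlets as the post, plus an expiry date on the password credential.
    $aadContext = Connect-AzureAD
    $app  = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName $DisplayName
    $cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
                -EndDate (Get-Date).AddMonths($SecretLifetimeMonths)

    # Grant the service principal the RDS Owner role on the WVD tenant (as in the post).
    New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $app.AppId `
                          -TenantName $TenantName | Out-Null

    # Keep tenant ID, app ID and secret together. Export-Clixml encrypts the SecureString
    # with DPAPI, so only this Windows user on this machine can read the secret back.
    $record = [pscustomobject]@{
        TenantId  = $aadContext.TenantId.Guid
        AppId     = $app.AppId
        Secret    = ConvertTo-SecureString $cred.Value -AsPlainText -Force
        ExpiresOn = $cred.EndDate
    }
    $record | Export-Clixml -Path $Path
    # Return everything except the secret so it is never echoed to the console.
    return $record | Select-Object TenantId, AppId, ExpiresOn
}

function Connect-WvdAsServicePrincipal {
    param([string] $Path = "$env:USERPROFILE\wvd_svc_creds.xml")
    $record = Import-Clixml -Path $Path
    if ($record.ExpiresOn -lt (Get-Date)) {
        throw "Service principal secret expired on $($record.ExpiresOn); rotate it first."
    }
    $creds = New-Object System.Management.Automation.PSCredential($record.AppId, $record.Secret)
    # Same sign-in as the post, but fed from the saved record instead of session variables.
    Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -Credential $creds `
                   -ServicePrincipal -AadTenantId $record.TenantId
}
```

Because the file is bound to the user and machine that wrote it, copying it elsewhere will not expose the secret, but it also means the record must be recreated if you need it from another account.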
Once you connect,