WVD - Creating New User Accounts via PowerShell

Recently I've been working with a client on a Windows Virtual Desktop (WVD) deployment. Their administrator asked, "Can I create some new user accounts?" Of course you can, but remember that with WVD it isn't just a case of creating a user and assigning a license.

We need to remember a few things:

  • User Account Creation
  • License Assignment
  • Creation of the Azure Role definition (Only needs to happen once)
  • Assignment of the Azure Role definition
  • Access to the WVD tenant, hostpool and apps
  • FSLogix NTFS permission on the fileshare

The following script is what I'm using to create new accounts, so feel free to grab a copy and modify it where required for your environment.

# Set Execution Policy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

# Connect to MSOL (prompts for credentials)
Connect-MsolService
# Create your new user and assign an appropriate license - In this example I'm using SPB (MICROSOFT 365 BUSINESS)
New-MsolUser -UserPrincipalName "Neil.Petersen@domain.com" -DisplayName "Neil Petersen" -FirstName "Neil" -LastName "Petersen" -UsageLocation "GB" -LicenseAssignment "PetersenIT:SPB" -Password Pae@fjj4rd157

# Install required Module
Install-Module -Name az.storage -force -AllowClobber
Install-Module -Name az.resources -force -AllowClobber

# Import Modules
Import-Module -Name az.storage -Force
Import-Module -Name az.resources -Force

# Connect to Azure (prompts for credentials)
Connect-AzAccount
# Ensure you are connected to the correct Subscription
Set-AzContext -SubscriptionId <azure-subscription-id>

# ONLY NEEDS TO BE CREATED ONCE - Create AZ Role Definition - first edit the sample JSON - https://github.com/exexpat/WVDscripts/blob/master/azurefilesreadwriterole.json
New-AzRoleDefinition -InputFile "C:\Users\NeilPetersen\Downloads\WVDscripts-master\azurefilesreadwriterole.json"

# Assign the new user the AFReadWriteRole to allow them to use FSLogix for Profile Storage - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/getting-started-with-fslogix-profile-containers-on-azure-files/ba-p/746477

$FileShareContributorRole = Get-AzRoleDefinition "AFReadWriteRole"
$scope = "/subscriptions/<azure-subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>/fileServices/default/fileshare/<share-name>"
New-AzRoleAssignment -SignInName Neil.Petersen@domain.com -RoleDefinitionName $FileShareContributorRole.Name -Scope $scope

# Install & Import PowerShell modules
Install-Module -Name Microsoft.RDInfra.RDPowerShell
Import-Module -Name Microsoft.RDInfra.RDPowerShell

# Setting WVD Deployment context
$brokerurl = "https://rdbroker.wvd.microsoft.com"
$aadTenantId = "<tenant-id>"
$azureSubscriptionId = "<azure-subscription-id>"
Add-RdsAccount -DeploymentUrl $brokerurl

# Add the user as a WVD User. TenantName, HostPoolName and AppGroupName need to be amended to match your configuration - https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

Add-RdsAppGroupUser -TenantName WVDPOC -HostPoolName Win10Desktop -AppGroupName "Desktop Application Group" -UserPrincipalName Neil.Petersen@domain.com

# If you are using FSLogix for user profiles, we now need to assign NTFS permissions on the profile share - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/getting-started-with-fslogix-profile-containers-on-azure-files/ba-p/746477

# Ensure the client you are running this from has access to the fileshare through the Firewall settings within the Storage Account.
# Map the share with the storage account key, then grant the user on the same drive letter you mapped.
net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>

icacls <desired-drive-letter>: /grant Neil.Petersen@domain.com:(F)

# Get the users to install the WVD client - https://docs.microsoft.com/en-us/azure/virtual-desktop/connect-windows-7-and-10#install-the-windows-desktop-client
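The steps above gathered into one parameterised function, as an added example rather than the author's script: it lets MSOL generate the initial password instead of putting one on the command line, checks for an existing role assignment and app group membership so a re-run does not create duplicates, and re-queries each step at the end so you can confirm it landed. It assumes Connect-MsolService, Connect-AzAccount and Add-RdsAccount have already been run, the AFReadWriteRole definition already exists, and the profile share is already mapped with net use.

```powershell
function New-WvdUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Upn,           # e.g. Neil.Petersen@domain.com
        [Parameter(Mandatory)] [string]$FirstName,
        [Parameter(Mandatory)] [string]$LastName,
        [Parameter(Mandatory)] [string]$LicenseSku,    # e.g. PetersenIT:SPB
        [Parameter(Mandatory)] [string]$ShareScope,    # /subscriptions/.../fileshare/<share-name> resource ID
        [Parameter(Mandatory)] [string]$TenantName,    # WVD tenant, host pool and app group names
        [Parameter(Mandatory)] [string]$HostPoolName,
        [Parameter(Mandatory)] [string]$AppGroupName,
        [string]$RoleName    = 'AFReadWriteRole',      # role from azurefilesreadwriterole.json, created once
        [string]$DriveLetter = 'Z'                     # letter the profile share is already mapped to via net use
    )

    # 1. Account and licence. With no -Password, MSOL generates a random one and returns it in .Password;
    #    -ForceChangePassword makes the user replace it at first sign-in, so it never sits in a script.
    $user = New-MsolUser -UserPrincipalName $Upn -DisplayName "$FirstName $LastName" `
        -FirstName $FirstName -LastName $LastName -UsageLocation 'GB' `
        -LicenseAssignment $LicenseSku -ForceChangePassword $true

    # 2. Azure Files RBAC on the share, skipped when the assignment already exists so re-runs are idempotent.
    #    A just-created account can take a minute to replicate; a lookup failure here means retry, not re-create.
    $assigned = Get-AzRoleAssignment -SignInName $Upn -RoleDefinitionName $RoleName -Scope $ShareScope
    if (-not $assigned) {
        New-AzRoleAssignment -SignInName $Upn -RoleDefinitionName $RoleName -Scope $ShareScope | Out-Null
    }

    # 3. WVD app group membership, again only if the user is not already a member.
    $members = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName
    if ($members.UserPrincipalName -notcontains $Upn) {
        Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
            -AppGroupName $AppGroupName -UserPrincipalName $Upn | Out-Null
    }

    # 4. NTFS permission on the mapped profile share; icacls signals failure only through its exit code.
    & icacls "${DriveLetter}:" /grant "$($Upn):(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Upn on ${DriveLetter}: (exit code $LASTEXITCODE)" }

    # Re-query each step and return a summary so the operator can confirm every step actually landed.
    $members = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $AppGroupName
    [pscustomobject]@{
        Upn             = $Upn
        InitialPassword = $user.Password
        RoleAssigned    = [bool](Get-AzRoleAssignment -SignInName $Upn -RoleDefinitionName $RoleName -Scope $ShareScope)
        InAppGroup      = [bool]($members.UserPrincipalName -contains $Upn)
    }
}
```

The returned InitialPassword is what you hand to the user out of band; if RoleAssigned comes back false shortly after creation, wait for directory replication and re-run the function, which will skip the steps that already succeeded.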