Adding a new user to a WVD app is really easy. Start by establishing a connection with the WVD tenant:

1. Start a Powershell console as an Administrator
2. Connect to the WVD tenant using: Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com – note you will need to login as a tenant administrator. Tenant admins can be created using https://docs.microsoft.com/en-us/azure/virtual-desktop/virtual-desktop-fall-2019/tenant-setup-azure-active-directory
3. Add the user to the app group with the command: Add-RdsAppGroupUser [tenant-name] [host-group-name] [app-group] -UserPrincipalName [user-name]. To remove a user, use the Remove-RdsAppGroupUser command
4. To confirm that they are added correctly, you can list all users assigned to the app group: Get-RdsAppGroupUser [tenant-name] [host-group-name] [app-group]

Issues

If you get User is not authorized to query the management service when running Add-RdsAppGroupUser then get an RDS owner on the tenant to run the following command:

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -SignInName "[user-name]" -TenantGroupName "Default Tenant Group" -TenantName "[tenant-name]"

This will provide access to all host-pools / app-groups on the tenant.

If you are unable to run the Add-RdsAccount command successfully, it could mean you need to be added as a TenantCreator or that you need to install and import the libraries you need to run this. To do this run the following commands before the Add-RdsAccount command:

1. Install-Module -Name Microsoft.RDInfra.RDPowerShell, and then
2. Import-Module -Name Microsoft.RDInfra.RDPowerShell

See https://docs.microsoft.com/en-gb/powershell/windows-virtual-desktop/overview for more details.

Sometimes you need to use Powershell to manipulate Exchange Online. When MFA is enabled, you may get something like the following error:

New-PSSession : [ps.outlook.com] Connecting to remote server ps.outlook.com failed with the following error message :Access is denied.

To fix this situation, you'll need to setup EXO V2 on your local PC. To do this:

• Make sure EXO V2 is installed on your local PC - https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#install-and-maintain-the-exo-v2-module
• Make sure WINRM is running. Do this by opening a command prompt (in admin mode) and running: winrm quickconfig

• Then connect to Exchange using the following instructions: https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
  • Use the following command to connect: Connect-ExchangeOnline -UserPrincipalName [admin-account] -ShowProgress $true

When working with Exchange Online, sometimes you'll come across issues in sharing calendars with others. As an administrator, you can use the following steps to check calendar permissions and to update them as you need.

To get current calendar permissions for a user

1. Run Powershell as Administrator
2. Get Office 365 credentials: $LiveCred = Get-Credential
3. If MFA is not turned on for your account:
   1. Start a session with the Office 365 tenant - $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic –AllowRedirection
      1. You may have to execute the above command a second time if you get a connection error – note that you may also get an authentication error if the login account has MFA turned on and EXO V2 is not installed on the PC you are using. Check this out to fix this. Then follow the instructions If MFA is enabled for your account.
   2. Import Powershell session: Import-PSSession $Session
4. If MFA is enabled for your account:
   1. Connect-ExchangeOnline -UserPrincipalName [user-name] -ShowProgress $true
5. Get calendar permission details: Get-MailboxFolderPermission [user-account]:\calendar

This will then list out all of the accounts that have been granted access, including groups.

To add or update calendar permissions

We normally have a group called All Staff of which all staff are a member. Then default permissions for calendars are defined for this group (normally Reviewer - so that anyone can see calendar items of others but can't change them). Elevated permissions (if needed) can be granted specifically for people or groups on top of this default.

If say user-A doesn't have access to user-B's calendar and needs Reviewer access, run the command: Add-MailboxFolderPermission -Identity [user-B]:\Calendar -User [user-A] -AccessRights Reviewer

Alternatively, if say user-A had AvailabilityOnly access to user-B's calendar and needs Reviewer access then run: Set-MailboxFolderPermission -Identity [user-B]:\Calendar -User [user-A] -AccessRights Reviewer

To remove permissions one-by-one, you can use: Remove-MailboxFolderPermission -Identity [user-B]:\Calendar -User [user-A] -AccessRights Reviewer

Alternatively, use the following to remove permissions in bulk for a specific user calendar (and leaving Default or Anonymous permissions):

Get-MailboxFolderPermission [user-B]:\Calendar ` 

| ? {$_.User -notmatch "^(Default|Anonymous)$"} `

| % { Remove-MailboxFolderPermission -Identity $_.Identity -User $_.User.DisplayName -Confirm:$false }

More details can be found at: https://www.michev.info/Blog/Post/2500/how-to-reset-mailbox-folder-permissions

Other references

• More information at: https://theitbros.com/add-calendar-permissions-in-office-365-via-powershell/
• Look at -ResetDefault for removing delegated permissions on mailboxes - https://docs.microsoft.com/en-us/powershell/module/exchange/remove-mailboxpermission?view=exchange-ps

There are a few things you need to do before you can access a Windows Virtual Desktop app for the first time. The following are instructions for users. [Will soon provide pre-requisites that IT need to rollout before the steps below can be done]

Part 1: Enable Self-Service Password Reset

As a preliminary step before moving to IRIS in the cloud, everyone that needs access will need to reset their Office 365 password. Once self-service password reset is turned on for the tenant, this is a really simple thing a user can do themselves. The added bonus is that they can use this feature to reset their password anytime you may need to (like if they have forgotten it or they want to change it for some other reason).

To use self-service password reset, you'll need to register. To do this go to https://aka.ms/ssprsetup and follow the instructions.

Then, to reset your password, there are 2 ways of doing this:

1) If you are logged in to your PC, go to https://account.activedirectory.windowsazure.com/ChangePassword.aspx and follow the instructions.
2) If you are not logged in, start up your PC and you'll notice a new link underneath the PIN entry box that says I forgot my PIN. Click on this to continue the process to reset your password.

All users will need to compete the above before they can access the WVD app.

Part 2: Verify you can access your WVD app

Perform the following steps:

1. Type Remote Desktop into the search bar in the tool tray at the bottom of the screen. Hit Enter to run. Note that it is the red icon, not the Remote Desktop Connection
2. Click the Let’s Get Started button. Remote Desktop will now search for remote applications you have access to.
3. If you see a prompt to update Remote Desktop, please get in touch with Charlie Mac who will update the software on your behalf.
4. Click on the icon for your WVD app.
5. Enter your Office 365 credentials when asked. Make sure that your username is correct and that you being asked to enter your password. Note that if you are asked to enter your PIN or use Face ID, you’ll need to select More Options and select the option that enables you to enter your password. Note that PIN or Face ID do not work at this stage.
6. After a bit, you should see the login screen for your WVD app.

Deploying a new app on Windows Virtual Desktop (WVD) consists essentially of three steps: 1) Install the app on the VM that hosts the master WVD image, 2) publish the app, 3) assign users to the app.

Install the app on the master WVD image

1. Take a backup of the target VM – login to Azure and search for Backup Centre. Initiate backup from here. It may take a couple of hours to complete.
2. Login to the VM as local admin and over RDP – locate the VM, select Connect and then RDP to download the connection file. Run this and enter the local admin account credentials to connect.
3. Install the software you want to publish on the VM.

Publish the app

1. Open a Powershell console as an administrator on the VM hosting the master WVD image
2. Run Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" – to initiate session
3. Obtain the app alias by running the following to get a list of those available - Get-RdsStartMenuApp Corpapps [host group] [app-group]
4. If this returns an error (can’t find module), go ahead and install the modules needed using Install-Module -Name Microsoft.RDInfra.RDPowerShell
5. Publish the app you just installed using New-RdsRemoteApp [tenant-name][host-group] [app-group] -Name [name you want to give the app] -AppAlias [the app alias you got from step 3]

Assign users

To publish a remote app to a user, run the following Powershell command. This can be done on any PC connected to the internet: Add-RdsAppGroupUser [tenant-name] [host-group] [app-group] -UserPrincipalName [username]

Other useful commands

• Add-RdsAccount -DeploymentUrl https://rdbroker.wvd.microsoft.com – to connect PS to WVD
• Get-RdsAppGroupUser [tenant-name] [host-pool-name] [app-group] – get a list of users that are offered apps in the app group as remote apps
• Get-RdsAppGroup -TenantName [tenant-name] -HostPoolName [host-pool-name] – gets all app groups in the host pool
• Remove-RdsRemoteApp [tenant-name] [host-pool-name] [app-group] -Name "[name you gave the app]” -AppAlias [alias that was obtained in step 3 above] – remove app from the app group