Cloud-Only Deployment (The Modern Path)

Architecture Overview

Entra Join (No Domain Controllers)

For Azure Virtual Desktop (AVD) and modern physical devices, the "Gold Standard" is 100% Entra Join. This removes the dependency on line-of-sight to a Domain Controller, complex VPNs, and "Hybrid" sync latency. The device identity lives solely in the cloud.

Instant Intune Enrollment

Unlike Hybrid Join, which requires a GPO to trigger enrollment, Entra Joined devices enroll in Intune automatically the moment they join the directory (provided the MDM User Scope is correctly configured).

AVD Authentication

In the AVD model, authentication is handled by Azure RBAC policies rather than Domain Controller ACLs. Users authenticate using their Entra ID (M365) credentials directly.

Implementation Checklist

Because we have removed the "Sync" and "GPO" layers, this deployment is significantly faster and less prone to "retry" loops. However, the DNS and RBAC prerequisites are strict.

Phase 1: DNS Discovery Records (GCC High)

Even though these machines are in Azure, they still act as "Clients" that need to discover their management endpoints. Ensure your public and private DNS entries have these records.

Why it matters for AVD: If these are missing, the "Join" may succeed, but the automatic hand-off to Intune can fail, leaving you with an unmanaged VM.

  • Host Name: enterpriseregistration.[yourdomain.com]
    • Record Type: CNAME
    • Value: enterpriseregistration.windows.net
    • Purpose: Tells the device where to register its identity in Entra ID.
  • Host Name: enterpriseenrollment.[yourdomain.com]
    • Record Type: CNAME
    • Value: enterpriseenrollment-s.manage.microsoft.us
    • Purpose: Tells the device where the GCC High Intune enrollment server is located.

Phase 2: Entra Configuration (The Trigger)

In a Cloud-Only world, there is no GPO to push enrollment. The "MDM User Scope" is the only trigger.

  • [ ] Configure MDM User Scope:
    • Navigate to Entra ID > Mobility (MDM and MAM) > Microsoft Intune.
    • MDM User Scope: Set to All (or target your AVD User Group).
    • WIP User Scope: Set to None.
      • Warning: If set to "All," the enrollment may default to "MAM" (App management only) rather than full device management.

Phase 3: AVD Host Pool Configuration

The "Join" happens at the Host Pool level during provisioning.

  • [ ] Host Pool Settings:

    • When creating or updating the Host Pool, ensure:
      • Domain to join: Select Microsoft Entra ID.
      • Enroll VM with Intune: Select Yes.
  • [ ] RDP Properties (SSO):

    • To ensure users don't get double-prompted (once for the gateway, once for the VM), enable SSO.
    • In the Host Pool RDP Properties:
      • enablerdsaadauth:i:1 (Enables Entra ID authentication)
      • targetisaadjoined:i:1 (Tells the client the target is Entra Joined)

Phase 4: RBAC Permissions (The "Logon" Right)

Unlike AD, being a "Domain User" grants you nothing here. You must explicitly grant login rights via Azure RBAC.

  • [ ] Assign Virtual Machine User Login:
    • Navigate to the Resource Group containing your AVD VMs.
    • Assign the role Virtual Machine User Login (for standard users) or Virtual Machine Administrator Login (for admins) to your AVD User Group.
    • Note: Without this role, users will see a "Login Failed" or "Access Denied" error when attempting to connect, even if the VM is healthy.
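Phases 3 and 4 can be applied from Az PowerShell in one pass. The block below is an added example, not the guide's own script: it merges the SSO RDP properties into the host pool's existing custom RDP string (so other customizations are not overwritten) and assigns the Virtual Machine User Login role to the AVD user group at the resource group scope. It assumes the Az.DesktopVirtualization and Az.Resources modules, an existing session from Connect-AzAccount -Environment AzureUSGovernment, and placeholder resource group, host pool and group names. The same property string also carries the clipboard and drive redirection restrictions discussed under Data Protection below.

```powershell
# Added example: enforce Entra SSO RDP properties and grant the AVD logon role (GCC High).
function Merge-RdpProperties {
    param([string]$Existing, [hashtable]$Desired)
    # Custom RDP properties are ';'-separated "name:type:value" entries. Keep what is
    # already there and add or override only the keys we care about.
    $props = [ordered]@{}
    foreach ($entry in ($Existing -split ';')) {
        if ($entry -match '^([^:]+):([is]):(.*)$') { $props[$Matches[1]] = "$($Matches[2]):$($Matches[3])" }
    }
    foreach ($k in $Desired.Keys) { $props[$k] = $Desired[$k] }
    return (($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
}

$rg        = 'rg-avd-gcch'    # placeholder resource group holding the host pool and VMs
$pool      = 'hp-avd-entra'   # placeholder host pool name
$groupName = 'AVD-Users'      # placeholder Entra security group for AVD users

$desired = @{
    'enablerdsaadauth'  = 'i:1'  # Entra ID auth at the gateway: no second credential prompt
    'targetisaadjoined' = 'i:1'  # tell the client the session host is Entra Joined
    'redirectclipboard' = 'i:0'  # keep CUI inside the boundary: no clipboard out of the session
    'drivestoredirect'  = 's:'   # no local drive redirection
}

$hostPool = Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool
$merged   = Merge-RdpProperties -Existing $hostPool.CustomRdpProperty -Desired $desired
Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $merged

# Phase 4: without this assignment users get "Access Denied" even on a healthy VM.
$group = Get-AzADGroup -DisplayName $groupName
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Virtual Machine User Login' -ResourceGroupName $rg
```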

Phase 5: Verification & Success Indicators

Once the VM is provisioned, verifying the state looks different than Hybrid.

  • [ ] Connect to the VM:

    • Log in as an Administrator (using the RBAC role assigned above).
  • [ ] Run Verification Command:

    • Open Command Prompt and type: dsregcmd /status
  • [ ] Verify Identity State:

    • AzureAdJoined : YES (The device is natively cloud).
    • DomainJoined : NO (This is correct for cloud-only. If this says YES, you accidentally Hybrid Joined it).
    • AzureAdPrt : YES (The user has a valid cloud token).
  • [ ] Verify Discovery (GCC High):

    • Scroll to Tenant Details and check the URLs:
      • MdmUrl: Must point to https://enrollment.manage.microsoft.us/enrollmentserver/discovery.svc
      • MdmTouUrl: Must point to https://portal.manage.microsoft.us/TermsofUse.aspx
    • Critical Sovereign Check: If MdmUrl points to a .com address, the AVD is attempting to enroll in Commercial. Check your Host Pool region and DNS records.

  • [ ] Visual Verification (Settings):

    • Open Settings > Accounts > Access work or school.
    • You should see the Connected to Mindline (Entra ID) logo.
    • Click the connection. You should see an Info button.
      • If the Info button is missing: The device is Joined but not Enrolled. Check the MDM User Scope in Phase 2.
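For a fleet of session hosts, reading dsregcmd output by eye does not scale. The script below is an added example (not from the original guide) that parses dsregcmd /status and applies the Phase 5 checks: the identity state, the "joined but not enrolled" case, and the sovereign MdmUrl check. It assumes it runs on a Windows session host; when dsregcmd is not on the PATH it falls back to a constructed sample so the logic can be exercised elsewhere.

```powershell
# Added example: machine-check the Phase 5 success indicators from dsregcmd /status.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value"; URLs contain ':' so split only on the first " : ".
        if ($line -match '^\s*(\S+)\s+:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-CloudOnlyJoin {
    param([hashtable]$State)
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($State['AzureAdJoined'] -ne 'YES') { $findings.Add('FAIL: AzureAdJoined is not YES; device is not Entra Joined') }
    if ($State['DomainJoined']  -ne 'NO')  { $findings.Add('FAIL: DomainJoined is YES; device was Hybrid Joined, not cloud-only') }
    if ($State['AzureAdPrt']    -ne 'YES') { $findings.Add('WARN: no AzureAdPrt; the signed-in user has no cloud token') }

    $mdm = $State['MdmUrl']
    if ([string]::IsNullOrWhiteSpace($mdm)) {
        $findings.Add('FAIL: MdmUrl is empty; device is Joined but not Enrolled (check MDM User Scope)')
    } elseif ($mdm -notmatch '^https://[^/]+\.manage\.microsoft\.us/') {
        # A .com endpoint means the host is trying to enroll in Commercial, not GCC High.
        $findings.Add("FAIL: MdmUrl '$mdm' is not a GCC High (manage.microsoft.us) endpoint")
    }
    return $findings
}

$raw = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) { dsregcmd /status } else {
    # Constructed sample in the shape of real output; values are illustrative only and
    # deliberately show a Hybrid Joined host pointed at the Commercial enrollment URL.
    @('   AzureAdJoined : YES', '   DomainJoined : YES', '   AzureAdPrt : YES',
      '   MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc')
}
$findings = Test-CloudOnlyJoin -State (ConvertFrom-DsregStatus -Lines $raw)
if ($findings.Count -eq 0) { 'PASS: cloud-only Entra Join with GCC High enrollment' } else { $findings }
```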

Phase 6: Post-Deployment Tweak (Shared PC Mode)

For 100 AVDs, you are likely using Multi-Session Windows 10/11. To manage profiles efficiently:

  • [ ] Deploy Shared PC Mode (Optimized for AVD):
    • Create a Settings Catalog profile in Intune.
    • Guest Account: Not Configured (Users are Entra auth'd).
    • Account Management: Enabled.
    • Deletion Threshold: Delete at disk space threshold (e.g., 85%).
    • Local Storage: Disabled (Force use of OneDrive/FSLogix).

⚡ FSLogix & Intune

If you are using FSLogix for profile containers, ensure your Intune Compliance Policies do not include checks that might conflict with VHD mounting (like BitLocker checks on non-OS drives, which can sometimes flag attached profile disks).

Transitioning from Domain/Hybrid Join to Entra Join

When migrating a machine from a Traditional Domain or Hybrid Join to a full Entra Join, the primary identity of the user changes. Windows no longer recognizes CONTOSO\user as the owner of the local data; instead, it sees user@contoso.com as a completely new owner.

Because these are distinct security identities, the user will receive a fresh profile upon their first cloud login. Standard settings such as application registry keys, local Document folders, and desktop icons will not automatically carry over. While this is a non-issue for "greenfield" (new) deployments, it creates a hurdle for existing machines being moved to 100% cloud management.

Since Microsoft does not provide an official tool for local profile migration, third-party utilities are required to "map" the old SID to the new one. Tools like ForensiT User Profile Wizard are the industry standard for this transition. This section walks through the use of ForensiT to unjoin the domain and join to Entra while preserving the user profile.

  1. Install ForensiT User Profile Wizard as a local admin.
  2. Run the ForensiT User Profile Wizard Deployment Kit.
  3. Step 2 of 13: create a new migration project: EntraMigration.
  4. Step 3 of 13: enter the name of the new domain: contoso.com, and select Azure AD.
  5. p. 69: Migrate to Azure AD.
  6. p. 70: Generate the ForensiTAzureID.xml.
  7. p. 72: Create a Provisioning Package (this is how User Profile Wizard joins machines to Entra).
    • Install the Windows Assessment and Deployment Kit.
    • Launch Start -> All -> W -> Windows Kits -> Windows Imaging and Configuration Designer.
      • Project: EntraJoin
      • Follow the instructions to NOT change machine names.
  8. p. 75: Export the Provisioning Package.
    • C:\Users\arvind.suthar\Documents\Windows Imaging and Configuration Designer (WICD)\EntraJoin\EntraJoin.ppkg
  9. p. 76: Configure User Profile Wizard to migrate profiles to Azure AD.
  10. Step 3 of 13:
    • Enter the name of the new domain: contoso.com
    • Select Azure AD
    • Azure ID file path:
      • C:\Program Files (x86)\ForensiT\User Profile Wizard Corporate\Deployment Kit\bin\ForensiTAzureID.xml
    • Provisioning Package:
      • C:\Users\arvind.suthar\Documents\Windows Imaging and Configuration Designer (WICD)\EntraJoin\EntraJoin.ppkg
  11. Step 6 of 13:
    • Existing domain: CONTOSO
    • Migrating from existing Azure AD tenant: No
  12. Step 8 of 13:
    • p. 77: check Use lookup file to get new account names, create the lookup file, and set its path.
      • Generally AD usernames are just everything before @ in the Entra UPN.
      • C:\Users\arvind.suthar\Documents\ForensiTUserLookup.csv
    • Clear Skip migration if user is not found in lookup file.
      • Happy to take the default (see the line above) or a popup to address manually, if that is what the tool does.
    • Clear the Rename Profile Folder checkbox due to compatibility concerns.
  13. Step 10 of 13:
    • Enter the local administrator account to run User Profile Wizard.
  14. Step 11 of 13:
    • Let the default script run to execute the migration.
  15. Step 12 of 13:
    • No need for any other per-user script to run.
  16. Create the single deployment file:
    • C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\EntraJoin\Migrate-ToEntra.exe
  17. Kill all tasks with Cisco in the name.
  18. Run the migration.

Architecture Validation (The Consultant's View)

Before declaring victory, use this questionnaire to validate your Cloud-Only architecture against CMMC realities. These are the "hidden" requirements that often derail audits.

1. Identity & Privilege

  • "How do we handle 'Break-Glass' admin access on these VMs?"

    The CMMC Reality: You cannot use "Domain Admins" anymore. Determine if you are using PIM for Groups (JIT) or a dedicated Admin tier. (Ref: CMMC 3.1.5)

  • "Do any legacy apps require Kerberos, or is everything Modern Auth?"

    The Trap: Entra Joined machines have no line-of-sight to a DC. If an app needs Kerberos, you need Azure AD Domain Services or Cloud Kerberos Trust immediately.

2. Device Security

  • "Does the SSP require FIPS Mode enabled at the OS level?"

    The Risk: FIPS 140-2 compliance is strict. Enabling FIPS mode in Windows breaks many modern apps. Verify this before finalizing your Golden Image.

  • "How are we enforcing the Inactivity Timeout?"

    The Check: CMMC 3.1.10 requires session termination. Ensure your Intune Configuration Profile locks the session (not just disconnects) after 15 minutes.

3. Data Protection (AVD Specific)

  • "Are we restricting Clipboard and Drive Redirection?"

    The Boundary: If users can copy/paste CUI from the secure AVD to their unmanaged home PC, your boundary is broken. This is an RDP Property, not an Intune setting.

  • "Where is the FSLogix storage located?"

    The Sovereign Check: Ensure your Azure Files or NetApp Files storage account is in a US Gov region to maintain data residency.

4. Sovereignty Check

  • "Do global support staff have access to these VMs?"

    The Law: Even with Entra Join, a login from a non-US IP by a non-US person may violate ITAR/EAR rules. Consider a Conditional Access Policy to block non-US logins.
