MS-900 | Chapter 103 of 104 | Objective 2.5

Azure Virtual Desktop (AVD)

This chapter covers Azure Virtual Desktop (AVD), a key desktop and app virtualization service in Microsoft 365. AVD is a frequent topic on the MS-900 exam, appearing in roughly 5-10% of questions, especially around licensing, deployment models, and integration with Microsoft 365. You'll learn what AVD is, how it works, its components, and how it compares to other virtualization solutions. By the end, you'll be prepared for exam questions on AVD's architecture, licensing requirements, and use cases.

25 min read
Intermediate
Updated May 31, 2026

AVD: A Remote Desktop Buffet

Azure Virtual Desktop is like a high-end buffet restaurant. The restaurant (Azure) has a huge kitchen (virtual machine pools) with many chefs (session hosts) preparing meals (desktops and apps). Customers (users) don't cook; they just walk in, pick a table (session), and order from a menu (Azure Virtual Desktop feed). The maître d' (Azure AD and Conditional Access) checks their membership (authentication and authorization) before seating. Once seated, a waiter (Azure Virtual Desktop gateway) brings the meal from the kitchen over a service cart (reverse connect transport) — the waiter never lets the customer into the kitchen. The restaurant can expand by adding more chefs during rush hour (autoscaling), and it can offer a special menu for VIPs (personal desktops). The customer never sees the kitchen's chaos (underlying VMs, load balancing, updates); they just enjoy the meal. The analogy breaks down at the waiter: with AVD's 'reverse connect', the session host opens its connection outbound to the gateway, and the client also talks only to the gateway, so nothing ever connects inbound to the kitchen. It is like a waiter who only brings food when the kitchen calls out an order, not when the customer asks.

How It Actually Works

What is Azure Virtual Desktop?

Azure Virtual Desktop (AVD) is a desktop and app virtualization service that runs on Microsoft Azure. It enables users to access full Windows desktops or individual RemoteApp applications from anywhere, on any device, using a supported client. AVD is the evolution of Windows Virtual Desktop (WVD), rebranded in 2021. It is a Platform-as-a-Service (PaaS) offering that abstracts the underlying infrastructure, allowing organizations to deploy multi-session Windows 10/11 or Windows Server desktops without managing RD Session Host roles.

Why AVD Exists

Traditional Remote Desktop Services (RDS) required significant on-premises infrastructure: RD Connection Broker, RD Gateway, RD Web Access, RD Licensing, and Session Hosts. AVD eliminates most of this by moving the broker, gateway, and web access to Azure as managed services. Key drivers:

- Multi-session Windows 10/11: Only AVD supports multiple concurrent users on a single Windows 10/11 VM, drastically reducing cost compared to single-user VDI.
- Optimized for Microsoft 365: AVD integrates with Azure AD, Intune, Microsoft 365 Apps, and OneDrive for seamless productivity.
- Security: No inbound connections to the corporate network; all communication is outbound from the VM to the gateway via reverse connect.
- Scalability: Scale session hosts up/down based on demand using Azure autoscale.

How AVD Works Internally

AVD uses a reverse connect technology. When a user launches a remote desktop or app, the client contacts the AVD web service, which returns a list of available resources. The client then connects to the AVD gateway service, which brokers a connection to a session host. The session host initiates an outbound connection to the gateway, and the gateway relays data between client and host. The client never directly connects to the session host — all traffic flows through the gateway, which is a managed service in Azure.

Key Components

Host pools: Collection of VMs (session hosts) that share the same configuration. Two types: pooled (multi-session) and personal (single-user).

Workspaces: Logical grouping of application groups that users see in their client.

Application groups: Control which RemoteApps or desktops are available to users. Two types: Desktop (full desktop) and RemoteApp (individual apps).

Session hosts: VMs running Windows 10/11 Enterprise multi-session or Windows Server. Must be domain-joined (Azure AD DS, AD DS, or Azure AD).

AVD gateway: Manages the reverse connect tunnel.

AVD broker: Manages user sessions and resource assignment.

AVD diagnostics: Azure Monitor-based logging for session host health and user connections.

Licensing Requirements

Windows 10/11 Enterprise: Users need Microsoft 365 E3/E5, or Windows E3/E5 per user, or a separate Windows VDA license.

Windows Server: Users need RDS CALs (if using per-user licensing) or Azure hybrid benefit.

External users: Must have per-user access licensing (typically through Microsoft 365 or Windows VDA).

No additional Azure license: The AVD service itself is free; you pay only for the underlying Azure resources (VMs, storage, networking).

Configuration and Verification

Deploying AVD involves:

1. Create a host pool in the Azure portal.
2. Add session hosts (VMs) to the pool.
3. Create an application group and assign users.
4. Publish the application group to a workspace.
5. Users access via the Remote Desktop client (Windows, macOS, iOS, Android, web).

Verification commands (PowerShell / Azure CLI):

# PowerShell (Az.DesktopVirtualization module); each cmdlet needs the resource group
Get-AzWvdHostPool -ResourceGroupName <RG>
Get-AzWvdSessionHost -ResourceGroupName <RG> -HostPoolName <HP>
Get-AzWvdUserSession -ResourceGroupName <RG> -HostPoolName <HP> -SessionHostName <SH>

# Azure CLI
az desktopvirtualization hostpool list --resource-group <RG>
az desktopvirtualization sessionhost list --host-pool-name <HP> --resource-group <RG>

Interaction with Related Technologies

Azure AD: For user authentication and Conditional Access policies (e.g., MFA, device compliance).

Intune: For managing session hosts (e.g., update policies, app deployment).

OneDrive: Known Folder Move redirects user folders to OneDrive for persistent data.

FSLogix: Profile container technology required in pooled host pools to provide roaming user profiles. FSLogix stores user profiles in Azure Files or Azure NetApp Files.

Azure Files: Recommended storage for FSLogix profiles. Supports SMB 3.0 with multichannel for performance.

Azure NetApp Files: Alternative for high-performance profile storage.

Azure Monitor: For AVD diagnostics — connection failures, performance metrics.

Azure Bastion: For secure RDP/SSH access to session hosts without public IPs.

Default Values and Timers

Drain mode: When enabled, existing sessions continue but new connections are blocked. Useful for maintenance.

Session host capacity: Default 999 sessions per host pool (can be increased).

Broker timeout: 60 seconds for idle connections.

Gateway heartbeat: 30 seconds between session host and gateway.

Autoscale: Can schedule scaling based on time or CPU/memory thresholds. Default cooldown period 5 minutes between scale operations.

Trap Patterns on the Exam

Licensing: Many candidates confuse AVD licensing with RDS licensing. AVD does NOT require RDS CALs for Windows 10/11 — it requires Windows Enterprise per-user licensing. For Windows Server, you need RDS CALs or Azure hybrid benefit.

Multi-session: Only Windows 10/11 Enterprise multi-session is supported for multi-user VMs. Windows 10 Pro does not support multi-session.

Reverse connect: AVD does NOT require inbound RDP ports (3389) open to the internet. The session host initiates outbound HTTPS (443) to the gateway.

FSLogix: FSLogix is required for profile management in pooled host pools. Without it, user settings are lost on logoff.

Personal vs. Pooled: Personal desktops are for single users who need persistent desktops (e.g., developers). Pooled are for multi-session, non-persistent desktops (e.g., task workers).

Walk-Through

1. User Authenticates via Client

The user opens the Remote Desktop client (Windows, macOS, etc.) and signs in with their Azure AD credentials. The client sends an authentication request to Azure AD. Azure AD validates the user's identity and applies any Conditional Access policies (e.g., MFA, device compliance). If authentication succeeds, Azure AD returns an access token to the client. This token is used for subsequent requests to AVD services. The client then calls the AVD web service (https://rdweb.wvd.microsoft.com) to enumerate available resources.

2. Client Retrieves Resource Feed

Using the access token, the client queries the AVD feed service. The feed service looks up the user's assigned application groups and workspaces. It returns an XML feed containing the list of available desktops and RemoteApps. This feed includes connection details like workspace name, resource IDs, and gateway URLs. The client displays these resources to the user in the Remote Desktop client interface. The user selects a desktop or app to launch.

3. Client Connects to Gateway

The client initiates an HTTPS connection to the AVD gateway service (e.g., wvd-gateway.azure.com). The gateway validates the client's access token. Once validated, the gateway sends a connection request to the AVD broker, asking for a session host assignment. The broker selects an available session host from the host pool based on load balancing (breadth-first or depth-first). It then informs the gateway of the chosen session host's details (internal IP, port).

4. Session Host Initiates Reverse Connect

The session host (VM) has a persistent outbound connection to the gateway (established at boot time). The gateway sends the connection details to the session host, instructing it to create a new session for the user. The session host opens an outbound HTTPS connection to the gateway for the session. This is the reverse connect tunnel: all traffic flows from the session host to the gateway, not from the client to the session host. The gateway then bridges the client's connection and the session host's tunnel.

5. User Interacts with Remote Session

Once the tunnel is established, the client and session host exchange Remote Desktop Protocol (RDP) data through the gateway. The gateway relays input (keyboard, mouse) from client to host and output (screen, audio) from host to client. The session host applies any Group Policy or Intune configurations (e.g., drive redirection, clipboard). FSLogix mounts the user's profile from Azure Files. When the user logs off, the session ends, and the reverse connect tunnel is torn down.

What This Looks Like on the Job

Enterprise Scenario 1: Remote Task Workers

A large retail company with 5,000 remote call center agents uses AVD with pooled Windows 10 multi-session hosts. Each host runs on a D4s_v3 VM (4 vCPU, 16 GB RAM) supporting 10 users per host. Profiles are stored on Azure Files Premium shares. The company uses autoscale to power off VMs outside business hours, saving 60% on compute costs. Key challenge: ensuring consistent audio quality for VoIP calls. They solved this by enabling RDP multimedia redirection and using Azure NetApp Files for low-latency profile access.

Enterprise Scenario 2: Personal Desktops for Developers

A software company provides each developer with a personal AVD desktop running Windows 10 Enterprise (single-session). Developers need persistent desktops with custom software installations. They use personal host pools with dedicated VMs (NV6s_v3 for GPU acceleration). FSLogix is configured to use Office Container for Outlook data, while developer tools are installed locally on each VM. Challenge: managing updates for 200 VMs. They use Azure Update Management and snapshot-based rollback for critical updates.

Enterprise Scenario 3: Seasonal Workforce

A tax preparation firm scales from 50 to 500 users during tax season. They deploy AVD with pooled hosts and autoscale based on scheduled ramp-up and ramp-down times. Session hosts are Windows 10 multi-session on B2s VMs (2 vCPU, 4 GB RAM) for cost efficiency. Profiles are stored on Azure Files Standard with a 100-TB share. They use FSLogix profile containers with Office Container to handle Outlook OST files. Misconfiguration: initially they forgot to enable FSLogix, causing user profile loss on logoff. After enabling FSLogix, they also had to increase Azure Files IOPS to handle 500 concurrent profile loads.

Common Misconfigurations

Not enabling FSLogix: Users lose all settings and data on logoff.

Incorrect load balancing: Depth-first can cause uneven user distribution.

Insufficient storage performance: Azure Files Standard may throttle under high I/O; use Premium for production.

Public IP on session hosts: Exposes RDP port to internet — unnecessary due to reverse connect.

Licensing gaps: Using Windows 10 Pro instead of Enterprise multi-session leads to license violation.

How MS-900 Actually Tests This

MS-900 Objective 2.5: Describe Azure Virtual Desktop

This objective covers understanding AVD's purpose, licensing, deployment models, and integration with Microsoft 365. Expect 2-3 questions on the exam.

Common Wrong Answers and Why

1. "AVD requires RDS CALs for all users." Wrong: Windows 10/11 multi-session does not require RDS CALs; it requires Windows Enterprise per-user licensing (via Microsoft 365 E3/E5 or Windows E3/E5). RDS CALs are only needed for Windows Server session hosts.

2. "AVD uses inbound RDP connections from the client to the VM." Wrong: AVD uses reverse connect; the session host initiates outbound HTTPS to the gateway. No inbound ports are needed.

3. "AVD is only for Windows 10 Enterprise multi-session." Wrong: AVD supports Windows 10/11 Enterprise multi-session, Windows 10/11 Enterprise single-session, Windows Server 2019/2022, and Windows 7 (with ESU).

4. "FSLogix is optional." Wrong: FSLogix is required for pooled host pools to provide persistent user profiles. Without it, user data is lost on logoff.

Specific Numbers and Terms on the Exam

Multi-session: Only Windows 10/11 Enterprise multi-session supports multiple concurrent users.

Reverse connect: The key architectural term — remember that traffic flows from VM to gateway, not client to VM.

Host pool types: Pooled (multi-session, non-persistent) and Personal (single-user, persistent).

Load balancing: Breadth-first (new sessions go to host with fewest sessions) and depth-first (new sessions fill one host before moving to next).

Licensing: Microsoft 365 E3/E5 or Windows E3/E5 per user. No additional AVD service cost.

FSLogix: Profile Container and Office Container are the two components.
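The load-balancing rule just listed, together with the session host capacity and drain mode from the Default Values section, as a constructed simulation of the broker's choice. This is an added example, not code from the page or from Microsoft; the host names, user ids, and the depth-first rule of trying hosts in list order are assumptions.

```python
"""Constructed simulation of how an AVD broker assigns a new session to a
session host: breadth-first vs depth-first, honouring the host pool's
MaxSessionLimit and drain mode. It calls no Azure API."""
from dataclasses import dataclass, field


@dataclass
class SessionHost:
    name: str
    max_session_limit: int = 10        # host pool MaxSessionLimit
    allow_new_session: bool = True     # False means drain mode is on
    sessions: list = field(default_factory=list)

    def accepts_new_session(self) -> bool:
        # Drain mode keeps existing sessions but refuses new ones.
        return self.allow_new_session and len(self.sessions) < self.max_session_limit


def pick_host(hosts, algorithm):
    """Return the host the broker would choose, or None if the pool is full."""
    candidates = [h for h in hosts if h.accepts_new_session()]
    if not candidates:
        return None
    if algorithm == "breadth-first":
        # Spread users: the host with the fewest current sessions wins.
        return min(candidates, key=lambda h: len(h.sessions))
    if algorithm == "depth-first":
        # Fill one host to its limit before moving on. Assumption: hosts are
        # tried in list order; the real broker's tie-break is not modelled.
        return candidates[0]
    raise ValueError(f"unknown load-balancing algorithm: {algorithm!r}")


def assign_users(hosts, users, algorithm):
    """Place each user in turn. Returns ({host: session count}, rejected users)."""
    rejected = []
    for user in users:
        host = pick_host(hosts, algorithm)
        if host is None:
            rejected.append(user)       # pool at capacity: connection fails
        else:
            host.sessions.append(user)
    return {h.name: len(h.sessions) for h in hosts}, rejected


def demo(algorithm, limit=10, drained=None):
    """Three hosts, 12 logons. `drained` puts that host into drain mode
    with two pre-existing sessions that must survive."""
    hosts = [SessionHost(f"sh-{i}", max_session_limit=limit) for i in range(3)]
    if drained is not None:
        hosts[drained].sessions.extend(["existing-a", "existing-b"])
        hosts[drained].allow_new_session = False
    users = [f"user{n:02d}" for n in range(12)]
    return assign_users(hosts, users, algorithm)


if __name__ == "__main__":
    for algorithm in ("breadth-first", "depth-first"):
        print(algorithm, demo(algorithm))
    print("depth-first, sh-0 in drain mode:", demo("depth-first", drained=0))
    print("depth-first, MaxSessionLimit=3:", demo("depth-first", limit=3))
```

Running it shows why the "Incorrect load balancing" misconfiguration matters: depth-first lands 10 of 12 users on one host while breadth-first spreads them 4/4/4.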

Edge Cases

Windows Server session hosts: Require RDS CALs or Azure hybrid benefit.

Azure AD joined only: AVD supports Azure AD-joined VMs without domain controllers, but FSLogix profiles require Azure Files with AD authentication (Azure AD DS or AD DS).

GPU workloads: Use NV-series VMs with GPU partitioning for graphics-intensive apps.

How to Eliminate Wrong Answers

If a question asks about licensing, eliminate options mentioning RDS CALs for Windows 10/11 users. If a question asks about connectivity, eliminate options with inbound RDP. If a question asks about user profiles, look for FSLogix as a requirement.

Key Takeaways

AVD is a PaaS desktop virtualization service that supports Windows 10/11 multi-session and Windows Server.

Reverse connect means session hosts initiate outbound HTTPS to the AVD gateway; no inbound ports needed.

AVD requires Windows Enterprise per-user licensing (Microsoft 365 E3/E5) for Windows 10/11; Windows Server hosts require RDS CALs.

Host pools can be pooled (multi-session, non-persistent) or personal (single-user, persistent).

FSLogix is mandatory for pooled host pools to provide persistent user profiles.

AVD integrates with Azure AD for authentication and Conditional Access, Intune for management, and OneDrive for data.

Autoscale can schedule power on/off of session hosts based on time or performance metrics.

Load balancing options: breadth-first (spread users) and depth-first (fill one host first).

AVD diagnostics uses Azure Monitor for connection and performance logging.

AVD is free; you pay only for Azure VMs, storage, and networking.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Azure Virtual Desktop (AVD)

PaaS — Microsoft manages broker, gateway, web access

Supports Windows 10/11 multi-session (up to 10 users per VM)

No inbound ports required (reverse connect)

Built-in integration with Azure AD, Intune, Microsoft 365 Apps

Pay only for Azure compute and storage; no AVD service fee

Traditional Remote Desktop Services (RDS)

IaaS — you manage all RD roles (broker, gateway, web, licensing)

Only Windows Server multi-session (RDS CALs required per user/device)

Requires inbound RDP (3389) and other ports

Limited integration with cloud identity; requires AD DS

Licensing costs: RDS CALs plus Windows Server licenses

Watch Out for These

Mistake: AVD requires inbound port 3389 to be open on session hosts.

Correct: AVD uses reverse connect; session hosts only make outbound HTTPS connections to the AVD gateway. No inbound ports are needed. The client never directly connects to the session host.

Mistake: AVD is the same as traditional RDS but in the cloud.

Correct: AVD is a PaaS service that abstracts the broker, gateway, and web access. Traditional RDS requires managing RD Connection Broker, RD Gateway, RD Web Access, and RD Licensing servers. AVD eliminates these roles.

Mistake: FSLogix is optional and only for profile management.

Correct: FSLogix is mandatory for pooled host pools to provide persistent user profiles. Without it, user settings and data are lost when the user logs off. FSLogix Profile Container and Office Container are key components.

Mistake: AVD only supports Windows 10 Enterprise multi-session.

Correct: AVD supports Windows 10/11 Enterprise multi-session, Windows 10/11 Enterprise single-session, Windows Server 2019/2022, and Windows 7 with ESU. Multi-session is just one option.

Mistake: You need an RDS CAL for every user accessing AVD.

Correct: RDS CALs are only required for Windows Server session hosts. For Windows 10/11 session hosts, users need Windows Enterprise per-user licensing (Microsoft 365 E3/E5 or Windows E3/E5).

Frequently Asked Questions

What licensing do I need for Azure Virtual Desktop?

For Windows 10/11 session hosts, each user needs Microsoft 365 E3/E5, Windows E3/E5, or Windows VDA per-user license. No RDS CALs are needed. For Windows Server session hosts, you need RDS CALs (per user or per device) and Windows Server licenses (or use Azure hybrid benefit). The AVD service itself has no additional license fee.

Does AVD require a VPN or ExpressRoute?

No. AVD works over the public internet using reverse connect. The session host connects outbound to the AVD gateway over HTTPS. You can optionally use ExpressRoute for better performance if your session hosts and storage are in Azure, but it's not required.

What is FSLogix and why is it needed?

FSLogix is a profile management solution that stores user profiles in a VHDX file on a network share (e.g., Azure Files). It is required for pooled host pools because without it, user settings and data are lost when the user logs off. FSLogix mounts the VHDX at logon and unmounts at logoff, preserving the profile.

Can I use Azure AD joined VMs with AVD?

Yes. AVD supports session hosts that are Azure AD joined (no on-premises AD). However, for FSLogix profiles, you need a file share that supports Kerberos authentication, such as Azure Files with Azure AD DS or AD DS. Azure AD-only joined VMs cannot authenticate to Azure Files with Azure AD alone (requires Azure AD DS or AD DS).

What is the difference between pooled and personal host pools?

Pooled host pools assign multiple users to the same VMs (multi-session). Users get a non-persistent desktop — changes are lost unless FSLogix is used. Personal host pools assign each user a dedicated VM (single-session) that persists between sessions. Personal is for users who need to install software or customize the OS.

How does AVD handle user authentication?

Users authenticate via the Remote Desktop client using Azure AD credentials. Azure AD validates the user and applies Conditional Access policies (e.g., MFA). The client receives an access token used to enumerate resources and connect to the gateway. The session host does not need direct internet access for authentication.

What is reverse connect in AVD?

Reverse connect is the architecture where the session host initiates an outbound connection to the AVD gateway, and the client connects to the gateway. The gateway relays traffic between them. This eliminates the need for inbound ports on the session host and reduces the attack surface.
