XenApp on Azure Resource Manager: Demystifying Azure AD authentication

Recently, Citrix announced the release of XenApp 7.11. One of the cool features in it is support for Azure Resource Manager, which allows you to extend your existing XenApp deploymeinto Microsoft Azure right from Citrix Studio (this feature was introduced “Cloud first” in the XenApp and XenDesktop service a few months ago).

This means you can now take advantage of Azure’s massive global footprint to deploy virtual apps and desktops from any of hundreds of Azure data centers spread across 140+ countries worldwide, closest to where your users are so they get the best interactivity and performance (lowest latency).

This sounds great, but this greatness means that, as a Citrix admin, you now need some basic knowledge of how Azure accounts, subscriptions, Azure Resource Manager and Azure Active Directory are linked together. This can seem quite daunting at first but if you have a basic idea of some fundamentals, things becomes much easier. In this blog post, I will describe the fundamentals of these concepts and a few simple steps to get started.

The basics

  1. There are two types of accounts you can login to access Microsoft services
    • Microsoft accounts (also called personal accounts). For example, I have a few such accounts that I created myself –
      • prasannap@citrix.com
      • ppadmana@hotmail.com,
      • ppadmana@gmail.com
    • Azure Active Directory accounts (also called Work or School accounts – I know Microsoft didn’t make this easy :-)).  These are usually of the form user@org.onmicrosoft.com. For example, I have two Azure AD accounts.
      • prasannap@prasannapadmanabhancitrix.onmicrosoft.com
      • prasannap@citrix.onmicrosoft.com
  1. Azure AD is a massive multi-tenant directory system. I (specifically, prasannap@prasannapadmanabhancitrix.onmicrosoft.com) am the administrator of an Azure AD tenant directory named prasannapadmanabhancitrix.onmicrosoft.com. This tenant contains about 30 or so users which are a combination of Microsoft accounts (like ppadmana@hotmail.com) considered “Guests” and Azure AD accounts (like alex.stoddard@prasannapadmanabhancitrix.onmicrosoft) which are “Members”.
  1. Azure subscriptions are linked to one and only one Azure AD tenant. What I mean by “linked” is that the subscription trusts the authentication provided by that Azure AD tenant for resources contained within that subscription (like VMs, storage accounts, virtual networks etc.).
  1. Azure Resource Manager uses Azure AD for authentication. So, say you want to provision machines into your Azure subscription. You first need to successfully authenticate against the Azure AD tenant that the subscription is linked to.

Getting your Azure AD account set up

With these fundamentals in place, let’s tie all this together. You need an Azure AD account (Microsoft accounts won’t work) and an Azure subscription before you create a host connection in Citrix Studio. The key requirement for the account is that it be a member of the Azure AD associated with your subscription.

To meet this requirement, let’s take an example. Alex Stoddard, on my team, wants to provision XenApp on Azure. Prasanna Padmanabhan (me, as his manager) is the Azure account owner. Here’s what Alex needs to do.

  1. Identify the subscription’s directory: Alex logs in to the new Azure portal as alex.stoddard@citrix.com, it’s a Microsoft account not an Azure AD account. Alex will see his subscription’s directory at the top right: prasannapadmanabhancitrix.onmicrosoft.com
  2. Ask your Azure AD admin to create an Azure AD account for you: Alex requests Prasanna, the Azure AD admin for prasannapadmanabhancitrix.onmicrosoft.com to create an Azure AD account for him. To do this, Prasanna has to login to the old Azure portal as the admin (prasannap@prasannapadmanabhancitrix.onmicrosoft.com) and create an Azure AD user for Alex (alex.stoddard@prasannapadmanabhancitrix.onmicrosoft.com) as described here.
  3. Ask your Azure AD admin to make you a subscription admin: After adding Alex to the directory, Prasanna grants them access to the target subscription (in this example, 63dd1841-d38d-4ed6-9c5e-50fbea1e297f) that Alex wishes to use to provision XenApp on Azure (as described in a Microsoft article).

Once you have this in place, you are good to go (as shown in the illustration below).

Azure AD authentication to your Azure subscription

If you have questions or comments, use the comments section below to discuss.

Call For Topics Banner Blog Post