I am pleased to announce preview support in Citrix Cloud XenApp and XenDesktop service to provision VDAs in the Azure Germany cloud. This allows Citrix administrators to quickly deploy and manage XenApp and XenDesktop workloads in the Azure Germany cloud using the same familiar Machine Creation Services (MCS) interface currently available for various other worldwide Azure regions.

Azure Germany is a secured and isolated cloud

  1. All customer data and related systems reside in Germany
  2. It’s designed to meet strict European Union (EU) requirements
  3. Controlled by a German data trustee (T-Systems International GmbH)
  4. Available to organizations doing business in EU/EFTA and UK

As you heard Microsoft’s Brad Anderson’s mention in our recent webinar: Citrix + Microsoft: Accelerate a secure journey to the cloud, the footprint and number of such isolated instances of Azure, whether it’s Azure US Government, Azure Germany or Azure China, will only increase in the coming years due to increased data sovereignty laws and requirements, as well as security and compliance reasons.

Provisioning VDAs in Azure Germany Cloud consists of two steps:

  • First you establish a connection between Citrix Cloud XenApp and XenDesktop service and your Azure Germany subscription by creating Host Connection and defining Hosting Resources.
  • Second step is to create VDAs using the established connection and resources using Citrix Machine Creation Services (MCS).


  • Entitlement to XenApp and XenDesktop service within Citrix Cloud.
  • An Azure Germany Subscription.
  • An account which is a member of the Azure Active Directory (Azure AD) associated with your subscription, which is also a co-administrator/owner of the subscription. Please visit blog Demystifying Azure AD Authentication to learn more about Azure AD and member accounts.
  • Resource Location in Azure Germany cloud having a virtual network and subnet(s) in your preferred Azure Germany region with connectivity to an AD controller and a pair of Citrix Cloud Connector VMs joined to AD domain.

Create Connection

To create connection from Citrix Studio, navigate to Hosting option under Configuration in the left pane and select option Add Connection and Resources from the Actions pane.  Host connection creation wizard gets launched, under Create a new Connection select connection type Microsoft Azure, notice that under the Azure environment drop-down, there is new option Azure Germany – Preview, you need to select this environment type.

When Citrix started support for provisioning VDAs in Azure Resource Manager, the first environment we supported was Azure Global, but now you will notice Azure China, Azure US Government – Preview and now there is Azure Germany-Preview. So the Azure environment drop-down is a dynamic list, it will keep on updating as soon as XenDesktop starts supporting new Azure environments. That means there is pretty much no need to introduce new wizard pages, learning new concepts or processes to provision VDAs in various Azure environments – it’s exactly the same across all instances.

To provision VDAs using MCS, select option Studio tools (Machine Creation Services) and navigate to Next page. Notice that the Connection Details page and all other pages in the wizard are same as other Azure environments supported so far by XenDesktop.

Same as other supported Azure environments, you can connect to your Azure Germany subscription in two ways, either by using Create new or Use existing option. There is already an excellent blog on Connecting to Azure Resource Manager in XenApp & XenDesktop, please follow that blog to learn more about creating host connection and hosting resources. Since the steps to be followed are exactly the same, I wouldn’t like to repeat it again in this blog, but only focus on the differences and revisit the important points.

The authentication process used by XenDesktop behind the scenes is same for any supported Azure environment.  Please remember that, if you use Create new option to create host connection, the Service Principal created behind the scenes has contribute access on the entire subscription. You can either let XenDesktop create it or use Azure PowerShell to create it and then use the Use existing option to create connection and provide the details of pre-created Service Principal.

Once you establish the connection next step is to define hosting resources. Regions page in this case will show only the regions in Azure Germany environment accessible to your subscription.

Proceed with the wizard and finish the connection and resources creation process. Follow the blog mentioned above to accomplish this task.

Please note that only the host connection UI for Azure Germany is in preview mode but, once you establish the connection, it will not be affected by the changes we will be making to go from preview to fully supported feature. That means once you create the host connection, you can use it to deploy MCS catalogs in Azure Germany and you can use those catalogs as production workloads. There is no need for you to wait for this feature to become fully supported in order to use the production workloads.

Create Connection using an existing Application/Service Principal

If you are familiar with ARM, Azure AD, Azure PowerShell, you may already be using Application and Service Principals. XenDesktop allows you to define Service Principals outside of Studio and provide details of existing Service Principals to establish connection. Let’s look at the Use existing studio wizard page.

Azure Global
Azure Germany

Notice the difference between the Authentication URL, Management URL and Storage suffix for Azure Global and Azure Germany. These endpoints are unique for each Azure environment. We need to use these unique endpoints to establish the connection to those specific environments.

You may also want to use the Use existing option when you don’t want to use the Service Principal that has contribute access on the entire subscription. If your organization’s security policies don’t allow the use of subscription scope Service Principals, you can use PowerShell to define a Service Principal that has access only on the minimum required resources and provide details of that Service Principal in the Use existing option. Please visit the blog Azure Role Based Access Control in XenApp & XenDesktop to learn more about creating narrow scope Service Principals.

PowerShell Scripting Support

You can choose to automate the creation of a connection rather than using Studio’s interactive authentication option. Please find below the sample script to define connection, it uses Azure PowerShell commands and Citrix snap-ins. This same script can be used to create connection to any supported Azure environment, but you need to modify the “EnvironmentName “, “AuthenticationAuthority”, “ManagementEndPoint” and “StorageSuffix” custom properties in the script below to appropriate values based on the environment of your choice.


Add-PsSnapin Citrix*

$customProperties = @"
<CustomProperties xmlns="http://schemas.citrix.com/2014/xd/machinecreation" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Property xsi:type=`"StringProperty`" Name=`"EnvironmentName`" Value="AzureGermanCloud"/>
<Property xsi:type="StringProperty" Name="AuthenticationAuthority" Value="https://login.microsoftonline.de/"/>
<Property xsi:type="StringProperty" Name="ManagementEndpoint" Value="https://management.microsoftazure.de/"/>
<Property xsi:type="StringProperty" Name="StorageSuffix" Value="core.cloudapi.de"/>
<Property xsi:type="StringProperty" Name="TenantId" Value="$tenantId"/>
<Property xsi:type="StringProperty" Name="SubscriptionId" Value="$subscriptionId"/>

$connection = New-Item -ConnectionType "Custom" -CustomProperties $customProperties -HypervisorAddress @("https://management.microsoftazure.de/") `
-Path @("XDHyp:\Connections\$connectionName") -Persist -PluginId "AzureRmFactory" -Scope @() `
-SecurePassword (ConvertTo-SecureString -AsPlainText -Force $applicationPassword) -UserName $applicationId -ZoneUid "$zoneUId"

New-BrokerHypervisorConnection -HypHypervisorConnectionUid $connection.HypervisorConnectionUid 

Once this script is executed, host connection gets created and can be seen in Citrix Studio, you can then use either Studio or PowerShell to create hosting resources.

Create and Manage MCS Catalog

Once you create host connection and hosting resources, creating MCS catalog in Azure Germany cloud is same as other Azure environments. Please refer to existing blog Using XenApp & XenDesktop in Azure Resource Manager to learn more about creating MCS catalogs in Azure.

Once you have MCS catalog created in Azure Germany, you may want to do image updates for the catalogs in use for various reasons. Please refer to existing blog Update and Rollback XenDesktop Azure Resource Manager Catalog for doing image updates.

If you are using narrow scope Service Principal for your host connection then you will have to create custom pre-defined resource groups in Azure. We have recently added support in Citrix studio so that you can select existing empty resource groups for creating catalogs. Please visit the blog to learn more about it.

We have recently released a new feature on-demand provisioning which brings in a number of performance enhancements and storage cost savings. Please visit blog Provisioning XenDesktop on Azure Just Got a Lot Faster to learn more about it.