Advanced Installation: Split Identity
This feature is only available in the Nerdio Manager Premium edition.
Traditional Nerdio Manager deployments should follow the steps and instructions provided in our Installation Guide. See Nerdio Manager Installation Guide for details. The advanced install methods outlined here should only be used for specific situations as warranted.
Warning: This is an advanced, custom, install of Nerdio Manager recommended only for special circumstances. Please use this with the advice and guidance of Nerdio Support. Please contact us with any questions at all: nme.support@getnerdio.com.
The default and most common method of installing Nerdio Manager is deploying in a single Azure tenant that contains both users and groups (the identity tenant) as well as the VMs and session hosts (the deployment tenant).
It is also possible to install Nerdio Manager to use separate Azure tenants for identity and deployment. This is what we call a "split identity" deployment.
All billable resources (Nerdio Manager supporting components, VMs, networking, storage, etc.) are provisioned into a subscription within the deployment tenant.
All user, group, and AVD resources are provisioned into a subscription within the identity tenant.
The AVD resources provisioned into the identity tenant include Workspaces, Host Pools, and App Groups. These are all non-billed resources, and exist in the identity tenant so users and groups may be assigned.
The resources in the deployment tenant are registered to the AVD components inside the identity tenant.
Split Identity Installation Prerequisites
Prerequisites and requirements:
Installation requires running the PowerShell script (which requires the Az modules). The Cloud Shell and Automated installation methods do not support advanced installations.
The Azure tenant containing the user accounts (identity tenant) should contain a funded Azure subscription. This is a requirement for AVD to register the Workspaces and Host Pools.
Global Admin and subscription Owner cloud-native user account in the deployment tenant (recommended to be *onmicrosoft.com).
Global Admin and subscription Owner cloud-native user account in the identity tenant (recommended to be *onmicrosoft.com).
The deployment user should be invited to the identity tenant as a guest user and granted Global Admin and subscription Owner.
Note: This is temporary and only for the initial deployment and configuration. Once completed, the guest user from the deployment tenant should be removed and rights revoked.
The identity tenant needs an Azure subscription for the AVD resources to be registered. This is a requirement of AVD and not Nerdio Manager.
Split Identity Installation
The following procedure details how to perform a Nerdio Manager split identity installation.
To perform a split identity installation:
From the deployment tenant, deploy Nerdio Manager from Azure Marketplace into a new (empty) Resource Group. Follow the normal installation process and download Az PowerShell script for configuration.
The PowerShell script prompts for credentials and asks to confirm if you are installing in a Split Identity configuration.
For the first authentication prompt, authenticating to Azure in the deployment tenant, sign in as the deployment admin user.
For the second authentication prompt, authenticating to Entra ID in the deployment tenant, sign in as the deployment admin user.
A third authentication prompt appears, authenticating to Azure in the identity tenant. Sign in as the identity admin user.
If the script returns "User '<identity_user_upn>' returned by service does not match user '<deployment_user_upn>' in the request", make sure that, while authenticating with the identity user account, every other user listed in the authentication dialog is set to 'Sign out and forget'. Otherwise PowerShell may authenticate with the wrong user, because Windows may have the deployment admin account (or other users) saved as a sign-in.
A selection window is displayed. Select the subscription that should contain the AVD components in the identity tenant.
PowerShell may automatically authenticate with stored credentials from Windows. If so, please attempt from a (temporary) newly provisioned Azure VM to avoid these issues with saved credentials.
At the fourth and final authentication prompt, authenticating to Entra ID in the identity tenant, sign in as the identity admin user.
Allow the remainder of the installation script to complete successfully. Be sure to grant the Entra ID admin consent when prompted.
Note: There may be two prompts for consent. Be sure to authenticate with the matching user accounts (deployment tenant consent should be requested first).
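An added pre-flight check, not part of Nerdio's installer script, that signs in to each tenant with the Az module and confirms the session holds the intended user in the intended tenant, which is exactly what the wrong-user error above is about. The tenant IDs, admin UPNs and identity subscription name are placeholders.

```powershell
# Added example, not Nerdio's installer: confirm the Az session is the intended user in the intended tenant.
# Placeholders to replace: both tenant IDs, both admin UPNs and the identity subscription name.
$DeploymentTenantId   = '<deployment-tenant-id>'
$IdentityTenantId     = '<identity-tenant-id>'
$DeploymentAdmin      = 'deployadmin@deployment.onmicrosoft.com'
$IdentityAdmin        = 'identityadmin@identity.onmicrosoft.com'
$IdentitySubscription = '<identity-subscription-name>'

function Assert-AzSignIn {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ExpectedUpn,
        [string] $Subscription
    )
    # Drop every cached context in this process so a saved sign-in cannot be reused silently.
    # This is the Az-module equivalent of choosing 'Sign out and forget' in the sign-in dialog.
    Clear-AzContext -Scope Process -Force | Out-Null

    $params = @{ Tenant = $TenantId }
    if ($Subscription) { $params['Subscription'] = $Subscription }
    # Device-code sign-in bypasses accounts saved in Windows, the usual cause of the
    # "User ... returned by service does not match user ..." error.
    Connect-AzAccount @params -UseDeviceAuthentication | Out-Null

    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $TenantId) {
        throw "Landed in tenant '$($ctx.Tenant.Id)', expected '$TenantId'."
    }
    if ($ctx.Account.Id -ne $ExpectedUpn) {
        throw "Signed in as '$($ctx.Account.Id)', expected '$ExpectedUpn'. Sign out of the other account and retry."
    }
    Write-Host "OK: $($ctx.Account.Id) in tenant $TenantId (subscription: $($ctx.Subscription.Name))"
    return $ctx
}

# Deployment tenant: the deployment admin user.
Assert-AzSignIn -TenantId $DeploymentTenantId -ExpectedUpn $DeploymentAdmin

# Identity tenant: the identity admin user, landing in the subscription that will hold
# the AVD Workspaces, Host Pools and App Groups.
Assert-AzSignIn -TenantId $IdentityTenantId -ExpectedUpn $IdentityAdmin -Subscription $IdentitySubscription
```

If the identity-tenant check still lands on the deployment admin, the saved Windows sign-in is being reused and the page's advice of running from a freshly provisioned VM applies.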
Split Identity Configuration
Once the installation is complete, the split identity configuration must be performed.
To configure split identity:
Once the installation script is finished, within the identity tenant AzureAD under Enterprise Applications, find and select 'nerdio-nmw-app', and then select Users and Groups.
Select Add User/Group, and then find and select the invited guest deployment admin user account, and assign the 'WVD Admin' role, and then Save.
Re-open the Nerdio Manager URL and authenticate as the deployment admin user.
Follow the wizard and link to networking and resource groups in the deployment tenant as needed.
Once the configuration wizard is complete, sign in to the Nerdio Manager URL as the identity admin user account.
Navigate to Settings > Azure Environment.
In the Linked resource groups tile, select Link.
The list should display the available resource groups within the identity tenant. Select and link the Resource Group that should contain the AVD resources inside the identity tenant (Workspaces, Host Pools, App Groups, etc.).
Notes:
These are non-billed resources, and must exist within the same tenant as the users and groups that are assigned to AVD.
When creating a new Workspace (as the identity admin user), the available Resource Groups should be limited to only the linked Resource Groups in the identity subscription.
After creating a new Workspace, entitle additional admin users from the identity tenant within Nerdio Manager.
Verify Permissions and Consent
After the split identity has been configured, you must verify permissions and consent. There should be pop-up windows requesting permission consent during the application install, but please verify permissions are consented in both tenants for the Nerdio Manager application.
To verify permissions and consent:
Within the deployment tenant Entra ID, verify the API permissions are granted successfully to the application. In Entra ID, under App Registrations, All Applications, search for 'nerdio-nmw-app', and select the API Permissions menu.
Note: All permissions listed should show a green check mark. If any do not, select the 'Grant admin consent' button; afterwards all permissions should show green check marks.
Within the deployment tenant Entra ID, verify the service principal permissions are granted successfully. In Entra ID, under Enterprise Applications, search for 'nerdio-nmw-app', and select the Permissions menu.
Note: All permissions listed should display a value under "Granted by." It may say An administrator or a username. (Either is okay.)
Within the identity tenant Entra ID, verify the service principal permissions are granted successfully. In Entra ID, under Enterprise Applications, search for 'nerdio-nmw-app', and select the Permissions menu.
Note: All permissions listed should display a value under "Granted by." It may say An administrator or a username. (Either is okay.)
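An added example, not part of Nerdio's documentation, that reports the consent state of the 'nerdio-nmw-app' service principal in the tenant you are connected to using the Microsoft Graph PowerShell SDK; run it once against the deployment tenant and once against the identity tenant. The tenant ID is a placeholder.

```powershell
# Added example, not Nerdio's code: report consent for nerdio-nmw-app in the connected tenant.
# Run once per tenant (deployment and identity). The tenant ID is a placeholder.
Connect-MgGraph -TenantId '<tenant-id>' -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All' | Out-Null

function Get-NerdioConsentReport {
    param([string] $AppDisplayName = 'nerdio-nmw-app')

    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { throw "Enterprise application '$AppDisplayName' is not present in this tenant." }
    $report = @()

    # Delegated permissions. ConsentType 'AllPrincipals' is what the portal shows as admin consent;
    # 'Principal' means one user consented for themselves only, which is not sufficient here.
    foreach ($grant in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            $report += [pscustomobject]@{
                Type           = 'Delegated'
                Resource       = $resource.DisplayName
                Permission     = $scope
                AdminConsented = ($grant.ConsentType -eq 'AllPrincipals')
            }
        }
    }

    # Application permissions: an app role assignment exists only once an admin has granted it.
    foreach ($assignment in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        $report += [pscustomobject]@{
            Type           = 'Application'
            Resource       = $resource.DisplayName
            Permission     = $(if ($role) { $role.Value } else { $assignment.AppRoleId })
            AdminConsented = $true
        }
    }
    return $report
}

$report = Get-NerdioConsentReport
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.AdminConsented })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) delegated permission(s) lack admin consent; use 'Grant admin consent' in the portal."
}
```

The report lists what has actually been granted; compare it against the API Permissions page of the app registration in the deployment tenant to spot anything still missing.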
Cleanup
Once all configuration steps have been finalized and completed, some cleanup needs to be performed.
To perform the post-installation cleanup:
The admin user accounts used for the split identity installation can be deleted, or removed from the Global Admin and subscription Owner roles.
The deployment admin user that was invited as a guest to the identity tenant should be removed as AVD Admin from within Nerdio Manager under RBAC Roles > Assignments.
The deployment admin user guest account should also be deleted from the identity tenant (in Entra ID, under Users).
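An added post-cleanup check, not part of Nerdio's documentation, that confirms no guest account in the identity tenant still holds Global Administrator and that the deployment admin's guest object has been deleted. The tenant ID and deployment admin UPN are placeholders, and matching the guest by its mail attribute assumes the standard B2B invitation, which stores the invited address there.

```powershell
# Added example, not Nerdio's code: verify the temporary guest access was actually revoked.
# Placeholders: the identity tenant ID and the deployment admin's home UPN.
Connect-MgGraph -TenantId '<identity-tenant-id>' -Scopes 'Directory.Read.All' | Out-Null
$DeploymentAdminUpn = 'deployadmin@deployment.onmicrosoft.com'

function Get-GuestGlobalAdmins {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { return @() }
    $guests = @()
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        # The member listing does not include userType, so fetch each user explicitly.
        $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,UserType
        if ($user.UserType -eq 'Guest') { $guests += $user }
    }
    return $guests
}

function Test-GuestRemoved {
    param([Parameter(Mandatory)] [string] $HomeUpn)
    # Invited guests get a UPN like user_domain.com#EXT#@tenant.onmicrosoft.com, so match on
    # mail, which a B2B invitation sets to the invited address (assumption noted in the lead-in).
    $guest = Get-MgUser -Filter "mail eq '$HomeUpn'" -Property Id,UserPrincipalName,UserType |
             Where-Object { $_.UserType -eq 'Guest' }
    return (-not $guest)
}

$guestAdmins = @(Get-GuestGlobalAdmins)
if ($guestAdmins.Count -gt 0) {
    Write-Warning "Guest accounts still hold Global Administrator in the identity tenant:"
    $guestAdmins | Select-Object UserPrincipalName
} else {
    Write-Host "OK: no guest Global Administrators remain in the identity tenant."
}

if (Test-GuestRemoved -HomeUpn $DeploymentAdminUpn) {
    Write-Host "OK: guest object for $DeploymentAdminUpn is gone."
} else {
    Write-Warning "Guest object for $DeploymentAdminUpn still exists; delete it in Entra ID under Users."
}
```

The AVD Admin assignment inside Nerdio Manager (RBAC Roles > Assignments) is not visible to Graph and still has to be checked in the Nerdio Manager portal.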
Known Limitations
Split Identity installations do not support the following scenarios:
Cross-cloud environments are not supported. The target tenants must be of the same type (global-global, gov-gov).
Entra ID-joined resources are not supported. Only domain-joined and Entra ID Domain Services-joined resources are supported.
AVD Monitor Insights is not supported.
Start on Connect is not supported.
User cost attribution results may be variable. The feature is not supported.
Unified Endpoint Management Intune integration results may be variable. The feature is not supported.