Multi Entra ID Support

This article provides step-by-step guidance for creating the necessary app registration and linking additional tenants and subscriptions within Nerdio Manager to manage AVD resources and assignments across multiple Azure tenants.

Link the Tenants

Note: If you are linking another tenant and subscription for resource purposes only, and you do not require AVD management, follow the existing guidance for adding tenants and subscriptions. See Link Azure Subscription Using App Credentials for details.

Prerequisites

Before linking the subscription, ensure the tenant is linked and the app registration has been performed in the target tenant. Tenant and subscription permissions may take more than 10 minutes to propagate.

Tip: Nerdio recommends pre-creating all the required resources and permissions in the target tenant at least one hour before performing the linking process in Nerdio Manager.

App Registration Process

To perform the app registration process:

  1. In the target tenant, create the app registration for the tenant as described in our app registration guide. See Link Azure Subscription Using App Credentials for details.

  2. Ensure you record the following information from the created app registration:

    • Tenant ID

    • Client App ID

    • Client App Secret

  3. If the tenant is intended for use with AVD resources, ensure the app registration includes the Graph permissions for Entra ID shown below. These should be configured as Application permissions.

    • User.Read.All

    • Group.Read.All

  4. Select Grant admin consent for [subscription name].

  5. Ensure you assign the following application registration permissions to existing resources:

    • Reader and Backup Reader: Application registration at the subscription level.

    • Contributor: Application registration at the VNet resource group (RG) and the in-scope resources' RG level.

    • Owner: AVD desktop application group. This permission should be assigned to each desktop application group you manage.

    Note: If the signed-in user has the needed permissions, Nerdio Manager assigns the above permissions to any newly linked resource group and VNet.

  6. Return to Nerdio Manager for the next steps.
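
One way to check the role assignments from step 5 before linking, as an added example that is not Nerdio's own code: it compares role assignments, in the JSON shape that `az role assignment list --assignee <app-id> --all -o json` emits, against the roles listed above and reports what is missing and what goes beyond the guide. The subscription ID, resource group names and application group name are constructed placeholders.

```python
import json

# Roles from step 5 of the app registration process, by scope level.
SUB_ROLES = {"Reader", "Backup Reader"}
RG_ROLES = {"Contributor"}
APP_GROUP_ROLES = {"Owner"}
# The subscription-linking note also calls for Owner on target resource groups.
RG_OPTIONAL = {"Owner"}

def audit(assignments, subscription_id, resource_groups, app_group_ids):
    """Return (missing, review): required pairs absent, and grants beyond the guide."""
    sub = f"/subscriptions/{subscription_id}".lower()
    rgs = [f"{sub}/resourcegroups/{rg.lower()}" for rg in resource_groups]
    # ARM scopes are case-insensitive, so compare them lower-cased.
    have = {(a["scope"].lower(), a["roleDefinitionName"]) for a in assignments}
    want = {(sub, r) for r in SUB_ROLES}
    want |= {(rg, r) for rg in rgs for r in RG_ROLES}
    want |= {(g.lower(), r) for g in app_group_ids for r in APP_GROUP_ROLES}
    optional = {(rg, r) for rg in rgs for r in RG_OPTIONAL}
    return sorted(want - have), sorted(have - want - optional)

# Constructed sample data (not taken from a real tenant).
SUB_ID = "00000000-0000-0000-0000-000000000001"  # placeholder subscription ID
APP_GROUP = (f"/subscriptions/{SUB_ID}/resourceGroups/rg-avd-hosts/providers/"
             "Microsoft.DesktopVirtualization/applicationGroups/dag-finance")
SAMPLE_JSON = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_ID}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB_ID}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_ID}/resourceGroups/rg-avd-hosts"},
    {"roleDefinitionName": "Owner", "scope": APP_GROUP},
])

def run_sample():
    """Audit the sample against two in-scope resource groups and one app group."""
    return audit(json.loads(SAMPLE_JSON), SUB_ID,
                 ["rg-avd-hosts", "rg-avd-vnet"], [APP_GROUP])

if __name__ == "__main__":
    missing, review = run_sample()
    for scope, role in missing:
        print(f"MISSING  {role:<14} {scope}")
    for scope, role in review:
        print(f"REVIEW   {role:<14} {scope}")
```

In the sample, Backup Reader at the subscription and Contributor on the VNet resource group are reported as missing, and the subscription-wide Contributor grant is reported for review because step 5 scopes Contributor to resource groups.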

Link the Tenant in Nerdio Manager

Tip: Tenant and subscription permissions may take more than 10 minutes to propagate. Nerdio recommends pre-creating all required resources and permissions in the target tenant at least 1 hour before performing the linking process in Nerdio Manager.

To link the tenant:

  1. In Nerdio Manager, navigate to Settings > Azure environment.

  2. In the Primary Entra ID tenant tile, in the Linked Entra ID tenants section, select Link using app credentials.

  3. Enter the following information:

    • Tenant ID: Paste the Tenant ID.

    • Select client app: From the drop-down list, select the client app.

      Note: Nerdio Manager does not validate these permissions at this step; validation occurs during the link subscription process.

  4. Once you have entered all the desired information, select OK.

  5. Once successfully linked, proceed to the next step.

Link the Subscription in Nerdio Manager

Once the tenant has been linked, all in-scope subscriptions within the target tenant should also be linked. Follow the process outlined below.

Note: Contributor permissions are required as a minimum to read AVD resources. Owner permission is additionally required on any target resource groups and AVD app groups to make changes to resources. These permissions should be assigned to the Nerdio Manager Service Principal that was created as part of this process. See Link Azure Subscription Using App Credentials for details on the required permissions.

To link the subscription:

  1. In Nerdio Manager, navigate to Settings > Azure environment.

  2. In the Azure subscriptions tile, select Link using app credentials.

  3. Enter the following information:

    • Tenant ID: Paste the Tenant ID.

    • Subscription ID: Paste the Subscription ID.

    • Select client app: From the drop-down list, select the client app registration.

    • Azure cloud: From the drop-down list, select the Azure cloud.

    • Client app ID: Paste the client app ID.

    • Client app secret: Paste the client app secret.

    • Enable AVD resource management: Toggle this option On.

  4. Once you have entered all the desired information, select OK.

    Once the subscription is successfully linked, it is listed in the Azure subscriptions tile.

  5. In the Linked resource groups tile, locate the newly linked subscription. Link any resource groups that require management by Nerdio Manager.

    This completes the tenant and subscription linking process.

Notes:

  • Cross-Cloud Deployment:

    • If the Nerdio Manager application is deployed in the Public cloud, it cannot be used in the Government cloud, and vice versa. Make sure your app deployment aligns with the appropriate cloud environment.

    • Only tenants of the same type are supported. You cannot mix Commercial and Government tenants.

  • Azure API Limit Booster: To overcome the Azure API limits that apply per client app, consider using multiple client apps for the subscription via the Nerdio Azure API limit booster feature. See Azure API Limit Booster for details.