Publishing Azure RemoteApp Programs to Selected Users
In this how-to article, I’ll show you how to publish Azure RemoteApp programs to specific users, along with steps on filtering their view and access to software, reducing the number of required app collections, and limiting your licensing obligations. Note that at the time of writing this article, this is a preview feature that you will need to request access to before proceeding.
Previous Microsoft RemoteApp Limitations
When Microsoft launched RemoteApp into general availability, it was a basic service that lacked much of the features we take for granted with on-premises Remote Desktop Services or similar server-based computing solutions. But thanks to RemoteApp being a cloud service and Microsoft’s sprint development practices, RemoteApp improves on a monthly basis, and customers are seeing rapid improvement in Azure’s managed RDS farm service.
There were a few limitations in RemoteApp that dogged some customers, such as re-introducing old problems that many had thought were gone with parachute pants into distant memory. The first of these issues was that when you create a RemoteApp collection, you had to grant a user all or nothing access to the applications within that collection. Let’s say that I was installing Office 365 Pro Plus and Project in my collection. All of my users might have licensing for Office 365, but only a subset would be licensed for Project — but in this case, I would have had to license the software to all those users that can access and use the software.
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
The solution was to create application silos — there’s a phrase that server-based computing administrators hate to hear! A RemoteApp user can only be assigned to a single app collection. So this means that now I have to:
- Create and maintain two images; one with Office 365 Pro Plus, and a second with Office 365 Pro Plus and Project
- Deploy and manage two app collections, one from each image.
- Assign users to the appropriate app collections.
Not only have I doubled the amount of RemoteApp administration that I have to do, but I have used the second of my three possible app collections — you can request an increase via the free billing support.
Microsoft announced in March that RemoteApp will support app collections that run in one of two modes. This feature is currently in request-only-access preview:
- Collection mode (default): Users are assigned to a collection and have access to all applications in the collection; this is how Azure RemoteApp worked before the change.
- Application mode: This new mode allows you to control what applications a user can access via explicit assignments.
It is not possible to switch an app collection between the two modes using the management portal at this time; you will need to use PowerShell.
Note: At this time, RemoteApp can only be managed using Azure V1 (Service Management) PowerShell cmdlets and the classic management portal.
Log into Azure using add-azureaccount in a PowerShell console with a suitable administrator account, and make sure that you are working with the correct subscription. Query your RemoteApp collections with:
Note the AclLevel property which is Collection by default. You can change this to Application mode with:
Set-AzureRemoteAppCollection -CollectionName <CollectionName> -AclLevel Application
Now you are ready to manage applications. Note that applications are managed by their alias. You can query the alias values of your applications with:
Get-AzureRemoteAppProgram -CollectionName <CollectionName>
You can query who has access to an application by running:
Get-AzureRemoteAppUser -CollectionName <CollectionName> -Alias <AppAlias>
You can assign access to a user with:
Add-AzureRemoteAppUser -CollectionName <CollectionName> -UserUpn <[email protected]> -Type <OrgId|MicrosoftAccount> -Alias <AppAlias>
And you can revoke access with:
Remove-AzureRemoteAppUser -CollectionName <CollectionName> -UserUpn <[email protected]> -Type <OrgId|MicrosoftAccount> -Alias <AppAlias>
This preview feature is a great step forward for RemoteApp because it will improve the manageability of RemoteApp by allowing us to run fewer collections and probably reduce the cost of client software by controlling access. Try the feature out and remember to give Microsoft some feedback.