Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Microsoft Azure

Publishing Azure RemoteApp Programs to Selected Users


In this how-to article, I’ll show you how to publish Azure RemoteApp programs to specific users, along with steps on filtering their view and access to software, reducing the number of required app collections, and limiting your licensing obligations. Note that at the time of writing this article, this is a preview feature that you will need to request access to before proceeding.

Previous Microsoft RemoteApp Limitations

When Microsoft launched RemoteApp into general availability, it was a basic service that lacked much of the features we take for granted with on-premises Remote Desktop Services or similar server-based computing solutions. But thanks to RemoteApp being a cloud service and Microsoft’s sprint development practices, RemoteApp improves on a monthly basis, and customers are seeing rapid improvement in Azure’s managed RDS farm service.

There were a few limitations in RemoteApp that dogged some customers, such as re-introducing old problems that many had thought were gone with parachute pants into distant memory. The first of these issues was that when you create a RemoteApp collection, you had to grant a user all or nothing access to the applications within that collection. Let’s say that I was installing Office 365 Pro Plus and Project in my collection. All of my users might have licensing for Office 365, but only a subset would be licensed for Project — but in this case, I would have had to license the software to all those users that can access and use the software.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

Applications published in the default “collection mode” in Azure RemoteApp (Image Credit: Aidan Finn)
Applications published in the default “collection mode” in Azure RemoteApp (Image Credit: Aidan Finn)

The solution was to create application silos — there’s a phrase that server-based computing administrators hate to hear! A RemoteApp user can only be assigned to a single app collection. So this means that now I have to:

  1. Create and maintain two images; one with Office 365 Pro Plus, and a second with Office 365 Pro Plus and Project
  2. Deploy and manage two app collections, one from each image.
  3. Assign users to the appropriate app collections.

Not only have I doubled the amount of RemoteApp administration that I have to do, but I have used the second of my three possible app collections — you can request an increase via the free billing support.

Users are assigned complete access to all apps in Azure RemoteApp “collection mode” [Image Credit: Aidan Finn]
Users are assigned complete access to all apps in Azure RemoteApp “collection mode” [Image Credit: Aidan Finn]

Application Mode

Microsoft announced in March that RemoteApp will support app collections that run in one of two modes. This feature is currently in request-only-access preview:

  • Collection mode (default): Users are assigned to a collection and have access to all applications in the collection; this is how Azure RemoteApp worked before the change.
  • Application mode: This new mode allows you to control what applications a user can access via explicit assignments.

Switching Modes

It is not possible to switch an app collection between the two modes using the management portal at this time; you will need to use PowerShell.

Note: At this time, RemoteApp can only be managed using Azure V1 (Service Management) PowerShell cmdlets and the classic management portal.

Log into Azure using add-azureaccount in a PowerShell console with a suitable administrator account, and make sure that you are working with the correct subscription. Query your RemoteApp collections with:


Note the AclLevel property which is Collection by default. You can change this to Application mode with:
Set-AzureRemoteAppCollection -CollectionName <CollectionName> -AclLevel Application

Now you are ready to manage applications. Note that applications are managed by their alias. You can query the alias values of your applications with:
Get-AzureRemoteAppProgram -CollectionName <CollectionName>

You can query who has access to an application by running:
Get-AzureRemoteAppUser -CollectionName <CollectionName> -Alias <AppAlias>

You can assign access to a user with:
Add-AzureRemoteAppUser -CollectionName <CollectionName> -UserUpn <[email protected]> -Type <OrgId|MicrosoftAccount> -Alias <AppAlias>

And you can revoke access with:
Remove-AzureRemoteAppUser -CollectionName <CollectionName> -UserUpn <[email protected]> -Type <OrgId|MicrosoftAccount> -Alias <AppAlias>

This preview feature is a great step forward for RemoteApp because it will improve the manageability of RemoteApp by allowing us to run fewer collections and probably reduce the cost of client software by controlling access. Try the feature out and remember to give Microsoft some feedback.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: