2.5 Azure Virtual Desktop
Key Takeaways
- Azure Virtual Desktop (AVD), formerly Windows Virtual Desktop, is a cloud-hosted desktop and application virtualization service running on Azure VMs.
- Windows 11 and Windows 10 Enterprise multi-session is UNIQUE to AVD — multiple users share one VM, a capability not licensed for on-premises Hyper-V.
- AVD supports full desktops, either pooled or personal (persistent), and RemoteApp publishing of individual applications, accessible from any device with the AVD client or a browser.
- Security comes from Microsoft Entra ID authentication, MFA, Conditional Access, RBAC, and reverse connect — no inbound ports are opened and only screen pixels reach the device.
- AVD cuts cost through multi-session density (fewer VMs per user) and is the managed answer for remote/hybrid work, BYOD, and contractor access.
Quick Answer: Azure Virtual Desktop (AVD) is a managed Virtual Desktop Infrastructure (VDI) service. It streams full Windows desktops or individual apps from Azure VMs to any device. Its signature feature is Windows 11/10 Enterprise multi-session, letting many users share one VM — a capability available only on Azure.
What Is Azure Virtual Desktop?
Azure Virtual Desktop (AVD) — formerly Windows Virtual Desktop (WVD) — is a desktop and application virtualization service running entirely in Azure. Instead of giving each employee a physical PC, the desktop runs on Azure VMs and the user connects from a laptop, tablet, thin client, Mac, or web browser using the AVD client.
AVD is a form of Virtual Desktop Infrastructure (VDI): the operating system, applications, and data live in the cloud, and the endpoint device only displays the session. Because Microsoft manages the brokering, gateway, and web-access components, AVD is a managed VDI — you supply and size the session-host VMs, and Azure runs the control plane around them.
Core Architecture (high level)
| Component | Role |
|---|---|
| Host pool | A collection of identical session-host VMs that users connect to |
| Session host | An Azure VM running Windows multi-session or single-session that hosts user sessions |
| Application group | What is published to users — a full Desktop group or a RemoteApp group of individual apps |
| Workspace | A logical container that groups application groups for users to discover |
| Control plane | Microsoft-managed gateway, connection broker, and diagnostics |
Key Capabilities
| Feature | Description |
|---|---|
| Multi-session Windows | Run Windows 11 or Windows 10 Enterprise multi-session so many users share one VM — unique to Azure |
| Full desktop | Deliver a complete Windows desktop experience |
| RemoteApp | Publish individual applications (e.g., one line-of-business app) instead of a whole desktop |
| Microsoft 365 integration | Optimized delivery of Microsoft 365 Apps including Word, Excel, and Teams |
| Pooled or personal | Pooled (users share session hosts) for density, or personal/persistent (one dedicated VM per user) |
On the Exam: Windows 11/10 Enterprise multi-session is the headline differentiator. Standard Windows client licensing allows only one interactive session; multi-session lets several users log in to a single VM, and it is offered only through Azure Virtual Desktop.
Why Organizations Choose AVD
- Work from anywhere — the desktop follows the user to any internet-connected device, supporting remote and hybrid work.
- Bring Your Own Device (BYOD) — contractors and staff use personal hardware without corporate data ever landing on it.
- Centralized management — IT images, patches, and governs every desktop from the Azure portal instead of touring physical machines.
- Fast onboarding/offboarding — spin up a new user's desktop in minutes; revoke access instantly when they leave.
- Cost optimization — multi-session density packs many users onto fewer VMs, and host pools can scale down or power off outside business hours.
- FSLogix profile containers — user profiles roam between session hosts in a pooled host pool, so users keep their settings even when assigned a different VM at each login.
Security Model
AVD's security is a frequent exam theme because the design keeps data off endpoints.
| Control | What it does |
|---|---|
| Microsoft Entra ID | Authenticates users (formerly Azure Active Directory) |
| Multi-factor authentication (MFA) | Adds a second verification factor |
| Conditional Access | Enforces sign-in rules by device, location, or risk |
| Role-based access control (RBAC) | Limits who can manage host pools and resources |
| Reverse connect | Session hosts open no inbound ports to the internet; the host reaches out to the AVD gateway |
| Pixel-only streaming | Only screen images, keystrokes, and mouse moves traverse the wire; files stay in Azure |
Because of reverse connect, you never expose Remote Desktop Protocol (RDP) ports such as 3389 to the public internet, eliminating a huge attack surface that traditional RDP servers carry.
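The "no inbound ports" property can be verified against the network security group (NSG) on a session-host subnet. The Python below is an added example, not part of the original guide: it assumes rules exported in the JSON shape that `az network nsg rule list` prints, runs on constructed sample rules, and treats only `*`, `Internet` and `0.0.0.0/0` as internet sources for TCP traffic.

```python
# Added example: audit NSG rules (JSON shape of `az network nsg rule list`)
# for RDP exposed to the internet. Both rule sets are constructed samples.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}
RDP_PORT = 3389

AVD_SUBNET_RULES = [  # constructed: outbound only, no inbound rules at all
    {"name": "AllowAvdServiceOut", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "443"},
]
LEGACY_RDP_RULES = [  # constructed: traditional internet-facing RDP server
    {"name": "AllowRdpIn", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["3380-3390"]},
]

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(port_range, port):
    """True if a range such as '*', '3389' or '3000-4000' includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def _matches_public_rdp(rule):
    """True if the rule applies to inbound TCP 3389 from an internet source."""
    if rule["direction"].lower() != "inbound":
        return False
    if rule["protocol"].lower() not in ("*", "tcp"):
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return (any(s.lower() in INTERNET_SOURCES for s in sources)
            and any(_covers_port(p, RDP_PORT) for p in ports))

def public_rdp_rule(rules):
    """Name of the Allow rule exposing 3389 to the internet, else None.
    First match in ascending priority wins, so an earlier Deny shadows it."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches_public_rdp(rule):
            return rule["name"] if rule["access"].lower() == "allow" else None
    return None
```

An Allow rule scoped to a specific public CIDR is not flagged by this check and still needs manual review.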
Worked Scenario
A consulting firm hires 50 seasonal analysts who use their own laptops. The firm needs them to run a sensitive financial app for three months without that data ever residing on personal devices. AVD with a pooled host pool and RemoteApp publishes just the financial app; reverse connect avoids open ports, Conditional Access plus MFA gates sign-in, and at contract end IT removes the users — no data was ever copied to a laptop because only pixels were streamed.
Common Traps
- AVD does not virtualize Linux desktops; it delivers Windows desktops and apps.
- Multi-session is the only feature truly unique to Azure — remote desktop, app virtualization, and full desktops also exist elsewhere, so a question asking what is unique should be answered with multi-session.
- Pooled (shared, non-persistent) saves the most money; personal/persistent gives each user a dedicated VM but costs more — match the choice to whether users need to keep their own customizations.
On the Exam: Tie AVD to managed VDI for remote/BYOD work, remember reverse connect = no inbound ports, and recall that data stays in Azure while only pixels stream to the device. These three points cover most AVD questions on AZ-900.
Which capability is unique to Azure Virtual Desktop and not licensed for on-premises Windows?
How does Azure Virtual Desktop's reverse connect feature improve security?
A company wants to minimize VM cost by letting many users share the same session-host VMs rather than giving each user a dedicated machine. Which host pool type fits?