Azure RemoteApp: Publish applications to individual users or a group of users


Last week the Azure RemoteApp team introduced the ‘most-voted’ feature in Azure RemoteApp: ‘Publish applications to individual users’. This functionality is now in private preview and can be requested by filling in this survey: http://www.instant.ly/s/AY83p/nav. When it’s enabled for your subscription you can publish applications to individual users. In this blog post I want to explore this new functionality and look into how it can be activated and configured. I’m also looking into combining this new functionality with publishing applications based on group membership. If you want to try it yourself you can find the documentation here: https://azure.microsoft.com/en-us/documentation/articles/remoteapp-perapp/

Let’s start with showing my current Azure RemoteApp environment as a normal user:


And the same collection in PowerShell:


The first step is to check the collection mode (AclLevel). Azure RemoteApp now supports two collection modes:

  1. Collection: When the collection is in this mode all users get all the applications. This is the default mode of newly created collections.
  2. Application: When the collection is in this mode users only see applications that have been explicitly assigned to them. The user assignment cannot be done from the portal; it can only be done through PowerShell.

So the first step is to change the collection mode to ‘Application’. This can be done by executing the following command:


Now that the collection mode is changed, let’s check the assignments with the following PowerShell cmdlet:

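As an added example (not part of the original post), the two steps above, checking or switching the collection mode and reviewing who is assigned to each application, can be combined into one audit script that reports every published program with its alias and its explicitly assigned users. It assumes that Get-AzureRemoteAppCollection exposes the mode as an AclLevel property, that Set-AzureRemoteAppCollection accepts an -AclLevel parameter, and that Get-AzureRemoteAppProgram lists all programs when -RemoteAppProgram is omitted; run it with -WhatIf to only report.

```powershell
[CmdletBinding(SupportsShouldProcess=$true)]
param (
    # Name of the Azure RemoteApp collection to audit
    [parameter(Mandatory=$true)]
    [string]$CollectionName
)

# Azure RemoteApp uses the classic (ASM) cmdlets
Add-AzureAccount

# Assumption: the collection object exposes the mode as AclLevel ('Collection' or 'Application')
$collection = Get-AzureRemoteAppCollection -CollectionName $CollectionName
if ($collection.AclLevel -ne 'Application') {
    Write-Warning "Collection '$CollectionName' is in '$($collection.AclLevel)' mode: every user gets every application."

    # Assumption: Set-AzureRemoteAppCollection takes -AclLevel; the switch honours -WhatIf/-Confirm
    if ($PSCmdlet.ShouldProcess($CollectionName, 'Switch collection mode to Application')) {
        Set-AzureRemoteAppCollection -CollectionName $CollectionName -AclLevel Application
    }
}

# One row per published program: its alias (the *-AzureRemoteAppUser cmdlets need the alias,
# not the name) and the users explicitly assigned to it, so the access list can be reviewed
foreach ($program in Get-AzureRemoteAppProgram -CollectionName $CollectionName) {
    $users = @(Get-AzureRemoteAppUser -CollectionName $CollectionName -Alias $program.Alias)

    [pscustomobject]@{
        Application = $program.Name
        Alias       = $program.Alias
        UserCount   = $users.Count
        Users       = ($users.Name -join ', ')
    }
}
```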
Please note that you need to enter the Application Alias instead of the Application name. You can get the Application Alias by using the above cmdlet. So now we see the users which are currently assigned to the application. With the cmdlet Add-AzureRemoteAppUser we can add users to an application and with the cmdlet Remove-AzureRemoteAppUser we can remove users from the application.

Granting applications to single users is nice, but how about using this functionality to grant access to a group of users? With the following PowerShell script you can use your Azure AD groups to grant permissions to your Azure RemoteApp programs. Let’s start with the script:

[CmdletBinding()]
param (
        # Mandatory parameter for the name of the Azure RemoteApp program
        [parameter(Mandatory=$true)]
        [string]$ApplicationName,

        # Mandatory parameter for the name of the Azure AD application group
        [parameter(Mandatory=$true)]
        [string]$ApplicationGroup,

        # Mandatory parameter for the name of the Azure RemoteApp collection
        [parameter(Mandatory=$true)]
        [string]$CollectionName
)

# The Azure AD group lookup uses the ARM cmdlets, Azure RemoteApp uses the classic (ASM) cmdlets,
# so both logins are needed
Login-AzureRmAccount
Add-AzureAccount

# Get the alias of the application; the *-AzureRemoteAppUser cmdlets need the alias, not the name
$AppAlias        = Get-AzureRemoteAppProgram -CollectionName $CollectionName -RemoteAppProgram $ApplicationName | Select-Object Alias

# Resolve the Azure AD group; SearchString is a prefix match, so make sure exactly one group matched
$id              = Get-AzureRmADGroup -SearchString $ApplicationGroup | Select-Object Id
if (@($id).Count -ne 1) {
    throw "Expected exactly one Azure AD group matching '$ApplicationGroup', found $(@($id).Count)"
}
$ad_users        = Get-AzureRmADGroupMember -GroupObjectId $id.Id

# Users currently assigned to the application
$remoteapp_users = Get-AzureRemoteAppUser -CollectionName $CollectionName -Alias $AppAlias.Alias | Select-Object Name

# Add group members that are not yet assigned to the application
foreach ($ad_user in $ad_users) {
    $check = $remoteapp_users.Name -contains $ad_user.UserPrincipalName

    if ($check -eq $False) {
        Add-AzureRemoteAppUser -CollectionName $CollectionName -UserUpn $ad_user.UserPrincipalName -Type OrgId -Alias $AppAlias.Alias

        if ($? -eq $True) {
            $user = $ad_user.UserPrincipalName
            Write-Verbose "$user is added to Application $ApplicationName"
        }
    }
}

# Remove assigned users that are no longer a member of the group
foreach ($remoteapp_user in $remoteapp_users) {
    $check = $ad_users.UserPrincipalName -contains $remoteapp_user.Name

    if ($check -eq $False) {
        Remove-AzureRemoteAppUser -CollectionName $CollectionName -UserUpn $remoteapp_user.Name -Type OrgId -Alias $AppAlias.Alias

        if ($? -eq $True) {
            $user = $remoteapp_user.Name
            Write-Verbose "$user is removed from Application $ApplicationName"
        }
    }
}

This script needs the following parameters:

  • ApplicationName: Name of the Application in Azure RemoteApp
  • ApplicationGroup: Name of the Azure AD Group with the users for this Application
  • CollectionName: Name of the Azure RemoteApp collection

Based on the ApplicationName parameter the application alias is queried. Then, based on the members of the ApplicationGroup, the users are added to the application. See below an example execution in my lab environment:



So with the above script you can use your existing application groups to grant permissions to your Azure RemoteApp programs!

If you have any questions please let me know! If you want to test this feature in your own Azure RemoteApp environment, please fill in this survey: http://www.instant.ly/s/AY83p/nav.
