- XenDesktop
- XenApp
- Citrix Cloud
Objective
Contents
- Step 1: Manually creating an Azure application registration for Citrix Cloud
- Step 2: Manually assigning Resource permissions to the Azure App Registration for Citrix Cloud
- Step 3: Deploy Cloud Connectors to the Azure Subscription
- Step 4: Add an Azure Resource Location using an existing Azure App registration
Who should use this document
This is an advanced guide intended for customers whose Azure tenant uses a federated configuration, Azure B2C, or multi-factor authentication. Citrix Cloud / Studio does not currently support automatic service account creation in these cases.
For all other cases, Citrix Cloud / Studio can create the application service account itself: if the Studio user has an Azure Active Directory account with sufficient permissions and does not fall into the cases above, Studio prompts for that user's credentials and generates the service account in the tenant's Azure Active Directory. The result is the "Citrix managed" model described later in this document.
Introduction
To provision machines in Azure, Citrix Cloud must be granted access to your Azure subscription through an application service account (an Azure Active Directory "App registration") that has been assigned permissions to the relevant Azure resources within your Azure tenant.
Using an application identity is preferable to running the connection under an Azure Active Directory user's credentials because:
- You can assign the application identity permissions that differ from your own. Typically, these are restricted to exactly what the application needs to do.
- You do not have to change the application's credentials if your responsibilities change.
This article walks you through manually creating an application registration in the Azure portal, assigning it the necessary permissions, and then creating the host connection in Citrix Cloud.
Instructions
Note: Citrix Cloud Studio can perform all of these actions automatically when you choose the Create new... option while adding a new Hosting Connection. Your Azure account must hold the Owner role (not Contributor) to perform the actions in Step 1 and Step 4: Contributor can create resources but cannot grant access to them, and granting the App registration its RBAC roles (Step 2) requires Owner or User Access Administrator on the subscription. If your Azure account role is Contributor, Citrix Cloud Studio may show the error 'Invalid Azure Credentials' when you choose Use Existing..., or show no error but prompt for credentials again when you choose Create New.... Confirm the current role of your Azure account before following the steps below.
Step 1: Manually creating an Azure application registration for Citrix Cloud
Define the application registration
- Log in to your Azure tenant
- Select the Azure Active Directory blade
- Select App registrations
- Select '+ New application registration' ('+ New registration' in the current portal)
- Enter a name for the registration and select the supported account type
- Under Redirect URI, select Web as the type of application you want to create, and enter the URI the access token is sent to:
- Application type: 'Web app'
- Sign-on URL: 'https://citrix.cloud.com'
- Select Register, then select the new App registration to open its settings
Grant access to the Azure API
- Select Required Permissions under API Permissions
Create the application secret access key
- From the Manage section of the App registration, select "Certificates & Secrets"
- Refer to the Microsoft documentation below to create a secret key:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
- Copy the value of the Key (this is the secret, similar to a password; it is shown only once, so record it in a password vault immediately and never in a ticket or email)
- Select Properties (Overview in the current portal)
- Copy the Application ID of the App registration (this is similar to the username)
- Copy the Directory ID of the Azure Active Directory tenant from the same page
The Key, the Application ID and the Directory ID are the three pieces of information required to create the Host connection to Azure from Citrix Cloud.
Step 2: Manually assigning Resource permissions to the Azure App Registration for Citrix Cloud
Now that the App registration has been created and granted access to the Azure API, it must be granted permissions on resources within your Azure subscription.
Citrix recommends creating subscriptions dedicated to Citrix Cloud. This reduces the risk of worker provisioning or lifecycle actions interfering with or impacting other production systems, and it bounds what the App registration's credentials can reach if they are ever leaked.
The following instructions use the built-in Azure RBAC roles, choosing for each resource the most restrictive built-in role that still lets Citrix Cloud perform worker machine provisioning and lifecycle actions.
Selecting a Citrix Worker management model
At this point you must decide how much control to grant the Citrix Cloud App registration over machine provisioning.
Citrix Managed – In this model, Citrix Cloud is in full control of the Resource Group(s) during machine provisioning. As Resource Groups are required, Citrix Cloud simply adds more as necessary to support the additional catalogs being provisioned. This streamlines the management experience by handling those details, and it makes the Citrix administrator the sole arbiter of how many virtual machines can be deployed.
Customer Managed – In this model, an Azure Admin or Co-Admin pre-creates the Resource Groups that worker machines will be provisioned into. Citrix Cloud cannot create additional Resource Groups as needed; an Azure Subscription Admin or Co-Admin must do so. This requires good communication between the Citrix Administrator and the Azure Administrator as the number of Citrix workers in Azure grows.
Note: The Customer Managed option is currently supported in Citrix Cloud and in XenApp and XenDesktop 7.16 or later via the Studio GUI.
The primary difference between the two is the level of access the application service principal has to the Azure Subscription and its resources. The two models are detailed below.
Assigning Resource Permissions
The following outlines, for each resource being secured, the built-in Azure RBAC role that provides the minimum permissions necessary under each model.
Most of the settings are the same for both models; they differ only on the Subscription where Citrix workers will be provisioned and the Resource Groups within it.
For more information about assigning permissions see: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
For more information about built-in Azure RBAC roles see: https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Subscription
The Subscription where Citrix workers (XenApp and/or XenDesktop) will be provisioned.
Management Model | Citrix Managed | Customer Managed |
Azure RBAC Role | Contributor | None (an Azure Admin / Co-Admin must create the Resource Groups manually) |
To grant the App Registration Contributor permission on a Subscription (Citrix Managed only):
- Select the Subscriptions blade
- Select the desired Subscription
- Select "Access control (IAM)"
- Select "+ Add" (Add role assignment)
- Select Contributor from the Role drop-down menu
- Click in the Select search box and type the full name of the App registration
- Select the App registration
- Select Save
Resource Group(s)
The Resource Groups within the Subscription where Citrix workers will be provisioned.
Management Model | Citrix Managed | Customer Managed |
Azure RBAC Role | Contributor (inherited from the Subscription) | Virtual Machine Contributor and Storage Account Contributor |
To grant the App Registration permissions on a Resource Group:
Citrix Managed – Do nothing; the permissions are inherited from the Subscription.
Customer Managed – Complete the following:
- Select the Resource Groups blade
- Create the Resource Group(s):
  - Select "+ Add"
  - Enter the Resource Group Name, Subscription and Region
  - Select Create
  - Refresh the Resource Group list
- Select the Resource Group that was created
- Select "Access control (IAM)"
- Select "+ Add" (Add role assignment)
- Select the role from the table above (Virtual Machine Contributor) from the Role drop-down menu
- Click in the Select search box and type the full name of the App registration
- Select the App registration
- Select Save
- Repeat the role assignment for Storage Account Contributor, then repeat for each Resource Group
Virtual Network
The Azure Virtual Network that Citrix worker machines will be joined to.
Management Model | Citrix Managed | Customer Managed |
Azure RBAC Role | Contributor (inherited from the Subscription) | Virtual Machine Contributor |
The virtual network is needed in both scenarios. Citrix Managed inherits Contributor from the Subscription; for Customer Managed, assign Virtual Machine Contributor to the App registration on the virtual network (Access control (IAM) on the virtual network, same steps as for a Resource Group).
Master Image Storage Account
The Resource Group within the Subscription where Citrix worker master images are maintained. Citrix and / or Desktop administrators should have full access, but the App registration only needs to read the image; it does not need to modify it.
Management Model | Citrix Managed | Customer Managed |
Azure RBAC Role | Contributor (inherited from the Subscription) | Virtual Machine Contributor |
This applies in both scenarios. Citrix Managed inherits Contributor from the Subscription; for Customer Managed, assign Virtual Machine Contributor to the App registration on the master image storage account (Access control (IAM) on the storage account, same steps as for a Resource Group).
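The same Step 1 and Step 2 procedure as an Azure CLI script, added here as an example and not Citrix's own tooling. It creates the App registration, service principal and secret, emits the role assignments each management model needs, applies them at the narrowest scope the tables above list, and then checks that the service principal holds exactly that set and nothing wider (an Owner assignment, or a role at subscription scope under Customer Managed, is flagged as over-privilege). Assumptions: `az login` has already been done; Azure CLI 2.37 or later (Graph-based `az ad` commands, so `--web-redirect-uris` and `id` rather than `--reply-urls` and `objectId`); the display name `CitrixCloud-Hosting`, the model names `citrix-managed` / `customer-managed` and the `RUN_SETUP` switch are this example's own choices. For Customer Managed the script follows the tables (Virtual Machine Contributor plus Storage Account Contributor on each Resource Group) rather than the plain Contributor role named in the click-through steps, and it expects the virtual network and master image storage account as full resource IDs.

```shell
#!/usr/bin/env bash
# Added example, not Citrix's tooling: Step 1 and Step 2 via Azure CLI,
# plus a least-privilege check of the resulting role assignments.
# Assumes `az login` is done and Azure CLI >= 2.37 (Graph-based `az ad`).
set -eu
APP_NAME="${APP_NAME:-CitrixCloud-Hosting}"   # assumed display name
tab=$(printf '\t')

# Step 1: app registration, service principal and client secret. Prints the
# values Step 4 asks for to stderr and returns the SP object ID on stdout.
# The secret is shown once: hand it to the Studio wizard or a vault only.
create_app() {
  local app_id sp_id tenant_id secret
  app_id=$(az ad app create --display-name "$APP_NAME" \
             --web-redirect-uris "https://citrix.cloud.com" \
             --query appId -o tsv)
  # RBAC roles bind to the service principal, not to the app object.
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  secret=$(az ad app credential reset --id "$app_id" --years 1 \
             --query password -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  printf 'Directory (tenant) ID: %s\nApplication ID: %s\n' \
         "$tenant_id" "$app_id" >&2
  printf 'Application secret: %s\n' "$secret" >&2
  echo "$sp_id"
}

# Step 2: the assignments each model needs, one "<scope><TAB><role>" line.
# citrix-managed: Contributor on the subscription, everything inherits it.
# customer-managed: the narrower built-in roles from the tables on each
# pre-created resource group, the workers' VNet and the image storage
# account (VNET_ID and STORAGE_ID are full Azure resource IDs).
role_plan() {
  local model=$1 sub=$2
  case "$model" in
    citrix-managed)
      printf '/subscriptions/%s\tContributor\n' "$sub" ;;
    customer-managed)
      [ $# -ge 5 ] || { echo 'usage: role_plan customer-managed SUB VNET_ID STORAGE_ID RG...' >&2; return 1; }
      local vnet_id=$3 storage_id=$4 rg
      shift 4
      for rg in "$@"; do
        printf '/subscriptions/%s/resourceGroups/%s\tVirtual Machine Contributor\n' "$sub" "$rg"
        printf '/subscriptions/%s/resourceGroups/%s\tStorage Account Contributor\n' "$sub" "$rg"
      done
      printf '%s\tVirtual Machine Contributor\n' "$vnet_id"
      printf '%s\tVirtual Machine Contributor\n' "$storage_id" ;;
    *) echo "unknown model: $model" >&2; return 1 ;;
  esac
}

# Apply the plan. Scope is the point: never Owner, never wider than planned.
apply_plan() {
  local sp_id=$1 scope role; shift
  role_plan "$@" | while IFS="$tab" read -r scope role; do
    az role assignment create --assignee-object-id "$sp_id" \
       --assignee-principal-type ServicePrincipal \
       --role "$role" --scope "$scope" >/dev/null
    echo "granted '$role' at $scope"
  done
}

# What the SP actually holds, same columns; overridable for offline tests.
list_assignments() {
  az role assignment list --assignee "$1" --all \
     --query "[].[scope,roleDefinitionName]" -o tsv
}

# Least-privilege check: fail on anything missing (provisioning would fail)
# and on anything extra (Owner, or a role at a wider scope than planned).
verify_assignments() {
  local sp_id=$1 expected actual line rc=0; shift
  expected=$(role_plan "$@")
  actual=$(list_assignments "$sp_id")
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$actual" | grep -qxF -- "$line" || { echo "MISSING: $line" >&2; rc=1; }
  done <<EOF
$expected
EOF
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$expected" | grep -qxF -- "$line" || { echo "EXTRA (over-privileged): $line" >&2; rc=1; }
  done <<EOF
$actual
EOF
  return $rc
}

main() {
  local sub=${SUBSCRIPTION_ID:?subscription the Citrix workers will live in} sp_id
  az account set --subscription "$sub"
  sp_id=$(create_app)
  apply_plan "$sp_id" citrix-managed "$sub"      # or customer-managed ...
  verify_assignments "$sp_id" citrix-managed "$sub"
}
# Only run when asked, so the file can be sourced or tested without az.
if [ "${RUN_SETUP:-0}" = "1" ]; then main; fi
```

Run it with `RUN_SETUP=1 SUBSCRIPTION_ID=<id> bash citrix-azure-sp.sh` from an Owner (or User Access Administrator) session, since role assignment is what Contributor cannot do. For Customer Managed, create the resource groups first (`az group create`) and call `apply_plan "$sp_id" customer-managed "$sub" <vnet-id> <storage-id> rg1 rg2`. Re-running `verify_assignments` later is a cheap drift check: anyone who "helpfully" promotes the service principal to Owner shows up as an EXTRA line.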
Step 3: Deploy Cloud Connectors to the Azure Subscription
Deploy Citrix Cloud Connectors into the Azure subscription before adding the hosting connection. See Citrix Documentation - Citrix Cloud Connector.
Step 4: Add an Azure Resource Location using an existing Azure App registration
If you have worked through the process of manually creating an App registration in Azure and assigning the permissions correctly, this App registration now needs to be added to Citrix Cloud as a hosting connection for a Resource Location, providing capacity.
Within the Citrix Cloud management portal / Citrix Studio:
- Select Hosting
- Select "Add Connection and Resources"
- Select "Create a new Connection"
- Select the Azure hosting environment
- Select Next
- Select "Use existing"
- Copy and paste the following values:
  - Azure Subscription ID (where Citrix workers will be provisioned by Citrix Cloud)
  - Active Directory ID (the Directory ID of the Azure Active Directory in which the App registration was defined)
  - Application ID (of the App registration)
  - Application secret (the Key)
- Enter a "Connection name"
- Select Next
- Select the Azure Region where Citrix workers will be provisioned
- Select Next
- Enter a Citrix Cloud name for this Azure Subscription and Region
- Select the Azure Virtual Network that Citrix Worker machines will be joined to
- Select the Azure Virtual Network Subnet that Citrix Worker machines will obtain IP addresses from
- Select Next
- Select Finish
If the Citrix Cloud console is being used from inside a Citrix session, use the session clipboard to paste each value:
- Select the half-circle connection menu at the top centre of the browser
- Select the Clipboard
- Copy your Azure Subscription ID to the clipboard
- Either right-click and paste or use CTRL + V to paste the clipboard contents to the remote clipboard
- Select the X to close the Session clipboard
- Select the field to paste the data into
- Either right-click and paste or use CTRL + V to paste the clipboard contents into the field