Azure Virtual Desktop (AVD) for Small Business Berlin: Cloud Desktops with Intune and Entra ID
Azure Virtual Desktop (AVD) delivers Windows desktops and applications as a managed cloud service — users connect to a full Windows 11 session running in Azure from any device, from anywhere, using the Remote Desktop client or a web browser. For Berlin SMBs, AVD replaces on-premises terminal servers, reduces endpoint management overhead, and enables BYOD scenarios without compromising data security.
Unlike traditional VDI, AVD is a PaaS offering: Microsoft manages the control plane infrastructure, multi-session Windows licensing, and session brokering. You provision session host VMs, configure Intune or FSLogix, connect to Entra ID and your existing M365 tenant, and define user assignments. This post covers architecture, licensing, Entra ID join, FSLogix profile containers, and integration with Microsoft Intune and Conditional Access.
Architecture Overview
An AVD deployment consists of: a Host Pool (collection of session host VMs), one or more Application Groups (Desktop or RemoteApp), a Workspace (user-facing collection of app groups), and the session host VMs themselves (Azure VMs running Windows 11 Multi-Session or single-session).
The AVD control plane — gateway, broker, diagnostics, and web access — is fully managed by Microsoft with no infrastructure to deploy or maintain. Session host VMs run in your Azure subscription, in your choice of Azure region (Germany West Central is the nearest option for Berlin workloads, offering data residency within the EU).
Host Pool Types
| Type | Description | Use Case |
|---|---|---|
| Pooled (multi-session) | Multiple users share each session host VM; sessions are load-balanced across VMs | Task workers, office productivity — most cost-efficient |
| Personal (dedicated) | Each user is permanently assigned to a specific VM | Developers, power users requiring persistent local state or GPU |
For Berlin SMBs, pooled host pools with Windows 11 Multi-Session (Windows 11 Enterprise multi-session) provide the best economics — typically 4-8 users per 4-vCPU/16 GB VM for knowledge worker workloads, compared to one VM per user in personal pools.
Entra ID Join and Intune Integration
Session host VMs can be Entra ID joined (cloud-only, recommended for new deployments) or hybrid Entra ID joined (requires Active Directory Domain Services and Entra Connect). Entra ID join eliminates the need for a domain controller in Azure and enables full Intune management of session hosts — the same MDM policies, compliance checks, and application deployments that govern your physical endpoints.
With Entra ID-joined session hosts enrolled in Intune, you can apply: Windows security baselines, BitLocker (for personal pools), Windows Update rings, Windows Defender policy, application deployment (Win32, MSIX), and compliance policies that block non-compliant session hosts from receiving connections via Conditional Access.
Conditional Access for AVD
Conditional Access applies to AVD connections at two points: the Windows Virtual Desktop cloud app (user authentication to the AVD broker) and the Microsoft Remote Desktop cloud app (session host connection). Key policy recommendations: require MFA for AVD authentication, require compliant device (Intune compliance) or Entra ID joined device, and block connections from high-risk sign-in events using Entra ID Protection risk signals. This ensures that even if user credentials are compromised, an attacker cannot connect to an AVD session without a compliant managed device.
FSLogix Profile Containers
FSLogix Profile Containers store the entire Windows user profile in a VHD(x) file on a network share — typically Azure Files or Azure NetApp Files — and mount it dynamically when the user logs in. This enables consistent, persistent profiles in pooled (multi-session) environments where users may connect to different session host VMs each day.
For Berlin SMBs, Azure Files (Standard tier) with SMB 3.0 and Kerberos authentication (via Entra ID Kerberos for Entra-joined hosts) is the recommended FSLogix storage backend. Key sizing guidance: allocate 30-50 GB per user profile share, enable Azure Files Large File Share (up to 100 TB), and configure Azure Backup for the storage account to protect profile data.
FSLogix Configuration Checklist
- Set the VHDLocations registry key to the Azure Files SMB share UNC path
- Enable DeleteLocalProfileWhenVHDShouldApply to prevent profile conflicts on pooled hosts
- Configure SizeInMBs to 30720 (30 GB minimum; 51200 recommended for knowledge workers)
- Set VolumeType to VHDX for Entra ID Kerberos environments (VHD for legacy hybrid join)
- Exclude the Microsoft Teams cache, browser caches, and Windows temp files from the profile container (use FSLogix App Masking or Redirections.xml)
- Enable Azure Files SMB Multichannel for improved throughput when session host count exceeds 20
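The checklist above, applied and then read back on a session host, as an added example (it is not code from the original post; the share UNC path and the use of the FSLogix "Enabled" value, which is not listed on the page, are assumptions):

```powershell
# Added example: configure the FSLogix Profiles registry keys listed in the checklist
# and verify them. Run elevated on the session host (or in the golden image) after the
# FSLogix agent is installed. The share path below is a hypothetical placeholder.
$ShareUnc    = '\\STORAGEACCOUNT.file.core.windows.net\profiles'   # assumed, replace
$ProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

function Set-FsLogixProfileConfig {
    param(
        [Parameter(Mandatory)] [string] $VhdLocation,
        [int] $SizeInMBs = 51200,                          # 51200 = knowledge-worker recommendation
        [ValidateSet('VHD', 'VHDX')] [string] $VolumeType = 'VHDX'  # VHDX for Entra ID Kerberos
    )
    if (-not (Test-Path $ProfilesKey)) { New-Item -Path $ProfilesKey -Force | Out-Null }
    # Name -> @(value, registry type). Enabled=1 switches the profile container on (assumed key).
    $settings = [ordered]@{
        Enabled                              = @(1, 'DWord')
        VHDLocations                         = @($VhdLocation, 'String')
        DeleteLocalProfileWhenVHDShouldApply = @(1, 'DWord')   # avoid profile conflicts on pooled hosts
        SizeInMBs                            = @($SizeInMBs, 'DWord')
        VolumeType                           = @($VolumeType, 'String')
    }
    foreach ($name in $settings.Keys) {
        $value, $type = $settings[$name]
        New-ItemProperty -Path $ProfilesKey -Name $name -Value $value -PropertyType $type -Force | Out-Null
    }
}

function Test-FsLogixProfileConfig {
    # Returns the list of keys that are missing or differ from the expected values;
    # an empty result means the host matches the checklist.
    param([string] $VhdLocation, [int] $SizeInMBs = 51200, [string] $VolumeType = 'VHDX')
    $expected = @{ Enabled = 1; VHDLocations = $VhdLocation
                   DeleteLocalProfileWhenVHDShouldApply = 1; SizeInMBs = $SizeInMBs; VolumeType = $VolumeType }
    $actual = Get-ItemProperty -Path $ProfilesKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        if ($null -eq $actual -or "$($actual.$name)" -ne "$($expected[$name])") {
            [pscustomobject]@{ Key = $name; Expected = $expected[$name]; Actual = $actual.$name }
        }
    }
}

Set-FsLogixProfileConfig -VhdLocation $ShareUnc -SizeInMBs 51200 -VolumeType 'VHDX'
$drift = Test-FsLogixProfileConfig -VhdLocation $ShareUnc
if ($drift) { $drift | Format-Table } else { Write-Host 'FSLogix profile settings match the checklist.' }
```

The settings take effect at the next user sign-in; the exclusions for Teams and browser caches are handled separately through Redirections.xml or App Masking, not through these keys.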
Autoscale and Cost Optimisation
AVD Autoscale dynamically starts and stops session host VMs based on active session count and a configurable schedule. Define ramp-up hours (e.g., 07:00-09:00), peak hours (09:00-17:00), ramp-down (17:00-19:00), and off-peak (19:00-07:00). During off-peak, Autoscale drains and deallocates session hosts with no active sessions — compute charges stop for deallocated VMs while the VM disk and FSLogix storage continue to incur minimal costs.
Additional cost controls: use Azure Reserved VM Instances for base capacity (1-3 year commitment, up to 72% discount over pay-as-you-go), use Spot Instances for burst capacity during ramp-up periods, and choose Germany West Central region to avoid inter-region data transfer costs if other workloads are in the same region.
Microsoft 365 Apps and Teams Optimisation
Microsoft 365 Apps (Word, Excel, Outlook, Teams) deploy to session hosts via Intune or a standard installer run from the AVD golden image. Microsoft Teams requires the AVD-specific Media Optimisation for Teams — a client-side plugin that redirects audio and video processing to the local endpoint device rather than the session host VM. Without Teams Optimisation, all media traffic is processed server-side, significantly increasing CPU load on session hosts and introducing latency for calls.
Verify Teams Optimisation is active by checking the AVD Info panel in the Teams client (About → Version → AVD Media Optimised = True). Teams Optimisation requires the Windows Desktop client version 1.2.3401 or later and the Remote Desktop WebRTC Redirector Service on the session host.
Security Hardening
AVD session hosts are internet-accessible compute targets and must be hardened accordingly. Apply Microsoft security baselines via Intune, enable Microsoft Defender for Endpoint (MDE) on all session hosts (AVD is a supported platform), configure Windows Defender Application Control (WDAC) for application allow-listing in high-security pooled environments, and enable Azure Bastion in the hub VNet for administrative access to session hosts — eliminating the need for public RDP ports on session host subnets.
Network Security Groups on the session host subnet should deny all inbound traffic except from the AVD service tag (WindowsVirtualDesktop) — AVD gateway traffic uses this service tag for reverse-connection architecture, meaning session hosts initiate outbound connections to the AVD control plane rather than accepting inbound connections directly from users.
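The subnet NSG described above, expressed with the Az PowerShell module, as an added example (not the post's own code). Resource group, VNet, subnet, NSG name and the Azure Bastion subnet prefix are assumed placeholders; the Bastion rule is included because administrative RDP from Bastion still has to reach the hosts once public RDP is gone.

```powershell
# Added example: lock down the AVD session host subnet. All names below are hypothetical.
$Rg            = 'rg-avd-prod'
$VnetName      = 'vnet-avd'
$SubnetName    = 'snet-sessionhosts'
$BastionPrefix = '10.0.1.0/26'      # assumed AzureBastionSubnet range in the hub VNet
$Location      = 'germanywestcentral'

function New-AvdRule {
    # Small wrapper so each rule reads as one line of intent.
    param($Name, [int]$Priority, $Direction, $Access, $Protocol, $Src, $Dst, $DstPort)
    New-AzNetworkSecurityRuleConfig -Name $Name -Priority $Priority -Direction $Direction `
        -Access $Access -Protocol $Protocol -SourceAddressPrefix $Src -SourcePortRange '*' `
        -DestinationAddressPrefix $Dst -DestinationPortRange $DstPort
}

$rules = @(
    # Inbound: only the AVD service tag (as the post recommends) and Bastion for admin RDP.
    New-AvdRule 'AllowAvdServiceInbound' 100 Inbound Allow Tcp 'WindowsVirtualDesktop' '*' '*'
    New-AvdRule 'AllowBastionRdpInbound' 110 Inbound Allow Tcp $BastionPrefix '*' 3389
    # Explicit deny ahead of the platform default, so no rule added later opens 3389 to the Internet by accident.
    New-AvdRule 'DenyAllInbound' 4000 Inbound Deny '*' '*' '*' '*'
    # Outbound: reverse connect means the hosts open HTTPS to the AVD control plane.
    New-AvdRule 'AllowAvdServiceOutbound' 100 Outbound Allow Tcp '*' 'WindowsVirtualDesktop' 443
)

$nsg  = New-AzNetworkSecurityGroup -Name 'nsg-avd-sessionhosts' -ResourceGroupName $Rg `
            -Location $Location -SecurityRules $rules
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $Rg
$cfg  = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $cfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Read back: list what is still allowed inbound after the change.
(Get-AzNetworkSecurityGroup -Name 'nsg-avd-sessionhosts' -ResourceGroupName $Rg).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
```

Session hosts also need outbound access to Entra ID, Intune, Windows Update and Azure Files for FSLogix; those destinations are not covered by the WindowsVirtualDesktop tag and must be allowed separately.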
Licensing
AVD is included at no additional licensing cost for users with eligible Microsoft 365 or Windows licences: Microsoft 365 Business Premium, Microsoft 365 E3/E5, Windows 10/11 Enterprise E3/E5 per user. You pay only for the Azure compute, storage, and networking consumed by session host VMs. For Berlin SMBs on Microsoft 365 Business Premium (already recommended for MFA, Defender, and Intune), AVD is effectively a cloud desktop option with no incremental licensing cost beyond Azure infrastructure.
IT Experts Berlin designs and deploys Azure Virtual Desktop environments for Berlin-based SMBs — including Entra ID-joined session hosts, FSLogix on Azure Files, Intune policy configuration, Autoscale, and Microsoft Teams Optimisation. Contact us for a free architecture consultation.
