Create a dedicated Microsoft Entra ID directory with WorkSpaces Personal - Amazon WorkSpaces

In this tutorial, we create Bring Your Own License (BYOL) Windows 10 and 11 personal WorkSpaces that are Microsoft Entra ID joined and enrolled to Microsoft Intune. Before creating such WorkSpaces, you need to first create a dedicated WorkSpaces Personal directory for Entra ID-joined WorkSpaces.

Note

Microsoft Entra joined personal WorkSpaces are available in all AWS regions where Amazon WorkSpaces is offered except for Africa (Cape Town), Israel (Tel Aviv), and China (Ningxia).

Overview

A Microsoft Entra ID personal WorkSpaces directory contains all the information needed to launch Microsoft Entra ID-joined WorkSpaces that are assigned to your users managed with Microsoft Entra ID. User information is made available to WorkSpaces through AWS IAM Identity Center, which acts as an identity broker to bring your workforce identity from Entra ID to AWS. Microsoft Windows Autopilot user-driven mode is used to accomplish WorkSpaces Intune enrollment and Entra join. The following diagram illustrates the Autopilot process.

Diagram showing WorkSpaces client, service, and agent interacting with AWS and Azure components for authentication and device management.

Requirements and limitations

  • Microsoft Entra ID P1 plan or higher.

  • Microsoft Entra ID and Intune are enabled, with the following role assignments:

  • Intune administrator - Required for managing Autopilot deployment profiles.

  • Global administrator - Required for granting admin consent for the API permissions assigned to the application created in step 3. The application can be created without this permission. However, a Global Administrator would need to provide admin consent on the application permissions.

  • Assign VDA E3/E5 user subscription licenses to users so their Windows 10 or 11 WorkSpaces can be joined to Entra ID.

  • Entra ID directories only support Windows 10 or 11 Bring Your Own License personal WorkSpaces. The following are supported versions.

    • Windows 10 Version 21H2 (December 2021 Update)

    • Windows 10 Version 22H2 (November 2022 Update)

    • Windows 11 Enterprise 23H2 (October 2023 release)

    • Windows 11 Enterprise 22H2 (October 2022 release)

  • Bring Your Own License (BYOL) is enabled for your AWS account and you have a valid Windows 10 or 11 BYOL image imported in your account. For more information, see Bring Your Own Windows desktop licenses in WorkSpaces.

  • Microsoft Entra ID directories only support Windows 10 or 11 BYOL personal WorkSpaces.

  • Microsoft Entra ID directories support only the DCV protocol.

Step 1: Enable IAM Identity Center and synchronize with Microsoft Entra ID

To create Microsoft Entra ID-joined personal WorkSpaces and assign them to your Entra ID users, you have to make the user information available to AWS through IAM Identity Center. IAM Identity Center is the recommended AWS service for managing user access to AWS resources. For more information, see What is IAM Identity Center?. This is a one-time setup.

Note

A WorkSpaces Personal directory and its associated IAM Identity Center instance must be in the same AWS region.

  1. Enable IAM Identity Center with your AWS Organizations, especially if you are using a multi-account environment. You can also create an account instance of IAM Identity Center. To learn more, see Enabling AWS IAM Identity Center. Each WorkSpaces directory can be associated with one IAM Identity Center instance (organization or account).

    If you are using an organization instance and trying to create a WorkSpaces directory in one of the member accounts, make sure you have the following IAM Identity Center permissions.

    • "sso:DescribeInstance"

    • "sso:CreateApplication"

    • "sso:PutApplicationGrant"

    • "sso:PutApplicationAuthenticationMethod"

    • "sso:DeleteApplication"

    • "sso:DescribeApplication"

    • "sso:GetApplicationGrant"

    For more information, see Overview of managing access permissions to your IAM Identity Center resources. Also, ensure that no Service Control Policies (SCPs) are blocking these permissions. To learn more about SCPs, see Service control policies (SCPs).

  2. Configure IAM Identity Center and Microsoft Entra ID to automatically synchronize selected or all users from your Entra ID tenant to your IAM Identity Center instance. For more information, see Configure SAML and SCIM with Microsoft Entra ID and IAM Identity Center and Tutorial: Configure AWS IAM Identity Center for automatic user provisioning.

  3. Verify that the users you configured in Microsoft Entra ID are synchronized correctly to your AWS IAM Identity Center instance. If you see an error message in Microsoft Entra ID, it indicates that the user in Entra ID is configured in a way that IAM Identity Center doesn’t support. The error message will identify this issue. For example, if the user object in Entra ID lacks a first name, a last name, and/or a display name, you’ll receive an error message similar to "2 validation errors detected: Value at 'name.givenName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+; Value at 'name.givenName' failed to satisfy constraint: Member must have length greater than or equal to 1". For more information, see Specific users fail to synchronize into IAM Identity Center from an external SCIM provider.

Note

WorkSpaces uses the Entra ID UserPrincipalName (UPN) attribute to identify individual users. The UPN has the following limitations:

  • UPNs cannot exceed 63 characters in length.

  • If you change the UPN after assigning a WorkSpace to a user, the user won't be able to connect to their WorkSpace unless you change the UPN back to what it was before.

Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot

WorkSpaces Personal uses Microsoft Windows Autopilot user-driven mode to enroll WorkSpaces to Microsoft Intune and join them to Microsoft Entra ID.

To allow Amazon WorkSpaces to register WorkSpaces Personal into Autopilot, you must register a Microsoft Entra ID application that grants necessary Microsoft Graph API permissions. For more information about registering an Entra ID application, see Quickstart: Register an application with the Microsoft identity platform.

We recommend providing the following API permissions in your Entra ID application.

  • To create a new personal WorkSpace that needs to be joined to Entra ID, the following API permission is required.

    • DeviceManagementServiceConfig.ReadWrite.All

  • When you terminate a personal WorkSpace or rebuild it, the following permissions are used.

    Note

    If you don’t provide these permissions, the WorkSpace will be terminated but not removed from your Intune and Entra ID tenants, and you will have to remove it from each of them separately.

    • DeviceManagementServiceConfig.ReadWrite.All

    • Device.ReadWrite.All

    • DeviceManagementManagedDevices.ReadWrite.All

  • These permissions require admin consent. For more information, see Grant tenant-wide admin consent to an application.

Next, you must add a client secret for the Entra ID application. For more information, see Add credentials. Make sure you remember the client secret string as you will need it when creating the AWS Secrets Manager secret in Step 4.

Step 3: Configure Windows Autopilot user-driven mode

Ensure you are familiar with the Step by step tutorial for Windows Autopilot user-driven Microsoft Entra join in Intune.

To configure your Microsoft Intune for Autopilot
  1. Sign in to the Microsoft Intune admin center.

  2. Create a new Autopilot device group for personal WorkSpaces. For more information, see Create device groups for Windows Autopilot.

    1. Choose Groups, New group.

    2. For Group type, choose Security.

    3. For Membership type, choose Dynamic Device.

    4. Choose Edit dynamic query to create a dynamic membership rule. The rule should be in the following format:

      (device.devicePhysicalIds -any (_ -eq "[OrderID]:WorkSpacesDirectoryName"))

      Important

      WorkSpacesDirectoryName should match the directory name of the Entra ID WorkSpaces Personal directory you create in step 5. This is because the directory name string is used as the group tag when WorkSpaces registers virtual desktops into Autopilot. Additionally, the group tag maps to the OrderID attribute on Microsoft Entra devices.

  3. Choose Devices, Windows, Enrollment. For Enrollment Options, choose Automatic Enrollment. For MDM user scope select All.

  4. Create an Autopilot deployment profile. For more information, see Create an Autopilot deployment profile.

    1. For Windows Autopilot, choose Deployment profiles, Create profile.

    2. In the Windows Autopilot deployment profiles screen, select the Create Profile drop down menu and then select Windows PC.

    3. In the Create profile screen, on the Out-of-box experience (OOBE) page, for Deployment mode, select User-driven. For Join to Microsoft Entra ID, select Microsoft Entra joined. You can customize the computer names for your Entra ID-joined personal WorkSpaces by selecting Yes for Apply device name template, to create a template to use when naming a device during enrollment.

    4. On the Assignments page, for Assign to, choose Selected groups. Choose Select groups to include, and select the Autopilot device group you’ve just created in step 2.

Step 4: Create an AWS Secrets Manager secret

You must create a secret in AWS Secrets Manager to securely store the information, including the application ID and client secret, for the Entra ID application you created in Step 2: Register a Microsoft Entra ID application to grant permissions for Windows Autopilot. This is a one-time setup.

To create an AWS Secrets Manager secret
  1. Create a customer managed key in AWS Key Management Service (AWS KMS). The key will later be used to encrypt the AWS Secrets Manager secret. Don't use the default key to encrypt your secret, because the default key cannot be accessed by the WorkSpaces service. Follow the steps below to create the key.

    1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

    2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

    3. Choose Create key.

    4. On the Configure key page, for Key type choose Symmetric. For Key usage, choose Encrypt and decrypt.

    5. On the Review page, in the Key policy editor, ensure you allow the WorkSpaces service's principal workspaces.amazonaws.com access to the key by including the following statement in the key policy.

      {
        "Effect": "Allow",
        "Principal": { "Service": [ "workspaces.amazonaws.com" ] },
        "Action": [ "kms:Decrypt", "kms:DescribeKey" ],
        "Resource": "*"
      }

  2. Create the secret on AWS Secrets Manager, using the AWS KMS key created in previous step.

    1. Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

    2. Choose Store a new secret.

    3. On the Choose secret type page, for Secret type, select Other type of secret.

    4. For Key/value pairs, enter “application_id” in the key box, then copy the Entra ID application ID from Step 2 and paste it into the value box.

    5. Choose Add row, enter “application_password” in the key box, then copy the Entra ID application client secret from Step 2 and paste it into the value box.

    6. Choose the AWS KMS key that you created in the previous step from the Encryption key drop-down list.

    7. Choose Next.

    8. On the Configure secret page, enter a Secret name and Description.

    9. In the Resource permissions section, choose Edit permissions.

    10. Make sure you allow the WorkSpaces service's principal workspaces.amazonaws.com access to the secret by including the following resource policy in the resource permissions.

      {
        "Version" : "2012-10-17",
        "Statement" : [
          {
            "Effect" : "Allow",
            "Principal" : { "Service" : [ "workspaces.amazonaws.com" ] },
            "Action" : "secretsmanager:GetSecretValue",
            "Resource" : "*"
          }
        ]
      }
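As an added pre-flight check that is not part of the original documentation, the following Python script verifies a KMS key policy, a Secrets Manager resource policy and the secret value against what Step 4 requires: the workspaces.amazonaws.com principal must be allowed kms:Decrypt and kms:DescribeKey on the key and secretsmanager:GetSecretValue on the secret, the secret must hold application_id and application_password, and the secret must not use the AWS managed key. The policy documents, application ID and client secret in it are constructed samples.

```python
import json

WORKSPACES_PRINCIPAL = "workspaces.amazonaws.com"   # service principal named in Step 4
DEFAULT_SECRETS_KEY = "alias/aws/secretsmanager"    # AWS managed key; Step 4 says not to use it

# Constructed sample documents that mirror the policy statements shown in Step 4.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["workspaces.amazonaws.com"]},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
SECRET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["workspaces.amazonaws.com"]},
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
# Placeholder values; the real application ID and client secret come from Step 2.
SECRET_STRING = json.dumps({"application_id": "00000000-0000-0000-0000-000000000000",
                            "application_password": "PLACEHOLDER-CLIENT-SECRET"})


def _as_list(value):
    # IAM accepts either a single string or a list for Statement, Action and Principal.Service.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, service_principal):
    """Collect the actions (lower-cased, as IAM matches them) that Allow statements grant to a service principal."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and service_principal in services:
            actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return actions


def check_secret_setup(key_policy, secret_policy, secret_string, kms_key_id):
    """Return a list of problems; an empty list means the setup satisfies Step 4."""
    problems = []
    if kms_key_id == DEFAULT_SECRETS_KEY:
        problems.append("secret must be encrypted with a customer managed key, not the default key")
    missing = {"kms:decrypt", "kms:describekey"} - allowed_actions(key_policy, WORKSPACES_PRINCIPAL)
    if missing:
        problems.append("key policy lacks %s for %s" % (sorted(missing), WORKSPACES_PRINCIPAL))
    if "secretsmanager:getsecretvalue" not in allowed_actions(secret_policy, WORKSPACES_PRINCIPAL):
        problems.append("secret resource policy lacks secretsmanager:GetSecretValue for %s"
                        % WORKSPACES_PRINCIPAL)
    try:
        body = json.loads(secret_string)
    except ValueError:
        body = {}
    for key in ("application_id", "application_password"):
        if not isinstance(body, dict) or not body.get(key):
            problems.append("secret value is missing the %s key" % key)
    return problems
```

Call check_secret_setup with the documents fetched from your account (for example via get-key-policy and get-resource-policy) and the alias or key ID you selected; an empty list means the directory creation in Step 5 will be able to read the secret.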

Step 5: Create a dedicated Microsoft Entra ID WorkSpaces directory

Create a dedicated WorkSpaces directory that stores information for your Microsoft Entra ID-joined WorkSpaces and Entra ID users.

To create an Entra ID WorkSpaces directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. On the Create directory page, for WorkSpaces type choose Personal. For WorkSpace device management, choose Microsoft Entra ID.

  4. For Microsoft Entra tenant ID, enter your Microsoft Entra ID tenant ID that you want your directory's WorkSpace to join to. You won't be able to change the tenant ID after the directory is created.

  5. For Entra ID Application ID and password, select the AWS Secrets Manager secret that you created in Step 4 from the drop down list. You won't be able to change the secret associated with the directory after the directory is created. However, you can always update the content of the secret, including the Entra ID Application ID and its password through the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.

  6. For User identity source, select the IAM Identity Center instance that you configured in Step 1 from the drop down list. You won't be able to change the IAM Identity Center instance associated with the directory after the directory is created.

  7. For Directory name, enter a unique name for the directory (for example, WorkSpacesDirectoryName).

    Important

    The directory name should match the OrderID used to construct the dynamic query for the Autopilot device group that you created with Microsoft Intune in Step 3. The directory name string is used as the group tag when registering personal WorkSpaces into Windows Autopilot. The group tag maps to the OrderID attribute on Microsoft Entra devices.

  8. (Optional) For Description, enter a description for the directory.

  9. For VPC, select the VPC that you used to launch your WorkSpaces. For more information, see Configure a VPC for WorkSpaces Personal.

  10. For Subnets, select two subnets of your VPC that are not from the same Availability Zone. These subnets will be used to launch your personal WorkSpaces. For more information, see Availability Zones for WorkSpaces Personal.

    Important

    Make sure the WorkSpaces launched in the subnets have internet access, which is needed when users log in to the Windows desktops. For more information, see Provide internet access for WorkSpaces Personal.

  11. For Configuration, select Enable dedicated WorkSpace. You must enable it to create a dedicated WorkSpaces Personal directory to launch Bring Your Own License (BYOL) Windows 10 or 11 personal WorkSpaces.

    Note

    If you don't see the Enable dedicated WorkSpace option under Configuration, your account hasn't been enabled for BYOL. To enable BYOL for your account, see Bring Your Own Windows desktop licenses in WorkSpaces.

  12. (Optional) For Tags, specify the key-value pairs that you want to use for personal WorkSpaces in the directory.

  13. Review the directory summary and choose Create directory. It takes several minutes for your directory to be connected. The initial status of the directory is Creating. When directory creation is complete, the status is Active.
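The Important notes in Step 3 and Step 7 above describe one dependency: the directory name becomes the Autopilot group tag, which lands in the OrderID entry of devicePhysicalIds that the dynamic group rule matches on. The following Python example (added here, not part of the original page) parses a rule in the format from Step 3, checks that its OrderID equals the intended directory name, and evaluates the rule against a constructed devicePhysicalIds list the way the -any/-eq form does; the directory name, the rule and the device identifiers are constructed placeholders.

```python
import re

# Constructed placeholders: the directory name from Step 5 and the rule format from Step 3.
DIRECTORY_NAME = "WorkSpacesDirectoryName"
MEMBERSHIP_RULE = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:WorkSpacesDirectoryName"))'
# devicePhysicalIds of a device that WorkSpaces registered with the directory name as group tag.
# The first entry is a constructed, unrelated tag to show that -any ignores non-matching entries.
REGISTERED_DEVICE_IDS = ["[OtherTag]:PLACEHOLDER", "[OrderID]:WorkSpacesDirectoryName"]

# Only the exact rule shape given in Step 3 is recognised; anything else is reported as a problem.
RULE_RE = re.compile(r'^\(device\.devicePhysicalIds -any \(_ -eq "\[OrderID\]:([^"]+)"\)\)$')


def order_id_from_rule(rule):
    """Return the OrderID (group tag) the membership rule selects on, or None if unparseable."""
    match = RULE_RE.match(rule.strip())
    return match.group(1) if match else None


def device_matches_rule(rule, device_physical_ids):
    """True if any devicePhysicalIds entry equals the [OrderID] value the rule asks for."""
    order_id = order_id_from_rule(rule)
    return order_id is not None and any(e == "[OrderID]:" + order_id for e in device_physical_ids)


def check_directory_name(rule, directory_name):
    """Return problems that would keep newly registered WorkSpaces out of the Autopilot group."""
    problems = []
    order_id = order_id_from_rule(rule)
    if order_id is None:
        problems.append("membership rule is not in the [OrderID] format from Step 3")
    elif order_id != directory_name:
        problems.append("rule OrderID %r does not match directory name %r" % (order_id, directory_name))
    return problems
```

A non-empty result from check_directory_name means WorkSpaces registered into Autopilot will never receive the deployment profile assigned to the group, and enrollment will not proceed as expected.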

An IAM Identity Center application is also automatically created on your behalf once the directory is created. To find the application’s ARN go to the directory's summary page.

You can now use the directory to launch Windows 10 or 11 personal WorkSpaces that are enrolled to Microsoft Intune and joined to Microsoft Entra ID. For more information, see Create a WorkSpace in WorkSpaces Personal.

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.

Configure the IAM Identity Center application for a WorkSpaces directory (optional)

A corresponding IAM Identity Center application is automatically created once a directory is created. You can find the application’s ARN in the Summary section on the directory detail page. By default, all users in the Identity Center instance can access their assigned WorkSpaces without configuring the corresponding Identity Center application. However, you can manage user access to WorkSpaces in a directory by configuring the user assignment for the IAM Identity Center application.

To configure the user assignment for the IAM Identity Center application
  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. On the AWS managed applications tab, choose the application for the WorkSpaces directory. The application names are in the following format: WorkSpaces.wsd-xxxxx, where wsd-xxxxx is the WorkSpaces directory ID.

  3. Choose Actions, Edit details.

  4. Change the User and group assignment method from Do not require assignments to Require assignments.

  5. Choose Save changes.

After you make this change, users in the Identity Center instance will lose access to their assigned WorkSpaces unless they are assigned to the application. To assign your users to the application, use the AWS CLI command create-application-assignment to assign users or groups to an application. For more information, see the AWS CLI Command Reference.