Adding a XenDesktop Azure Resource Manager Hosting Connection Manually with ADFS and NetScaler


Wow! What a mouthful of a post title!

So, the purpose of this post is to walk you through the process of manually adding a connection to your Azure Resource Manager datacenter from Citrix Studio.

Following my previous posts about ADFS and MFA, I have an on-premises ADFS instance linked to Microsoft Azure Multi-Factor Authentication. I want to use this method to authenticate to an Azure AD hosted in the cloud and add a hosting connection to Citrix Studio. Essentially, I want the Microsoft login to hand authentication back to my ADFS instance, which authenticates the user and deals with MFA.

For context my internal domain name is bretty.local – my external owned domain is – my ADFS URL is both internally and externally.

So, let's get started.

Active Directory Domain Suffix

The first thing I need to do is add as an additional UPN suffix for my domain. This is so that I can authenticate both externally and internally using my owned domain.

Open up Active Directory Domains and Trusts, right-click the top level and click Properties.


Add your external domain as an available domain suffix.


Azure Active Directory

Next we need to set up an Azure Active Directory and link it to our on-premises domain. There are a number of ways you can configure this; in this post I am going to use directory sync to sync my AD to Azure and link back to my ADFS service for user authentication.

Open up the OLD Azure Admin Console by going here:

Navigate to Active Directory


Select Directory at the top


Click Add to create a new directory


Fill out the details for your new Active Directory, give it a domain name and select the location.


Click OK to create the new directory.


Next you will need to add and verify the external domain name that you own (in my case

Click to add a domain. Add your external domain name and DON'T put a tick in "I plan to configure this domain for SSO".


Click Add, then Next.

This screen will ask you to verify that you own the domain. You will need to add a TXT DNS record to your domain as specified on the screen and then verify the domain. This may take some time because of DNS replication, but make sure you verify your domain before you try to install Directory Sync.


Unverified Domain


All Verified!
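Because the portal check only succeeds once the TXT record is visible from the internet, it helps to confirm propagation yourself before retrying. The following is an added example, not code from the original post; the domain name and the record value are placeholders you replace with your own domain and the value the portal gave you, and it queries a public resolver directly so that a cached answer on your internal DNS does not mislead you.

```powershell
# Added example (not from the original post): check whether the Azure AD
# domain-verification TXT record has propagated before retrying "Verify".
$Domain         = "EXAMPLE-EXTERNAL-DOMAIN.TLD"   # placeholder: your owned external domain
$ExpectedRecord = "MS=msXXXXXXXX"                  # placeholder: the TXT value shown in the portal

# Ask a public resolver rather than the internal DNS server, so a stale or
# internal-only answer does not hide that the record is not yet public.
$Txt = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue

if ($Txt | Where-Object { $_.Strings -contains $ExpectedRecord }) {
    "Verification record for $Domain is publicly visible; the portal check should now succeed."
} else {
    "Verification record for $Domain is not visible yet. TXT records currently returned:"
    $Txt | ForEach-Object { "  " + ($_.Strings -join ' ') }
}
```

Run it from any machine with internet access; if the expected record shows up here but the portal still refuses to verify, wait a few minutes for Microsoft's own resolvers to catch up rather than re-adding the record.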


AD Connect

Next you need to set up Azure AD Connect on one of your domain controllers. Head over to the following site:

Download and install the AD Connect software.


I am not going to run you through the options around AD Connect, as there are many different ways in which you can deploy it. In this instance I opted to use ADFS and pointed Azure AD Connect to the existing ADFS service I built in previous posts. The wizard to set this up is very straightforward; you will just need service accounts and details of your on-premises ADFS service.

Once installed, open up Azure AD Connect.


Click on Current Settings and you will see your current AD Connect settings.


What's being synchronised.


Finally, your ADFS sync details.


Switch back to your Azure portal and you will see the integration with Active Directory is up and running.


If you switch to your Users tab you will see the admin user you originally set up,


as well as your synchronised local Active Directory user accounts.


Whilst in the Azure portal you will need to add your local admin account to the Azure subscription as a co-admin.

Head over to Settings.


Click on Users/Access and add your local domain account to the subscription as an administrator.


Test Azure AD and Local ADFS Setup

Next you will need to enable forms authentication in ADFS for the intranet zone, so that Citrix Studio can authenticate when adding the hosting location.

Open up the ADFS Management Console.


If you check under Relying Party Trusts you will see that the AD Connect wizard has added a relying party for Microsoft Online.


Let's test logging into Office 365 as a local domain user. Open up the Office 365 login page and log in as a local domain user ( in my case).


Note that I have been redirected to my local ADFS service for authentication.


Once logged in, Azure MFA prompts for a second factor, as I am logging in from an external machine.


All done: authentication is working as expected.


Back in the ADFS Management Console, open up Authentication Methods and enable Forms Authentication for the Intranet location.


That's it for ADFS. You now need to set up the Azure service principal that Citrix Studio will connect with.

Microsoft Azure Service Principal

NOTE: All commands will be listed in this format.

Open up a PowerShell prompt as an administrator from a machine on your local network.

To install the Azure RM PowerShell commands:

Install-Module AzureRM


Log into your Azure account.



When prompted, log in with your subscription admin details.


All logged in!


List all your available subscriptions in Azure.



Select the subscription you want to connect to from Citrix Studio:

Select-AzureRmSubscription -SubscriptionId YOURSUBIDGUID


Set up the 4 variables you will need for the service principal:

$SubscriptionId = "YOUR-SUB-ID"
$ApplicationName = "XenDesktopConnect"   # can be any name without spaces
$ApplicationPassword = "MAKE-UP-A-SECURE-PASSWORD"


Create your Azure AD application:

$AzureADApplication = New-AzureRmADApplication -DisplayName $ApplicationName -HomePage "https://localhost/$ApplicationName" -IdentifierUris "https://$ApplicationName" -Password $ApplicationPassword


Create your service principal:

New-AzureRmADServicePrincipal -ApplicationId $AzureADApplication.ApplicationId


Assign the role to the service principal (note the parameter is -Scope; a typographic dash here will break the command):

New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $AzureADApplication.ApplicationId -Scope /subscriptions/$SubscriptionId
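The steps above work one at a time, but two things trip people up when they are run together: the secret is typed by hand, and the role assignment fails with a "principal not found" style error if it is attempted before the new service principal has replicated. The script below is an added example, not the post's own code, that strings the same calls together with those two points handled and collects every value the Studio wizard later asks for. It assumes the AzureRM module of the time (string -Password, as the post uses), that Login-AzureRmAccount is the sign-in command (the post's own command for this step is not shown), and that Get-AzureRmSubscription exposes the tenant as TenantId; the subscription ID and application name are placeholders.

```powershell
# Added example (not the post's own code): the service-principal steps in one
# script. Assumes the AzureRM module of the time; placeholders are marked.
$SubscriptionId  = "YOUR-SUB-ID"          # placeholder: your subscription GUID
$ApplicationName = "XenDesktopConnect"    # any name without spaces
$RoleName        = "Contributor"          # the role the post assigns

# Generate the client secret from a cryptographic RNG rather than making one up.
$Bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Bytes)
$ApplicationPassword = [Convert]::ToBase64String($Bytes)

# Sign in (a federated user is redirected through ADFS) and select the subscription.
# Assumption: Login-AzureRmAccount is the sign-in cmdlet for this module version.
Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null

# Application and service principal: the same two calls as in the post.
$App = New-AzureRmADApplication -DisplayName $ApplicationName `
        -HomePage "https://localhost/$ApplicationName" `
        -IdentifierUris "https://$ApplicationName" `
        -Password $ApplicationPassword
New-AzureRmADServicePrincipal -ApplicationId $App.ApplicationId | Out-Null

# The new principal can take a few seconds to replicate in Azure AD, so the
# role assignment is retried instead of failing on the first attempt.
$Assigned = $false
for ($Attempt = 0; $Attempt -lt 6 -and -not $Assigned; $Attempt++) {
    try {
        New-AzureRmRoleAssignment -RoleDefinitionName $RoleName `
            -ServicePrincipalName $App.ApplicationId `
            -Scope "/subscriptions/$SubscriptionId" -ErrorAction Stop | Out-Null
        $Assigned = $true
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $Assigned) { throw "Role assignment for $ApplicationName failed after retries." }

# Directory (tenant) ID: the same value AD Connect shows under View Current
# Configuration. Assumption: the subscription object exposes it as TenantId.
$TenantId = (Get-AzureRmSubscription -SubscriptionId $SubscriptionId).TenantId

# Everything the Studio hosting-connection wizard asks for, in one object.
[pscustomobject]@{
    SubscriptionId    = $SubscriptionId
    DirectoryId       = $TenantId
    ApplicationId     = $App.ApplicationId
    ApplicationSecret = $ApplicationPassword   # shown once; keep it in a secret store, not in a script
}
```

Contributor on the whole subscription is what the post grants and is the simplest thing that works; if the catalog's networking, storage and VMs all live in one resource group, the same -Scope parameter accepts a resource-group path (/subscriptions/ID/resourceGroups/NAME), which limits what the stored secret can reach if it is ever exposed.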


So, let's jump over to Citrix Studio and see what's required to add a new hosting connection to Azure RM.


Type to list your subscriptions, and make a note of the subscription ID.



Type the following to get your application ID:



Switch back to your domain controller and open up Azure AD Connect.


Click on View Current Configuration.


You will see your Azure Directory ID listed there.


Add Connection in Citrix Studio

So, it's finally time to add the hosting connection in Citrix Studio and start to create some resources.

Open up Citrix Studio, select Hosting, and click to create a new hosting connection.

Put in the subscription ID you got earlier, give your subscription a description, then click Use Existing.


Your subscription ID will be filled out automatically.


Enter all the other details you got in the prior steps.


Select the region you want the machines to be hosted in (you will have to have set up networking and storage in this region).


Select the network you want the provisioned machines to use.


Click Finish.


Build a Machine Catalog

To build a machine catalog you will need a VM built in Azure with the VDA installed, and it has to be powered off.


Select to create a new machine catalog and select the Server or Desktop OS as appropriate. When prompted, select your new hosting connection.


Browse to the resource group, storage location and VHD, and select the image you created to use as a template.


Finish the wizard and let Azure create the catalog for you.


You can see in the details at the bottom that it is an Azure-hosted MCS catalog.


That's it: all you need to know to set up and configure an Azure RM hosting connection in Studio manually.
