When creating a template for cloning VMs in Microsoft Azure, you need to select an Azure resource group where VM clones will be created. Note that this must be a group to which you granted permissions to the Microsoft Entra ID application. You also need to select a VM size and disk type to be used for cloned VMs. These settings are specified on the Advanced page of the Create Template Wizard.
Both Virtual Desktop and RD Session Host templates can be created with Microsoft Azure as a Provider. When VMs are cloned, you will see them appear in the RAS Console. At the same time, you can also see them in the Microsoft Azure portal.
Note: If there are multiple RAS installations using the same subscription, then the workaround is to change the Provider Agent application read access from subscription level to resource group level or a set of resource groups. This is necessary to avoid a situation when a given Provider Agent intersects with the set of resource groups of another Provider Agent application.
For complete information about creating and using templates, including Microsoft Azure specifics, please see the Templates section.
Organizations using or interested in using Microsoft Azure can provision, scale, and manage VDI and RD Session Host workloads directly from the Parallels RAS console and deploy on to Microsoft Azure using Azure Resource Manager (ARM). Parallels RAS uses a service principal with required permissions on relevant Azure resources (subscription and resource groups) to authenticate, provision and manage the resources.
To use Microsoft Azure as a Provider, you need the following:
An existing Microsoft Azure account and subscription.
The necessary Microsoft Azure providers must be enabled, including Microsoft.ResourceGraph, Microsoft.Resources, Microsoft.Compute, Microsoft.Network.
An ARM virtual network and subnet in your preferred region with connectivity to AD services. Microsoft Entra ID with Active Directory Domain Services (AADDS), Domain Controller in Azure IAAS or hybrid with connectivity to on-premises domain can be used.
Site-to-site VPN or ExpressRoute is required if hybrid RAS deployment is used.
A configured VM to be used for VDI or RD Session Host as a template.
Adding Microsoft Azure as a Provider is a two-step process:
First, you need to create an application in Microsoft Azure to access the resources in your subscription. This step is described in the section.
Once the application is created and registered, you can add Microsoft Azure as a Provider in the Parallels RAS Console. This step is described in .
Read on to learn how to perform the steps above.
To complete the steps below, you must have a Microsoft Azure subscription and account. If you don't have a subscription, you need to purchase one first.
An Microsoft Entra ID application is used with the role-based access control. You need to create an Microsoft Entra ID application to access resources in your subscription from Parallels RAS.
To create an Microsoft Entra ID application:
Log in to the Microsoft Azure portal.
Open the portal menu and select Microsoft Entra ID.
In the left pane, select App registrations.
Click New registration (at the top of the right pane).
The Register an application blade opens.
In the Name field, type a name you want to use for the application.
In the Redirect URI (optional) section, make sure that Web is selected in the drop-down list. Leave the URI field empty.
Click Register (at the bottom left).
The new Microsoft Entra ID app is created and its blade is displayed in the portal.
Note the following app properties, which are displayed at the top of the right pane:
Display name
Application (client) ID*
Directory (tenant) ID*
Object ID*
* Copy and save these properties. You will need to specify them later when adding Azure as a Provider in the RAS Console.
A client secret is a string that the application uses to prove its identity when requesting a token. It essentially acts as an application password. You will need to specify this string in the RAS Console when adding Azure as a Provider.
To create a client secret:
If you are not on the application page anymore, navigate to it from the Home page by selecting Microsoft Entra ID > App registration and then clicking the app in the right pane.
In the left pane, click Certificates & secrets.
In the right pane, click New client secret.
Type a client name and select a desired expiration option.
Click Add. The new client secret appears in the Client secrets list.
IMPORTANT: Copy and save the client secret (the Value column). If you leave this page without copying the secret, it will be hidden and you will not be able to retrieve it later.
The Microsoft Entra ID app that you created must have read and write access to Azure resources. The following instructions demonstrate how to give the application read and write access to a resource group. You can also give access to a specific resource or to your entire Azure subscription. For more information, please see the Microsoft Azure documentation.
To give the app write access to the resource group where new VMs will reside:
In the Azure portal menu, select Resource groups.
Click a resource group where the new VMs will reside.
In the left pane, select Access control (IAM).
In the right pane, locate the Grant access to this resource box and click Add role assignment.
On the Role tab of the Add role assignment page, select Privileged administrator roles, then the Contributor role.
Click Next.
On the Members tab, select the User, group, or service principal option.
Click on the Select members link and enter the name of the previously created application in the Select field. Select the application in the drop-down list and click Select.
Click Next.
On the Review + assign tab, confirm that the configuration is correct and click Review + assign.
To give the app read access to the resource group:
Repeat steps 1-4 from the list above.
On the Role tab of the Add role assignment page, select Job function roles, then the Reader role.
Repeat steps 6-10 from the list above.
Note: If you would like to give the application read access to your entire subscription (not just a specific resource groups), select All services in the Azure portal menu, then navigate to Categories > All > Subscriptions and select your subscription. Select Access control (IAM) in the middle pane and click Add in the Add a role assignment box. Repeat steps 2-4 from the list above.
When you'll be adding Microsoft Azure as a Provider in the RAS Console, you will need to specify your Azure subscription ID. If you don't remember it, here's how to find it in the Microsoft Azure portal:
In the portal menu, choose All services.
In the Categories list, click All.
In the right pane, click Subscriptions.
Click a subscription and then copy and save the value from the Subscription ID field.
When you complete all of the above steps, you should have the following values saved and ready to be used to add Microsoft Azure as a Provider in the RAS Console:
App (client) ID: Application ID.
Directory (tenant) ID: Tenant ID.
Client secret: Client secret (application key).
Subscription ID: Your Microsoft Azure subscription ID.
Read on to learn how to add Microsoft Azure as a Provider in the RAS Console.
To add Microsoft Azure as a Provider:
In the RAS Console, navigate to Farm > Site > Providers.
On the Providers tab, click Tasks > Add > Microsoft Azure.
The Add Cloud Computing wizard opens.
In the wizard, specify the following:
Name: Name of the provider.
Description: Description of the provider.
Manage credentials: the administrative accounts that will be used to deploy Parallels Agents.
Authentication URL: Prepopulated with the Microsoft authentication site URL. Unless otherwise required or indicated, keep the default value provided.
Management URL: Prepopulated with the Microsoft Azure management site URL. Unless otherwise required or indicated, keep the default value provided.
Resource URI: Prepopulated with the Microsoft Azure resource URI. Unless otherwise required or indicated, keep the default value provided.
Tenant ID: The "Directory (tenant) ID" value of the Microsoft Entra ID app that you created earlier.
Subscription ID: Your Microsoft subscription ID.
Application ID: The "App (client) ID" value of the Microsoft Entra ID app that you created earlier.
Application key: The "Client secret" value of the Microsoft Entra ID app that you created earlier.
Click the Advanced Settings link to open a dialog where you can configure the following optional settings:
Use dedicated Provider Agent: When this option is cleared (default), the built-in RAS Provider Agent will be used. If you want to use a dedicated RAS Provider Agent, select this option and specify the host FQDN or IP address.
Agent address: This option becomes enabled if you select the option above it. Specify the FQDN or IP address of the host where the RAS Provider Agent is (or will be) installed. This can be either a physical box or virtual machine.
Preferred Connection Broker: Select a RAS Connection Broker to be the preferred agent for this Provider. For more info, see Enabling high availability for VDI.
Click Next. The wizard will display the new Provider information and will indicate the RAS Provider Agent status. If everything is OK, click Finish to exit the wizard. If something is not as expected, click Back and correct any mistakes if necessary.
The new Provider will now appear on the Providers tab in the RAS Console. Complete the Provider addition as follows:
Click Apply to apply the changes.
Verify the value of the Status column. If it's anything other than OK, right-click the Provider and choose Troubleshooting > Check agent. Verify the agent status and install it if necessary, then click OK. The Status column on the Providers tab should now say OK.
To view and modify the Provider configuration, right-click it and choose Properties. In the dialog that opens, view and modify the Provider properties.