Granting users access to Azure RemoteApp is done by adding them as users to an Azure RemoteApp collection. There are two ways to do this: adding single users through the Azure portal, or using the bulk user import based on a CSV file. Both options have to be executed from the Azure portal. Unfortunately, out of the box it is not possible to use an Active Directory group to grant access to Azure RemoteApp. Freek Berson has written a PowerShell script that gives you this functionality; you can find the link at the end of this blog post. In this blog post I want to focus on syncing an Azure Active Directory group with Azure RemoteApp through Azure Automation. Since AD Sync is enabled in a hybrid scenario, you can also use an on-premises AD group, which is synced to Azure Active Directory, as your source. I like the idea of using cloud technology where possible, which is why I created this solution.
The goal of this Azure Automation runbook is that the members of an on-premises Active Directory group are automatically synced to the Azure RemoteApp collection. The steps below describe how to add the runbook to Azure Automation and configure all the settings needed to use it. Note that this is the first working version of the runbook and I have some great ideas for future releases, but for now the main part (syncing users) works. This runbook currently only works with hybrid Azure RemoteApp collections!
- Download the Runbook from this location: http://1drv.ms/1HjEA9r
- Import the runbook into your Azure Automation account by using the Import option:
- In the runbook I'm using a combination of AzureResourceManager and AzureServiceManagement cmdlets, so both modules need to be available. If you haven't uploaded the AzureResourceManager module yet, you have to do that first. This is well described here.
- The next step is to create a Windows PowerShell Credential asset with your Azure account. It's important that you use the following name for this credential: 'Azure_Subscription', because the runbook retrieves it by that name.
- Now we are ready to test the imported runbook. This can be done by going to the Runbook > Author > Draft.
- You can now click on Test, which will start a test run of the runbook. The runbook has two mandatory parameters which need to be entered before it starts: 'AD_Group' must be filled with the name of your Active Directory group, and 'RA_Collection' with the name of your Azure RemoteApp hybrid collection.
- When you have confirmed that the runbook works in your environment you can publish and schedule it. You can publish the runbook by selecting this action in the bar below.
- When published, you can create a schedule for this runbook by going to 'Schedule' and clicking 'Link to a New Schedule'.
- Give the schedule a name and description.
- Configure the schedule.
- Configure the parameters again and click the Finish icon.
- You will see that the schedule is saved and enabled.
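As an added example (not the author's runbook, whose download link is above), here is how such a runbook can be put together as a PowerShell script runbook that uses the 'Azure_Subscription' credential asset and the two parameters from the steps above. The cmdlet names and output properties it relies on (Switch-AzureMode, Add-AzureAccount, Get-AzureADGroup, Get-AzureADGroupMember, Get-AzureADUser, Get-/Add-/Remove-AzureRemoteAppUser, and the Name property of Get-AzureRemoteAppUser output) are those of the 2015-era Azure PowerShell modules and are assumptions of this example, not something the post confirms. It also adds two things the post says the first version lacks: it logs every add and remove to the job output, and it defaults to a dry run and refuses to act when the source group resolves to no members, so a mistyped group name cannot empty the collection.

```powershell
<#
  Sync-RemoteAppCollection.ps1 - hypothetical PowerShell script runbook (added example,
  not the runbook the post links to). Assumptions:
    - a Credential asset named 'Azure_Subscription', as the post requires
    - 2015-era Azure PowerShell: Switch-AzureMode, Add-AzureAccount,
      Get-AzureADGroup / Get-AzureADGroupMember / Get-AzureADUser (AzureResourceManager mode)
      and Get-/Add-/Remove-AzureRemoteAppUser (AzureServiceManagement mode)
    - Get-AzureRemoteAppUser exposes the user's UPN in its Name property
#>
param(
    [Parameter(Mandatory = $true)][string]$AD_Group,
    [Parameter(Mandatory = $true)][string]$RA_Collection,
    # Dry run by default: the post warns that the real runbook deletes without warning.
    [bool]$DryRun = $true
)

# Pure comparison step: case-insensitive set difference in both directions.
function Get-MembershipDelta {
    param([string[]]$Desired, [string[]]$Current)
    $desiredSet = @($Desired | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    $currentSet = @($Current | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
    # Safety net: an empty or unresolvable source group must never empty the collection.
    if ($desiredSet.Count -eq 0) {
        throw "Source group resolved to zero members; refusing to remove every user from the collection."
    }
    [pscustomobject]@{
        ToAdd    = @($desiredSet | Where-Object { $currentSet -notcontains $_ })
        ToRemove = @($currentSet | Where-Object { $desiredSet -notcontains $_ })
    }
}

$cred = Get-AutomationPSCredential -Name 'Azure_Subscription'
if (-not $cred) { throw "Credential asset 'Azure_Subscription' not found in this Automation account." }

# 1. Resolve the group's members to UPNs (Azure AD cmdlets live in AzureResourceManager mode).
Switch-AzureMode -Name AzureResourceManager
Add-AzureAccount -Credential $cred | Out-Null
$group = @(Get-AzureADGroup -SearchString $AD_Group | Where-Object { $_.DisplayName -eq $AD_Group })
if ($group.Count -ne 1) { throw "Expected exactly one group named '$AD_Group', found $($group.Count)." }
$desired = @(Get-AzureADGroupMember -GroupObjectId $group[0].Id |
    Where-Object { $_.Type -eq 'User' } |                         # skip nested groups / service principals
    ForEach-Object { (Get-AzureADUser -ObjectId $_.Id).UserPrincipalName })

# 2. Read the collection's current users (RemoteApp cmdlets live in AzureServiceManagement mode).
Switch-AzureMode -Name AzureServiceManagement
Add-AzureAccount -Credential $cred | Out-Null                       # re-authenticate after the mode switch
$current = @(Get-AzureRemoteAppUser -CollectionName $RA_Collection | ForEach-Object { $_.Name })

# 3. Compute and apply the delta, logging every change so the job history shows who was touched.
$delta = Get-MembershipDelta -Desired $desired -Current $current
Write-Output ("Collection '{0}': {1} current, {2} desired, {3} to add, {4} to remove" -f `
    $RA_Collection, $current.Count, $desired.Count, $delta.ToAdd.Count, $delta.ToRemove.Count)

foreach ($upn in $delta.ToAdd) {
    Write-Output "ADD    $upn"
    if (-not $DryRun) { Add-AzureRemoteAppUser -CollectionName $RA_Collection -Type OrgId -UserUpn $upn }
}
foreach ($upn in $delta.ToRemove) {
    Write-Output "REMOVE $upn"
    if (-not $DryRun) { Remove-AzureRemoteAppUser -CollectionName $RA_Collection -Type OrgId -UserUpn $upn }
}
if ($DryRun) { Write-Output "Dry run: no changes applied. Re-run with DryRun = `$false to apply." }
```

Run it from Author > Draft > Test with DryRun left at $true first: the job output then lists exactly which UPNs would be added and removed, which is the check you want before linking the runbook to a schedule with DryRun set to $false. Keeping the comparison in its own function (Get-MembershipDelta) also lets you unit-test the add/remove logic locally with two string arrays, without touching Azure at all.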
The result is that you now have an automated solution for syncing your Active Directory group with your Azure RemoteApp collection membership. Note that this version of the runbook does not have any logging or notification about which users are added or removed. This will be the first feature I add in the next version.
A warning to end with: this runbook will add or delete users from your Azure RemoteApp collection without any warnings, so please test it in your test environment first.
If you have feedback about the Runbook or the Solution please let me know!
Link to the on-premises PowerShell solution:
Manage users in Azure RemoteApp based on Active Directory groups, with PowerShell!
by Freek Berson
Trying to make this work on our environment that has the Multifactor Authentication enabled on Azure, do you know if this will work?
I've read somewhere that this would not work at the moment, but from my own experience I cannot confirm this. Have you tried using the AppPassword?
Regards, Arjan
Hello Arjan,
unfortunately the link to the Runbook (http://1drv.ms/1HjEA9r) doesn’t work anymore. Could you share it once again?
The correct link is: https://onedrive.live.com/redir?resid=7E81C7B870C3FA63!17505&authkey=!AIEwG8146NcISsA&ithint=file%2czip
Regards, Arjan