This is a feature many have been waiting for! What is it all about? Consider the following scenario. You have created an Azure RemoteApp collection housing several applications. You provide access to this Azure RemoteApp collection to your users. These users could be working in several departments, and based on their role or persona require different sets of applications. An important caveat to realize is that currently all users who have been granted access to an Azure RemoteApp collection will see all application published in that collection! And of course this does not mean that you cannot prevent users from actually opening that application. Using technologies like i.e. AppLocker you would be able to prevent users from starting an application. However, users will still see all the applications in their Azure RemoteApp client and, all of the applications will be placed in the users local Start Menu (for Windows clients). Not an easy task to explain this to your end users.
Microsoft has listened to this feedback, functionality is in private preview now to publish specific RemoteApp application to specific users within a single Azure RemoteApp collection!
How does it work?
Currently the feature can only be configured using PowerShell, the functionality is not available in the Azure Portal yet. I'm guessing we'll see this after Azure RemoteApp will become available in the new Azure Portal.
Open Azure PowerShell and connect to you Azure subscription. If you have not performed this before, check out this guide.Use Windows PowerShell cmdlets with Azure RemoteApp
Run the following command Get-AzureRemoteAppCollection <collectioname>. This command outputs the current configuration of your collection. The Aclevel parameter shows the current mode of the Azure RemoteApp collection.
A collection can be set into one of two modes:
- The mode “collection mode”, is the mode where all users in a collection can see all published applications. This is the default setting
- The mode “application mode”, ”, is the mode where users only see applications that have been explicitly assigned to them. This is the new mode that is blog post is about.
Switching modes to application mode is easy. Run the command
Set-AzureRemoteAppCollection -CollectionName <collection> -AclLevel Application
After running this command, initially all users will see all of the original published apps. Let's now start to assign a specific application to specific users. The first step is to get the currently published applications. This can be achieved by running the command
Get-AzureRemoteAppProgram -CollectionName <collection> | ft alias,name
Now, to remove a specific application for a specific user we run the command Remove-AzureRemoteAppUser -CollectionName <collection> -UserUpn <UPN> -Type OrgId -Alias <App Alias>
That's it! In this example we now have removed Outlook 2016 for the user rdstest. This happens instantly. If the user refreshed the Azure RemoteApp client, the changes are reflected immediately.
Before the command
After running the command:
And of course, if we check out the Azure Portal we'll still see Outlook 2016, it will still be visible for all other users.
To check what other users still do have access to this application, use the command
Get-AzureRemoteAppUser -CollectionName <collection> -Alias <App Alias>
Again, do realize that is not in any way a security mechanism. It does not prevent users to start the application in another way. To accomplish this use technologies like i.e. Microsoft AppLocker.
The approach of these PowerShell commands, removing users from seeing a certain application, is of course slightly different to a more common approach where you assign specific users (or a specific group) to an application in stead of assigning the application to all users and remove access for specific users. For the end user the result is the same of course, and, with some PowerShell scripting you should be able to configure assignments based on group membership. These new PowerShell commands however are a great first step!
This new functionality also opens doors for vendors like Unidesk and FSLogix that provide application layering. If you combine this new functionality with Application Layering you can remove certain applications from Azure RemoteApp and also completely prevent users from launching that application using other ways.
Being able to show users only the application they need is a heavily requested feature. The feature is currently available as a “private preview” to selected customers who have opted in. If you are interested in trying it out early, please let Microsoft know via this survey.