Windows 365: Cloud PC user request process — first-party approach
Introduction
This is an addition to the Windows 365 series on my blog where I want to show a practical approach for a Cloud PC request process with Microsoft built-in products.
🎯 Challenge/goal: A Windows 365 Cloud PC needs a monthly license. You want to give your end users the option to request a Cloud PC, using only Microsoft cloud products & features.
🏆 Benefits:
- User self-service approach
- Save license costs by only providing Cloud PCs to users who need one
- Integrated approval process
- Review if Cloud PCs are still needed by Access Reviews
- Reduced effort for IT, by automation
Process idea
The process involves just a few steps. For the end user it should be simple and fast. The involved technology covers:
- Access Packages from Identity Governance — a set of resources (in our case a license-enabled Entra security group) that end users can request at https://myaccess.microsoft.com/
- Entra — used for the identities & groups
- Windows 365 — Cloud PC
- Intune — Managing the Windows 365 Cloud PC, including provisioning through a policy
Requirements
Before you get started with the technical setup, make sure you meet these prerequisites:
- Entra ID Plan 2
- Windows 365 license (any that you want)
- Entra security group > assign the Windows 365 license to it
- Global Administrator role, Identity Governance Administrator role, catalog owner, or access package manager
Setup
Let’s start with the setup of the solution. It involves:
- Entra group license enabled -> where requestors are added and automatically get a Windows 365 license
- Provisioning policy -> the group from above is assigned, so every time a new member gets added, it will provision a personal Cloud PC
- Access package -> the package that the end user can request to be added to the group
Entra group license enabled
- Create a new security group in Entra
- Add a Windows 365 license to it
Assign to provisioning policy
Add the previously created group to a Windows 365 Provisioning Policy. Learn how to create a Provisioning Policy
Access package
1. Go to Entra > Identity Governance > Entitlement management > Access packages and create a new Access package
2. Name the Access package and give it a description (it will be shown to the end user); optionally add it to a Catalog
3. Go to Resource roles, choose “Groups and Teams” and add the previously created group (make sure to enable the checkbox to see all groups)
4. Configure the role as “Member”
5. Choose who can request access
6. Optional: set up the approval of the package, meaning that someone has to approve the request before it gets granted
7. Enable new requests, so end users can request this package from the My Access Portal
8. Optional: Edit the requestor information
9. Choose the Lifecycle options, e.g.:
- Expiration: if you want the access package to be temporary and expire after some time
- Access Reviews: someone (the user themselves, or another person) must review whether the access package is still needed
⚠️ Both of these settings require additional processes and configuration. Make sure you configure and align them according to your organizational needs.
10. Validate and create the Access Package, now it should be visible for end users 🚀
End user perspective
The end user can now follow these steps to get their Cloud PC:
- Open myaccess.microsoft.com
- Go to the available Access Packages and request it, fill out the information needed
- Wait 🕐 approximately 60 minutes until the background processes are done (⚠️ if you set up approvals, the approval is needed before the background processes are started)
Approvers perspective
- The approver can process approvals at myaccess.microsoft.com under Approvals.
- There they can see all pending requests. They need to click on “Review” and then choose whether to Approve or Deny the request. (If approved, the background processes will start.)
Background processes
The background processes involve everything needed for the Cloud PC creation. All of it should happen automatically.
- The user is added to the license-enabled group, meaning the user is now licensed for Windows 365
- The provisioning policy creates a new Cloud PC for the user
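
Because group membership alone triggers licensing and provisioning, a user added to the group directly never passes through the request and approval steps. The following added example (not part of the original post) reconciles the group against the access package's delivered assignments with the Microsoft Graph PowerShell SDK; the two display names are placeholders and the script assumes the SDK modules are installed.

```powershell
# Added example: compare members of the license-enabled group with the
# delivered assignments of the access package.
# Requires Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance.
# Both display names are placeholders (assumptions): replace with your own.
$GroupName   = '<license-enabled group name>'
$PackageName = '<access package name>'

# Read-only scopes are sufficient for this check.
Connect-MgGraph -Scopes 'EntitlementManagement.Read.All', 'GroupMember.Read.All'

$group   = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
$package = @(Get-MgEntitlementManagementAccessPackage -Filter "displayName eq '$PackageName'")
if ($group.Count -ne 1 -or $package.Count -ne 1) {
    throw 'Expected exactly one group and one access package with these names.'
}

# Object IDs of everyone currently in the group (and therefore licensed).
$memberIds = @(Get-MgGroupMember -GroupId $group[0].Id -All | ForEach-Object Id)

# Object IDs of users whose access package assignment has been delivered.
$assignedIds = @(
    Get-MgEntitlementManagementAssignment -AccessPackageId $package[0].Id `
        -ExpandProperty target -All |
        Where-Object State -eq 'delivered' |
        ForEach-Object { $_.Target.ObjectId }
)

# In the group without a delivered assignment: added outside the request process.
$memberIds | Where-Object { $_ -notin $assignedIds } | ForEach-Object {
    [pscustomobject]@{ ObjectId = $_; Finding = 'Member without access package assignment' }
}

# Delivered assignment but not in the group: membership was removed or not applied.
$assignedIds | Where-Object { $_ -notin $memberIds } | ForEach-Object {
    [pscustomobject]@{ ObjectId = $_; Finding = 'Assignment without group membership' }
}
```

An empty result means every licensed member arrived through the access package. Any "Member without access package assignment" row is a user who holds a Windows 365 license without an approved request and is not covered by the package's expiration or Access Review settings.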