Windows 365: Cloud PC user request process — first-party approach

4 min readFeb 20, 2024

Introduction

This is an addition to the Windows 365 series on my blog where I want to show a practical approach for a Cloud PC request process with Microsoft built-in products.

🎯 Challenge/goal: Windows 365/a Cloud PC needs a monthly license. You want to provide your end users with the option to request a Cloud PC. To achieve this, only Microsoft cloud products & features should be used.

🏆 Benefits:

User self-service approach
Save license costs by only providing Cloud PCs to users that need it
Integrated approval process
Review if Cloud PCs are still needed by Access Reviews
Reduced effort for IT, by automation

Process idea

The process involves just a few steps. For the end user it should be simple and fast. The involved technology covers:

Access Packages from Identity Governance — these are a set of resources (for our case a license enabled Entra security group) that can be requested by end users on https://myaccess.microsoft.com/
Entra — used for the identities & groups
Windows 365 — Cloud PC
Intune — Managing the Windows 365 Cloud PC, including provisioning through a policy

Requirements

Before you can get started with the technical setup, make sure you meet this prerequisites:

Entra ID Plan 2
Windows 365 license (any that you want)
Entra security group > assign the Windows 365 license to it
Global Administrator role, Identity Governance Administrator role, catalog owner, or access package manager

Setup

Let’s start with the setup of the solution. It involves:

Entra group license enabled -> where requestors are added and automatically get a Windows 365 license
Provisioning policy -> the group from above is assigned, so every time a new member gets added, it will provision a personal Cloud PC
Access package -> the package that the end user can request to be added to the group

Entra group license enabled

Create a new security group in Entra
Add a Windows 365 license to it

Assign to provisioning policy

Add the previously created group to a Windows 365 Provisioning Policy. Learn how to create a Provisioning Policy

Access package

Go to Entra > Identity Governance > Entitlement management > Access packages and create a new Access package
Name the Access package and give it a description (will be shown to the end user), optionally add it to a Catalog
Go to Resource roles and add a “Groups and Teams” add the previously created group (make sure to enable the checkbox to see all groups)
Configure the role as “Member”

5. Choose who can request access

6. Optional: set up the approval of the package, meaning that someone has to approve the request before it gets granted

7. Enable new requests, so end users can request this package from the My Access Portal

8. Optional: Edit the requestor information

9. Choose the Lifecycle options, e.g.;

Expiration: if you want that the access package is only temporary and expires after some time
Access Reviews: Someone (self, or another person) must review if the access package is still needed

⚠️ Both of these settings require additional processes and configuration, please make sure you configure and align them accordingly to your organizational needs.

10. Validate and create the Access Package, now it should be visible for end users 🚀

End user perspective

The end user can now follow these steps to get his Cloud PC:

Open myaccess.microsoft.com
Go to the available Access Packages and request it, fill out the information needed
Wait 🕐 approximately 60 minutes until the background processes are done (⚠️ if you set up approvals, the approval is needed before the background processes are started)

Approvers perspective

The approver can process approvals at myaccess.microsoft.com under Approvals.
There he can see all pending requests. He needs to click on “Review” and then choose whether to Approve or Deny the request. (If approved, the background processes will start)