National Gas has completed a sweeping digital transformation, building an entirely new Azure-based IT environment from scratch following its separation from National Grid in 2023. The UK gas transmission operator partnered with Capgemini to deploy a greenfield Microsoft Azure ecosystem anchored by Azure Virtual Desktop (AVD) in a single-session configuration, a move designed to provide developers, data scientists, and third-party vendors with secure, automated virtual desktop infrastructure (VDI).
When a business divests from a larger parent, it’s not just a legal separation—it’s an IT rebuild. Shared services, identity systems, security policies, and hundreds of applications must be rearchitected from the ground up. For National Gas, which now owns and operates the 7,660-kilometer high-pressure gas transmission network across Great Britain, the need for a clean, scalable, and secure digital foundation was immediate.
The Divestiture Challenge
National Gas’s prior IT landscape was deeply intertwined with National Grid’s, from Active Directory forests to network hardware. Post-divestiture, the company faced a zero-day scenario: stand up a completely independent IT operation that could support over 1,500 employees, hundreds of external partners, and critical operational technology (OT) systems. The risk of data leakage, service outages, and compliance gaps was acute.
Capgemini, a Global Elite Microsoft partner, was brought in to design and deliver the new environment. The decision to go greenfield on Azure, rather than lift-and-shift or build an on-premises data center, reflected both urgency and a strategic bet on cloud agility. Azure Virtual Desktop emerged as the cornerstone for end-user computing, enabling a modern, centrally managed VDI solution that could be spun up in weeks, not months.
Why Single-Session AVD?
While multi-session Windows 10/11 is a common AVD deployment for office workers, National Gas chose single-session VMs for its power users. Developers and data scientists require dedicated compute resources, administrative access, and the freedom to install specialized tooling without impacting others. Single-session AVD provides each user with a full, isolated Windows 11 virtual machine, delivering the performance and flexibility of a physical workstation with the security and management benefits of the cloud.
“They needed a true personal desktop experience in the cloud,” explained a Capgemini solutions architect close to the project. “Single-session VDI gives them that, while still allowing the IT team to apply policy, patch, and protect at scale.” The use case also extends to vendors and external contractors who need temporary, tightly controlled access to internal systems. With single-session VMs, National Gas can grant just-in-time access, enforce conditional use policies, and retire VMs immediately when engagements end.
Automated Provisioning and Identity with Entra ID and Intune
The environment was designed for zero-touch provisioning. Using Azure Resource Manager (ARM) templates, Azure DevOps pipelines, and custom PowerShell scripts, the team automated VM creation, OS customization, application installation, and Entra ID join. New AVD session hosts are automatically enrolled into Microsoft Intune, applying security baselines, configuration profiles, and compliance policies before users ever log on.
National Gas adopted a cloud-first identity model with Microsoft Entra ID (formerly Azure AD) as the single identity provider. No on-premises domain controllers were deployed, eliminating legacy dependencies. All users—employees, partners, and vendors—are managed through Entra ID, with role-based access control (RBAC), conditional access, and multi-factor authentication (MFA) enforced universally. This “identity-as-the-perimeter” approach is critical for a company that must simultaneously support internal knowledge workers and external third parties without exposing its core network.
“The synchronization of users from Workday into Entra ID, the automatic provisioning of an AVD VM, and the assignment of the desktop icon to their Remote Desktop client is fully automated,” noted a National Gas IT leader in a project retrospective. “A new starter’s desktop is ready before they walk in the door—or, more accurately, before they open their laptop.”
Securing Vendor Access Without a VPN
One of the most compelling scenarios for single-session AVD at National Gas is vendor access. Traditionally, granting a contractor access to internal systems meant VPN clients, firewall rules, and domain-joined laptops—a security nightmare. With AVD, National Gas publishes desktops to Entra-managed external identities. Vendors connect via the Remote Desktop client or the HTML5 web client, with no need for a VPN connection into the corporate LAN.
Data scientists working on gas flow models and predictive analytics can run heavy workloads on GPU-backed Azure NV-series VMs, securely accessed from any device. All data stays within the Azure boundary; nothing is cached on the endpoint. Intelligent security monitoring feeds activity logs into Microsoft Sentinel, alerting on anomalous patterns like data exfiltration attempts or unusual off-hours logins.
This architecture also simplifies compliance with the UK’s Network and Information Systems (NIS) Regulations, which impose strict cybersecurity requirements on critical infrastructure operators. By keeping the desktop and data together in Azure’s UK South region, National Gas maintains full data residency and auditability.
Performance and User Experience
A common critique of VDI is that “virtual” feels sluggish. For National Gas, Capgemini engineered a performance-first approach. Session hosts are right-sized for targeted workloads—D-series VMs for developers, memory-optimized E-series for data scientists, and GPU-enabled NVv4 instances for visualization tasks. FSLogix profile containers ensure fast logon times and persistent user settings across reboots.
To optimize latency, especially for users in remote gas terminals across the UK, the deployment leverages Azure’s global network backbone and RDP Shortpath for managed networks. Early feedback from users highlights desktop responsiveness that rivals on-premises workstations, even for demanding CAD and GIS applications used in pipeline management.
“The team spent a lot of cycles on image engineering,” the Capgemini architect said. “They built modular, layered images using Azure Image Builder, which allows base OS images to be patched weekly, application layers quarterly, and a separate layer for per-user tooling. It’s a CI/CD pipeline for desktops.”
Business Continuity and Scalability
Beyond daily productivity, single-session AVD gives National Gas a powerful business continuity capability. If a gas terminal floods or loses connectivity, on-site staff can switch to AVD from a smartphone and remain operational. The cloud footprint can also scale elastically during winter demand peaks, when more analysts and engineers are monitoring pipeline integrity. Session hosts can be pre-provisioned and deallocated via auto-scaling rules, keeping costs predictable while ensuring capacity.
Financially, the move to a greenfield Azure VDI aligns with CapEx-to-OpEx transformation goals. Instead of buying hundreds of high-end workstations with a 4-year refresh cycle, National Gas pays monthly for what it uses, with the flexibility to downsize or switch VM families as compute needs evolve.
Lessons from the Trenches
Any greenfield project of this scale comes with lessons. For National Gas, the biggest learning was around change management. Shifting employees from a familiar physical desktop paradigm to a cloud-native one required robust communication, early champion programs, and continuous feedback loops. The IT team ran weekly “Ask Me Anything” sessions and published step-by-step guides that turned skeptics into advocates.
On the technical side, strict network security groups (NSGs) and Azure Firewall rules initially blocked necessary RDP ports, causing connectivity issues during pilot phases. Once fine-tuned, the architecture proved stable and secure. The team also discovered that some legacy OT applications required specific .NET Framework versions or registry tweaks, which were baked into the golden image via PowerShell Desired State Configuration (DSC).
Capgemini’s deep knowledge of Azure landing zones—pre-configured blueprints for governance, security, and operations—accelerated the deployment. National Gas adopted the Enterprise-Scale landing zone architecture, ensuring consistent resource organization, policy enforcement, and cost management from day one.
The Road Ahead
National Gas continues to refine its AVD estate, exploring Windows 365 Cloud PCs for more standard knowledge worker roles to complement the single-session VDI. The IT team is also evaluating Azure Virtual Desktop for Azure Stack HCI to support disconnected edge scenarios—where pipeline monitoring stations have intermittent connectivity but still need local desktop access.
As the UK’s energy sector evolves, National Gas’s digital foundation positions it to adapt quickly. New partners can be onboarded within hours, not days, and new applications can be delivered to users through automated pipelines that stitch together Azure DevOps, AVD image updates, and Intune application deployment.
The project stands as a blueprint for other divested critical infrastructure operators: start with identity, automate relentlessly, and treat desktops as ephemeral, policy-driven cloud resources. For National Gas, the divorce from National Grid wasn’t just a legal split—it was the catalyst for a digital rebirth.