Forum Discussion
Seamless SSO According to MS Support
I am in the process of setting up a POC for AVD and followed all the instructions that I have found for enabling Seamless SSO for AVD. We are currently running in hybrid mode and I have created a Server 2025 with the latest patches. When I attempt to sign in via the web or Windows App, I sign in to the web interface or the app and I am presented with the desktops. I launch a desktop and it prompts me for a user and pass (the user is pre-populated).
My understanding is that this should not happen. It should seamlessly sign in. (This would cause issues with our users not using passwords.) I contacted Microsoft support and they state that this is by design. They stated this is how it operates in their lab.
Can someone clarify, if I sign into Windows app or the web, that my authentication should seamlessly sign me into the AVD server I have published?
Thanks
2 Replies
Microsoft’s official documentation indicates that Azure Virtual Desktop (AVD) Single Sign-On (SSO) with Microsoft Entra ID is supported; however, in hybrid environments the experience is not fully seamless. Even with SSO enabled, you may still encounter credential prompts when initiating a session host, depending on the authentication flow and whether passwordless or token-based sign-in methods are in place.
Connect to Azure Virtual Desktop | Azure Docs
- RobYoungIron Contributor
I have not come across any documentation that specifically states that seamless SSO is unsupported in a hybrid environment.
In the document Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID - Azure Virtual Desktop | Microsoft Learn
It does state that:
If you enable single sign-on on Microsoft Entra hybrid joined session hosts without creating a Kerberos server object, one of the following things can happen when you try to connect to a remote session:
You receive an error message saying the specific session doesn't exist.
Single sign-on will be skipped and you see a standard authentication dialog for the session host.
To resolve these issues, create the Kerberos server object, then connect again.
So this tells me that if I meet the required criteria, I can have seamless SSO.
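
Added example, not part of the posts above or of Microsoft's documentation: a PowerShell check for the Kerberos server object that the quoted documentation requires on Microsoft Entra hybrid joined session hosts. It assumes the AzureADHybridAuthenticationManagement module is installed and is run from a domain-joined machine; the domain name and admin UPN are placeholders.

```powershell
# Added example: verify the Microsoft Entra Kerberos server object exists and is in sync.
# Assumes: Install-Module AzureADHybridAuthenticationManagement has already been run.
Import-Module AzureADHybridAuthenticationManagement

$domain        = 'corp.example.com'    # placeholder: on-premises AD DS domain
$cloudAdminUpn = 'admin@example.com'   # placeholder: Microsoft Entra admin UPN
$domainCred    = Get-Credential -Message 'AD DS domain administrator'

try {
    # Prompts for modern authentication as $cloudAdminUpn, then reads both sides.
    $krb = Get-AzureADKerberosServer -Domain $domain `
        -UserPrincipalName $cloudAdminUpn `
        -DomainCredential $domainCred -ErrorAction Stop
}
catch {
    Write-Warning "Lookup failed: $($_.Exception.Message)"
    return
}

if (-not $krb -or -not $krb.Id) {
    # This is the state the documentation describes: SSO is skipped and the
    # session host shows a standard authentication dialog.
    Write-Warning "No Kerberos server object found for $domain."
    Write-Warning "Create it with Set-AzureADKerberosServer (same parameters), then reconnect."
    return
}

# The on-premises object and its cloud counterpart must describe the same key.
$idMatch  = $krb.Id -eq $krb.CloudId
$keyMatch = $krb.KeyVersion -eq $krb.CloudKeyVersion

[pscustomobject]@{
    Domain          = $krb.DomainDnsName
    Id              = $krb.Id
    CloudId         = $krb.CloudId
    KeyVersion      = $krb.KeyVersion
    CloudKeyVersion = $krb.CloudKeyVersion
    KeyUpdatedOn    = $krb.KeyUpdatedOn
    InSync          = ($idMatch -and $keyMatch)
}

if (-not ($idMatch -and $keyMatch)) {
    Write-Warning 'On-premises and cloud Kerberos server objects differ; SSO may fall back to a credential prompt.'
}
```

A missing object or `InSync = False` matches the symptom in the original question (a credential prompt with the user name pre-populated); if the object is present and in sync, the remaining SSO prerequisites in the Microsoft Learn article are the next thing to check.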