Windows Virtual Desktop Announcements at Microsoft Ignite

- Ondrej_Krkoska, Mar 11, 2021 (Microsoft)
Hi Quentin.
I recommend following Christiaan's news and events: https://www.christiaanbrinkhoff.com/ Support for AAD was mentioned in one of the previous events and should come in 2021. There are no committed dates, but it should come during the year.

- Philip_doITflex, Mar 04, 2021 (Copper Contributor)
Quentin Gerlach, it is extremely easy to deploy and integrate AADDS for your session hosts and Azure Files enrolment. Additional cost, yes: $100/month for the smallest SKU, which will work for an environment of several hundred users. The SSO option with AD Connect has been around for a few months now and is also really easy to implement; have a look.
- Mar 04, 2021
Again, ease isn't the problem. The problem is that one is in essence going backwards: going to the cloud only, and now embracing legacy methods of domain authentication. And as others have pointed out, this comes with some large caveats.
As for SSO for WVD, as far as I'm aware, this is only supported for AD FS environments: https://docs.microsoft.com/en-us/answers/questions/35827/single-sign-on-with-windows-virtual-desktop-for-of.html If you have an MS doc link or something describing setup of SSO for WVD via PTA/PHS, please share; that would be a great help.

- Philip_doITflex, Mar 04, 2021 (Copper Contributor)
Completely agree, the option of AAD as the only identity source should be available for WVD.
As for end-to-end single sign-on, it is not supported: https://docs.microsoft.com/en-us/azure/virtual-desktop/authentication#single-sign-on-sso
Same sign-on functionality with both PTA/PHS and saving credentials on the client provides the most friction-free experience. Some colleagues resort to AD FS just to ensure on-prem DCs authenticate users, and my point was that for same sign-on, Pass-Through Authentication is often a better option.
- CloudCasper, Mar 04, 2021 (Copper Contributor)
Problems start arising when you have multiple regions to deploy in, as AADDS is single-region and you can only have one per tenant. That means you will have a single point of failure even if you have WVD in multiple regions.
Besides that, it just feels odd to build new in the cloud and then have to rely on on-prem technology. Currently we do AD to AAD to AADDS to WVD, which doesn't feel right... :S

- Philip_doITflex, Mar 04, 2021 (Copper Contributor)
CloudCasper, AADDS multi-region (replica sets) has been around for some time now: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/concepts-replica-sets
As for AD to AAD to AADDS, how much time have you spent on AADDS management (genuine question)? In my experience, the right operational approach with scoped sync makes it pretty much "set and forget".
BTW, I fully agree that the option of AAD as the only identity source for WVD should be available, and it will make a lot of difference for small deployments in particular.
- Tim Settar, Mar 03, 2021 (Copper Contributor)
This!
- TonyCai, Mar 03, 2021 (Copper Contributor)
You can use AADDS if you want that full cloud, true serverless model.
- CloudCasper, Mar 04, 2021 (Copper Contributor)
True, but you can only have one per tenant and it's single-region. Really not a fit for Fortune 500 companies that operate globally with multiple brands.
- Philip_doITflex, Mar 04, 2021 (Copper Contributor)
CloudCasper, I believe the sound assumption from Microsoft friends is that Fortune 500 companies rely on AD and have it in Azure already. One AADDS per Azure AD: yes. Single-region: no, replica sets are available for multi-region.
- Anders Jensen, Mar 03, 2021 (Brass Contributor)
How would you do that?
Isn't AD DS needed for session host domain join?

- Mar 03, 2021
Anders Jensen, nah, Azure AD DS works too. The issue is that essentially this is just a lite version of an on-prem AD environment. There are still servers behind the scenes, and there's quite a bit of expected functionality that doesn't work, things like OU structure, etc.
So again, organizations that have bought into cloud-only infrastructure essentially have to spin up some kind of on-prem infrastructure, whether it's AD using Azure IaaS servers or Azure AD DS. This really defeats the purpose. I should be able to use Azure AD only to handle WVD VMs, just like any other user device can join Azure AD directly.
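A practical check that follows from this exchange: whether a session host is actually Azure AD joined, hybrid joined, or only domain joined (to on-prem AD or to Azure AD DS) is reported by `dsregcmd /status` on the host itself. The PowerShell below is an added example, not code from this thread or from Microsoft: it parses that output into a join-state classification (the `JoinState` labels are this example's own convention; the `AzureAdJoined`, `DomainJoined`, `DomainName` and `TenantName` field names are the ones `dsregcmd` prints). A constructed, abridged sample of the output is embedded so the parser runs without a domain-joined machine; `Get-SessionHostJoinState` runs the real command on Windows.

```powershell
# Added example: classify a Windows host's join state from `dsregcmd /status` output.
# Field names are those printed by dsregcmd; the JoinState labels are this example's own.

function ConvertFrom-DsregStatus {
    param(
        [Parameter(Mandatory)] [string[]] $Lines
    )
    # Collect "   Key : Value" lines into a hashtable. The first occurrence of a key wins,
    # so the Device State section is not overwritten by later sections.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $key = $Matches[1]
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2] }
        }
    }

    $aad    = ($fields['AzureAdJoined'] -eq 'YES')
    $domain = ($fields['DomainJoined']  -eq 'YES')

    if ($aad -and $domain) { $state = 'HybridAzureAdJoined' }   # AD (or AADDS) join plus Azure AD registration
    elseif ($aad)          { $state = 'AzureAdJoined' }         # cloud-only join, no domain controller involved
    elseif ($domain)       { $state = 'DomainJoinedOnly' }      # classic AD or Azure AD DS join
    else                   { $state = 'NotJoined' }

    $domainName = $null
    $tenantName = $null
    if ($domain) { $domainName = $fields['DomainName'] }
    if ($aad)    { $tenantName = $fields['TenantName'] }

    [pscustomobject]@{
        JoinState  = $state
        DomainName = $domainName
        TenantName = $tenantName
    }
}

function Get-SessionHostJoinState {
    # Runs the real command on the local host; Windows only.
    $output = & dsregcmd.exe /status
    ConvertFrom-DsregStatus -Lines $output
}

# Constructed sample (abridged dsregcmd output) standing in for a session host that is
# domain joined to an AD DS / Azure AD DS domain but not Azure AD joined.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

ConvertFrom-DsregStatus -Lines $sample
# Expected: JoinState = DomainJoinedOnly, DomainName = CONTOSO, TenantName = $null
```

Running `Get-SessionHostJoinState` on a host deployed the way the thread describes (AD to AAD to AADDS to WVD) returns `DomainJoinedOnly` or `HybridAzureAdJoined`; only a host that joins Azure AD directly, the model the post above asks for, returns `AzureAdJoined` with no `DomainName`.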
- Tim Settar, Mar 03, 2021 (Copper Contributor)
Try using Intune auto-enrollment with that. True cloud-only is needed with Intune.