Forum Discussion

DavidBelanger
Microsoft
Aug 24, 2022

Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop

Today we’re announcing the Insider preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). With this preview, you can now:

  • Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts
  • Use passwordless authentication to sign in to the host using Azure AD
  • Use passwordless authentication inside the session
  • Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

Getting started

This new functionality is currently available in Insider builds of Windows 11 22H2, available in the Azure Gallery when deploying new session hosts in a host pool.

  • Want a quick overview of the new functionality? Watch this intro video on Azure Academy!
  • To get started with single sign-on, follow the instructions to Configure single sign-on which will guide you in enabling the new authentication protocol.
  • To start using Windows Hello and FIDO2 keys inside the session, follow the instructions for In-session passwordless authentication to use the new WebAuthn redirection functionality.
  • Learn more about the authentication methods supported by Azure Virtual Desktop, including single sign-on, on our Identities and authentication page.

Stay tuned for news about the upcoming public preview which will add support for Windows 10 and current Windows 11 hosts.
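For readers working through the Configure single sign-on and In-session passwordless authentication steps above, here is an added example (not part of the original post, and not Microsoft's own script) that sets the two host pool custom RDP properties those linked pages call for, enablerdsaadauth:i:1 for Azure AD authentication of the RDP connection and redirectwebauthn:i:1 for WebAuthn redirection, without overwriting properties already on the pool. It assumes the Az.DesktopVirtualization module, a session from Connect-AzAccount, and placeholder resource group and host pool names.

```powershell
# Added example, not Microsoft's script: enable the two host pool RDP properties
# the linked docs use for this preview, keeping any properties already set.
# Assumes the Az.DesktopVirtualization module and a Connect-AzAccount session.
# Resource group and host pool names below are placeholders (assumptions).
param(
    [string]$ResourceGroupName = 'rg-avd-test',
    [string]$HostPoolName      = 'hp-avd-test'
)

# enablerdsaadauth:i:1  - Azure AD authentication for the RDP connection (single sign-on)
# redirectwebauthn:i:1  - WebAuthn redirection so Windows Hello / FIDO2 work inside the session
$wanted = @{
    'enablerdsaadauth' = 'i:1'
    'redirectwebauthn' = 'i:1'
}

function Merge-RdpProperties {
    # Parse "key:type:value;key:type:value;" into a table, overlay $Desired, re-serialise.
    param([string]$Existing, [hashtable]$Desired)
    $table = [ordered]@{}
    foreach ($entry in ($Existing -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $parts = $entry.Split(':', 2)          # key, then "type:value"
        if ($parts.Count -eq 2) { $table[$parts[0].Trim()] = $parts[1].Trim() }
    }
    foreach ($k in $Desired.Keys) { $table[$k] = $Desired[$k] }
    $joined = ($table.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';'
    return "$joined;"
}

$pool   = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$before = [string]$pool.CustomRdpProperty
$after  = Merge-RdpProperties -Existing $before -Desired $wanted

if ($before -eq $after) {
    Write-Host "Host pool '$HostPoolName' already has the required RDP properties."
} else {
    Write-Host "Before: $before"
    Write-Host "After:  $after"
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty $after | Out-Null
}

# Read back and confirm each wanted key is present with the wanted value.
$applied = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty
$entries = @($applied -split ';' | ForEach-Object { $_.Trim() })
foreach ($k in $wanted.Keys) {
    if ($entries -notcontains "${k}:$($wanted[$k])") { Write-Warning "Property $k was not applied." }
}
```

The read-back check matters because Update-AzWvdHostPool replaces the whole property string: a typo in the merged value silently drops every other RDP property the pool had. As the replies below make clear, the SSO property only has an effect for session hosts that are Azure AD-joined or Hybrid Azure AD-joined, and at the time of this preview only the Windows client honours it.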

23 Replies

  • DavidBelanger

    Does this support AADDS-joined AVD? Specifically where users sign in with "email address removed for privacy reasons" and the AVD are joined to AADDS "domain.onmicrosoft.com"?

    The key here being joined to Azure AD Directory Services, with users coming in from Azure AD, no Hybrid, no syncing of on-prem users.

    • DavidBelanger
      Microsoft
      NotAnotherUserName Unfortunately not. The single sign-on experience only works when accessing machines known by Azure AD, either Azure AD-joined or Hybrid Azure AD-joined. Since machines joined to Azure AD DS are only Domain Joined with no Azure AD connection, it won't be possible to sign in to them using Azure AD.
    • NotAnotherUserName
      Copper Contributor
      The email removed was just a sample: name at domain.com vs. the domain.onmicrosoft.com for the AVD-joined domain.
  • Roger1175
    Brass Contributor
    I am excited about this feature but the consent prompt for each new server is certainly not ideal. Hopefully, this is something that is being addressed when it reaches Public Preview! It wouldn't be so bad if it was simply a matter of telling users to click "Yes" when it comes up but we are seeing that users also have to authenticate using their password or some other sign-in method. Is there a reason why Seamless SSO does not work for this?

    In the Azure AD sign-in logs we see a sign-in failure saying "The user or administrator has not consented connecting to the target-device: '{identifier}'. Send an interactive authorization request for this user and target-machine." and the user is prompted with a message saying "Because you're accessing sensitive info, you need to verify your password." I have not found any way of getting Seamless SSO to work with this and I am wondering if others are seeing the same issue or there is something I am missing.
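To size the problem Roger1175 describes before the consent prompt is removed, the added example below (not code from the thread or from Microsoft) reads an Azure AD sign-in log export, keeps only failures carrying the "has not consented connecting to the target-device" message, and summarises them per target device so you can see which session hosts are generating prompts and for how many users. The JSON in the script is constructed sample data in the Microsoft Graph signIn shape with made-up device IDs and users; the Get-MgAuditLogSignIn call in the comment is the suggested way to obtain a real export and is an assumption about your tooling.

```powershell
# Added example, not from the thread: triage an Azure AD sign-in log export for
# the consent failure quoted above and summarise it per target device (session host).
# $sampleJson is constructed sample data in the Microsoft Graph signIn shape; the
# device IDs and UPNs are made up. Replace it with a real export, e.g.
#   Get-MgAuditLogSignIn -Filter "appId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'" | ConvertTo-Json -Depth 5
$sampleJson = @'
[
  {"createdDateTime":"2022-09-01T08:12:03Z","userPrincipalName":"alice@contoso.example",
   "appId":"a4a365df-50f1-4397-bc59-1a1564b8bb9c","appDisplayName":"Microsoft Remote Desktop",
   "status":{"failureReason":"Other."}},
  {"createdDateTime":"2022-09-01T08:15:41Z","userPrincipalName":"alice@contoso.example",
   "appId":"a4a365df-50f1-4397-bc59-1a1564b8bb9c","appDisplayName":"Microsoft Remote Desktop",
   "status":{"failureReason":"The user or administrator has not consented connecting to the target-device: '11111111-1111-1111-1111-111111111111'. Send an interactive authorization request for this user and target-machine."}},
  {"createdDateTime":"2022-09-01T09:02:17Z","userPrincipalName":"bob@contoso.example",
   "appId":"a4a365df-50f1-4397-bc59-1a1564b8bb9c","appDisplayName":"Microsoft Remote Desktop",
   "status":{"failureReason":"The user or administrator has not consented connecting to the target-device: '11111111-1111-1111-1111-111111111111'. Send an interactive authorization request for this user and target-machine."}},
  {"createdDateTime":"2022-09-01T09:40:55Z","userPrincipalName":"bob@contoso.example",
   "appId":"a4a365df-50f1-4397-bc59-1a1564b8bb9c","appDisplayName":"Microsoft Remote Desktop",
   "status":{"failureReason":"The user or administrator has not consented connecting to the target-device: '22222222-2222-2222-2222-222222222222'. Send an interactive authorization request for this user and target-machine."}}
]
'@

$pattern = "has not consented connecting to the target-device: '(?<device>[^']+)'"
$signIns = $sampleJson | ConvertFrom-Json

# Keep only the consent failures, pulling the target device ID out of the message text.
$hits = foreach ($s in $signIns) {
    if ([string]$s.status.failureReason -match $pattern) {
        [pscustomobject]@{
            When     = [datetime]$s.createdDateTime
            User     = $s.userPrincipalName
            AppId    = $s.appId
            DeviceId = $Matches['device']
        }
    }
}

# One row per target device: prompt count, distinct users affected, last occurrence.
$summary = $hits | Group-Object DeviceId | ForEach-Object {
    [pscustomobject]@{
        DeviceId = $_.Name
        Prompts  = $_.Count
        Users    = @($_.Group.User | Sort-Object -Unique).Count
        LastSeen = ($_.Group.When | Measure-Object -Maximum).Maximum
        AppIds   = (@($_.Group.AppId | Sort-Object -Unique) -join ',')
    }
} | Sort-Object Prompts -Descending

$summary | Format-Table -AutoSize
```

Matching on the message text rather than an error code keeps the script independent of which code the service attaches to this failure; if the identifier in the message is the session host's Azure AD device ID (an assumption, not stated in the thread), Get-MgDevice -Filter "deviceId eq '<id>'" resolves it to the host name. A sudden jump in distinct device IDs after a host pool refresh or a D/R failover is exactly the pattern the later replies describe.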
    • Eric_Keown
      Copper Contributor
      Roger1175 I am seeing your issue, but only on VMs that we have failed over as part of D/R testing.

      I put a comment in as well to David B asking if there is a missing config to address the D/R AVD once a failover has been triggered for AVD; I have not seen a response yet.

    • DavidBelanger
      Microsoft
      Roger1175 we are working on removing the consent prompt for connections to Azure Virtual Desktop VMs for the reasons you mentioned. We won't consider this feature generally available for pooled environments until we do so. Note that this will not yet be addressed in the upcoming Public Preview which will add support for Windows 10 and Windows 11, as we want to understand if there are other issues that need to be addressed before GA and want to get as much feedback as possible on the feature.
      • Roger1175
        Brass Contributor
        Hoping to hear some good news out of MS Build that this is ready to go generally available!
  • dikkekip20
    Copper Contributor

    DavidBelanger

    First of all, this is great. We were awaiting this feature for some time now.

    Great to see it coming to light. We of course went right ahead and deployed it to our test pool.

    - VM Login AAD only
    - Azure Files AAD only
    - Intune enabled
    - now running 22h2 🙂

    We had a small issue though: we are allowing the Azure Virtual Desktop application outside of the compliant-device policies. However, it seems like the exemption we made for the Enterprise application "Azure Virtual Desktop" doesn't include this; the application is called:

    • Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c), which applies when the user authenticates to the session host when https://docs.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on is enabled.

    https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa

    Please add this to the FAQ 🙂

    Also, I seem to need to give consent for my login on the VM.
    I cannot find the admin consent button for the Enterprise application.
    Please provide instructions on this 🙂

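The gap dikkekip20 ran into, exempting the "Azure Virtual Desktop" enterprise application while the session host sign-in actually uses the "Microsoft Remote Desktop" app ID quoted from the set-up-mfa page, can be audited with the added example below (not code from the thread or from Microsoft). It assumes the Microsoft.Graph PowerShell module and a Connect-MgGraph session with the Policy.Read.All scope, and lists every enabled Conditional Access policy that requires a compliant device and still covers that app ID. Whether to exclude the app or instead bring the client devices into compliance is a policy decision the script leaves to you; it only reports.

```powershell
# Added example, not from the thread: find enabled Conditional Access policies that
# require a compliant device and still apply to the "Microsoft Remote Desktop" app
# (app ID quoted in the post above), i.e. policies an AVD app exclusion does not cover.
# Assumes the Microsoft.Graph module and: Connect-MgGraph -Scopes 'Policy.Read.All'
$RemoteDesktopAppId = 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'

function Test-PolicyCoversApp {
    # $true when the policy's application condition applies to $AppId:
    # included directly or via 'All', and not listed in the exclusions.
    param($Policy, [string]$AppId)
    $apps     = $Policy.Conditions.Applications
    $included = ($apps.IncludeApplications -contains 'All') -or ($apps.IncludeApplications -contains $AppId)
    $excluded = $apps.ExcludeApplications -contains $AppId
    return ($included -and -not $excluded)
}

$policies = Get-MgIdentityConditionalAccessPolicy -All

$findings = foreach ($p in $policies) {
    if ($p.State -ne 'enabled') { continue }                 # ignore disabled / report-only
    $controls = @($p.GrantControls.BuiltInControls)
    if ($controls -notcontains 'compliantDevice') { continue } # only compliant-device policies
    if (Test-PolicyCoversApp -Policy $p -AppId $RemoteDesktopAppId) {
        [pscustomobject]@{
            Policy   = $p.DisplayName
            Id       = $p.Id
            Includes = (@($p.Conditions.Applications.IncludeApplications) -join ',')
            Excludes = (@($p.Conditions.Applications.ExcludeApplications) -join ',')
        }
    }
}

if ($findings) {
    Write-Warning "Compliant-device policies that still apply to app $RemoteDesktopAppId:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No enabled compliant-device policy covers app $RemoteDesktopAppId."
}
```

Report-only policies are skipped on purpose, since they do not block the sign-in; drop the State check if you also want to see what a policy would do once enforced.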
    • deanbox
      Copper Contributor

      dikkekip20 Any updates regarding the consent login on the VM? We are getting the same prompt, which is new.

      Can we give admin consent to this client_id=a85cf173-4192-42f8-81fa-777a763e6e2c so that users won't be bothered with this?

      We already consented server & client app with https://rdweb.wvd.microsoft.com/

      • Deleted
        Any updates on this issue? This behavior currently completely destroys the SSO experience for the end user when connecting to larger host pools or after a host pool refresh.
    • Andrew_Woo
      Iron Contributor
      Does the above work only for Windows?
      How about Mac?
      App: a4a365df-50f1-4397-bc59-1a1564b8bb9c
      The above app is not working for Mac and web.
      • DavidBelanger
        Microsoft
        Hi Andrew, the feature is currently only working using the Windows client. Support for the web client should be available soon. Other clients like macOS, iOS and Android will come later but are in development.
