Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop

Microsoft

Today we’re announcing the Insider preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). With this preview, you can now:

  • Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts
  • Use passwordless authentication to sign in to the host using Azure AD
  • Use passwordless authentication inside the session
  • Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

Getting started

This new functionality is currently available in Insider builds of Windows 11 22H2, available in the Azure Gallery when deploying new session hosts in a host pool.

  • Want a quick overview of the new functionality? Watch this intro video on Azure Academy!
  • To get started with single sign-on, follow the instructions to Configure single sign-on, which will guide you in enabling the new authentication protocol.
  • To start using Windows Hello and FIDO2 keys inside the session, follow the instructions for In-session passwordless authentication to use the new WebAuthn redirection functionality.
  • Learn more about the authentication methods supported by Azure Virtual Desktop, including single sign-on, on our Identities and authentication page.

Stay tuned for news about the upcoming public preview which will add support for Windows 10 and current Windows 11 hosts.

23 Replies

@David Belanger 

First of all, this is great. We were awaiting this feature for some time now.

Great to see it coming to light. We of course went right ahead and deployed it to our test pool.

- VM Login AAD only
- Azure Files AAD only
- Intune enabled
- now running 22h2 :)

We had a small issue, though: we are allowing the Azure Virtual Desktop application outside of the compliant device policies. However, it seems like the exemption we made for the Enterprise application "Azure Virtual Desktop" doesn't include this; the application is called:

  • Microsoft Remote Desktop (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c), which applies when the user authenticates to the session host when single sign-on is enabled.

Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Condition...

Please add this to the FAQ :)


Also, I seem to need to give consent for my login on the VM.
I cannot find the admin consent button for the Enterprise application.
Please provide instructions on this :)

[screenshot attached]
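The gap described in this post (the "Azure Virtual Desktop" enterprise app is exempt from the compliant-device policy, but the "Microsoft Remote Desktop" app that the SSO flow actually authenticates with is not) can be checked mechanically against exported Conditional Access policies. The following is an added example written for this thread, not Microsoft's or the poster's code. It assumes policy objects in the shape of Microsoft Graph conditionalAccessPolicy resources (conditions.applications.includeApplications / excludeApplications, grantControls.builtInControls, state); the policies are constructed inline, and the AVD app id is a labelled placeholder rather than a real value. The Remote Desktop app id is the one quoted above.

```python
"""Added example (not Microsoft's or the poster's code): find Conditional Access
policies that still apply to the "Microsoft Remote Desktop" app after the
"Azure Virtual Desktop" enterprise app has been excluded from them.

Policy objects are constructed in the shape of Microsoft Graph
conditionalAccessPolicy resources. The AVD app id below is a placeholder."""

# App id quoted in the thread: used when the user authenticates to the session
# host with single sign-on enabled.
REMOTE_DESKTOP_APP_ID = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"
# Placeholder standing in for the "Azure Virtual Desktop" enterprise app id.
AVD_APP_ID_PLACEHOLDER = "PLACEHOLDER-AVD-ENTERPRISE-APP-ID"


def policy_applies_to_app(policy: dict, app_id: str) -> bool:
    """True if app_id is in the policy's application scope: included either
    explicitly or via "All", and not listed under excludeApplications."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    exclude = apps.get("excludeApplications") or []
    if app_id in exclude:
        return False
    return "All" in include or app_id in include


def requires_compliant_device(policy: dict) -> bool:
    """True if the grant controls demand a compliant (Intune-managed) device."""
    controls = policy.get("grantControls") or {}
    return "compliantDevice" in (controls.get("builtInControls") or [])


def policies_enforcing_on(policies: list, app_id: str) -> list:
    """Names of enabled policies that require a compliant device and cover app_id."""
    return [
        p["displayName"]
        for p in policies
        if p.get("state") == "enabled"
        and requires_compliant_device(p)
        and policy_applies_to_app(p, app_id)
    ]


def exemption_gaps(policies: list, exempted_app_ids: list,
                   companion_app_id: str = REMOTE_DESKTOP_APP_ID) -> list:
    """Names of enabled policies that exclude at least one of exempted_app_ids
    but still apply to companion_app_id. For the AVD SSO flow this is the gap
    the thread describes: the AVD app is exempt, Remote Desktop is not."""
    gaps = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        apps = (p.get("conditions") or {}).get("applications") or {}
        exclude = apps.get("excludeApplications") or []
        if any(a in exclude for a in exempted_app_ids) and policy_applies_to_app(p, companion_app_id):
            gaps.append(p["displayName"])
    return gaps


def _policy(name: str, exclude: list) -> dict:
    """Build a constructed 'require compliant device for all apps' policy."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"],
                                        "excludeApplications": exclude}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


# Constructed tenant state as the poster described it: only the AVD app is exempt.
POLICIES_BEFORE = [_policy("Require compliant device", [AVD_APP_ID_PLACEHOLDER])]
# The same policy once the Remote Desktop app id has been added to the exemption.
POLICIES_AFTER = [_policy("Require compliant device",
                          [AVD_APP_ID_PLACEHOLDER, REMOTE_DESKTOP_APP_ID])]

if __name__ == "__main__":
    print("before:", exemption_gaps(POLICIES_BEFORE, [AVD_APP_ID_PLACEHOLDER]))  # ['Require compliant device']
    print("after: ", exemption_gaps(POLICIES_AFTER, [AVD_APP_ID_PLACEHOLDER]))   # []
```

Widening the exemption means the session-host sign-in is no longer gated on device compliance at all, so a policy that still requires MFA on the Remote Desktop app (as in the linked Conditional Access article) is worth keeping in place alongside it.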

Does the above work only for Windows?
How about Mac?
App: a4a365df-50f1-4397-bc59-1a1564b8bb9c
The above app is not working for Mac and web.

@Andrew_Woo I think this SSO feature is only working for Windows atm yeah

Hi Andrew, the feature is currently only working using the Windows client. Support for the web client should be available soon. Other clients like macOS, iOS and Android will come later but are in development.

I am excited about this feature but the consent prompt for each new server is certainly not ideal. Hopefully, this is something that is being addressed when it reaches Public Preview! It wouldn't be so bad if it was simply a matter of telling users to click "Yes" when it comes up but we are seeing that users also have to authenticate using their password or some other sign-in method. Is there a reason why Seamless SSO does not work for this?

In the Azure AD sign-in logs we see a sign-in failure saying "The user or administrator has not consented connecting to the target-device: '{identifier}'. Send an interactive authorization request for this user and target-machine." and the user is prompted with a message saying "Because you're accessing sensitive info, you need to verify your password." I have not found any way of getting Seamless SSO to work with this and I am wondering if others are seeing the same issue or there is something I am missing.
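The failure text quoted in this reply (and reported again later in the thread for hosts brought up after a failover) is what an administrator would search the Azure AD sign-in logs for to see how widespread the consent prompt is and which session hosts trigger it. The following is an added example, not Microsoft's code. It assumes records in the shape of Microsoft Graph signIn objects (createdDateTime, userPrincipalName, appId, status.failureReason); the records are constructed inline, the thread gives the failure text but no error code, so matching is on that text, and reading the target device from the quoted '{identifier}' in the message is an assumption about how the message is formatted.

```python
"""Added example (not Microsoft's code): group Azure AD sign-in failures caused
by the missing device consent by target session host and affected user.

Records are constructed in the shape of Microsoft Graph signIn objects. The
failure is recognised by the message text quoted in the thread; the device
identifier is taken from the quoted value in that message (assumption)."""
import re
from collections import defaultdict

# App id quoted earlier in the thread for the SSO sign-in to the session host.
REMOTE_DESKTOP_APP_ID = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"
CONSENT_FAILURE_RE = re.compile(
    r"has not consented connecting to the target-device: '([^']+)'")

CONSENT_MSG = ("The user or administrator has not consented connecting to the "
               "target-device: '{dev}'. Send an interactive authorization request "
               "for this user and target-machine.")

# Constructed sample records (not real log data); device ids are made up.
SIGN_INS = [
    {"createdDateTime": "2022-12-09T08:01:12Z", "userPrincipalName": "alice@contoso.example",
     "appId": REMOTE_DESKTOP_APP_ID, "status": {"errorCode": 0}},
    {"createdDateTime": "2022-12-09T08:03:40Z", "userPrincipalName": "alice@contoso.example",
     "appId": REMOTE_DESKTOP_APP_ID, "status": {"failureReason": CONSENT_MSG.format(dev="dev-westus-01")}},
    {"createdDateTime": "2022-12-09T08:05:02Z", "userPrincipalName": "bob@contoso.example",
     "appId": REMOTE_DESKTOP_APP_ID, "status": {"failureReason": CONSENT_MSG.format(dev="dev-westus-01")}},
    {"createdDateTime": "2022-12-09T09:10:55Z", "userPrincipalName": "bob@contoso.example",
     "appId": REMOTE_DESKTOP_APP_ID, "status": {"failureReason": CONSENT_MSG.format(dev="dev-westus-02")}},
    # Same text but a different application: not part of the AVD SSO flow.
    {"createdDateTime": "2022-12-09T09:12:00Z", "userPrincipalName": "carol@contoso.example",
     "appId": "00000000-0000-0000-0000-000000000000", "status": {"failureReason": CONSENT_MSG.format(dev="dev-westus-01")}},
    # Remote Desktop app, but an unrelated (constructed) failure reason.
    {"createdDateTime": "2022-12-09T09:15:31Z", "userPrincipalName": "dave@contoso.example",
     "appId": REMOTE_DESKTOP_APP_ID, "status": {"failureReason": "Constructed unrelated failure reason."}},
]


def consent_failure_target(record: dict):
    """Return the target device id if the record is a consent failure for the
    Remote Desktop app, otherwise None."""
    if record.get("appId") != REMOTE_DESKTOP_APP_ID:
        return None
    reason = (record.get("status") or {}).get("failureReason") or ""
    match = CONSENT_FAILURE_RE.search(reason)
    return match.group(1) if match else None


def consent_failures_by_device(records: list) -> dict:
    """Map target device id -> sorted list of distinct users who hit the prompt on it."""
    by_device = defaultdict(set)
    for record in records:
        target = consent_failure_target(record)
        if target:
            by_device[target].add(record.get("userPrincipalName", "<unknown>"))
    return {device: sorted(users) for device, users in by_device.items()}


def summarize(records: list) -> list:
    """Report lines, most affected device first, then by device id."""
    by_device = consent_failures_by_device(records)
    ordered = sorted(by_device.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{device}: {len(users)} user(s): {', '.join(users)}" for device, users in ordered]


if __name__ == "__main__":
    for line in summarize(SIGN_INS):
        print(line)
```

A device that shows up for many users points at a host that was newly created or re-imaged (the later replies mention host pool refreshes and failover), while a single user spread across many devices is the per-host prompt the reply above describes.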

Thanks for the reply. We hope to see it in macOS soon. Thanks

@David Belanger 

Does this support AADDS-joined AVD? Specifically where users sign in with "email address removed for privacy reasons" and the AVD are joined to AADDS "domain.onmicrosoft.com"?

The key here being joined to Azure AD Directory Services, with users coming in from Azure AD, no Hybrid, no syncing of on-prem users.

The email removed was just a sample of name at domain.com vs the domain.onmicrosoft.com for the AVD-joined domain.

@Roger1175 we are working on removing the consent prompt for connections to Azure Virtual Desktop VMs for the reasons you mentioned. We won't consider this feature generally available for pooled environments until we do so. Note that this will not yet be addressed in the upcoming Public Preview which will add support for Windows 10 and Windows 11, as we want to understand if there are other issues that need to be addressed before GA and want to get as much feedback as possible on the feature.

@NotAnotherUserName Unfortunately not. The single sign-on experience only works when accessing machines known by Azure AD, either Azure AD-joined or Hybrid Azure AD-joined. Since machines joined to Azure AD DS are only domain-joined with no Azure AD connection, it won't be possible to sign in to them using Azure AD.

@David Belanger Hi, I got some feedback on the feature regarding the SSO feature for Azure AD joined devices. 
How SSO to on-premises resources works on Azure AD joined devices - Microsoft Entra | Microsoft Lear...

Since the authentication protocol has changed, we do not receive a Kerberos ticket from the on-prem DCs anymore, breaking some file servers and other resources that are needed for the end users.

Are you guys aware of this change, and is it going to be a supported scenario when this goes into GA?

When I've configured this it works for some users that are sitting on Windows Azure AD-only machines. However, end users with machines that are part of Active Directory are not able to log on using SSO. Is there a limitation with Seamless SSO that can affect the authentication process?

@David Belanger I am getting the same error as Roger1175 but a slightly different issue: signing in to the AVD for a personal pool works without any issues. However, when we do a failover to another region we are getting the "The user or administrator has not consented connecting to the target-device: '{identifier}'. Send an interactive authorization request for this user and target-machine." message when we try to sign in to it, even though it is showing up active and available after the failover.

I am wondering if this is because we have allowed the RDP access in the main region and in the new one it is trying to ask for it again. Do you have any thoughts? When I look at the log for the attempt I see the below text under the authentication details, but can find no documentation on what a "Result detail" of Other is.

Date        Authentication method     Authentication method detail   Succeeded   Result detail   Requirement
12/9/2022   Password                  Password in the cloud          false       Other
12/9/2022   Mobile app notification                                  true                        MFA completed in Azure AD

So again any thoughts?

@Roger1175 I am seeing your issue but only on VMs that we have failed over as part of D/R testing.

I put a comment in as well to David B asking if there is a missing config to address the D/R AVD once a failover has been triggered for AVD; I have not seen a response yet.

Regarding reply from: @dikkekip20 Any updates regarding consent login on the VM? We are getting the same prompt, which is new.

Can we give admin consent to this client_id=a85cf173-4192-42f8-81fa-777a763e6e2c so that users won't be bothered with this?

We already consented server & client app with Welcome Admin - RDWeb (microsoft.com)

[screenshot attached]

Any updates on this issue? This behavior currently completely destroys the SSO experience for the end user when connecting to larger host pools or after a host pool refresh.

Hoping to hear some good news out of MS Build that this is ready to go generally available!