User Profile
DavidBelanger
Joined 8 years ago
Recent Discussions
Public Preview: Faster reauthentication
We're excited to announce the public preview of faster reauthentication for Azure Virtual Desktop when single sign-on is enabled. This feature allows you to use the "Every time" sign-in frequency option in Conditional Access policies that target the Microsoft Remote Desktop and Windows Cloud Login Entra ID apps. This can help you provide a more secure environment, especially for BYOD and unmanaged devices.
Getting started: The documentation to Enforce Microsoft Entra multifactor authentication will guide you through the key steps needed to enable this functionality.
672 Views | 2 likes | 0 Comments

Re: HOW TO: Hiding the consent prompt for Single Sign-On
Florian_Paternostre / Andrew_Allston / gertjanvandekolk Thank you for the feedback. I've finished updating the public documentation with additional information, hopefully it's a bit clearer now: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID authentication | Microsoft Learn
Feel free to provide additional feedback.
2.4K Views | 0 likes | 0 Comments

Re: HOW TO: Hiding the consent prompt for Single Sign-On
Thank you for the feedback Andrew_Allston. I plan to add a sample step-by-step instruction using Graph Explorer for those less familiar with using Microsoft Graph. Hoping to have it live the week after Thanksgiving at the latest.
3.5K Views | 1 like | 10 Comments

HOW TO: Hiding the consent prompt for Single Sign-On
We've been working on the ability to hide the dialog shown to users on first connection to a new session host when Single Sign-On is enabled to allow the remote desktop connection. The steps have now been published. To get started, review the new steps to configure Single Sign-On on your Azure Virtual Desktop Host Pool: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication - Azure | Microsoft Learn
4.1K Views | 4 likes | 13 Comments

Re: SSO with Azure AD Authentication - Allow remote desktop connection dialog
Sawal2200 I published the steps to hide the dialog. See: https://techcommunity.microsoft.com/t5/azure-virtual-desktop/how-to-hiding-the-consent-prompt-for-single-sign-on/m-p/3972375/highlight/true#M11614
1.5K Views | 0 likes | 0 Comments

Re: Windows 365 SSO preview disconnects on lock instead of showing lock screen
Hi Carlos_Capellan, thank you for the feedback. We changed the experience in part for the reason you mentioned. The lock screen doesn't support the new Azure AD authentication. It also doesn't allow users to unlock the session with passwordless credentials like FIDO keys and some configurations of WHfB. Passwordless authentication is a key benefit of the new protocol. The disconnection also ensures the CA/MFA policies are re-evaluated when the user reconnects, providing a more secure solution that doesn't allow simply entering a username and password.
With that said, the current experience on Windows is definitely sub-par as the user has to dismiss the dialog, open the client and relaunch their session. Before general availability, we're adding an easy reconnect button on the disconnect dialog. This will allow users to easily get back into the session, potentially without having to enter their credentials, unless you configure re-authentication policies. We'll of course continue to watch the feedback post-GA to see what further adjustments may be needed.
3K Views | 0 likes | 1 Comment

Public Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop
In case you missed it, on Monday we announced the public preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). Building on the Insider preview, the public preview adds support for Windows 10, Windows 11 and Windows Server 2022 session hosts. The preview also adds support for single sign-on using the web client. For details and getting started information, read the announcement in the Azure Virtual Desktop blog.
2K Views | 1 like | 0 Comments

Re: Windows Remote Desktop Client - You were disconnected because your session was locked
Hi folks, disconnecting a session when it locks is the expected behavior when enabling Azure AD authentication either in Azure Virtual Desktop with the RDP property above or in MSTSC on the Advanced tab by checking the option "Use a web account to sign in to the remote computer". I will add this to the documentation, but this was done for security reasons. The user is signing in to the session host using an Azure AD token and this allows the use of passwordless authentication and ensures CA/MFA policies are applied. The lock screen in Windows does not support passwordless and doesn't enforce CA/MFA policies. So users who sign in using passwordless would not be able to unlock the session and another user could unlock the session, bypassing all CA/MFA policies. With SSO enabled, users should be able to easily launch the resource again and be connected. Appreciate any feedback on this. Thank you.
23K Views | 0 likes | 6 Comments

A better printing experience for Azure Virtual Desktop with Universal Print
Both Azure Virtual Desktop and Universal Print offer solutions that allow organizations to simplify their IT infrastructure and lower their costs. They also allow users to access their organization’s resources virtually anywhere. The upcoming Windows 11 22H2 release will offer an improved printing experience that combines the benefits of Azure Virtual Desktop and Universal Print for Windows 11 multi-session users.

Experience improvements
There are three improvements that streamline the printing experience on virtualized shared desktops.

Printers are installed as part of the user profile
Instead of printers being installed as a machine-wide resource (i.e., all installed printers are visible to all users who sign into the session host), printers are installed per user, so people see only those printers.

Printers roam with user profiles
When user profiles are configured to roam (e.g., using FSLogix), printers installed in one session will be automatically installed in other sessions for that person across session hosts. This behavior also works when people remove printers from their profile.

Location-based printer search uses the local device location
Instead of finding printers close to the location of the session host where the person is signed in (e.g., a VM hosted in a data center), the admin can configure location services so that printer search will find printers based on the location of the device the person is connecting from.

Try it and share your feedback
Try these improvements today on Windows 11 multi-session builds available through the Windows Insider Program. To deploy an Insider image from the Azure Gallery, select the Windows 11 version 22H2 Enterprise [multi-session], (Preview) image when deploying a new session host in Azure Virtual Desktop.
For more information, please visit https://aka.ms/AVDwithUniversalPrint
You can share your feedback or ask for assistance at https://aka.ms/UniversalPrintDiscussions
7.8K Views | 0 likes | 0 Comments

Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop
Today we’re announcing the Insider preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys). With this preview, you can now:
- Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts
- Use passwordless authentication to sign in to the host using Azure AD
- Use passwordless authentication inside the session
- Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

Getting started
This new functionality is currently available in Insider builds of Windows 11 22H2, available in the Azure Gallery when deploying new session hosts in a host pool. Want a quick overview of the new functionality? Watch this intro video on Azure Academy!
To get started with single sign-on, follow the instructions to Configure single sign-on which will guide you in enabling the new authentication protocol. To start using Windows Hello and FIDO2 keys inside the session, follow the instructions for In-session passwordless authentication to use the new WebAuthn redirection functionality. Learn more about the supported authentication methods supported by Azure Virtual Desktop, including single sign-on on our Identities and authentication page.
Stay tuned for news about the upcoming public preview which will add support for Windows 10 and current Windows 11 hosts.
31K Views | 11 likes | 23 Comments

Re: Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop
NotAnotherUserName Unfortunately not. The single sign-on experience only works when accessing machines known by Azure AD, either Azure AD-joined or Hybrid Azure AD-joined. Since machines joined to Azure AD DS are only Domain Joined with no Azure AD connection, it won't be possible to sign in to them using Azure AD.
17K Views | 0 likes | 0 Comments

Re: Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop
Roger1175 we are working on removing the consent prompt for connections to Azure Virtual Desktop VMs for the reasons you mentioned. We won't consider this feature generally available for pooled environments until we do so. Note that this will not yet be addressed in the upcoming Public Preview which will add support for Windows 10 and Windows 11, as we want to understand if there are other issues that need to be addressed before GA and want to get as much feedback as possible on the feature.
17K Views | 0 likes | 9 Comments

Re: Insider Preview: Single sign-on and passwordless authentication for Azure Virtual Desktop
Hi Andrew, the feature is currently only working using the Windows client. Support for the web client should be available soon. Other clients like macOS, iOS and Android will come later but are in development.
18K Views | 0 likes | 1 Comment

Public Preview: Intune user configuration for Windows 11 multi-session VMs
Today we’re announcing the public preview for deploying Microsoft Intune user configuration from Microsoft Endpoint Manager admin center to Azure Virtual Desktop Windows 11 multi-session virtual machines (VMs). This is in addition to the recently announced general availability of device configuration for multi-session VMs. With this preview, you can now configure:
- User scope policies using the Settings catalog
- User certificates via Templates
- PowerShell scripts to run in the user context

Getting started
This new functionality is available in the Intune 2206 release and you must install the 2206 Cumulative Update for Windows 11 (KB5014697) on your session hosts. Learn more about the recommended ways to manage your Azure Virtual Desktop session hosts on our management page.
To get started, follow the instructions to use Azure Virtual Desktop multi-session with Intune which will guide you in creating new user configurations.
Stay tuned for news about the upcoming support for Intune user configuration on Windows 10 multi-session VMs.
8.8K Views | 0 likes | 0 Comments

Re: "Your credentials did not work" AVD Azure AD joined
PeteMitchell MFA is quite possibly the culprit here. You must ensure to add "Azure Windows VM sign in" to the Exclusion list for MFA. You can start by reviewing the following info: https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-azure-ad-connections#i-cant-sign-in-even-though-im-using-the-right-credentials
22K Views | 0 likes | 0 Comments

Public Preview of FSLogix profiles support for Azure AD-joined VMs for Azure Virtual Desktop
Earlier today, we announced the public preview of FSLogix profiles support for Azure AD-joined VMs for Azure Virtual Desktop. The preview allows you to create an Azure Files share to store the FSLogix profiles and configure it to support Azure AD authentication. For customers trying to reduce cost, it’s now possible to deploy a pooled environment using Azure AD-joined Windows 10/11 Enterprise multi-session VMs where the user profiles are stored on Azure Files. This combines the key benefits of Azure AD-joined VMs (no line-of-sight to a domain controller, simplified deployment, and enhanced management with Intune) with the cost reduction of using a pooled environment shared between all users. For information on the full benefits and details on the new functionality, read the announcement blog.
712 Views | 0 likes | 0 Comments
Recent Blog Articles
Announcing general availability of FSLogix profiles for Azure AD-joined VMs in Azure Virtual Desktop
Learn how to configure Azure Files with Azure Active Directory Kerberos to use FSLogix profiles with Azure Active Directory-joined VMs for hybrid users in Azure Virtual Desktop.
25K Views | 5 likes | 8 Comments