WVD Azure AD DS Office 365 auto login


Hi,

Is there a supported scenario to get users auto-signed in to Office 365 applications when logging into WVD? We have a Win10 multi-user deployment with Azure AD DS joined WVDs.

5 Replies
@Perisak1630 : Unfortunately, the quick answer is no. You can get that "auto-signed in" functionality from a Windows machine (physical or virtual) to Office when you have Azure AD Seamless Sign-On enabled. However, you can only do this if you have a managed domain (Active Directory with Azure AD Connect) or a federated domain (Active Directory with ADFS). This does not work and is not supported when using Azure AD DS.

Is there any documentation on how to configure this? We have Seamless SSO enabled.

@christianmontoya

I'd also be interested to learn more about how to get this working. We have an in-progress deployment for a customer and we're unable to get the Office Apps, Chromium Edge or OneDrive to automatically sign in on the Windows 10 WVD session hosts.

The customer has Azure AD Connect without ADFS, and we've followed all the documentation steps to configure SSO. The session hosts are showing as Hybrid Azure AD Joined in the Azure portal and I'm quite sure we have on-premises devices working correctly beforehand (unable to test right now).

@Ben White Are you using Conditional Access, and requiring MFA for all users? If so this could be your issue. I found that removing the requirements for MFA allowed single sign-on to function. What I actually did here was to add Azure Firewall to the VNET where the host pool nodes are deployed, and routed all traffic through that. I then added a trusted location in CA for the public IP of the Azure Firewall, and created a new policy to require Hybrid Joined computers as an access condition in CA.

HTH

@shaunlaughton Is it possible to provide more detail on your firewall setup on this? I am interested in replicating your setup and testing, as we are still struggling with this issue both on WVD and Citrix.