security
77 Topics

Azure Virtual Desktop for Guest User / B2b Identity
All of our external customers have their own AAD / Entra ID and wish to not manage multiple identities. As we present our applications via AVD, it requires them to have a separate identity in our tenant currently. AVD should support guest accounts from another tenant to be able to sign in.

Currently, per the documentation and per the ticket I just worked with Microsoft support: Azure Virtual Desktop doesn't support external identities, including guest accounts or business-to-business (B2B) identities. Whether you're serving internal commercial purposes or external users with Azure Virtual Desktop, you'll need to create and manage identities for those users yourself.

Please continue development to allow guest accounts that have been invited into a tenant to sign in to AVD machines. Thanks!

2K Views, 31 likes, 9 Comments

Bug with Mac Remote Desktop 10.9.0, cannot remote in without manually logging in first
Now when I try to Remote Desktop into a VM that is on a domain, it will not let me connect because of a security error. This used to connect just fine. The only way to get around this is to manually log in. Once a user has logged into the computer, I can then remote into it like normal. Every time the VM is restarted though, I once again have to manually log in to get remote access.

The error I receive: We couldn't connect to the remote PC because of a security error. If this keeps happening, contact your network administrator for assistance. Error code: 0x1807

6K Views, 7 likes, 14 Comments

Add the Networking Tab in the Host Pool Creation Wizard in the Azure Portal
Just like we have a Networking tab in the Storage Account where public access can be disabled and private endpoints enabled, there should be a similar option available during Host Pool creation in the Azure Portal. In my customer environment, which is a banking organization, a policy is enforced that does not allow any resource to be created with public access—it blocks the creation outright.

    az policy assignment create \
      --name "DenyPublicAccess" \
      --scope "/subscriptions/<subscription-id>" \
      --policy "/providers/Microsoft.Authorization/policyDefinitions/<policy-definition-id>"

The policy they use is named "Public network access should be disabled for PaaS services", which prevents the creation of a Host Pool unless public access is disabled. Currently, this setting cannot be configured during Host Pool creation in the Azure Portal, as the networking tab is only available after the Host Pool is created, allowing you to disable public access and enable private endpoints.

For BFSI customers, requesting a policy relaxation is difficult. While this may be achieved through automation, the option should also be available in the Azure Portal. Otherwise, it creates a contradiction—there is a policy to disable public access, but no way to comply with it during the initial creation.

Security issue with Mac client - client is making inappropriate connections
Hello, I use Little Snitch on macOS to monitor for inappropriate outbound connections. The new Windows app that replaces the RDP app is doing some very shady connection attempts. As soon as I launched it, Little Snitch notified me of continuous connection attempts by the new Windows client to *ALL MY SAFARI BOOKMARKS* - I kept denying connection after connection, but based on the hostnames being accessed, I could tell it was sequentially iterating through my bookmarks toolbar, trying to ping every endpoint I have saved.

I have now blocked your client from any outbound connection attempts. I do not understand why a client I am using for accessing local machines is now talking to all sorts of remote domains I did not give it permission to access. Seems like a fundamental design flaw of this new version - why is it trying to connect to my Safari bookmarks automatically?

215 Views, 0 likes, 1 Comment