
Configuring single sign-on (SSO) for Azure Virtual Desktop is a crucial step in giving users seamless access.
To begin, configure Azure Active Directory (Azure AD) as the identity provider for Azure Virtual Desktop. This involves creating a new Azure AD application and registering it with Azure Virtual Desktop.
For SSO to work, enable the "Allow IdP initiated sign-in" option in the Azure AD application settings, so that users can sign in to Azure Virtual Desktop with their Azure AD credentials.
Next, configure the Azure Virtual Desktop workspace with the Azure AD application. You'll need the application's client ID and your tenant ID to complete the setup.
Azure Virtual Desktop Setup
To set up Azure Virtual Desktop, first grant consent on behalf of your organization; this is a quick step.
You then create a Windows Virtual Desktop tenant by running a command that takes your Active Directory tenant ID, your subscription ID and a few other details. Keep the command on a single line; copying it into Notepad makes it easier to edit before you run it.
The command creates your tenant, and you'll see a confirmation message like the one mentioned in the example.
Prepping Your WVD Environment
Before creating your VM environment, you need to wrap up a few initial steps.
Save your Active Directory tenant ID and subscription ID from the Azure portal; the tenant-creation command needs both.
Then create your Windows Virtual Desktop tenant with that command. Keep it on one line, and copy it into Notepad to edit it as needed.
The command must contain the name of your tenant: replace the value "CompanyWVDtenant" with the correct name.
After issuing the command, you'll see a response.
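As an added example that is not part of the original article, here is that tenant-creation command in script form, as I recall it from the classic Windows Virtual Desktop PowerShell module (Microsoft.RDInfra.RDPowerShell, since retired along with the classic service). The GUIDs and tenant name are placeholders, and the GUID check is my addition to catch values mangled while pasting through Notepad.

```powershell
# Added example, not from the original article. Classic WVD module (retired); cmdlet and
# parameter names are as I recall them from the classic documentation.
$aadTenantId    = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD directory (tenant) ID
$subscriptionId = '11111111-1111-1111-1111-111111111111'   # placeholder: Azure subscription ID
$tenantName     = 'CompanyWVDtenant'                       # change to the name of your tenant

# Fail fast if either ID was truncated or altered while copying it around.
foreach ($id in $aadTenantId, $subscriptionId) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$parsed)) {
        throw "'$id' is not a valid GUID; re-copy it from the Azure portal."
    }
}

# Sign in to the classic WVD broker, then create the tenant (this is the single-line command
# the article refers to, with the values substituted from the variables above).
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'
New-RdsTenant -Name $tenantName -AadTenantId $aadTenantId -AzureSubscriptionId $subscriptionId
```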
Microsoft AVD with Okta Passwordless
Microsoft AVD with Okta Passwordless is a game-changer for seamless access to your VDI machine from anywhere. The integration lets users reach their virtual desktops without typing a password.
To get started, configure RDWEB so that it appears on the end user's Okta dashboard, following the steps in the Okta Integration with Active Directory section.
You can use any authentication type supported by Microsoft Entra ID, such as Windows Hello for Business and FIDO keys, to authenticate to the service. This includes in-session passwordless authentication with Windows Hello for Business or security devices such as FIDO keys.
Here are the supported operating systems for in-session passwordless authentication:
- Windows 11 single or multi-session with the 2022-10 Cumulative Updates for Windows 11 (KB5018418) or later installed.
- Windows 10 single or multi-session, versions 20H2 or later with the 2022-10 Cumulative Updates for Windows 10 (KB5018410) or later installed.
- Windows Server 2022 with the 2022-10 Cumulative Update for Microsoft server operating system (KB5018421) or later installed.
To disable passwordless authentication on a host pool, customize an RDP property: either change the WebAuthn redirection setting under the Device redirection tab in the Azure portal, or set the redirectwebauthn property to 0 using PowerShell.
Single Sign-On (SSO) Configuration
Single Sign-On (SSO) configuration is a game-changer for Azure Virtual Desktop users. It allows the connection to skip the session host credential prompt and automatically signs the user in to Windows through Microsoft Entra authentication.
SSO is recommended for session hosts that are Microsoft Entra joined or Microsoft Entra hybrid joined. It also brings benefits such as passwordless authentication and support for third-party identity providers.
To configure SSO, you can use either Microsoft Entra authentication or Active Directory Federation Services (AD FS); the choice depends on your setup and requirements.
For a seamless experience, save credentials only on a secure device, since this prevents other users of that device from accessing your resources.
Configuring True SSO
Configuring True SSO is a crucial step in ensuring a seamless user experience in Azure Virtual Desktop. Microsoft only released the True SSO capability in mid-2021, so reliable resources online are still hard to find.
The first step is to read Microsoft's official documentation, specifically the article on configuring AD FS SSO at https://docs.microsoft.com/en-us/azure/virtual-desktop/configure-adfs-sso.
To deploy True SSO for AVD, follow the step-by-step video guide, which can be found online. The video walks you through the process, and I've also included the PowerShell command lines used during the setup for your reference.
With True SSO configured, users sign in to their AVD virtual machines with a single prompt for username and password.
Here are the PowerShell command lines used during the setup:
1. `New-AzureRmADServicePrincipal -DisplayName "Azure Virtual Desktop"`
2. `New-AzureRmADApplication -DisplayName "Azure Virtual Desktop"`
3. `New-AzureRmADGroup -DisplayName "Azure Virtual Desktop Users"`
These commands create the service principal, application, and group that True SSO needs. Note that the AzureRm module they come from has since been retired in favour of the Az module, where the equivalent cmdlets are New-AzADServicePrincipal, New-AzADApplication and New-AzADGroup.
It's worth noting that True SSO requires a valid Azure subscription, and you can find your AAD Tenant GUID or name by visiting the Windows Virtual Desktop Consent Page at https://rdweb.wvd.microsoft.com/.
Create Rdweb Application
To create the RDWEB application, start by giving it a name, such as RDWEB, and enter the official Microsoft RDWEB URL, "https://rdweb.wvd.microsoft.com/arm/webclient/index.html". You can also upload an app logo of your choice for a better user experience.
Next, set up the credential option, selecting "Admin sets username, user sets password". This lets the Secure Web Authentication (SWA) process push the username so that the Office 365 integration can take over and eliminate the need for a password.
To assign the app to your AVD groups or users, click the RDWEB app and then select Sign On. Scroll down to Sign On Policy, where you'll see that the available authenticator is Password by default.
Identity and Authentication
Azure Virtual Desktop supports hybrid identities through Microsoft Entra ID, including identities federated using AD FS. This lets you manage user identities in AD DS and sync them to Microsoft Entra ID with Microsoft Entra Connect.
You can also use Microsoft Entra ID to manage these identities and sync them to Microsoft Entra Domain Services. Azure Virtual Desktop only supports this configuration if either the UPN or the SID matches between your AD and Microsoft Entra ID accounts.
For cloud-only identities, Azure Virtual Desktop supports Microsoft Entra joined VMs, where users are created and managed directly in Microsoft Entra ID. This is a good option for organizations without an on-premises AD environment.
Third-party identity providers are also supported as long as they federate with Microsoft Entra ID, giving you flexibility in how you manage user identities and access to Azure Virtual Desktop resources.
Hybrid Identity
Hybrid identity lets you manage user identities in AD DS and sync them to Microsoft Entra ID using Microsoft Entra Connect.
Azure Virtual Desktop supports this configuration, but only if the UPN or the SID matches between your AD and Microsoft Entra ID accounts.
For example, if the AD account [email protected] corresponds to [email protected] in Microsoft Entra ID, Azure Virtual Desktop will only work if the UPN or SID matches.
You can also use Microsoft Entra ID to manage these identities and sync them to Microsoft Entra Domain Services; the same condition applies, and Azure Virtual Desktop only supports it if either the UPN or the SID matches between the AD and Microsoft Entra ID accounts.
Here, SID refers to the user object property "ObjectSID" in AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID.
Third-party identity providers can be used as long as they federate with Microsoft Entra ID, but that is not specific to hybrid identity configurations.
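One way to check that requirement for a single account before onboarding it, as an added example rather than anything from the article: it compares the UPN and the ObjectSID/OnPremisesSecurityIdentifier pair across AD DS and Microsoft Entra ID. It assumes the ActiveDirectory and Microsoft.Graph.Users modules, a Graph session opened with Connect-MgGraph -Scopes 'User.Read.All', and a placeholder sAMAccountName.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory and
# Microsoft.Graph.Users modules and an existing Connect-MgGraph session (User.Read.All).
function Test-AvdHybridIdentity {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # AD DS side: the ObjectSID attribute is exposed by Get-ADUser as the SID property.
    $ad  = Get-ADUser -Identity $SamAccountName
    $sid = $ad.SID.Value

    # Entra side: OnPremisesSecurityIdentifier is only returned when selected explicitly.
    $props = 'Id', 'UserPrincipalName', 'OnPremisesSecurityIdentifier'
    $entra = Get-MgUser -UserId $ad.UserPrincipalName -Property $props -ErrorAction SilentlyContinue
    if (-not $entra) {
        # The UPN did not resolve in Entra ID; fall back to the synced SID so a UPN
        # mismatch is reported as a mismatch instead of as "user not found".
        $entra = Get-MgUser -Filter "onPremisesSecurityIdentifier eq '$sid'" -Property $props |
                 Select-Object -First 1
    }
    if (-not $entra) { throw "No Microsoft Entra ID user found for '$SamAccountName' by UPN or SID." }

    $upnMatch = $ad.UserPrincipalName -eq $entra.UserPrincipalName   # -eq is case-insensitive
    $sidMatch = $sid -eq $entra.OnPremisesSecurityIdentifier

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        AdUpn          = $ad.UserPrincipalName
        EntraUpn       = $entra.UserPrincipalName
        UpnMatch       = $upnMatch
        SidMatch       = $sidMatch
        AvdSupported   = ($upnMatch -or $sidMatch)   # the article's condition: either attribute matching
    }
}

Test-AvdHybridIdentity -SamAccountName 'jdoe'   # placeholder account name
```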
Cloud-Only Identity
Azure Virtual Desktop supports cloud-only identities when using Microsoft Entra joined VMs. These users are created and managed directly in Microsoft Entra ID.
Users you create in Microsoft Entra ID can then access Azure Virtual Desktop resources.
Cloud-only identities are a good option for organizations that don't need to manage on-premises identities.
Azure Virtual Desktop also supports assigning hybrid identities to application groups whose session hosts have the join type Microsoft Entra joined.
Assign Enterprise Admins
To assign Enterprise Application Administrators, give at least one of your accounts permission to create the Windows Virtual Desktop tenant.
You can do this by opening Azure Active Directory and clicking Enterprise Applications, or by going directly to the blade in the Azure portal at https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/.
Passwordless Authentication
Passwordless authentication is a game-changer for Azure Virtual Desktop users. Microsoft Entra ID supports several authentication types, including Windows Hello for Business and FIDO keys, so users can authenticate to the service without a password.
When WebAuthn requests are redirected to the local PC, you can complete the authentication with Windows Hello for Business or a locally attached security device. This redirection is enabled automatically on certain operating systems, such as Windows 11 single or multi-session with the 2022-10 Cumulative Updates for Windows 11 installed.
To access Microsoft Entra resources with Windows Hello for Business or security devices, you must first enable the FIDO2 security key as an authentication method for your users, following the steps in Microsoft's "Enable FIDO2 security key method" guide.
Here are the operating systems that support in-session passwordless authentication:
- Windows 11 single or multi-session with the 2022-10 Cumulative Updates for Windows 11 (KB5018418) or later installed.
- Windows 10 single or multi-session, versions 20H2 or later with the 2022-10 Cumulative Updates for Windows 10 (KB5018410) or later installed.
- Windows Server 2022 with the 2022-10 Cumulative Update for Microsoft server operating system (KB5018421) or later installed.
If you want to disable passwordless authentication on a host pool, customize an RDP property by setting the redirectwebauthn property to 0 using PowerShell.
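Both settings this article mentions, Microsoft Entra SSO (the Single Sign-On section above) and disabling WebAuthn redirection, are host pool custom RDP properties; the following added example (not the article's own code) merges them into the existing property string, because Update-AzWvdHostPool -CustomRdpProperty replaces the whole value and would otherwise drop properties already set. It assumes Az.DesktopVirtualization with a signed-in Az session, placeholder resource group and host pool names, and enablerdsaadauth:i:1 as the documented Entra SSO property, which the article itself does not name.

```powershell
# Added example, not from the original article. Requires Az.DesktopVirtualization and
# Connect-AzAccount; the resource group and host pool names are placeholders.
function Merge-RdpProperty {
    param([string]$Existing, [hashtable]$Desired)
    # Custom RDP properties are one "key:type:value;" string. Parse it so keys already present
    # (audio, drive redirection, ...) survive, then overlay only the keys we want to change.
    $map = [ordered]@{}
    foreach ($entry in ($Existing -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $key, $rest = $entry -split ':', 2          # e.g. "redirectwebauthn", "i:1"
        $map[$key.Trim()] = $rest.Trim()
    }
    foreach ($k in $Desired.Keys) { $map[$k] = $Desired[$k] }
    return (($map.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
}

$rg   = 'rg-avd-placeholder'
$pool = 'hp-avd-placeholder'
$current = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty

# The two properties are independent; they are combined here only to show the merge.
# enablerdsaadauth:i:1  -> Entra SSO: the connection skips the session host credential prompt.
# redirectwebauthn:i:0  -> passwordless off: WebAuthn requests are no longer redirected to the local PC.
$updated = Merge-RdpProperty -Existing $current -Desired @{
    enablerdsaadauth = 'i:1'
    redirectwebauthn = 'i:0'
}

Update-AzWvdHostPool -ResourceGroupName $rg -Name $pool -CustomRdpProperty $updated

# Read the value back to confirm what the host pool now hands to clients.
(Get-AzWvdHostPool -ResourceGroupName $rg -Name $pool).CustomRdpProperty
```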