Seamless SSO and non-persistent VDI: is it possible?

Reid, Russell 1 Reputation point
2023-01-10T16:51:37.16+00:00

We currently have a federated setup using ADFS 2019. We would like to begin migrating to Cloud Authentication (Password Hash Sync). Password Hash Sync is enabled already. We use a mix of Azure AD Joined devices (configured for SSO using Hybrid Cloud Trust) and non-persistent Citrix VDI instances that are domain joined and Azure AD registered. The MMD devices that are Azure AD Joined already function with SSO, so there is no issue there. But we would like to switch to Cloud Auth instead of Federated for better resiliency.
I have found conflicting information on how to configure Cloud Authentication for seamless single sign-on when using non-persistent VDI. Some articles say it works if you configure it correctly, and other articles say it doesn't work because device identity is problematic. This particular snip from the MS article on staged rollout is what I am referring to:

• If you have a non-persistent VDI setup with Windows 10, version 1903 or later, you must remain on a federated domain. Moving to a managed domain isn't supported on non-persistent VDI. For more information, see Device identity and desktop virtualization.


2 answers

  1. JimmySalian-2011 41,921 Reputation points
    2023-01-28T13:55:54.0633333+00:00

    Hi,

    Can you provide the source of that article? The text mentions a managed domain, and since you are using a Password Sync and Cloud Auth mix, the article suggests you should not move to an Azure Managed Domain, that is, the Azure AD Domain Services managed service, for VDI.

    However, check this old article; it might help: https://www.oryszczyn.com/azure-active-directory-hybrid-join-and-persistent-vdi/

    Hope this helps.

    JS

    ==

    Please accept the answer if the information helped you. This will help us and others in the community as well.

  2. Reid, Russell 1 Reputation point
    2023-01-30T13:47:15.7033333+00:00

    This is the article that has that passage in it: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout#unsupported-scenarios

    But then there is this set of recommendations: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-device-identity-virtual-desktop-infrastructure#non-persistent-vdi

    And I also found this article: https://azureera.com/configure-hybrid-azure-ad-joined-with-non-persistent-vdi/

    So I am trying to figure out what the actual answer is. I am working with our VDI team to better understand our configuration and how it may be affected. I was just trying to resolve the inconsistencies that I see in all of the information that is out there.