We currently have a Federated setup using ADFS 2019. We would like to begin migrating to Cloud Authentication-Password Hash sync. Password hash sync is enabled already. We use a mix of Azure AD Join devices (that are configured for SSO using Hybrid Cloud trust) and Non-persistent Citrix VDI instances that are domain joined and Azure AD registered.
The MMD devices that are Azure AD Joined function with SSO already so there is no issue there. But we would like to switch to Cloud Auth instead of Federated for better resiliency.
I have found conflicting information on how to configure Cloud Authentication for seamless single sign-on when using Non-Persistent VDI. Some articles say it works if you configure it correctly and other articles say it doesn't work as Device identity is problematic. This particular snip from the MS article on staged rollout is what I am referring to:
• If you have a non-persistent VDI setup with Windows 10, version 1903 or later, you must remain on a federated domain. Moving to a managed domain isn't supported on non-persistent VDI. For more information, see Device identity and desktop virtualization.
From