Help Needed: Seamless SSO for Office Apps in Non-Persistent VMware Horizon VDI
Hello there, I would really appreciate your help if you have experience with Office in non-persistent VDI settings.
Situation:
We have a non-persistent VDI environment using VMware Horizon with Instant Clones, and FSLogix for the profiles. Our goal is SSO so that users do not have to log on to the Office apps. We have enabled SSO, but it only works fine in the browser for web applications like https://office.com.
However, within the Office apps (e.g., Word, Excel), a warning icon persists next to the user's account, and it says, “Sign-in required – Your cached credentials have expired.”
The Office Apps work perfectly though despite the warning.
Clicking "Sign in" resolves the warning icon temporarily, but the problem reappears after the session is restarted.
Office Version: M365 MSO Version 2308, Build 16.0.16731.20542 32 Bit
We install Teams separately.
What we've done so far:
- We enabled SSO according to the Microsoft page https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-quick-start
- SCA is enabled through GPO
- The golden image is domain-joined, as well as the non-persistent VDIs.
- We did not hybrid join the instant clones, because we don't want to have the work of removing them by script from Entra ID
Additionally, I read that the GPO "Allow delegating default credentials" should also be enabled. I did that. Since then, the Office apps no longer show a sign-in pop-up. However, now there is a yellow warning symbol next to the logged-in user (see screenshot).
Other notes:
- `dsregcmd /status` confirms the device is domain-joined, but SSO State (AzureAdPrt) still shows NO.
- `klist` does not display a Kerberos ticket for https://autologon.microsoftazuread-sso.com.
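The two checks listed above (the `dsregcmd /status` join state and the `klist` ticket lookup) can be collected in one pass so that the result is comparable across freshly provisioned instant clones. The following PowerShell script is an added example written for this thread; it is not part of the original post and not Microsoft's own tooling. It assumes it is run as the logged-on user inside the VDI session and that `dsregcmd.exe` and `klist.exe` are present (both ship with Windows 10/11). The function name `Test-SeamlessSsoPrereqs` and the helper `Get-DsregField` are invented for this example.

```powershell
# Added example (not from the original post): collect the Seamless SSO
# prerequisites described in the thread from a single VDI session.
# Assumptions: run as the logged-on user; dsregcmd.exe and klist.exe exist.

function Get-DsregField {
    param([string[]]$StatusLines, [string]$Name)
    # dsregcmd /status prints rows like "AzureAdPrt : NO"; return the first value found.
    foreach ($line in $StatusLines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$") {
            return $Matches[1]
        }
    }
    return $null
}

function Test-SeamlessSsoPrereqs {
    param(
        # Both default to live output; pass captured text to inspect another session.
        [string[]]$DsregOutput = (& dsregcmd /status),
        [string[]]$KlistOutput = (& klist)
    )

    $domainJoined  = Get-DsregField -StatusLines $DsregOutput -Name 'DomainJoined'
    $azureAdJoined = Get-DsregField -StatusLines $DsregOutput -Name 'AzureAdJoined'
    $azureAdPrt    = Get-DsregField -StatusLines $DsregOutput -Name 'AzureAdPrt'

    # Seamless SSO is Kerberos-based: the client must hold a service ticket for the
    # AZUREADSSOACC computer account, which klist lists under the
    # autologon.microsoftazuread-sso.com service name.
    $hasSsoTicket = [bool]($KlistOutput |
        Select-String -SimpleMatch -Quiet 'autologon.microsoftazuread-sso.com')

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        UserName             = $env:USERNAME
        DomainJoined         = $domainJoined
        AzureAdJoined        = $azureAdJoined
        AzureAdPrt           = $azureAdPrt
        HasSeamlessSsoTicket = $hasSsoTicket
    }
}

$result = Test-SeamlessSsoPrereqs
$result | Format-List

if (-not $result.HasSeamlessSsoTicket) {
    Write-Warning 'No Kerberos ticket for autologon.microsoftazuread-sso.com in this session.'
}
if ($result.AzureAdJoined -eq 'NO' -and $result.AzureAdPrt -eq 'NO') {
    Write-Host 'Device is domain-joined only; AzureAdPrt = NO is expected without a hybrid join.'
}
```

Two notes on reading the output. First, a Primary Refresh Token (the `AzureAdPrt` field) is only issued to devices that are Entra-joined or hybrid-joined, so on instant clones that are deliberately not hybrid-joined, `AzureAdPrt : NO` is the expected state and is not by itself a Seamless SSO failure. Second, the Kerberos ticket for the AZUREADSSOACC service is requested on demand when a client contacts a Seamless SSO-enabled endpoint, so run the script after opening an Office app or a browser sign-in page rather than immediately after logon; a ticket that never appears even then points at the Kerberos path (intranet-zone settings for the autologon URL, the AZUREADSSOACC account, or the delegation GPO), while a ticket that is present alongside the warning icon points at the Office client's own token cache instead.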