Azure Virtual Desktop integration with NestSCaler Citrix / Integración Azure Virtual Desktop con NestSCaler Citrix

Question

Azure Virtual Desktop integration with NestSCaler Citrix / Integración Azure Virtual Desktop con NestSCaler Citrix

Luis Enrique Garzon Penarete 20

Good afternoon,

We currently have a remote app with Citrix and want to switch to a remote app on Azure Virtual Desktop, but we have a couple of questions:

Can AVD associate the NetScaler authentication login, since the organization does not want to lose this? In other words, when working with an AVD application, can it be taken to the NetScaler front end and authenticated with the Windows user, then perform the second factor of authentication with an OTP? Once this is validated, can the user access the AVD applications?

Can an AVD application be presented in the same catalog where Citrix applications are presented? Since we are in a PoC, would this be to prevent users from opening more applications and to be able to launch the AVD application within the Citrix catalog?

Thank you very much for your help.

Buena Tarde,

Actualmente tenemos remote app con citrix y queremos pasar a remote app en azure virtual desktop, pero tenemos un par de preguntas:

¿puede avd asociar el login de autenticación de netscaler ya que la organizacion no quiere perder esto, es decir que cuando se vaya a trabajar con una aplicacion de avd, lo lleve al front de netscaler y lo autentique con su usuario de windows y luego haga su segundo factor de autenticación con un OTP, una vez sea esto validado poder ingresar a las app de AVD?
¿una aplicacion de AVD puede presentarse en el mismo catalogo donde estan presentadas las aplicaciones de citrix?, como estamos de una poc, seria para evitar que los usuarios hagan mas aperturas y que logre lanzar la aplicacion de AVD dentro del catalogo de Citrix?

Muchas gracias por la ayuda.

0 comments

2 answers

Your answer

Answer 1

Jilakara Hemalatha 12,105 Microsoft External Staff Moderator

Hello Luis,

Thank you for reaching out and for sharing the details about your proof-of-concept scenario.

Based on your questions regarding the integration between Azure Virtual Desktop and Citrix NetScaler ADC, please find the clarifications below.

Using NetScaler authentication in front of Azure Virtual Desktop

Azure Virtual Desktop uses Microsoft Entra ID as its primary authentication mechanism. During the connection process, users authenticate directly with Entra ID, and the session is validated by the Azure Virtual Desktop service before access is granted.

Due to this architecture, Azure Virtual Desktop does not support third‑party gateways such as Citrix NetScaler as an authentication front end for AVD sessions. The authentication flow cannot be redirected to NetScaler for Windows credentials and OTP validation before AVD access.

For multi‑factor authentication requirements, Microsoft recommends using Microsoft Entra ID Multi‑Factor Authentication (MFA) and Conditional Access, which natively support OTP, push notifications, and other second‑factor methods.

Publishing AVD applications within the Citrix application catalog

Azure Virtual Desktop applications are typically accessed via:

Azure Virtual Desktop Remote Desktop client
Azure Virtual Desktop web client

AVD applications are not natively published or managed inside the Citrix StoreFront / application catalog, and there is no Microsoft‑supported integration that allows AVD RemoteApps to appear as Citrix‑managed applications.

Documentation reference:

Supported identities and authentication methods

Security recommendations for Azure Virtual Desktop

How it works: Microsoft Entra multifactor authentication

Hope this helps! Please let me know if you have any queries

Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-11T00:23:39.5466667+00:00

Hello Luis,

Just checking if above provided information was helpful! Please let me know if you have any queries.
Luis Enrique Garzon Penarete 20 Reputation points

2026-03-12T16:18:59.3466667+00:00

Good afternoon,

Thank you very much for your response. Now, could you help me with something else? Given that we cannot integrate AVD with NetScaler, I have been asked what security elements can be configured in AVD.

I look forward to hearing from you.
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-12T21:03:50.68+00:00
Thank you for follow-up question

Below are some of the key security elements that can be configured in Azure Virtual Desktop:

Multi-Factor Authentication (MFA) Azure Virtual Desktop integrates with Microsoft Entra ID for authentication. Organizations can enforce strong authentication using Microsoft Entra Multi-Factor Authentication, which supports methods such as one-time passwords (OTP), authenticator app notifications, and FIDO2 security keys.

Reference: Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access

Conditional Access Policies Using Conditional Access in Microsoft Entra ID, administrators can define policies to control how users access AVD resources. Examples include requiring MFA, restricting access based on location or IP address, and allowing access only from compliant or managed devices.

Reference: https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa?tabs=avd#:~:text=multifactor%20authentication.-,Create%20a%20Conditional%20Access%20policy,-Here%27s%20how%20to

Network Security and Private Connectivity Session hosts used by Azure Virtual Desktop can be deployed within an Azure Virtual Network and protected using services such as Azure Firewall or private access configurations. This helps ensure that virtual machines are not directly exposed to the public internet.

Reference: https://learn.microsoft.com/en-us/azure/virtual-desktop/network-connectivity

Role-Based Access Control (RBAC) Administrative access to Azure Virtual Desktop resources can be managed through Azure Role-Based Access Control, allowing organizations to follow the principle of least privilege and assign only the required permissions to administrators.

Reference: Built-in Azure RBAC roles for Azure Virtual Desktop

5.Security monitoring and operational insights can be implemented using services such as Azure Monitor and Log Analytics to track user sessions, connection diagnostics, and potential security events.

Reference: https://learn.microsoft.com/en-us/azure/virtual-desktop/diagnostics-log-analytics
Jilakara Hemalatha 12,105 Reputation points Microsoft External Staff Moderator

2026-03-18T01:20:00.4533333+00:00

Hello Luis

Just checking if above provided information was helpful! Could you please accept the answer and upvote it.

Please let me know if you have any queries in comments

Answer 2

Azure Virtual Desktop (AVD) and Citrix NetScaler / Citrix DaaS are separate platforms with different identity and access models. The provided information only covers:

AVD using Microsoft Entra ID (formerly Azure AD) for authentication and SSO.
Citrix identity options when running Citrix workloads on Azure.

From this information, only the following can be stated:

AVD authentication and SSO

AVD uses Microsoft Entra ID for cloud service authentication and can use Microsoft Entra–based SSO into the session hosts, including MFA and passwordless options such as Windows Hello for Business and FIDO keys.
AVD single sign-on for RDP is enabled by configuring Microsoft Entra authentication for Windows via the Windows Cloud Login service principal and the remoteDesktopSecurityConfiguration object (setting isRemoteDesktopProtocolEnabled to true).
Authentication flows and MFA are therefore designed around Microsoft Entra ID and Conditional Access, not NetScaler.

Citrix identity and AVD

Citrix on Azure can use different identity backends: Microsoft Entra ID, Microsoft Entra Domain Services, or Active Directory Domain Services. All of these support “Authentication to resources” in Citrix, but this is for Citrix workloads, not AVD.
Microsoft Entra join support is explicitly available for Azure Virtual Desktop and Citrix (via the documented Citrix hybrid/Entra scenarios), but the documentation treats them as separate solutions rather than a single unified catalog or shared front end.

The context does not describe:

Any supported method to front AVD with NetScaler authentication (for example, redirecting AVD users to a NetScaler portal for primary + OTP MFA and then brokering into AVD).
Any supported way to publish AVD applications directly inside the Citrix application catalog or Workspace UI as if they were native Citrix apps.

Because those integration patterns are not documented in the provided material, no statement can be made that they are supported or how to configure them.

What is documented and supported in the context is:

Use Microsoft Entra ID and its MFA/passwordless options for AVD authentication and SSO.
Use Citrix identity options (Microsoft Entra ID, Microsoft Entra Domain Services, or AD DS) for Citrix DaaS workloads on Azure, as described in the Citrix-on-Azure guidance.

References:

Share via

Azure Virtual Desktop integration with NestSCaler Citrix / Integración Azure Virtual Desktop con NestSCaler Citrix

2 answers

Your answer