Configure single sign-on for Azure Virtual Desktop using Azure AD Authentication

Important

Single sign-on using Azure AD authentication is currently in public preview. This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

This article will walk you through the process of configuring single sign-on (SSO) using Azure Active Directory (Azure AD) authentication for Azure Virtual Desktop (preview). When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Azure AD to sign in to your Azure Virtual Desktop and Remote Applications. When enabled, this feature provides a single sign-on experience when authenticating to the session host and configures the session to provide single sign-on to Azure AD-based resources inside the session.

For information on using passwordless authentication within the session, see In-session passwordless authentication (preview).

Note

Azure Virtual Desktop (classic) doesn't support this feature.

Prerequisites

Single sign-on is available on session hosts using the following operating systems:

Session hosts must be Azure AD-joined or Hybrid Azure AD-Joined.

Note

Azure Virtual Desktop doesn't support this solution with session hosts joined to Azure AD Domain Services or joined only to Active Directory.

You must Create a Kerberos Server object when your session host is:

  • Hybrid Azure AD-joined. Azure AD Kerberos is needed to complete the authentication to the domain controller.
  • Azure AD-joined and your environment contains Active Directory Domain Controllers. Azure AD Kerberos is required in this case for users to access on-premises resources, like SMB shares, and Windows-integrated authentication to websites.

Clients currently supported:

Enable single sign-on

To enable SSO on your host pool, you must customize an RDP property. You can find the Azure AD Authentication property under the Connection information tab in the Azure portal or set the enablerdsaadauth property to 1 using PowerShell.

Important

If you enable SSO on your Hybrid Azure AD-joined VMs before you create the Kerberos server object, you won't be able to connect to the VMs, and you'll see an error message saying the specified logon session doesn't exist.
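The following PowerShell script is an added example and is not part of the Microsoft article or the Azure Virtual Desktop product documentation. It ties the prerequisite and the enable step together in the order the Important note requires: it first confirms that an Azure AD Kerberos server object exists for the on-premises domain (using Get-AzureADKerberosServer from the AzureADHybridAuthenticationManagement module), and only then sets the enablerdsaadauth RDP property on the host pool. It also preserves any custom RDP properties the host pool already has, because Update-AzWvdHostPool replaces the whole property string rather than merging into it. The resource group, host pool name, domain and UPN values are placeholders.

```powershell
#Requires -Modules Az.DesktopVirtualization, AzureADHybridAuthenticationManagement
# Added example, not from the original article. Verify the Azure AD Kerberos server
# object exists, then enable Azure AD authentication SSO on an AVD host pool
# without clobbering its other custom RDP properties.

# Placeholder values (assumptions for this example):
$resourceGroupName = 'rg-avd-example'
$hostPoolName      = 'hp-avd-example'
$domain            = 'corp.example.com'     # on-premises AD domain of the Hybrid-joined hosts
$userPrincipalName = 'admin@example.com'    # Azure AD Global Administrator UPN

# Step 1: prerequisite check. Enabling SSO on Hybrid Azure AD-joined hosts before
# the Kerberos server object exists leaves the hosts unreachable (see the note above),
# so stop here if the object is missing instead of changing the host pool.
$domainCred = Get-Credential -Message "On-premises Domain Admin credentials for $domain"
$kerberosServer = Get-AzureADKerberosServer -Domain $domain `
    -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
if (-not $kerberosServer) {
    throw "No Azure AD Kerberos server object found for $domain. Create it first (Set-AzureADKerberosServer) before enabling SSO."
}

# Step 2: read the host pool's existing custom RDP properties. The property string
# is a semicolon-separated list such as 'audiomode:i:0;drivestoredirect:s:*'.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
$existingProps = @()
if ($hostPool.CustomRdpProperty) {
    $existingProps = $hostPool.CustomRdpProperty -split ';' |
        Where-Object { $_ -and $_ -notmatch '^enablerdsaadauth:' }   # drop any stale value
}

# Step 3: append the Azure AD Authentication property and write the merged string back.
$newProps = ($existingProps + 'enablerdsaadauth:i:1') -join ';'
Update-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName `
    -CustomRdpProperty $newProps

# Step 4: confirm what the host pool now advertises to clients.
(Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName).CustomRdpProperty
```

Run this from an account that holds both the Azure RBAC rights to update the host pool and the Azure AD role required by Get-AzureADKerberosServer; the on-premises credential prompt is only needed for the Kerberos object lookup. If your hosts are Azure AD-joined with no domain controllers in the environment, the Kerberos check in step 1 does not apply and can be removed.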

Allow remote desktop connection dialog

When enabling single sign-on, you'll currently be prompted to authenticate to Azure AD and allow the Remote Desktop connection when launching a connection to a new host. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialog, select Yes to connect.

Disconnection when the session is locked

When SSO is enabled, you sign in to Windows using an Azure AD authentication token, which provides support for passwordless authentication to Windows. The Windows lock screen in the remote session doesn't support Azure AD authentication tokens or passwordless authentication methods like FIDO keys. The lack of support for these authentication methods means that users can't unlock their screens in a remote session. When you try to lock a remote session, either through user action or system policy, the session is instead disconnected and the service sends a message to the user explaining they've been disconnected.

Disconnecting the session also ensures that when the connection is relaunched after a period of inactivity, Azure AD reevaluates the applicable conditional access policies.

Next steps