Configure single sign-on for Azure Virtual Desktop
This article will walk you through the process of configuring single sign-on (SSO) using Azure AD authentication for Azure Virtual Desktop (preview). When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Azure AD to sign in to your resources.
Azure Virtual Desktop (classic) doesn't support this feature.
Single sign-on is available on session hosts using the following operating systems:
- Windows 11 Enterprise single or multi-session with the 2022-09 Cumulative Updates for Windows 11 Preview (KB5017383) or later installed.
- Windows 10 Enterprise single or multi-session, versions 20H2 or later with the 2022-09 Cumulative Updates for Windows 10 Preview (KB5017380) or later installed.
- Windows Server 2022 with the 2022-09 Cumulative Update for Microsoft server operating system preview (KB5017381) or later installed.
You can enable SSO for connections to Azure Active Directory (AD)-joined VMs. You can also use SSO to access Hybrid Azure AD-joined VMs, but only after creating a Kerberos Server object. Azure Virtual Desktop doesn't support this solution with VMs joined to Azure AD Domain Services.
You can use the Windows Desktop client on local PCs running Windows 10 or later. There's no requirement for the local PC to be joined to a domain or Azure AD. You can also have a single sign-on experience when using the web client.
SSO is currently supported in the Azure Public cloud.
Enable single sign-on
If your host pool contains Hybrid Azure AD-joined session hosts, you must first enable Azure AD Kerberos in your environment by creating a Kerberos Server object. Azure AD Kerberos enables the authentication needed with the domain controller. We recommend you also enable Azure AD Kerberos for Azure AD-joined session hosts if you have a Domain Controller (DC). Azure AD Kerberos provides a single sign-on experience when accessing legacy Kerberos-based applications or network shares. To enable Azure AD Kerberos in your environment, follow the steps to Create a Kerberos Server object on your DC.
To enable SSO on your host pool, you must customize an RDP property. You can find the Azure AD Authentication property under the Connection information tab in the Azure portal or set the enablerdsaadauth property to 1 using PowerShell.
If you enable SSO on your Hybrid Azure AD-joined VMs before you create the Kerberos Server object, you won't be able to connect to the VMs, and you'll see an error message saying the specific logon session doesn't exist.
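The following PowerShell is an added example, not code from this article or from Microsoft, showing the PowerShell route described above: it sets enablerdsaadauth to 1 on a host pool with the Az.DesktopVirtualization module while preserving the pool's other custom RDP properties, and for Hybrid Azure AD-joined pools it first checks that the Kerberos Server object exists so you don't hit the "logon session doesn't exist" failure. It assumes the Az.Accounts, Az.DesktopVirtualization and (for the hybrid check) AzureADHybridAuthenticationManagement modules are installed, that Connect-AzAccount has already been run, and that the resource group, host pool and domain names are placeholders you replace with your own.

```powershell
# Added example (not from the article): enable Azure AD authentication (SSO) on an
# Azure Virtual Desktop host pool by setting the enablerdsaadauth RDP property to 1.
# Assumptions: Az.Accounts and Az.DesktopVirtualization are installed and
# Connect-AzAccount has been run; the names below are placeholders.

$ResourceGroupName = 'rg-avd-placeholder'   # placeholder: your resource group
$HostPoolName      = 'hp-avd-placeholder'   # placeholder: your host pool
$HybridJoined      = $false                 # set $true for Hybrid Azure AD-joined session hosts
$DomainDnsName     = 'corp.example.com'     # placeholder: on-premises domain (hybrid check only)

function Set-RdpIntProperty {
    # Return a custom RDP property string with the integer property $Name set to $Value,
    # replacing any existing entry for $Name. Entries are ';'-separated "name:type:value".
    param(
        [AllowEmptyString()][string]$Existing,
        [string]$Name,
        [int]$Value
    )
    $entries = @($Existing -split ';' | Where-Object { $_ -ne '' -and $_ -notmatch "^${Name}:" })
    $entries += "${Name}:i:${Value}"
    return ($entries -join ';') + ';'
}

if ($HybridJoined) {
    # Preflight for hybrid-joined pools: the Kerberos Server object must exist before SSO
    # is enabled, otherwise connections fail. Requires AzureADHybridAuthenticationManagement
    # and credentials for both Azure AD (Global Administrator) and the on-premises domain.
    $cloudCred  = Get-Credential -Message 'Azure AD Global Administrator credential'
    $domainCred = Get-Credential -Message 'On-premises Domain Administrator credential'
    $kerberosServer = Get-AzureADKerberosServer -Domain $DomainDnsName `
        -CloudCredential $cloudCred -DomainCredential $domainCred -ErrorAction Stop
    if (-not $kerberosServer) {
        throw "No Kerberos Server object found for $DomainDnsName. Create it before enabling SSO."
    }
}

# Read the current custom RDP properties so unrelated settings are not overwritten;
# Update-AzWvdHostPool replaces the whole CustomRdpProperty string.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$current  = $hostPool.CustomRdpProperty
Write-Host "Current custom RDP properties: $current"

$updated = Set-RdpIntProperty -Existing $current -Name 'enablerdsaadauth' -Value 1
Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
    -CustomRdpProperty $updated | Out-Null

# Verify the change landed on the host pool.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
if ($hostPool.CustomRdpProperty -match 'enablerdsaadauth:i:1') {
    Write-Host 'Azure AD authentication (SSO) is enabled on the host pool.'
} else {
    Write-Warning "enablerdsaadauth not found in: $($hostPool.CustomRdpProperty)"
}
```

Merging into the existing property string matters because Update-AzWvdHostPool sets the entire CustomRdpProperty value; passing only enablerdsaadauth:i:1 would silently drop settings such as drive or audio redirection that were already configured on the pool.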
Allow remote desktop connection dialog
When enabling single sign-on, you'll currently be prompted to authenticate to Azure AD and allow the Remote Desktop connection when launching a connection to a new host. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialog, select Yes to connect.
- Check out In-session passwordless authentication (preview) to learn how to enable passwordless authentication.
- If you're accessing Azure Virtual Desktop from our Windows Desktop client, see Connect with the Windows Desktop client.
- If you're accessing Azure Virtual Desktop from our web client, see Connect with the web client.
- If you encounter any issues, go to Troubleshoot connections to Azure AD-joined VMs.