You can require authentication using Microsoft Entra ID for Remote Desktop Protocol (RDP) connections. If single sign-on is configured for connections through the service, connections made from the Windows App use single sign-on using Microsoft Entra ID. This configuration enforces authentication using Microsoft Entra ID, regardless of the client.
Prerequisites
Before you can configure the setting to require single sign-on using Microsoft Entra ID, you need to meet the following prerequisites:
Target devices providing the remote session to your users:
- For Azure Virtual Desktop, these are the session hosts.
- For Windows 365, these are the Cloud PCs.
You have configured single sign-on using Microsoft Entra ID and tested that user connections are successful:
- For Azure Virtual Desktop, see configure single sign-on for Azure Virtual Desktop.
- For Windows 365, see configure single sign-on for Windows 365.
Important
If you don't confirm that connections using single sign-on with Microsoft Entra ID are successful, your users could be prevented from signing in.
Your target devices must be running one of the following operating systems with the relevant cumulative update installed:
- Windows 11 single or multi-session with the 2026-05 Cumulative Updates for Windows 11 (KB5089573) or later installed.
To configure Group Policy, you need:
- A domain account that has permission to create or edit Group Policy objects.
- A security group or organizational unit (OU) containing the devices you want to configure.
Configure the setting to require single sign-on using Microsoft Entra ID
1. Open the Group Policy Management console on the device you use to manage the Active Directory domain.
2. Create or edit a policy that's assigned to the target devices you want to configure, which are the devices providing the remote session to your users.
3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
4. Double-click the Enable Microsoft Entra ID Authentication Enforcement policy setting.
5. Set the policy to Enabled, and then select OK.
6. Ensure the policy is applied to your target devices, then restart them for the settings to take effect.
You can test the behavior by initiating a connection that doesn't use single sign-on using Microsoft Entra ID, which should result in a connection error titled ENTRA_AUTH_REQUIRED_BY_SERVER.
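To audit where the setting from the procedure above is configured before restarting devices, the following added example (not part of the original documentation or Microsoft's own code) lists every GPO in the domain that sets the policy, its state, and the OUs it is linked to. It assumes the GroupPolicy PowerShell module is installed and that the administrative template containing this setting is available on the management device, so the report resolves the setting by its display name; the function name `Get-EntraAuthEnforcementGpo` is hypothetical.

```powershell
# Added example: find GPOs that configure the enforcement setting and show
# where they are linked. Requires the GroupPolicy module (Group Policy
# Management tools) and read access to the domain's GPOs.
Import-Module GroupPolicy

function Get-EntraAuthEnforcementGpo {
    param(
        # Display name of the setting, as given in the procedure on this page.
        [string]$SettingName = 'Enable Microsoft Entra ID Authentication Enforcement'
    )

    foreach ($gpo in Get-GPO -All) {
        # The XML report lists Administrative Template settings as <Policy>
        # elements with <Name> and <State> children.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # Match on local-name() so the query does not depend on namespace
        # prefixes, and only look under the Computer configuration node.
        $xpath = "//*[local-name()='Computer']//*[local-name()='Policy']" +
                 "[*[local-name()='Name' and normalize-space(.)='$SettingName']]"

        foreach ($policy in $report.SelectNodes($xpath)) {
            $stateNode = $policy.SelectSingleNode("*[local-name()='State']")

            # Each <LinksTo> element describes one OU/domain/site link.
            $links = foreach ($link in $report.SelectNodes("//*[local-name()='LinksTo']")) {
                $path    = $link.SelectSingleNode("*[local-name()='SOMPath']").InnerText
                $enabled = $link.SelectSingleNode("*[local-name()='Enabled']").InnerText
                "$path (link enabled: $enabled)"
            }

            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                GpoStatus = $gpo.GpoStatus   # e.g. computer settings disabled
                State     = if ($stateNode) { $stateNode.InnerText } else { 'Unknown' }
                LinkedTo  = if ($links) { $links -join '; ' } else { '<not linked>' }
            }
        }
    }
}

Get-EntraAuthEnforcementGpo | Format-List
```

A GPO that shows the setting as Enabled but is not linked, has its link disabled, or has computer settings disabled in `GpoStatus` does not enforce anything on the target devices.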