Examine Windows 365 identity and authentication
Note
The following information doesn't apply to Windows 365 Business edition.
A Cloud PC user's identity defines which access management services manage that user and Cloud PC. This identity defines:
- The types of Cloud PCs the user has access to.
- The types of non-Cloud PC resources the user has access to.
A device can also have an identity determined by its join type to Microsoft Entra ID. For a device, the join type defines:
- If the device requires line of sight to a domain controller.
- How the device is managed.
- How users authenticate to the device.
Identity types
Windows 365 supports only the following identity types:
- Hybrid identity: Users or devices that are created in on-premises Windows Server Active Directory, then synchronized to Microsoft Entra ID.
- Cloud-only identity: Users or devices that are created and only exist in Microsoft Entra ID.
Device join types
There are two join types that you can select from when provisioning a Cloud PC:
- Microsoft Entra Hybrid Join: If you choose this join type, Windows 365 joins your Cloud PC to the Windows Server Active Directory domain you provide. Then, if your organization is properly configured for Microsoft Entra hybrid join, the device is synchronized to Microsoft Entra ID.
- Microsoft Entra Join: If you choose this join type, Windows 365 joins your Cloud PC directly to Microsoft Entra ID.
The following table shows key capabilities or requirements based on the selected join type:
| Capability or requirement | Microsoft Entra hybrid join | Microsoft Entra join |
|---|---|---|
| Azure subscription | Required | Optional |
| Azure virtual network with line of sight to the domain controller | Required | Optional |
| User identity type supported for login | Hybrid users only | Hybrid users or cloud-only users |
| Policy management | Group Policy Objects (GPO) or Intune | Intune only |
| Windows Hello for Business sign-in supported | Yes | Yes |
Authentication
To successfully access a Cloud PC, a user must authenticate with both:
- The Windows 365 service.
- The Cloud PC.
Windows 365 offers single sign-on, to authenticate both the Windows 365 service and Cloud PCs.
Windows 365 service authentication
Users must authenticate with the Windows 365 service when:
- They access windows365.microsoft.com.
- They navigate to the URL that maps directly to their Cloud PC.
- They use a Remote Desktop client to list their Cloud PCs.
Cloud PC authentication
Users must authenticate to their Cloud PC when:
- They navigate to the URL that maps directly to their Cloud PC.
- They use a Remote Desktop client to connect to their Cloud PC.
Microsoft Entra ID processes this authentication request for Microsoft Entra joined Cloud PCs and on-premises Active Directory for Microsoft Entra hybrid joined Cloud PCs.
Note
If a user navigates to the URL that maps directly to their Cloud PC, they will encounter the Windows 365 service authentication first, then encounter the Cloud PC authentication.
For more information, see: Windows 365 identity and authentication.