Configure single sign-on for Windows 365 using Microsoft Entra authentication

This article explains the process of configuring single sign-on (SSO) for Windows 365 by using Microsoft Entra authentication. When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Cloud PC. When enabled, this feature provides a single sign-on experience both when authenticating to the Cloud PC and inside the session when accessing Microsoft Entra ID-based apps and websites.

For information on using passwordless authentication within the session, see In-session passwordless authentication.

To get started, following the steps to Configure single sign-on for Azure Virtual Desktop with the following caveats:

  • If the Kerberos Server object isn't present for Microsoft Entra hybrid joined provisioning policies, a new error appears in your Azure Network Connection (ANC) health check for single sign-on.
  • If you have conditional access policies that apply when accessing Windows 365, review the recommendations to set conditional access policies for Windows 365 to make sure users have the expected experience.
  • SSO can be enabled on any provisioning policies. You can find the Use Microsoft Entra single sign-on option under the Join type on the General page. This can be done when creating a new provisioning policy or when editing an existing provisioning policy, with an option to apply SSO to existing Cloud PCs.

Next steps