Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article explains the process of configuring single sign-on (SSO) for Windows 365 by using Microsoft Entra authentication. When you enable SSO, you can use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Cloud PC. When enabled, this feature provides a single sign-on experience both when authenticating to the Cloud PC and inside the session when accessing Microsoft Entra ID-based apps and websites.
For information on using passwordless authentication within the session, see In-session passwordless authentication.
To get started, following the steps to Configure single sign-on for Azure Virtual Desktop with the following caveats:
- If the Kerberos Server object isn't present for Microsoft Entra hybrid joined provisioning policies, a new error appears in your Azure Network Connection (ANC) health check for single sign-on.
- If you have Conditional Access policies that apply when accessing Windows 365, review the recommendations to set Conditional Access policies for Windows 365 to make sure users have the expected experience.
- SSO can be enabled on any provisioning policies. You can find the Use Microsoft Entra single sign-on option under the Join type on the General page. This can be done when creating a new provisioning policy or when editing an existing provisioning policy, with an option to apply SSO to existing Cloud PCs.
- When provisioning Frontline Cloud PCs in shared mode, hide the consent prompt so that users don't see it with each shared device. You can use a dynamic device group based on the provisioning policy name to scope this configuration.
Next steps
- Check out In-session passwordless authentication to learn how to enable passwordless authentication.