Windows 365 identity and authentication

A Cloud PC user's identity defines which access management services manage that user and Cloud PC. This identity defines:

  • The types of Cloud PCs the user has access to.
  • The types of non-Cloud PC resources the user has access to.

A device can also have an identity that is determined by its join type to Azure Active Directory (Azure AD). For a device, the join type defines:

  • If the device requires line of sight to a domain controller.
  • How the device is managed.
  • How users authenticate to the device.

Identity types

There are three identity types:

  • Hybrid identity: Users or devices that are created in on-premises Windows Server Active Directory, then synchronized to Azure AD.
  • Cloud-only identity: Users or devices that are created and only exist in Azure AD.
  • External identity: Users who are created and managed outside of your Azure AD tenant but are invited in to your Azure AD tenant to access your organization's resources.

Note

Windows 365 does not support external identities.

Device join types

There are two join types that you can select from when provisioning a Cloud PC:

  • Hybrid Azure AD Join: If you choose this join type, Windows 365 will join your Cloud PC to the Windows Server Active Directory domain you provide. Then, if your organization is properly configured for Hybrid Azure AD Join, the device will be synchronized to Azure AD.
  • Azure AD Join: If you choose this join type, Windows 365 will join your Cloud PC directly to Azure AD.

Below is a table showing key capabilities or requirements based on the selected join type:

Capability or requirement | Hybrid Azure AD Join | Azure AD Join
Azure subscription | Required | Optional
Azure virtual network with line of sight to the domain controller | Required | Optional
User identity type supported for login | Hybrid users only | Hybrid users or cloud-only users
Policy management | Group Policy Objects (GPO) or Intune MDM | Intune MDM only
Windows Hello for Business sign-in supported | Yes, and the connecting device must have line of sight to the domain controller through the direct network or a VPN | Yes
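The table above ties several requirements to the device's join type and to domain-controller line of sight. The following PowerShell is an added example, not part of the Windows 365 documentation, that reads the "Key : Value" lines printed by the built-in dsregcmd /status command to classify a device as Hybrid Azure AD joined or Azure AD joined, and then uses nltest /dsgetdc to test whether a domain controller is reachable from the network the device is on. The sample output embedded in the script is constructed so the parsing function can be exercised offline; the field names AzureAdJoined, DomainJoined and DomainName are what dsregcmd prints, and the function and parameter names are this example's own.

```powershell
# Added example (not from the Windows 365 documentation): classify a device's join
# type from "dsregcmd /status" output and check line of sight to a domain controller.

function Get-JoinTypeFromDsregOutput {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "Key : Value" pairs; table borders and headings are skipped
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'
    if ($aad -and $domain) { return 'Hybrid Azure AD Join' }
    if ($aad)              { return 'Azure AD Join' }
    if ($domain)           { return 'Domain joined only (not registered in Azure AD)' }
    return 'Not joined'
}

function Test-DomainControllerLineOfSight {
    # nltest is built into Windows; a non-zero exit code means no DC for the
    # given domain could be located from this network (no line of sight).
    param([string]$DomainName)
    $null = & nltest.exe /dsgetdc:$DomainName 2>&1
    return ($LASTEXITCODE -eq 0)
}

# --- Offline demo on constructed sample output (not real device data) ---------
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

Get-JoinTypeFromDsregOutput -Lines $sample   # Hybrid Azure AD Join

# --- Live check on the current device -----------------------------------------
$live     = dsregcmd.exe /status
$joinType = Get-JoinTypeFromDsregOutput -Lines $live
"Join type: $joinType"
if ($joinType -eq 'Hybrid Azure AD Join') {
    # Hybrid join requires DC line of sight (see the table above); report it
    $domainName = ($live | Where-Object { $_ -match '^\s*DomainName\s*:' }) -replace '^\s*DomainName\s*:\s*', ''
    "DC line of sight: $(Test-DomainControllerLineOfSight -DomainName $domainName)"
}
```

Run it on the physical client before a Windows Hello for Business sign-in to a Hybrid Azure AD joined Cloud PC, or on the Cloud PC itself to confirm the join type the provisioning policy was expected to produce; a Hybrid device that reports no DC line of sight will fail the Kerberos-dependent scenarios the rest of this page describes.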

Authentication

To successfully access a Cloud PC, a user must authenticate, in turn, with both:

  • The Windows 365 service.
  • The Cloud PC.

Windows 365 offers single sign-on (defined as a single authentication prompt that can satisfy both the Windows 365 service authentication and Cloud PC authentication) as part of the service. See single sign-on for more information.

Important

In order for authentication to work properly, the user's local machine must also be able to access the URLs in the Remote Desktop clients section of the Azure Virtual Desktop required URL list.

Windows 365 service authentication

Users must authenticate with the Windows 365 service when:

This authentication triggers an Azure Active Directory prompt, allowing any credential type that is supported by both Azure Active Directory and your OS.

Passwordless authentication

You can use any authentication type supported by Azure AD, such as Windows Hello for Business and other passwordless authentication options (for example, FIDO keys), to authenticate to the service.

Smart card authentication

To use a smart card to authenticate to Azure AD, you must first configure AD FS for user certificate authentication or configure Azure AD certificate-based authentication.

Cloud PC authentication

Users must authenticate to their Cloud PC when:

  • They navigate to the URL that maps directly to their Cloud PC.
  • They use a Remote Desktop client to connect to their Cloud PC.

This authentication request is processed by Azure AD for Azure AD Joined Cloud PCs and on-premises Active Directory for Hybrid Azure AD Joined Cloud PCs.

Note

If a user launches the web browser URL that maps directly to their Cloud PC, they will encounter the Windows 365 service authentication first, then encounter the Cloud PC authentication.

The following credential types are supported for Cloud PC authentication:

  • Windows store client
    • Username and password
  • Web client
  • Android
    • Username and password
  • iOS
    • Username and password
  • macOS
    • Username and password

Note

Smart card and Windows Hello authentication require the Windows desktop client to be able to perform Kerberos authentication when used with Hybrid Azure AD Join. This requires the physical client to have line of sight to a domain controller.

Single sign-on (SSO)

Important

Single sign-on is in public preview for Azure AD joined Cloud PCs.

Single sign-on is not supported for Hybrid Azure AD joined Cloud PCs.

Single sign-on (SSO) allows the connection to skip the Cloud PC VM credential prompt and automatically sign the user in to Windows through Azure AD authentication. Azure AD authentication provides other benefits including passwordless authentication and support for third-party identity providers. Single sign-on is available on Cloud PCs (either gallery images or custom images) using the following operating systems:

Without SSO, the client will prompt users for their session host credentials for every connection. The only way to avoid being prompted is to save the credentials in the client. We recommend you only save credentials on secure devices to prevent other users from accessing your resources.

Note

To maintain single sign-on to Kerberos-based apps and resources in the Cloud PC environment, you must properly configure your environment to trust the Azure AD Kerberos service.

In-session authentication

Once you're connected to your Cloud PC, you may be prompted for authentication inside the session. This section explains how to use credentials other than username and password in this scenario.

In-session passwordless authentication (preview)

Important

In-session passwordless authentication is currently in public preview.

Windows 365 supports in-session passwordless authentication (preview: /windows-365/public-preview) using Windows Hello for Business or security devices like FIDO keys when using the Windows Desktop client. Passwordless authentication is enabled automatically when the Cloud PC and local PC are using the following operating systems:

When enabled, all WebAuthn requests in the session are redirected to the local PC. You can use Windows Hello for Business or locally attached security devices to complete the authentication process.

To access Azure AD resources with Windows Hello for Business or security devices, you must enable the FIDO2 Security Key as an authentication method for your users. To enable this method, follow the steps in Enable FIDO2 security key method.

In-session smart card authentication

To use a smart card in your session, make sure you've installed the smart card drivers on the Cloud PC and allow smart card redirection as part of managing RDP device redirections for Cloud PCs. Review the client comparison chart to make sure your client supports smart card redirection.

Next steps

Learn about the Cloud PC lifecycle.