I have now activated SSO for Active Directory users in my lab. I already had a configuration that allowed users to log in. The users and the session hosts are already hybrid. Now, the users can log in without entering an additional password.
To realize this, I followed the Microsoft documentation: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication
This describes the steps that need to be taken to activate single sign-on. You should also pay attention to the note about locking the session! I have performed the implementation in the following order:
- Create a group in Microsoft Entra ID that contains all AVD target devices
- Configuring Microsoft Entra ID Tenant
- Enable Microsoft Entra authentication for RDP
- Configure the group with the target devices
- Create a Kerberos server object
- Check the policies for Conditional Access
- Enable single sign-on to the host pool
Create a group in Microsoft Entra ID
First, I created a group which will then dynamically contain all computer accounts. Theoretically, you could also use different groups, but only 10 groups are possible in the configuration! I therefore decided to use a single group.
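As an added example (not the author's script), the following creates that single dynamic device group with the Microsoft Graph PowerShell module. The group name and the `device.displayName` prefix rule are assumptions and should be adapted to your own naming convention.

```powershell
# Added example, not part of the original post: create the one dynamic device group
# that will later be registered as target device group on the two SSO service principals.
# Assumptions: Microsoft.Graph.Groups is installed and the hybrid-joined AVD session
# hosts carry Entra device display names starting with 'avd-'.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Keep the rule narrow: every device that lands in this group will accept
# Entra-authenticated RDP logons once the group is wired into the SSO configuration.
$membershipRule = '(device.displayName -startsWith "avd-")'   # assumed naming convention

$groupParams = @{
    DisplayName                   = 'AVD-SSO-Session-Hosts'        # assumed name
    Description                   = 'Target device group for AVD single sign-on (Entra authentication for RDP)'
    MailEnabled                   = $false
    MailNickname                  = 'avd-sso-session-hosts'
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $membershipRule
    MembershipRuleProcessingState = 'On'
}

$group = New-MgGroup @groupParams
Write-Output ("Group Id (use as `$groupId / displayName in the SSO scripts): " + $group.Id)

# Dynamic membership is evaluated asynchronously and can take several minutes.
# Check which devices actually ended up in the group before using it as target device group.
Start-Sleep -Seconds 60
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

If the member list contains anything other than session hosts, tighten the membership rule before continuing; the later scripts take the group id as-is.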
Configuring Microsoft Entra ID Tenant
I carried out the steps “Enable Microsoft Entra authentication for RDP” and “Configure the group with the target devices” together in one step. I wrote a script for this, which I am happy to share here. Disclaimer: the script is provided as is; I do not guarantee that it works!
```powershell
<#
.SYNOPSIS
    Enable Single Sign-On (SSO) in Microsoft Entra ID Tenant.
.DESCRIPTION
    This PowerShell script is used to enable Single Sign-On (SSO) in Microsoft Entra ID Tenant.
    It uses the Microsoft Graph API to interact with the Microsoft Entra ID Tenant.

    The script starts by defining the required scopes for the Microsoft Graph API. These scopes
    are permissions that the script needs to perform its operations. The Connect-MgGraph command
    is then used to connect to the Microsoft Graph API with these scopes.

    The script then sets up the target device groups. This is done by creating a hashtable with
    the necessary properties and converting it to JSON. The target device groups are the groups
    of devices that the settings will apply to.

    Next, the script enables Microsoft Entra authentication for Remote Desktop Protocol (RDP).
    This is done by creating a hashtable with the necessary properties and converting it to JSON.

    The script then gets a list of service principals for the applications "Microsoft Remote
    Desktop" and "Windows Cloud Login". A service principal is an identity that is used by a
    service or application to log in and access resources.

    For each service principal, the script updates the remote desktop security configuration and
    the target device groups using the Invoke-MgGraphRequest command. This command sends a request
    to the Microsoft Graph API. The PATCH method is used to update the remote desktop security
    configuration, and the POST method is used to update the target device groups.

    Finally, the script validates the changes by getting the current remote desktop security
    configuration and outputting the status of the Remote Desktop Protocol and the target
    device groups.
.NOTES
    Author: Stefan Beckmann
    Date: September 30, 2022
    Version: 1.0
.LINK
    GitHub Repository: https://github.com/alphasteff
.EXAMPLE
    .\Enable-SSO.ps1
#>

# Define the target device groups, values need to be added
$paramsTargetDeviceGroups = @{
    '@odata.type' = '#microsoft.graph.targetDeviceGroup'
    id            = ''
    displayName   = ''
}

### DO NOT MODIFY BELOW THIS LINE ###
$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All',
    'Directory.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes
Get-MgContext

$applicationNames = @(
    'Microsoft Remote Desktop',
    'Windows Cloud Login'
)

# Enable Microsoft Entra authentication for RDP
$paramsRemoteDesktopSecurityConfiguration = @{
    '@odata.type'                  = '#microsoft.graph.remoteDesktopSecurityConfiguration'
    isRemoteDesktopProtocolEnabled = $true
}

# Both request bodies are sent as JSON
$paramsRemoteDesktopSecurityConfiguration = ConvertTo-Json $paramsRemoteDesktopSecurityConfiguration
$paramsTargetDeviceGroups = ConvertTo-Json $paramsTargetDeviceGroups

# Resolve the service principals by display name ($search requires ConsistencyLevel eventual)
$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationName in $applicationNames) {
    $sp = Get-MgServicePrincipal -ConsistencyLevel eventual -Search ('"DisplayName:' + $applicationName + '"')
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # PATCH: enable RDP with Microsoft Entra authentication on the service principal
    $null = Invoke-MgGraphRequest `
        -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/remoteDesktopSecurityConfiguration" `
        -Body $paramsRemoteDesktopSecurityConfiguration

    # POST: register the device group that is allowed to use this configuration
    $null = Invoke-MgGraphRequest `
        -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/remoteDesktopSecurityConfiguration/targetDeviceGroups" `
        -Body $paramsTargetDeviceGroups

    # GET: read the configuration back for validation
    $validate = Invoke-MgGraphRequest `
        -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/remoteDesktopSecurityConfiguration"

    Write-Output ("Remote Desktop Protocol Enabled: " + $validate.isRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validate.targetDeviceGroups | Out-String))
}
```
Update
Shortly after this article was published, a friend of mine who works at Microsoft and is also involved in updating the Microsoft article informed me that an update using the PowerShell modules was imminent.
In the meantime, an updated version of the script has been developed which requires the latest Microsoft Graph PowerShell modules (more information on this can be found in the Microsoft article). In addition, scripts have been created that either reverse the configuration or simply display it.
Activating the single sign-on configuration
```powershell
<#
.SYNOPSIS
    Enable AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
.DESCRIPTION
    This PowerShell script is used to enable AVD Single Sign-On (SSO) configuration in Microsoft
    Entra ID Tenant. It uses the Microsoft Graph Module to interact with the Microsoft Entra ID Tenant.

    The script will enable the following:
    - Microsoft Remote Desktop
    - Windows Cloud Login

    The script will output the following:
    - Service Principal Name
    - Remote Desktop Protocol Enabled
    - Target Device Groups

    The script starts by defining the required variables for the Microsoft Entra ID Group. Then the
    script imports the necessary modules: Microsoft.Graph.Authentication and
    Microsoft.Graph.Applications. These modules provide the cmdlets that the script uses to interact
    with the Microsoft Graph API.

    Next, the script defines the required scopes for the Microsoft Graph API. These scopes are
    permissions that the script needs to perform its operations. The Connect-MgGraph command is then
    used to connect to the Microsoft Graph API with these scopes.

    The script then defines a list of application (client) IDs. These identify the applications that
    the script will configure SSO settings for. The script creates an empty ArrayList to store the
    service principals for these applications.

    The script then loops over the application IDs. For each ID, it uses the Get-MgServicePrincipal
    command to get the service principal for the application. The service principal is an identity
    that is used by a service or application to log in and access resources. The service principal is
    then added to the ArrayList.

    Next, the script loops over the service principals in the ArrayList. For each service principal,
    it gets the ID and outputs the display name. It then checks if the Remote Desktop Protocol is
    enabled for the service principal. If it is not, it uses the
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration command to enable it.

    The script then creates a new TargetDeviceGroup object and sets its ID and display name. It uses
    the New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup command to create a
    new target device group for the service principal.

    Finally, the script validates the changes by getting the current remote desktop security
    configuration and the target device groups for the service principal. It outputs the status of
    the Remote Desktop Protocol and the display names of the target device groups.
.NOTES
    Author: Stefan Beckmann
    Date: January 09, 2024
    Version: 1.0
.LINK
    GitHub Repository: https://github.com/alphasteff
.EXAMPLE
    .\Enable-AvdSSO.ps1
#>

# Define the target device group, values need to be added
$groupName = ''
$groupId   = ''

### DO NOT MODIFY BELOW THIS LINE ###
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes

# Well-known application (client) IDs of the first-party apps involved in AVD SSO
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$applicationId'"
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # Enable Microsoft Entra authentication for RDP if it is not already enabled.
    # The cmdlet returns a configuration object, so the property has to be compared, not the object.
    $currentConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -ErrorAction SilentlyContinue
    If ($currentConfiguration.IsRemoteDesktopProtocolEnabled -ne $true) {
        $null = Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -IsRemoteDesktopProtocolEnabled
    }

    # Register the target device group only if it is not already assigned, so the script can be re-run
    $existingGroups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -ErrorAction SilentlyContinue
    If ($existingGroups.Id -notcontains $groupId) {
        $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
        $tdg.Id = $groupId
        $tdg.DisplayName = $groupName
        $null = New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -BodyParameter $tdg
    }

    # Validate the result
    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    $validateDeviceGroup = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId
    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.IsRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}
```
Removing the single sign-on configuration
```powershell
<#
.SYNOPSIS
    Remove AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
.DESCRIPTION
    This PowerShell script is used to remove AVD Single Sign-On (SSO) configuration in Microsoft
    Entra ID Tenant. It uses the Microsoft Graph Module to interact with the Microsoft Entra ID Tenant.

    The script will remove the configuration for the following:
    - Microsoft Remote Desktop
    - Windows Cloud Login

    The script will output the following:
    - Service Principal Name
    - Remote Desktop Protocol Enabled
    - Target Device Groups

    The script begins by defining the ID of the device group that you want to remove from the RDP
    configuration. This ID is stored in the $groupId variable.

    Next, the script imports the necessary modules: Microsoft.Graph.Authentication and
    Microsoft.Graph.Applications. These modules provide the cmdlets that the script uses to interact
    with the Microsoft Graph API.

    The script then defines the required scopes for the Microsoft Graph API. These scopes are
    permissions that the script needs to perform its operations. The Connect-MgGraph command is then
    used to connect to the Microsoft Graph API with these scopes.

    The script then defines a list of application (client) IDs. These identify the applications that
    the script will modify the SSO settings for. The script creates an empty ArrayList to store the
    service principals for these applications.

    The script then loops over the application IDs. For each ID, it uses the Get-MgServicePrincipal
    command to get the service principal for the application. The service principal is then added to
    the ArrayList.

    Next, the script loops over the service principals in the ArrayList. For each service principal,
    it gets the ID and outputs the display name. It then checks if the Remote Desktop Protocol is
    enabled for the service principal. If it is, it uses the
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration command to disable it.

    The script then uses the Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup
    command to remove the target device group from the service principal's RDP configuration.

    Finally, the script validates the changes by getting the current remote desktop security
    configuration and the target device groups for the service principal. It outputs the status of
    the Remote Desktop Protocol and the display names of the target device groups.
.NOTES
    Author: Stefan Beckmann
    Date: January 09, 2024
    Version: 1.0
.LINK
    GitHub Repository: https://github.com/alphasteff
.EXAMPLE
    .\Remove-AvdSSO.ps1
#>

# Define the device group id that you want to remove from the RDP configuration, value needs to be added
$groupId = ''

### DO NOT MODIFY BELOW THIS LINE ###
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes

# Well-known application (client) IDs of the first-party apps involved in AVD SSO
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$applicationId'"
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # Disable Microsoft Entra authentication for RDP if it is currently enabled.
    # The cmdlet returns a configuration object, so the property has to be compared, not the object.
    $currentConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -ErrorAction SilentlyContinue
    If ($currentConfiguration.IsRemoteDesktopProtocolEnabled -eq $true) {
        $null = Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -IsRemoteDesktopProtocolEnabled:$false
    }

    # Remove the target device group only if it is currently assigned to this service principal
    $existingGroups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -ErrorAction SilentlyContinue
    If ($existingGroups.Id -contains $groupId) {
        $null = Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -TargetDeviceGroupId $groupId
    }

    # Validate the result
    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    $validateDeviceGroup = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId
    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.IsRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}
```
Checking the single sign-on configuration
```powershell
<#
.SYNOPSIS
    Get AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
.DESCRIPTION
    This PowerShell script is used to get Single Sign-On (SSO) configuration in Microsoft Entra ID
    Tenant. It uses the Microsoft Graph Modules to interact with the Microsoft Entra ID Tenant.

    The script will check for the following:
    - Microsoft Remote Desktop
    - Windows Cloud Login

    The script will output the following:
    - Service Principal Name
    - Remote Desktop Protocol Enabled
    - Target Device Groups

    The script begins by importing the necessary modules: Microsoft.Graph.Authentication and
    Microsoft.Graph.Applications. These modules provide the cmdlets that the script uses to interact
    with the Microsoft Graph API.

    Next, the script defines the required scopes for the Microsoft Graph API. These scopes are
    permissions that the script needs to perform its operations. Since the script only reads, the
    read-only scopes are sufficient. The Connect-MgGraph command is then used to connect to the
    Microsoft Graph API with these scopes.

    The script then defines a list of application (client) IDs. These identify the applications that
    the script will retrieve the SSO settings for. The script creates an empty ArrayList to store the
    service principals for these applications.

    The script then loops over the application IDs. For each ID, it uses the Get-MgServicePrincipal
    command to get the service principal for the application. The service principal is then added to
    the ArrayList.

    Next, the script loops over the service principals in the ArrayList. For each service principal,
    it gets the ID and outputs the display name. The script then retrieves the current remote desktop
    security configuration and the target device groups for the service principal using the
    Get-MgServicePrincipalRemoteDesktopSecurityConfiguration and
    Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup commands respectively.

    Finally, it outputs the status of the Remote Desktop Protocol and the display names of the target
    device groups. This information can be used to verify the current SSO settings for the applications.
.NOTES
    Author: Stefan Beckmann
    Date: January 09, 2024
    Version: 1.0
.LINK
    GitHub Repository: https://github.com/alphasteff
.EXAMPLE
    .\Get-AvdSSO.ps1
#>

### DO NOT MODIFY BELOW THIS LINE ###
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Read-only scopes are enough for a script that only displays the configuration (least privilege)
$RequiredScopes = @(
    'Application-RemoteDesktopConfig.Read.All',
    'Application.Read.All'
)

Connect-MgGraph -Scopes $RequiredScopes

# Well-known application (client) IDs of the first-party apps involved in AVD SSO
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$applicationId'"
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # Read the RDP security configuration and the assigned target device groups
    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -ErrorAction SilentlyContinue
    $validateDeviceGroup = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -ErrorAction SilentlyContinue
    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.IsRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}
```
Creating a Kerberos server object
Here I have again followed the documentation from Microsoft, which can be found under the following link: Create a Kerberos Server object
I ran Example 4 on the Microsoft Entra Connect server, as I still have a GUI there and usually log in to the lab with a domain admin account.
Conditional Access
I have a Conditional Access policy that is for my AVD tests. I have configured this as follows:
The Conditional Access policy is prepared with these settings. I have added my own user for testing; here you should instead use the group used for the desktops, or follow your company’s specifications.
Please note: if SSO is also to be implemented for Microsoft Entra ID-only users and host pools, the service principals of the storage accounts configured in Microsoft Entra ID must be excluded under Cloud Apps.
Enable single sign-on to the host pool
Now it’s actually done. I use Nerdio Manager for Enterprise to deploy and manage Azure Virtual Desktop. In it, I have RDP profiles that I can assign to the corresponding host pools. This looks like this:
Search for enablerdsaadauth in the profile and enable it.
The profile can then be changed in the properties of the host pool under RDP Settings.
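For those who do not use Nerdio Manager, here is an added example (not from the original post) that sets the same RDP property on a host pool with the Az.DesktopVirtualization module while preserving the other custom RDP properties. The resource group and host pool names are placeholders, and Connect-AzAccount is assumed to have been run already.

```powershell
# Added example, not part of the original post: enable enablerdsaadauth:i:1 on a host pool
# via Az PowerShell. <rg-avd> and <hp-avd-sso> are placeholders; Connect-AzAccount must be done.
Import-Module Az.DesktopVirtualization

$resourceGroupName = '<rg-avd>'       # placeholder
$hostPoolName      = '<hp-avd-sso>'   # placeholder

function Set-RdpProperty {
    # A host pool's customRdpProperty is one string of "name:type:value;" entries.
    # Parse it into an ordered table, set or overwrite a single entry and serialise it
    # back, so existing settings (redirections, etc.) are not lost by a blind overwrite.
    param(
        [string]$CustomRdpProperty,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TypedValue   # e.g. 'i:1'
    )
    $props = [ordered]@{}
    foreach ($entry in ($CustomRdpProperty -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $key, $rest = $entry -split ':', 2      # split only at the first colon
        $props[$key] = $rest
    }
    $props[$Name] = $TypedValue
    return (($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';') + ';'
}

$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
Write-Output ("Current RDP properties: " + $hostPool.CustomRdpProperty)

# enablerdsaadauth:i:1 is the property the article activates in the Nerdio RDP profile
$newRdpProperty = Set-RdpProperty -CustomRdpProperty $hostPool.CustomRdpProperty `
                                  -Name 'enablerdsaadauth' -TypedValue 'i:1'

Update-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName `
    -CustomRdpProperty $newRdpProperty | Out-Null

# Read back and verify the exact entry (avoid matching e.g. enablerdsaadauth:i:0)
$check = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
if ($check.CustomRdpProperty -match '(^|;)enablerdsaadauth:i:1(;|$)') {
    Write-Output 'Microsoft Entra authentication for RDP (SSO) is enabled on the host pool.'
} else {
    Write-Warning 'enablerdsaadauth:i:1 was not found in the host pool RDP properties.'
}
```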
Conclusion
Once all the settings have been made, the login can be tested. However, you should first refresh the feed in the Azure Virtual Desktop client so that all changes are applied.
I hope this article, and especially the PowerShell script, can help some of you, and I hope you enjoy testing it.
2 thoughts on “SSO for Azure Virtual Desktop with AD users”