SSO for Azure Virtual Desktop with AD users

I have now activated SSO for Active Directory users in my lab. I already had a configuration that allowed users to log in. The users are synchronized from Active Directory and the session hosts are Microsoft Entra hybrid joined. Now the users can log in without entering an additional password.

To realize this, I followed the Microsoft documentation: Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication

The documentation describes the steps needed to activate single sign-on. You should also pay attention to the note about locking the session! I performed the implementation in the following order:

  • Create a group in Microsoft Entra ID that contains all AVD target devices
  • Configure the Microsoft Entra ID tenant
    • Enable Microsoft Entra authentication for RDP
    • Configure the group with the target devices
  • Create a Kerberos server object
  • Check the Conditional Access policies
  • Enable single sign-on on the host pool

Create a group in Microsoft Entra ID

First, I created a dynamic group that contains all session host computer accounts. In theory you could use several groups, but the configuration allows at most 10 groups per service principal, so I decided to use a single group.

Configuring Microsoft Entra ID Tenant

I combined the steps “Enable Microsoft Entra authentication for RDP” and “Configure the group with the target devices” into a single script, which I am happy to share here. Disclaimer: The script is as it is, I do not guarantee the function of the script!

Update

Shortly after the publication of this article, a friend of mine who works at Microsoft and is also involved in the article updates informed me that an update with PowerShell modules was imminent.

In the meantime, an updated version of the script has been developed, which requires the latest Microsoft Graph PowerShell modules (more information on this can be found in the Microsoft article). In addition, scripts have been created that either reverse the configuration or simply display it.
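To show what the three operations (activate, remove, check) look like against the Microsoft Graph API, here is an added example that is not the author's script and not Microsoft's code. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are installed, that the signed-in account can consent to the listed scopes, and that the two first-party application IDs below (Microsoft Remote Desktop and Windows Cloud Login, as named in the Microsoft documentation) are the service principals to configure; the function names and the group name parameter are my own.

```powershell
# Added example: enable, display and remove Microsoft Entra authentication for RDP
# (the tenant-side part of AVD SSO) with the Microsoft.Graph PowerShell modules.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

# First-party application IDs of the service principals that must accept the Entra token.
# These values are taken from the Microsoft documentation for this feature.
$AvdSsoAppIds = [ordered]@{
    'Microsoft Remote Desktop' = 'a4a365df-50f1-4d9d-a638-f8ec1d5ba6a4'
    'Windows Cloud Login'      = '270efc09-cd0d-444b-a71f-39af4910ec45'
}

function Connect-AvdSsoGraph {
    # Least privilege: read applications/groups, write only the remote desktop config.
    Connect-MgGraph -Scopes 'Application.Read.All',
                            'Application-RemoteDesktopConfig.ReadWrite.All',
                            'Group.Read.All'
}

function Get-AvdSsoServicePrincipal {
    # Resolve the tenant-specific object IDs of the two first-party service principals.
    foreach ($name in $AvdSsoAppIds.Keys) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($AvdSsoAppIds[$name])'"
        if (-not $sp) { throw "Service principal '$name' was not found in this tenant." }
        [pscustomobject]@{ Name = $name; Id = $sp.Id }
    }
}

function Enable-AvdSso {
    # Activate: allow Entra tokens for RDP and restrict it to one device group.
    param([Parameter(Mandatory)][string]$TargetDeviceGroupName)

    # Group names are untrusted input for an OData filter: escape single quotes.
    $safeName = $TargetDeviceGroupName -replace "'", "''"
    $group = Get-MgGroup -Filter "displayName eq '$safeName'"
    if (-not $group) { throw "Group '$TargetDeviceGroupName' was not found." }

    foreach ($sp in Get-AvdSsoServicePrincipal) {
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration `
            -ServicePrincipalId $sp.Id -IsRemoteDesktopProtocolEnabled

        # At most 10 target device groups are allowed; only add ours if it is missing.
        $existing = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup `
            -ServicePrincipalId $sp.Id
        if ($existing.Id -notcontains $group.Id) {
            $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
            $tdg.Id          = $group.Id
            $tdg.DisplayName = $group.DisplayName
            New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup `
                -ServicePrincipalId $sp.Id -BodyParameter $tdg | Out-Null
        }
    }
}

function Get-AvdSso {
    # Check: one row per service principal with the flag and the configured groups.
    foreach ($sp in Get-AvdSsoServicePrincipal) {
        $cfg    = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id
        $groups = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id
        [pscustomobject]@{
            ServicePrincipal   = $sp.Name
            RdpEnabled         = $cfg.IsRemoteDesktopProtocolEnabled
            TargetDeviceGroups = ($groups.DisplayName -join ', ')
        }
    }
}

function Disable-AvdSso {
    # Remove: detach every target device group, then switch the flag off again.
    foreach ($sp in Get-AvdSsoServicePrincipal) {
        foreach ($g in Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id) {
            Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup `
                -ServicePrincipalId $sp.Id -TargetDeviceGroupId $g.Id
        }
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration `
            -ServicePrincipalId $sp.Id -IsRemoteDesktopProtocolEnabled:$false
    }
}

# Usage (group name is a placeholder for your own dynamic device group):
# Connect-AvdSsoGraph
# Enable-AvdSso -TargetDeviceGroupName 'AVD-SessionHosts'
# Get-AvdSso
# Disable-AvdSso
```

The target device group is what keeps the Entra RDP token from being accepted by arbitrary devices, so `Get-AvdSso` is the quick check that both service principals have the flag set and list exactly the group you intended and nothing more.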

Activating the single sign-on configuration

Removing the single sign-on configuration

Checking the single sign-on configuration

Creating a Kerberos server object

Here I again followed the Microsoft documentation, which can be found under the following link: Create a Kerberos Server object

I ran Example 4 on the Microsoft Entra Connect server, as I still have a GUI there and usually log in to the lab with a domain admin account.
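For readers who want the general shape of that step and a way to verify it afterwards, here is an added example (not the author's commands and not a copy of any numbered example from the documentation). It assumes the AzureADHybridAuthenticationManagement module is installed on a domain-joined machine, that the session runs as a domain admin, and that the domain name and cloud account below are placeholders for your environment.

```powershell
# Added example: create the Kerberos server object and verify both halves of it.
#Requires -Modules AzureADHybridAuthenticationManagement

$domain     = 'corp.example.com'                 # placeholder: on-premises AD DNS name
$cloudAdmin = 'admin@example.onmicrosoft.com'    # placeholder: Entra account allowed to create the object

# Creates the Azure AD Kerberos server object in Entra ID and the matching account in AD.
# Runs under the current (domain admin) Windows identity; the cloud credential is prompted for.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin

# Verification: shows the on-premises and cloud copies of the object. The key versions
# (KeyVersion / CloudKeyVersion) should match; if they do not, the object is out of sync.
$kerberosServer = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin
$kerberosServer | Format-List

# The server key should be rotated from time to time; the same cmdlet does that:
# Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -RotateServerKey
```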

Conditional Access

I have a Conditional Access policy that is dedicated to my AVD tests. I configured it as follows:

The Conditional Access policies are prepared with these settings. I added my own user for testing; in production you should use the group of desktop users instead, or whatever your company’s guidelines specify.

Please note that if SSO is also to be implemented for Microsoft Entra ID-only users and host pools, the service principals of the storage accounts configured in Microsoft Entra ID must be excluded under Cloud Apps.

Enable single sign-on on the host pool

Now for the final step. I use Nerdio Manager for Enterprise to deploy and manage Azure Virtual Desktop. In it, I have RDP profiles that I can assign to the corresponding host pools. This looks like this:

Search for the enablerdsaadauth RDP property in the profile and activate it.

The profile can now be selected in the properties of the host pool under RDP Settings.
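If you do not use Nerdio Manager, the same RDP property can be set on the host pool directly. The following is an added example of mine, not Nerdio's or the author's configuration; it assumes the Az.Accounts and Az.DesktopVirtualization modules, and the resource group and host pool names are placeholders. It merges the property into whatever custom RDP properties the pool already has rather than overwriting them, which is the mistake that is easy to make with a plain Update call.

```powershell
# Added example: set enablerdsaadauth:i:1 on an AVD host pool with Az.DesktopVirtualization,
# preserving the other custom RDP properties already configured on the pool.
#Requires -Modules Az.Accounts, Az.DesktopVirtualization

function Set-AvdHostPoolRdpProperty {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string]$Name,    # e.g. enablerdsaadauth
        [Parameter(Mandatory)][string]$Value    # e.g. i:1
    )
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName

    # CustomRdpProperty is one ';'-separated string, e.g. "audiomode:i:0;redirectclipboard:i:1;"
    # Parse it into an ordered table so existing entries survive and order is stable.
    $props = [ordered]@{}
    foreach ($entry in ($pool.CustomRdpProperty -split ';')) {
        if ($entry -match '^\s*([^:]+):(.*)$') { $props[$Matches[1]] = $Matches[2] }
    }
    $props[$Name] = $Value   # add or replace only the requested property

    $joined = ($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join ';'
    Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -CustomRdpProperty "$joined;"
}

# Usage (placeholders):
Connect-AzAccount | Out-Null
Set-AvdHostPoolRdpProperty -ResourceGroupName 'rg-avd-lab' -HostPoolName 'hp-lab' `
    -Name 'enablerdsaadauth' -Value 'i:1'

# Check that the property is now part of the pool's RDP settings
(Get-AzWvdHostPool -ResourceGroupName 'rg-avd-lab' -Name 'hp-lab').CustomRdpProperty
```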

Conclusion

Once all the settings have been made, the login can be tested. However, you should first refresh the feed in the Azure Virtual Desktop client so that all changes are applied.

I hope this article, and especially the PowerShell script, can help some of you, and I hope you enjoy testing it.
