In my lab I have now enabled SSO for Active Directory users. I already had a configuration that allowed users to sign in. The users and the session hosts are already hybrid-joined. Now the users can sign in without entering their password again.
To achieve this I followed the Microsoft documentation:
Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication
It describes the steps that have to be carried out to enable single sign-on. Also note the remark about locking the session! I carried out the implementation in the following order:
- Create a group in Microsoft Entra ID that contains all AVD target devices
- Configure the Microsoft Entra ID tenant
- Enable Microsoft Entra authentication for RDP
- Configure the group with the target devices
- Create a Kerberos server object
- Review the Conditional Access policies
- Enable single sign-on on the host pool
Create a group in Microsoft Entra ID
First I created a group that will dynamically contain all computer accounts. In theory several groups could be used, but only 10 groups are possible in the configuration! I therefore decided on a single group.
Configure the Microsoft Entra ID tenant
I implemented the steps "Enable Microsoft Entra authentication for RDP" and "Configure the group with the target devices" in a single step. For this I wrote a script, which I am happy to share here. Disclaimer: the script is provided as is; I give no guarantee that it works!
```powershell
<#
.SYNOPSIS
Enable Single Sign-On (SSO) in Microsoft Entra ID Tenant.

.DESCRIPTION
This PowerShell script is used to enable Single Sign-On (SSO) in Microsoft Entra ID Tenant.
It uses the Microsoft Graph API to interact with the Microsoft Entra ID Tenant.

The script starts by defining the required scopes for the Microsoft Graph API. These scopes are
permissions that the script needs to perform its operations. The Connect-MgGraph command is then
used to connect to the Microsoft Graph API with these scopes.

The script then sets up the target device groups. This is done by creating a hashtable with the
necessary properties and converting it to JSON. The target device groups are the groups of devices
that the settings will apply to.

Next, the script enables Microsoft Entra authentication for Remote Desktop Protocol (RDP). This is
done by creating a hashtable with the necessary properties and converting it to JSON.

The script then gets a list of service principals for the applications "Microsoft Remote Desktop"
and "Windows Cloud Login". A service principal is an identity that is used by a service or
application to log in and access resources.

For each service principal, the script updates the remote desktop security configuration and the
target device groups using the Invoke-MgGraphRequest command. This command sends a request to the
Microsoft Graph API. The PATCH method is used to update the remote desktop security configuration,
and the POST method is used to add the target device group.

Finally, the script validates the changes by getting the current remote desktop security
configuration and outputting the status of the Remote Desktop Protocol and the target device groups.

.NOTES
Author: Stefan Beckmann
Date: September 30, 2022
Version: 1.0

.LINK
GitHub Repository: https://github.com/alphasteff

.EXAMPLE
.\Enable-SSO.ps1
#>

# Define the target device groups, values need to be added
$paramsTargetDeviceGroups = @{
    '@odata.type' = '#microsoft.graph.targetDeviceGroup'
    id            = ''   # object ID of the Entra ID group containing the session hosts
    displayName   = ''   # display name of that group
}

### DO NOT MODIFY BELOW THIS LINE ###

$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All',
    'Directory.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes
Get-MgContext

$applicationNames = @(
    'Microsoft Remote Desktop',
    'Windows Cloud Login'
)

# Enable Microsoft Entra authentication for RDP
$paramsRemoteDesktopSecurityConfiguration = @{
    '@odata.type'                  = '#microsoft.graph.remoteDesktopSecurityConfiguration'
    isRemoteDesktopProtocolEnabled = $true
}

# Invoke-MgGraphRequest expects the request bodies as JSON strings
$paramsRemoteDesktopSecurityConfiguration = ConvertTo-Json $paramsRemoteDesktopSecurityConfiguration
$paramsTargetDeviceGroups                 = ConvertTo-Json $paramsTargetDeviceGroups

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationName in $applicationNames) {
    # -Search needs -ConsistencyLevel eventual; note that it is a substring search,
    # so check that exactly one service principal came back before relying on it
    $sp = Get-MgServicePrincipal -ConsistencyLevel eventual -Search ('"DisplayName:' + $applicationName + '"')
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # Enable RDP on the service principal's remote desktop security configuration
    $null = Invoke-MgGraphRequest `
        -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/remoteDesktopSecurityConfiguration" `
        -Body $paramsRemoteDesktopSecurityConfiguration

    # Add the target device group
    $null = Invoke-MgGraphRequest `
        -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/remoteDesktopSecurityConfiguration/targetDeviceGroups" `
        -Body $paramsTargetDeviceGroups

    # Read the configuration back to verify
    $validate = Invoke-MgGraphRequest `
        -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$servicePrincipalId/remoteDesktopSecurityConfiguration"

    Write-Output ("Remote Desktop Protocol Enabled: " + $validate.isRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validate.targetDeviceGroups | Out-String))
}
```
Update
Shortly after this article was published, a friend who works at Microsoft and is also a contributor to the article updates informed me that an update with PowerShell modules was imminent.
In the meantime an updated version of the script has been developed, which requires the latest MSGraph PowerShell modules (more details can be found in the Microsoft article). In addition, scripts were created that either revert the configuration or only display it.
Enable the single sign-on configuration
```powershell
<#
.SYNOPSIS
Enable AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.

.DESCRIPTION
This PowerShell script is used to enable AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
It uses the Microsoft Graph Module to interact with the Microsoft Entra ID Tenant.

The script will enable the following:
- Microsoft Remote Desktop
- Windows Cloud Login

The script will output the following:
- Service Principal Name
- Remote Desktop Protocol Enabled
- Target Device Groups

The script starts by defining the required variables for the Microsoft Entra ID Group. Then the
script imports the necessary modules: Microsoft.Graph.Authentication and
Microsoft.Graph.Applications. These modules provide the cmdlets that the script uses to interact
with the Microsoft Graph API.

Next, the script defines the required scopes for the Microsoft Graph API. These scopes are
permissions that the script needs to perform its operations. The Connect-MgGraph command is then
used to connect to the Microsoft Graph API with these scopes.

The script then defines a list of application (client) IDs. These identify the applications that
the script will configure SSO settings for. The script creates an empty ArrayList to store the
service principals for these applications.

The script then loops over the application IDs. For each application ID, it uses the
Get-MgServicePrincipal command to get the service principal for the application. The service
principal is an identity that is used by a service or application to log in and access resources.
The service principal is then added to the ArrayList.

Next, the script loops over the service principals in the ArrayList. For each service principal,
it gets the ID and outputs the display name. It then checks if the Remote Desktop Protocol is
enabled for the service principal. If it is not, it uses the
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration command to enable it.

The script then creates a new TargetDeviceGroup object and sets its ID and display name. It uses
the New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup command to create a
new target device group for the service principal.

Finally, the script validates the changes by getting the current remote desktop security
configuration and the target device groups for the service principal. It outputs the status of the
Remote Desktop Protocol and the display names of the target device groups.

.NOTES
Author: Stefan Beckmann
Date: January 09, 2024
Version: 1.0

.LINK
GitHub Repository: https://github.com/alphasteff

.EXAMPLE
.\Enable-AvdSSO.ps1
#>

# Define the target device group, values need to be added
$groupName = ''   # display name of the Entra ID group containing the session hosts
$groupId   = ''   # object ID of that group

### DO NOT MODIFY BELOW THIS LINE ###

If ([string]::IsNullOrWhiteSpace($groupId) -or [string]::IsNullOrWhiteSpace($groupName)) {
    throw 'Set $groupId and $groupName before running this script.'
}

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes

# Well-known application (client) IDs of the two first-party apps
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    # Filter on the immutable appId instead of searching by display name
    $sp = Get-MgServicePrincipal -Filter "appId eq '$applicationId'"
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # Enable RDP only if it is not already enabled (compare the property, not the object)
    $currentConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    If ($currentConfiguration.IsRemoteDesktopProtocolEnabled -ne $true) {
        $null = Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -IsRemoteDesktopProtocolEnabled
    }

    # Add the group of session hosts as target device group
    $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
    $tdg.Id          = $groupId
    $tdg.DisplayName = $groupName
    $null = New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -BodyParameter $tdg

    # Read the configuration back to verify
    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    $validateDeviceGroup   = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId

    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.IsRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}
```
Remove the single sign-on configuration
```powershell
<#
.SYNOPSIS
Remove AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.

.DESCRIPTION
This PowerShell script is used to remove AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
It uses the Microsoft Graph Module to interact with the Microsoft Entra ID Tenant.

The script will remove the configuration for the following:
- Microsoft Remote Desktop
- Windows Cloud Login

The script will output the following:
- Service Principal Name
- Remote Desktop Protocol Enabled

The script begins by defining the ID of the device group that you want to remove from the RDP
configuration. This ID is stored in the $groupId variable.

Next, the script imports the necessary modules: Microsoft.Graph.Authentication and
Microsoft.Graph.Applications. These modules provide the cmdlets that the script uses to interact
with the Microsoft Graph API.

The script then defines the required scopes for the Microsoft Graph API. These scopes are
permissions that the script needs to perform its operations. The Connect-MgGraph command is then
used to connect to the Microsoft Graph API with these scopes.

The script then defines a list of application (client) IDs. These identify the applications that
the script will modify the SSO settings for. The script creates an empty ArrayList to store the
service principals for these applications.

The script then loops over the application IDs. For each application ID, it uses the
Get-MgServicePrincipal command to get the service principal for the application. The service
principal is then added to the ArrayList.

Next, the script loops over the service principals in the ArrayList. For each service principal,
it gets the ID and outputs the display name. It then checks if the Remote Desktop Protocol is
enabled for the service principal. If it is, it uses the
Update-MgServicePrincipalRemoteDesktopSecurityConfiguration command to disable it.

The script then uses the Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup
command to remove the target device group from the service principal's RDP configuration.

Finally, the script validates the changes by getting the current remote desktop security
configuration and the target device groups for the service principal. It outputs the status of the
Remote Desktop Protocol and the display names of the target device groups.

.NOTES
Author: Stefan Beckmann
Date: January 09, 2024
Version: 1.0

.LINK
GitHub Repository: https://github.com/alphasteff

.EXAMPLE
.\Remove-AvdSSO.ps1
#>

# Define the device group id, that you want to remove from the RDP configuration, values need to be added
$groupId = ''   # object ID of the Entra ID group to remove

### DO NOT MODIFY BELOW THIS LINE ###

If ([string]::IsNullOrWhiteSpace($groupId)) {
    throw 'Set $groupId before running this script.'
}

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes

# Well-known application (client) IDs of the two first-party apps
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$applicationId'"
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    # Disable RDP only if it is currently enabled (compare the property, not the object)
    $currentConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    If ($currentConfiguration.IsRemoteDesktopProtocolEnabled -eq $true) {
        $null = Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId -IsRemoteDesktopProtocolEnabled:$false
    }

    # Remove the group of session hosts from the target device groups
    $null = Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId -TargetDeviceGroupId $groupId

    # Read the configuration back to verify
    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    $validateDeviceGroup   = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId

    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.IsRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}
```
Check the single sign-on configuration
```powershell
<#
.SYNOPSIS
Get AVD Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.

.DESCRIPTION
This PowerShell script is used to get Single Sign-On (SSO) configuration in Microsoft Entra ID Tenant.
It uses the Microsoft Graph Modules to interact with the Microsoft Entra ID Tenant.

The script will check for the following:
- Microsoft Remote Desktop
- Windows Cloud Login

The script will output the following:
- Service Principal Name
- Remote Desktop Protocol Enabled
- Target Device Groups

The script begins by importing the necessary modules: Microsoft.Graph.Authentication and
Microsoft.Graph.Applications. These modules provide the cmdlets that the script uses to interact
with the Microsoft Graph API.

Next, the script defines the required scopes for the Microsoft Graph API. These scopes are
permissions that the script needs to perform its operations. The Connect-MgGraph command is then
used to connect to the Microsoft Graph API with these scopes.

The script then defines a list of application (client) IDs. These identify the applications that
the script will retrieve the SSO settings for. The script creates an empty ArrayList to store the
service principals for these applications.

The script then loops over the application IDs. For each application ID, it uses the
Get-MgServicePrincipal command to get the service principal for the application. The service
principal is then added to the ArrayList.

Next, the script loops over the service principals in the ArrayList. For each service principal,
it gets the ID and outputs the display name. The script then retrieves the current remote desktop
security configuration and the target device groups for the service principal using the
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration and
Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup commands respectively.

Finally, it outputs the status of the Remote Desktop Protocol and the display names of the target
device groups. This information can be used to verify the current SSO settings for the applications.

.NOTES
Author: Stefan Beckmann
Date: January 09, 2024
Version: 1.0

.LINK
GitHub Repository: https://github.com/alphasteff

.EXAMPLE
.\Get-AvdSSO.ps1
#>

### DO NOT MODIFY BELOW THIS LINE ###

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

# Read-only script, but the ReadWrite scopes are kept as published so the same consent works for all three scripts
$RequiredScopes = @(
    'Application-RemoteDesktopConfig.ReadWrite.All',
    'Application.ReadWrite.All'
)

Connect-MgGraph -Scopes $RequiredScopes

# Well-known application (client) IDs of the two first-party apps
$applicationIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c', # Microsoft Remote Desktop
    '270efc09-cd0d-444b-a71f-39af4910ec45'  # Windows Cloud Login
)

$applicationList = [System.Collections.ArrayList]@()
ForEach ($applicationId in $applicationIds) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$applicationId'"
    $null = $applicationList.Add($sp)
}

ForEach ($application in $applicationList) {
    $servicePrincipalId = $application.Id
    Write-Output ("Service Principal Name: " + $application.DisplayName)

    $validateConfiguration = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $servicePrincipalId
    $validateDeviceGroup   = Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $servicePrincipalId

    Write-Output ("Remote Desktop Protocol Enabled: " + $validateConfiguration.IsRemoteDesktopProtocolEnabled)
    Write-Output ("Target Device Groups: " + ($validateDeviceGroup.DisplayName | Out-String))
}
```
Create a Kerberos server object
Here I again followed the Microsoft documentation, which can be found at the following link:
Create a Kerberos server object
I ran example 4 on the Microsoft Entra Connect server, since I still have a GUI there and in the lab I usually sign in there with a domain admin.
Conditional Access
I have a Conditional Access policy that is intended for my AVD tests. I configured it as follows:
With these settings the Conditional Access policies are prepared. For testing I added my own user. Here one should use the group that is used for the desktops, or follow the company's guidelines.
Note that if SSO is also to be implemented with Microsoft Entra ID-only users and host pools, the service principals of the storage accounts that are joined to Microsoft Entra ID must be excluded under Cloud apps.
Enable single sign-on on the host pool
Now it is essentially done. For deploying and managing Azure Virtual Desktop I use Nerdio Manager for Enterprise. In it I have RDP profiles that I can then assign to the corresponding host pools. This looks as follows:
In the profile, search for enablerdsaadauth and enable it.
In the properties of the host pool, the profile can now be switched under RDP Settings.
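The same host pool step done with the Az.DesktopVirtualization module instead of Nerdio Manager, as an added example that is not from the original post; the resource group and host pool names are placeholders, and the Set-RdpProperty helper is mine. It merges enablerdsaadauth:i:1 into the existing custom RDP properties, because Update-AzWvdHostPool -CustomRdpProperty replaces the whole string.

```powershell
# Added example, not part of the original post (which uses Nerdio Manager for this step).
# Assumes the Az.DesktopVirtualization module and an existing host pool.
Import-Module Az.DesktopVirtualization

$resourceGroupName = 'rg-avd-lab'   # placeholder
$hostPoolName      = 'hp-avd-lab'   # placeholder

function Set-RdpProperty {
    # Hypothetical helper: returns the RDP property string with $Name set to $Value
    # while keeping every other property that is already configured on the host pool.
    param(
        [AllowEmptyString()][string]$Existing,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [string]$Type = 'i'   # RDP property type: i = integer, s = string
    )
    $kept = @()
    ForEach ($entry in ($Existing -split ';')) {
        If ([string]::IsNullOrWhiteSpace($entry)) { continue }
        # Each entry has the form name:type:value, e.g. audiomode:i:0
        If ($entry.Split(':')[0] -ne $Name) { $kept += $entry }
    }
    $kept += ('{0}:{1}:{2}' -f $Name, $Type, $Value)
    return (($kept -join ';') + ';')
}

$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
Write-Output ("Current RDP properties: " + $hostPool.CustomRdpProperty)

# enablerdsaadauth:i:1 switches the host pool to Microsoft Entra authentication for RDP
$newProperties = Set-RdpProperty -Existing $hostPool.CustomRdpProperty -Name 'enablerdsaadauth' -Value '1'

$null = Update-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName -CustomRdpProperty $newProperties

# Read the host pool back to verify the property landed
$verify = Get-AzWvdHostPool -ResourceGroupName $resourceGroupName -Name $hostPoolName
Write-Output ("New RDP properties: " + $verify.CustomRdpProperty)
```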
Conclusion
Now that all settings have been made, the login can be tested. Beforehand, however, the feed in the Azure Virtual Desktop client should be refreshed so that all changes are applied.
I hope this article, and especially the PowerShell script, helps one or the other, and I wish you lots of fun testing.