Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID

Single sign-on (SSO) for Azure Virtual Desktop using Microsoft Entra ID provides a seamless sign-in experience for users connecting to session hosts. When you enable single sign-on, users authenticate to Windows using a Microsoft Entra ID token. This token enables the use of passwordless authentication and third-party identity providers that federate with Microsoft Entra ID when connecting to a session host, making the sign-in experience seamless.

Single sign-on using Microsoft Entra ID also provides a seamless experience for Microsoft Entra ID-based resources within the session. For more information on using passwordless authentication within a session, see In-session passwordless authentication.

Note

If you plan on providing Azure Virtual Desktop resources for external identities, you must enable single sign-on for the host pool. For more information and other requirements, see External identity.

To enable single sign-on using Microsoft Entra ID authentication, there are five tasks you must complete:

  1. Enable Microsoft Entra authentication for Remote Desktop Protocol (RDP).

  2. Hide the consent prompt dialog.

  3. Create a Kerberos Server object, if Active Directory Domain Services is part of your environment. More information on the criteria is included in its section.

  4. Review your conditional access policies.

  5. Configure your host pool to enable single sign-on.

Before enabling single sign-on

Before you enable single sign-on, review the following information for using it in your environment.

Session lock behavior

When single sign-on using Microsoft Entra ID is enabled and the remote session is locked, either by the user or by policy, you can choose whether the session is disconnected or the remote lock screen is shown. The default behavior is to disconnect the session when it locks.

When the session lock behavior is set to disconnect, a dialog is shown to let users know they were disconnected. Users can choose the Reconnect option from the dialog when they're ready to connect again. This behavior is done for security reasons and to ensure full support of passwordless authentication. Disconnecting the session provides the following benefits:

  • Consistent sign-in experience through Microsoft Entra ID when needed.

  • Single sign-on experience and reconnection without authentication prompt when allowed by conditional access policies.

  • Supports passwordless authentication like passkeys and FIDO2 devices, contrary to the remote lock screen.

  • Conditional access policies, including multifactor authentication and sign-in frequency, are reevaluated when the user reconnects to their session.

  • Can require multifactor authentication to return to the session and prevent users from unlocking with a simple username and password.

If you want to configure the session lock behavior to show the remote lock screen instead of disconnecting the session, see Configure the session lock behavior.

Active Directory domain administrator accounts with single sign-on

In environments with an Active Directory Domain Services (AD DS) and hybrid user accounts, the default Password Replication Policy on read-only domain controllers denies password replication for members of Domain Admins and Administrators security groups. This policy prevents these administrator accounts from signing in to Microsoft Entra hybrid joined hosts and might keep prompting them to enter their credentials. It also prevents administrator accounts from accessing on-premises resources that use Kerberos authentication from Microsoft Entra joined hosts. We don't recommend connecting to a remote session using an account that is a domain administrator for security reasons.

If you need to make changes to a session host as an administrator, sign in to the session host using a non-administrator account, then use the Run as administrator option or the runas tool from a command prompt to change to an administrator.

Prerequisites

Before you can enable single sign-on, you must meet the following prerequisites:

Enable Microsoft Entra authentication for RDP

You must first allow Microsoft Entra authentication for Windows in your Microsoft Entra tenant, which enables issuing RDP access tokens allowing users to sign in to your Azure Virtual Desktop session hosts. You set the isRemoteDesktopProtocolEnabled property to true on the service principal's remoteDesktopSecurityConfiguration object for the following Microsoft Entra applications:

  • Windows Cloud Login: 270efc09-cd0d-444b-a71f-39af4910ec45

To enable Microsoft Entra authentication, select the relevant tab for your scenario and follow the steps.

Here's how to enable Microsoft Entra authentication using the Azure portal.

  1. Sign in to the Azure portal.

  2. In the search bar, enter Microsoft Entra ID and select the matching service entry.

  3. Select Devices (under Manage), and then select Remote connection configuration (under Manage).

  4. Select Windows Cloud Login.

    A screenshot showing the initial configuration of the Windows Cloud Login service principal in the Azure portal.

  5. Toggle the radio button to Enable Microsoft Entra ID authentication protocol to authenticate users to remote devices.

  6. Once you're done, select Save.

By default when single sign-on is enabled, users see a dialog to allow the Remote Desktop connection when connecting to a new session host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If users see this dialogue to allow the Remote Desktop connection, they can select Yes to connect.

You can hide this dialog by configuring a list of trusted devices. To configure the list of devices, create one or more groups in Microsoft Entra ID that contains your session hosts, then add the group IDs to a property on the SSO service principal Windows Cloud Login.

To hide the consent prompt dialog, select the relevant tab for your scenario and follow the steps.

Tip

We recommend you use a dynamic group and configure the dynamic membership rules to include all your Azure Virtual Desktop session hosts. You can use the device names in this group, but for a more secure option, you can set and use device extension attributes using Microsoft Graph API. While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.

Dynamic groups requires the Microsoft Entra ID P1 license or Intune for Education license. For more information, see Dynamic membership rules for groups.

Here's how to hide the consent prompt dialog using the Azure portal.

  1. Create a dynamic group in Microsoft Entra ID containing the session hosts for which you want to hide the dialog.

  2. Sign in to the Azure portal.

  3. In the search bar, enter Microsoft Entra ID and select the matching service entry.

  4. Select Devices (under Manage), and then select Remote connection configuration (under Manage).

  5. Select Windows Cloud Login.

  6. Select the hyperlink under Target device groups to enable SSO.

    A screenshot showing the Entra ID group picker tool after selecting a group called 'Devices for SSO Pre-Consent'.

  7. Search for and select the dynamic device groups, like the group you created in the first step. You can add up to 10 device groups.

  8. Once you're done, select Save.

Create a Kerberos server object

If your session hosts meet the following criteria, you must create a Kerberos server object. For more information, see Enable passwordless security key sign-in to on-premises resources by using Microsoft Entra ID, specifically the section to Create a Kerberos Server object:

  • Your session host is Microsoft Entra hybrid joined. You must have a Kerberos server object to complete authentication to a domain controller.

  • Your session host is Microsoft Entra joined and your environment contains Active Directory domain controllers. You must have a Kerberos server object for users to access on-premises resources, such as SMB shares and Windows-integrated authentication to websites.

Important

If you enable single sign-on on Microsoft Entra hybrid joined session hosts without creating a Kerberos server object, one of the following things can happen when you try to connect to a remote session:

  • You receive an error message saying the specific session doesn't exist.
  • Single sign-on will be skipped and you see a standard authentication dialog for the session host.

To resolve these issues, create the Kerberos server object, then connect again.

Review your conditional access policies

When single sign-on is enabled, a new Microsoft Entra ID app is introduced to authenticate users to the session host. If you have conditional access policies that apply when accessing Azure Virtual Desktop, review the recommendations on setting up multifactor authentication to ensure users have the desired experience.

Configure your host pool to enable single sign-on

To enable single sign-on on your host pool, you must configure the following RDP property, which you can do using the Azure portal or PowerShell. You can find the steps to do configure RDP properties in Customize Remote Desktop Protocol (RDP) properties for a host pool.

  • In the Azure portal, set Microsoft Entra single sign-on to Connections will use Microsoft Entra authentication to provide single sign-on.

  • For PowerShell, set the enablerdsaadauth property to 1.

Next steps