Azure Virtual Desktop – Entra ID SSO – Complete Guide

This guide walks through all the steps required for SSO to work, both within AVD session hosts (automatic sign-in to Microsoft applications running within AVD) and from clients connecting to AVD session hosts.
If you only require SSO within AVD session hosts, you can skip step 12, which links to another post about Cloud Kerberos Trust.

  1. AVD session host must be hybrid joined for SSO to work.
  2. Open Entra ID Connect on the server in the domain where it is installed.
  3. Under Tasks, select “Configure device options”, then select “Configure Hybrid Azure AD Join”.
  4. Select “Windows 10 or later domain-joined devices”.
  5. Select the forest, insert enterprise admin credentials and select Next.
  6. Back at the front page of Entra ID Connect, select “Change user sign-in” under Tasks.
  7. Update the settings as shown in the image (password hash sync and single sign-on enabled).
  8. Update the on-premises domain controller GPO to enable “Register domain joined computers as devices”.
  9. Allow the device to sync up to Entra ID. It is recommended to test by deploying a new AVD session host and monitoring its behavior.
  10. Check the device status with the command dsregcmd.exe /status. If the AVD VM joined Azure AD successfully, the status looks like this:
    AzureADJoined: Yes
  11. Enable Entra ID Auth on the host pool in Azure Virtual Desktop.
  12. For Entra ID joined devices to be able to use SSO towards AVD session hosts, Cloud Kerberos Trust must be enabled by following this guide: Windows Hello for Business Cloud Kerberos Trust – Christoffer Klarskov Jakobsen – Microsoft Architect (chkja.dk)
    For hybrid joined devices to be able to use SSO, Windows Hello for Business is not a requirement, but the AzureADKerberos object must be created in Active Directory. Follow the first part of this guide: Windows Hello for Business Cloud Kerberos Trust – Christoffer Klarskov Jakobsen – Microsoft Architect (chkja.dk)
  13. Back at the GPO for AVD Azure SSO, configure the following options (requires the Edge GPO ADMX template):
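
The join-state check from steps 1 and 10, scripted in PowerShell as an added example that is not part of the original guide. The function names are hypothetical, the sample output is constructed, and the DomainJoined and AzureAdPrt fields are read from the dsregcmd output in addition to the AzureAdJoined field the guide shows.

```powershell
# Added example, not from the original guide. Parses "dsregcmd.exe /status"
# output and reports whether the host is hybrid joined (steps 1 and 10).
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)  # not Mandatory: real output contains blank lines
    $state = @{}
    foreach ($line in $Lines) {
        # Fields print as "   Name : Value"; section banners do not match.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinForSso {
    param([hashtable]$State)
    # Hashtable keys and -eq are case-insensitive, so "Yes" and "YES" both pass.
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined'] -eq 'YES'
    [pscustomobject]@{
        AzureAdJoined = $aad
        DomainJoined  = $dom
        HybridJoined  = ($aad -and $dom)  # hybrid join needs both
        # Reported in the SSO State section when run as the signed-in user.
        AzureAdPrt    = $State['AzureAdPrt'] -eq 'YES'
    }
}

# Constructed sample of dsregcmd output (not captured from a real host).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

# On a session host, pass (dsregcmd.exe /status) instead of $sample.
$result = Test-HybridJoinForSso -State (ConvertFrom-DsregStatus -Lines $sample)
$result | Format-List
if (-not $result.HybridJoined) {
    Write-Warning 'Host is not hybrid joined; recheck steps 2-9 and the device sync.'
}
```

With the constructed sample, HybridJoined is True and AzureAdPrt is False, which is the state of a host that has registered but where the checking user has no primary refresh token yet.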
