Setup Hybrid Joined AVD Single Sign-On
Published Oct 10 2022 11:34 PM 16.2K Views
Microsoft

Azure virtual desktop SSO allows us to skip the session host credential prompt and automatically sign the AVD users when connecting to the VMs. Without SSO, the AVD client will prompt end users for their session host credentials for every connection.

Single sign-on is available on AVD session hosts using the following operating systems:

 

Before setting up the environment, let’s understand some concepts of Azure AD joined device and Hybrid joined device. 

  • Azure AD Joined Device vs Hybrid joined device.

             

bluevision_0-1664924351027.png

 

The above diagram is Azure AD joined device. Azure AD is synced with on-premises AD domain controller. The device joins directly to the Azure AD tenant. AAD-joined devices authentication through AAD only.

 

  • Hybrid joined device

bluevision_1-1664924351030.png

 

 

The above diagram is Hybrid joined device. Azure AD is synced with on-premises AD domain controller. The device joins On-premises domain controller and Azure AD. Hybrid joined devices authentication through On-prem AD or Azure AD.

 

  • Setup Hybrid Joined AVD
    • Create a AVD host pool with AD domain joined VMs.
      • Prerequisites:
        • Azure AD has been connected with On-prem domain controller.
        • The on-prem user accounts have been synced into Azure AD.
    • Through the Azure portal when deploy the VMs, choose the “Active Directory

bluevision_2-1664924351031.png

 

  • After the deployment finishes, the AD domain joined devices will appear in the on-premises AD Domain Controller.

bluevision_3-1664924351035.jpeg

 

  • Setup Hybrid Joined device
    • Prerequisite: AVD VMs joined AD domain controller.
    • Follow this article to enable Hybrid Azure AD join in Azure AD Connect.
    • Update the On-premises domain controller GPO to enable Register domain joined computers as devices.

bluevision_4-1664924351039.png

 

  • Check the device status by the command dsregcmd.exe /status, if the AVD VM joined Azure AD successfully, the status is like below:

bluevision_5-1664924351040.jpeg

 

  • Check the device status on Azure Portal

bluevision_6-1664924351049.jpeg

 

  • If the AVD VM status is not Azure AD joined or doesn’t appear on the Azure AD Devices list, please refer the troubleshooting guide to check and fix the issue.
  • Enable Single Sign-on
    • Create a Kerberos Server Object on on-premises AD domain controller, follow this article to create a Kerberos server object.
    • Enable Azure AD authentication on Azure portal.

bluevision_7-1664924351056.jpeg

 

  • Test the SSO for AVD desktop and published applications. The authentication window should only pop up once.
13 Comments
Co-Authors
Version history
Last update:
‎Oct 09 2022 08:42 PM
Updated by: