Configure Single Sign-On for Your Azure Virtual Desktop Environment
Single Sign-On (SSO) enables users to have a seamless sign-in experience when connecting to Azure Virtual Desktop (AVD). When users sign in to the Windows App or Remote Desktop client, they can access their AVD resources without additional credential prompts.
Prerequisites
To enable SSO, ensure that the following requirements are met:
- Permissions: You need to be assigned one of the following Microsoft Entra RBAC roles:
  - Application Administrator
  - Cloud Application Administrator
- Operating System: Session hosts must run Windows 11 Enterprise with KB5018418 or a later cumulative update installed.
- Device Join State: Session hosts must be Microsoft Entra joined or Microsoft Entra hybrid joined. SSO is not supported for hosts joined only to Microsoft Entra Domain Services or to Active Directory Domain Services.
- Microsoft Graph PowerShell SDK: Install the latest version on your local device.
- Kerberos Server Object: Required if session hosts are hybrid joined, so that Microsoft Entra ID can issue Kerberos tickets for on-premises Active Directory resources. Learn more.
- Client Requirements: Users must use a supported version of the Windows App or Remote Desktop client:
| Platform | Windows App | Remote Desktop client |
|---|---|---|
| Windows | All | All |
| macOS | 10.9.10 or later | 10.8.2 or later |
| iOS | 10.5.2 or later | 10.5.1 or later |
| Android | N/A | 10.0.16 or later |
| Web | HTML5-capable web browser | HTML5-capable web browser |
Note: Microsoft may update these prerequisites. Check Microsoft Learn regularly for the latest requirements.
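The following pre-flight check is an added example (not part of the original page or of Nerdio's tooling). Run it on a session host to confirm the edition, update level and join state prerequisites listed above before enabling SSO. It assumes that KB5018418 corresponds to Windows 11 21H2 build 22000.1098 and that the matching 2022-10 cumulative update for 22H2 is build 22621.674; those two build numbers are taken from the update release notes and are not stated on this page.

```powershell
# Added example: session host readiness check for AVD SSO (not from the original page).
# Assumption: KB5018418 = build 22000.1098 (21H2); the equivalent 22H2 update = build 22621.674.

function Get-DsregValue {
    # dsregcmd /status prints "Key : Value" lines; return the value for one key, or $null.
    param([string[]]$Lines, [string]$Key)
    $m = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Get-AvdSsoHostReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Minimum revision (UBR) per build that carries the 2022-10 cumulative update (assumption, see above).
    $minUbr  = @{ 22000 = 1098; 22621 = 674 }
    $patched = if ($minUbr.ContainsKey($build)) { $ubr -ge $minUbr[$build] } else { $build -gt 22621 }

    $ds     = dsregcmd /status
    $aad    = (Get-DsregValue -Lines $ds -Key 'AzureAdJoined') -eq 'YES'
    $domain = (Get-DsregValue -Lines $ds -Key 'DomainJoined')  -eq 'YES'
    $joinState = if ($aad -and $domain) { 'Hybrid joined' }
                 elseif ($aad)          { 'Entra joined' }
                 elseif ($domain)       { 'AD DS only (unsupported for SSO)' }
                 else                   { 'Not joined (unsupported for SSO)' }

    # Windows 11 Enterprise (single or multi-session) reports an EditionID starting with "Enterprise".
    $editionOk = ($build -ge 22000) -and ($cv.EditionID -like 'Enterprise*')

    [pscustomobject]@{
        Edition       = $cv.EditionID
        Build         = "$build.$ubr"
        EditionOk     = $editionOk
        UpdateLevelOk = $patched
        JoinState     = $joinState
        JoinStateOk   = $aad
        Ready         = $editionOk -and $patched -and $aad
    }
}

Get-AvdSsoHostReadiness | Format-List
```

Ready is true only when all three host-side prerequisites hold; a host that reports "AD DS only" needs to be hybrid joined (and the Kerberos server object created) before SSO will work against it.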
Enable SSO
You must perform the following to enable SSO.
1. Open PowerShell or Azure Cloud Shell.
2. Set your Azure context to the correct subscription:
   Connect-AzAccount
   Set-AzContext -Subscription "YourSubscriptionName"
3. Copy and paste the script below into your PowerShell session.
4. Run the script.
The script does the following:
- Checks for and installs the required Microsoft Graph modules.
- Connects to Microsoft Graph with the necessary scopes.
- Enables Microsoft Entra ID authentication for RDP on the Microsoft Remote Desktop and Windows Cloud Login service principals.
- Creates a dynamic device group for AVD and Windows 365 hosts.
- Adds the group as a target device group on the Remote Desktop Security configuration of both service principals. Users connecting to a host in a target device group are not shown the per-host prompt asking them to allow the Remote Desktop connection, so only groups containing hosts you control should be added. Note that the membership rule below matches every Microsoft Entra joined Azure VM and every Cloud PC in the tenant; review the resulting membership if that is broader than intended.
# ============================================
# Enable SSO for Azure Virtual Desktop (AVD)
# ============================================
# This script:
# 1. Checks for and installs the required Microsoft Graph modules.
# 2. Imports those modules.
# 3. Connects to Microsoft Graph with the necessary permissions.
# 4. Looks up the Microsoft Remote Desktop and Windows Cloud Login service principals.
# 5. Enables Microsoft Entra ID authentication for RDP on both.
# 6. Creates a dynamic device group for AVD & Windows 365 hosts.
# 7. Adds the group as a target device group on both Remote Desktop Security configurations.
# ============================================

# --- Step 1: Check and install required modules ---
$modules = @(
    "Microsoft.Graph.Authentication",
    "Microsoft.Graph.Applications",
    "Microsoft.Graph.Groups"
)
foreach ($module in $modules) {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        Write-Host "Module $module not found. Installing in current user scope..."
        Install-Module $module -Scope CurrentUser -Force
    }
}

# --- Step 2: Import modules ---
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups

# --- Step 3: Connect to Microsoft Graph ---
# Requires Application.Read.All, Application-RemoteDesktopConfig.ReadWrite.All, Group.ReadWrite.All
Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All","Group.ReadWrite.All"

# --- Step 4: Get Service Principal IDs for Remote Desktop and Windows 365 ---
# a4a365df-... is the Microsoft Remote Desktop app; 270efc09-... is the Windows Cloud Login app.
$MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
$WCLspId  = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
if (-not $MSRDspId -or -not $WCLspId) {
    throw "The Microsoft Remote Desktop and/or Windows Cloud Login service principal was not found in this tenant. Both must exist before SSO can be enabled."
}

# --- Step 5: Enable RDP authentication for both service principals ---
foreach ($spId in @($MSRDspId, $WCLspId)) {
    $config = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $spId
    if ($config.IsRemoteDesktopProtocolEnabled -ne $true) {
        Write-Host "Enabling RDP authentication for Service Principal ID: $spId"
        Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $spId -IsRemoteDesktopProtocolEnabled
    }
}

# --- Step 6: Confirm settings ---
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId

# --- Step 7: Create dynamic device group for AVD & W365 Hosts ---
# MailNickname is mandatory when creating a group through Microsoft Graph, even for
# security groups that are not mail-enabled; it must be unique and contain no special characters.
# The rule matches Entra joined Azure VMs (devicePhysicalIds carries an [AzureResourceId]) and Cloud PCs.
$group = New-MgGroup `
    -DisplayName "Device_AVD&W365Hosts" `
    -MailNickname "DeviceAVDW365Hosts" `
    -Description "Dynamic device group for Entra ID joined AVD & W365 Hosts" `
    -MailEnabled:$false `
    -SecurityEnabled:$true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(device.devicePhysicalIds -any (_ -contains "[AzureResourceId]")) or (device.deviceModel -startsWith "Cloud PC")' `
    -MembershipRuleProcessingState "On"
Write-Host "Created group $($group.DisplayName) with ID $($group.Id)"

# --- Step 8: Add group to Remote Desktop Security configuration ---
# Hosts in a target device group skip the per-connection consent prompt, so only trusted hosts belong here.
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = $group.Id
$tdg.DisplayName = $group.DisplayName
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg
New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg

Write-Host "SSO configuration completed successfully."
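After the script has run, a read-only verification is worth having before users are pointed at the host pool. The following is an added example (not part of the original page or script): it reads the Remote Desktop Security configuration of both service principals, lists their target device groups, and checks whether a named session host's Microsoft Entra device object is a member of one of them. The session host name "avd-host-01" is a placeholder, and the device object is assumed to carry the computer name as its display name, which is the normal case for Entra joined and hybrid joined hosts.

```powershell
# Added example: verify AVD SSO tenant configuration (not from the original page).
# Uses read-only Graph permissions only. "avd-host-01" is a placeholder host name.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.Read.All","Group.Read.All","Device.Read.All"

# The two apps the enablement script configures (same app IDs as above).
$apps = @{
    "Microsoft Remote Desktop" = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"
    "Windows Cloud Login"      = "270efc09-cd0d-444b-a71f-39af4910ec45"
}

function Test-AvdSsoConfiguration {
    param([Parameter(Mandatory)][string]$SessionHostName)

    # Escape single quotes before embedding the name in an OData filter.
    $safeName = $SessionHostName.Replace("'", "''")
    $device = Get-MgDevice -Filter "displayName eq '$safeName'" | Select-Object -First 1
    if (-not $device) {
        Write-Warning "No device object named $SessionHostName was found; is the host Microsoft Entra joined?"
    }

    foreach ($name in $apps.Keys) {
        $sp = Get-MgServicePrincipal -Filter "AppId eq '$($apps[$name])'"
        if (-not $sp) { Write-Warning "$name service principal not found"; continue }

        $cfg    = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id
        $groups = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id)

        # Hosts in a target device group skip the per-host consent prompt, so confirm the
        # session host is actually in one (dynamic membership can take a while to populate).
        $inTarget = $false
        foreach ($g in $groups) {
            $members = @(Get-MgGroupMember -GroupId $g.Id -All)
            if ($device -and ($members.Id -contains $device.Id)) { $inTarget = $true }
        }

        [pscustomobject]@{
            App               = $name
            RdpEnabled        = $cfg.IsRemoteDesktopProtocolEnabled
            TargetGroups      = ($groups.DisplayName -join ', ')
            HostInTargetGroup = $inTarget
        }
    }
}

Test-AvdSsoConfiguration -SessionHostName "avd-host-01" | Format-Table -AutoSize
```

Both rows should show RdpEnabled as True. A False HostInTargetGroup on a freshly created dynamic group usually means membership has not finished evaluating yet; a False value on an established group means the host will still receive the consent prompt.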
Configure the Host Pool for SSO
To enable SSO on your host pool, you must set the custom RDP property enablerdsaadauth to 1 (that is, enablerdsaadauth:i:1).
To configure the host pool for SSO:
1. In Nerdio Manager, at the Account level, navigate to AVD > Host Pools.
2. Select the host pool you want to work with.
3. From the action menu, select Properties > Custom RDP.
4. In the Edit mode drop-down, select All settings.
5. Set the value for enablerdsaadauth to 1.
6. Select Save & close.
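The same host pool change made directly against the Azure Virtual Desktop API, as an added example that is not part of the original page or of Nerdio Manager. It uses the Az.DesktopVirtualization module and merges enablerdsaadauth:i:1 into the host pool's existing custom RDP property string rather than replacing it, because Update-AzWvdHostPool -CustomRdpProperty overwrites the whole string. The resource group and host pool names are placeholders.

```powershell
# Added example: set enablerdsaadauth:i:1 on a host pool with Az PowerShell (not from the original page).
# "rg-avd" and "hp-avd-01" are placeholder names.
Import-Module Az.Accounts, Az.DesktopVirtualization

function Merge-RdpProperty {
    param(
        [AllowEmptyString()][string]$Existing,   # e.g. "audiomode:i:0;redirectclipboard:i:1"
        [Parameter(Mandatory)][string]$Name,     # e.g. "enablerdsaadauth"
        [Parameter(Mandatory)][string]$Value     # e.g. "i:1"
    )
    # Split on ';', drop blanks and any previous value of the same property, then append the new one.
    # -notmatch is case-insensitive, matching how RDP property names are treated.
    $kept = @(($Existing -split ';') | Where-Object { $_ -and ($_ -notmatch "^${Name}:") })
    return ($kept + "${Name}:${Value}") -join ';'
}

function Enable-AvdHostPoolSso {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName
    )
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    $new  = Merge-RdpProperty -Existing $pool.CustomRdpProperty -Name 'enablerdsaadauth' -Value 'i:1'

    if ($new -ne $pool.CustomRdpProperty) {
        # Writes the full merged string, so existing properties such as redirection settings survive.
        Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -CustomRdpProperty $new | Out-Null
    }

    # Read back and confirm the property is present.
    $pool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
    return (($pool.CustomRdpProperty -split ';') -contains 'enablerdsaadauth:i:1')
}

Connect-AzAccount | Out-Null
Set-AzContext -Subscription "YourSubscriptionName" | Out-Null
Enable-AvdHostPoolSso -ResourceGroupName "rg-avd" -HostPoolName "hp-avd-01"
```

The function returns True once the property is present. Merge-RdpProperty can be reused for any other custom RDP property; when a host pool is managed in Nerdio Manager, make the change in one place so the two do not overwrite each other.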
Next Steps
Review Conditional Access Policies
SSO authenticates users to the session host through the Microsoft Remote Desktop and Windows Cloud Login apps enabled by the script above, so these apps must be covered by your Conditional Access policies. Review the policies and ensure multifactor authentication is properly configured. More information can be found at Enforce Microsoft Entra multifactor authentication for Azure Virtual Desktop using Conditional Access - Azure - Azure Virtual Desktop | Microsoft Learn.
More information about configuring SSO can be found at Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID - Azure Virtual Desktop | Microsoft Learn.