AVD SSO Configuration

I would love to see Nerdio automate the setup of Entra SSO on AVD host pools. It appears to be a rather repeatable process given that the groups are already known to NMM. The reason for this is that if you use the default configuration for Entra-joined host pools and then try to connect from Web or Mac (a non-Entra-joined device) you get an error. Makes the turnkey aspect less real. See here: https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-single-sign-on

Comments (5 comments)

Dave Stephenson

I think this would be a great idea to be able to automate, but it may come with some challenges just based on what I'm seeing in the requirements.
(see the screenshot from the URL you linked below)

  1. That's fairly easy to do because we already have that as an option in Nerdio with the CustomRDP properties
  2. Groups aren't too hard because we can have a wizard for that
  3. Creating a Kerberos Server Object isn't too difficult to do with scripts, but could potentially have problems depending on the configuration of the environment
  4. This is the one that's going to be tricky (at least in my mind)
     Because there can be any number of CA policies with any number of conditions/assignments/configurations, knowing the appropriate CA policy to create/modify and (potentially) add exclusions and/or reconfigure all of the other CA policies could break a lot of things.
  5. Configuring the host pool for SSO is just the last drop in the bucket and is pretty simple🤣

Ryan Dorman, could you elaborate on how you're currently doing this (especially #4 above)?
I'm guessing it's just a block in my head that needs to be nudged loose, but it'd be great to get your insight on it.

Ryan Dorman

Thanks for looking into this Dave!

For #3 - I didn't have to do that because we aren't hybrid joined.  Maybe an MVP only supports Entra-Join :)

For #4 - Wasn't any work to do.  I think this is a bit of CYA on Microsoft's part, I do know there was a change in the App ID for AVD and so this may be implying you need to update any granular policies that specify the old App ID.  It could also be _removing_ an MFA exemption from the VM Login app ID as now you don't need it.  I have a very standard "everything MFA" policy and it required no edits.

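As an added example (not the script Marcos links below and not Nerdio's own code), here is roughly what such a "checkbox" would have to run for an Entra-joined, non-hybrid pool: Dave's steps 1, 2 and 5 from the list above, with step 3 (Kerberos server object) skipped because it only applies to hybrid-joined hosts, as Ryan notes, and step 4 (Conditional Access) deliberately left to a human. The app IDs and Graph cmdlets are the ones in the Microsoft doc linked in the original post; the parameter names, the device-name prefix used for the dynamic group rule, and the assumption that `Connect-AzAccount` has already been run are placeholders for illustration.

```powershell
#Requires -Modules Az.DesktopVirtualization, Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Groups
<#
  Added example for this thread (not Nerdio's script, not the Microsoft doc verbatim).
  Enables Entra SSO for an Entra-joined (non-hybrid) AVD host pool:
    step 1/5  host pool RDP property (enablerdsaadauth:i:1)
    step 2    device group + target device group on the Remote Desktop service principals
  Step 3 (Kerberos server object) applies to hybrid-joined hosts only and is left out.
  Step 4 (Conditional Access) is deliberately not automated; review those policies by hand.
  Assumes Connect-AzAccount has already been run and the caller can consent to the Graph scopes.
#>
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,   # placeholder: resource group of the host pool
    [Parameter(Mandatory)] [string] $HostPoolName,        # placeholder: host pool to configure
    [Parameter(Mandatory)] [string] $DeviceGroupName,     # placeholder: Entra device group for the session hosts
    [string] $DevicePrefix = 'avd-'                       # placeholder: session-host name prefix for the dynamic rule
)
$ErrorActionPreference = 'Stop'

# App IDs from the Microsoft doc linked in the original post: "Microsoft Remote Desktop" (a4a365df...)
# and "Windows Cloud Login" (270efc09...). Newer clients use the latter, which is the App ID change
# Ryan mentions; both are configured so older and newer clients behave the same.
$RemoteDesktopAppIds = @(
    'a4a365df-50f1-4397-bc59-1a1564b8bb9c',
    '270efc09-cd0d-444b-a71f-39af4910ec45'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Application-RemoteDesktopConfig.ReadWrite.All', 'Group.ReadWrite.All' | Out-Null

# Step 2a: find or create a dynamic device group that will contain the session hosts.
$group = Get-MgGroup -Filter "displayName eq '$DeviceGroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $DeviceGroupName -MailEnabled:$false -SecurityEnabled `
        -MailNickname ($DeviceGroupName -replace '[^A-Za-z0-9]', '') `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule ('(device.displayName -startsWith "' + $DevicePrefix + '")') `
        -MembershipRuleProcessingState 'On'
}
Write-Host "Using device group '$($group.DisplayName)' ($($group.Id))"

# Step 2b: on each Remote Desktop service principal, enable the RDP protocol flag and add the group
# as a target device group so the consent prompt is hidden for these hosts.
$target = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$target.Id = $group.Id
$target.DisplayName = $group.DisplayName

foreach ($appId in $RemoteDesktopAppIds) {
    $sp = Get-MgServicePrincipal -Filter "AppId eq '$appId'"
    if (-not $sp) { throw "No service principal for app $appId in this tenant; create it first with New-MgServicePrincipal -AppId $appId" }

    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id -IsRemoteDesktopProtocolEnabled

    # Idempotent: only add the group if it is not already a target.
    $existing = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id)
    if ($existing.Id -notcontains $group.Id) {
        New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $sp.Id -BodyParameter $target | Out-Null
    }

    # Check: read the configuration back rather than trusting the update call.
    $cfg = Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $sp.Id
    if (-not $cfg.IsRemoteDesktopProtocolEnabled) { throw "RDP is still disabled on '$($sp.DisplayName)'" }
    Write-Host "'$($sp.DisplayName)': RDP enabled, target device group '$($group.DisplayName)' attached"
}

# Step 5: turn on SSO in the host pool RDP properties. -CustomRdpProperty replaces the whole string,
# so merge with what is already set instead of clobbering the other properties Nerdio manages.
$pool  = Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName
$props = @(($pool.CustomRdpProperty -split ';') | Where-Object { $_ -and $_ -notlike 'enablerdsaadauth:*' })
$props += 'enablerdsaadauth:i:1'
Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -CustomRdpProperty ($props -join ';') | Out-Null

# Check: the property should be present on the pool after the update.
$after = (Get-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName).CustomRdpProperty
if ($after -notmatch 'enablerdsaadauth:i:1') { throw "Host pool '$HostPoolName' did not pick up enablerdsaadauth:i:1" }
Write-Host "Host pool '$HostPoolName' RDP properties: $after"
```

Two things worth keeping in mind if this were wired into a host pool wizard: the read-back checks matter because both the Graph update and `Update-AzWvdHostPool` succeed silently when they are a no-op, and the Conditional Access step is the one place where an automated change (for example, adding an exclusion) could quietly weaken an "everything MFA" policy, which is why the script only touches the service principals and the host pool.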
Dave Stephenson

Great point, Ryan.
It's possible we could do non-hybrid first, then hybrid, and finally cloud only (once Azure Files has a bit better support for SMB file permissions without Kerberos).

I wonder if anyone else in the community has been doing this and could provide any additional insight to help out the product team?

Marcos Artiaga

Hi Ryan!

The Sales Engineering team has been building out a community GitHub repository for all kinds of things partners ask for or just cool stuff we think might be helpful. This is not an official Nerdio repository, but just something to collab with our partners on.

Jan Scholte from our SE team put together a cool little script to enable SSO for Entra ID that might be helpful, if I'm understanding what you're looking to do. Give it a look and see if that helps in any way!

NMM-SE/CloudShell/EnableSSOForEntraId.ps1 at main · Get-Nerdio/NMM-SE (github.com)

Ryan Dorman

Yep, those are the commands that I use manually, thanks.

Just seemed a good opportunity to have a Nerdio "checkbox" which would create the group, get the ID, run the script etc as part of a host pool setup.
