Understanding Microsoft Azure AD SSO with non-persistent VDI (Instant Clones)


Let's talk about Azure AD SSO for Microsoft 365 and Office 365 inside of VDI!

In this video, I explore and discuss Azure AD SSO (and the different SSO methods) for Microsoft 365 and Office 365 inside of non-persistent VDI environments. You can use either Azure AD SSO with a Primary Refresh Token (PRT) or Seamless SSO, depending on your requirements and on what your environment lets you configure.

If your non-persistent VDI VMs don't need to be Hybrid Azure AD joined, you can simply exclude their OU from Azure AD Connect synchronization, or configure a registry key on your golden image to block Hybrid Azure AD joins, and then enable Seamless SSO.

If you require Hybrid Azure AD joined machines (SSO with a Primary Refresh Token), you must configure your environment as described in the Microsoft documentation linked below.

Registry key to block Hybrid Azure AD join:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin: "BlockAADWorkplaceJoin"=dword:00000001
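Added example (not from the video): a PowerShell script that applies this registry value on a golden image, reads it back, and parses the device state reported by dsregcmd /status so you can confirm the image is domain joined but not Azure AD joined before enabling Seamless SSO. It assumes an elevated session on a Windows 10/11 build that ships dsregcmd.exe.

```powershell
# Added example, not the video's own script. Run elevated on the golden image.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName = 'BlockAADWorkplaceJoin'

function Set-BlockAadWorkplaceJoin {
    # Create the policy key if the image has never had it, then set the REG_DWORD to 1.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-BlockAadWorkplaceJoin {
    # Returns $true only when the value exists and is exactly 1.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$ValueName -eq 1)
}

function Get-DeviceJoinState {
    # Parse the "Name : Value" lines of dsregcmd /status into a hashtable so the
    # relevant fields can be checked without reading the whole report.
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|WorkplaceJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

Set-BlockAadWorkplaceJoin
if (-not (Test-BlockAadWorkplaceJoin)) { throw 'Policy value was not written as expected.' }

$join = Get-DeviceJoinState
# For an image prepared for Seamless SSO we expect DomainJoined : YES and AzureAdJoined : NO.
# AzureAdPrt : NO is then normal, because a PRT only exists on Hybrid Azure AD joined devices.
$join.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
if ($join['AzureAdJoined'] -eq 'YES') {
    Write-Warning 'Device is already Hybrid Azure AD joined; this policy blocks new automatic registration but does not unjoin the device.'
}
```

Take the snapshot used for the instant clone pool only after the check reports AzureAdJoined : NO; clones made from an image that was already registered will keep that registration.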

And remember, once you have decided which SSO method to deploy, you need to enable it in Azure AD Connect (I recommend reading the Microsoft documentation).

Microsoft Links:

To hire me and my company, visit:

#Azure, #AzureAD, #VDI, #SSO, #AzureSSO, #SeamlessSSO, #VMware, #vExpert
Comments

Great tip! Actually we just got these issues in a new VDI deployment with instant clone pools. Thanks.

ITSystemsAdmin

This is an excellent suggestion! We are running into this issue because we're in the midst of phasing out ADFS and migrating to PTA. Had a lot of issues with the non-persistent machines but this could be the solution! I've seen it before but I thought it only works for down-level Windows devices...thank you!

LijpeDude

Stephen! Question for you - Is there a way to use SSO to sign people into their Work or School accounts in Win11 automatically? We're trying to build a Win11 gold image to replace Win10. We are using FSLogix to back up profiles and have RoamIdentity turned on. The issue we're facing is it's not roaming the work or school account and is telling users to verify their account whenever they log in to a new VDI session. I just turned RoamIdentity off and am trying to set up Azure AD SSO, but it's not signing into work or school accounts automatically, and when I log into a new VDI, it throws an error saying the TPM has malfunctioned. - I'm a new SysAdmin, so I may have set something up incorrectly. Any help would be greatly appreciated.

davocampo

Oh man I've been fighting this for 4 months with Microsoft and Citrix. Definitely going to try your suggestion for SSO on non-persistent legacy AD joined only! Please let me know if anything has changed on this recently Stephen! Thanks!

ChrisLuton

Nice video and just reiterates the nightmare that VDI has become with cloud integration. We are developing a complex stew of Horizon 8 Instant Win10 21H2 clones (testing with hybrid and non hybrid join) along with AAD SSO/MFA o365, Onedrive, fslogix, DEM. The user experience is wrought with password and MFA authentication prompts from one session to the next. MFA tokens are not persisting from one logon to the next. Beyond frustrating.

ronfisher

Hey Stephen, great video and site!
What happens when you have an Azure Conditional Access policy that requires devices to be Hybrid AD joined, or enforces MFA? Every login, every MS app wants a password and MFA prompt, regardless of profile management. Instant clones are not supported by VMware for HAADJ, and the access policy wants HAADJ devices. I know an exception by location in the policy will fix this, but that doesn't seem to be an option. I tried the reg entry and excluding the OU from sync, but that's not the issue; it seems the policy is the issue, just not sure how to work around it without changing the policy, which will weaken security.

DoubleA-ARon