
How to Set up MFA and SSO Access in Azure Virtual Desktop?

  • Updated on October 28, 2025

Azure Virtual Desktop (AVD) is one of the most popular VDI solutions for businesses, enabling secure, remote access to apps and desktops. It provides a consistent, reliable work experience from anywhere. By setting up single sign-on (SSO), you can simplify access and avoid repeated login interruptions, whether you connect from your PC, laptop, Mac, or any other device.

SSO lets users sign in once with their Microsoft Entra credentials and then connect automatically to virtual desktops and apps without entering passwords again.

This guide walks you through the step-by-step process to enable single sign-on in Azure Virtual Desktop. You will also learn how to configure settings like conditional access to keep your environment secure while providing users a seamless experience.

Is Single Sign-On (SSO) Essential in Azure Virtual Desktop?

Enable SSO in Azure Virtual Desktop to skip repeated credential prompts and automatically sign users into session hosts. Use Microsoft Entra authentication for joined or hybrid joined hosts to support passwordless sign-in and third-party identity providers.

Azure Virtual Desktop also supports SSO with Active Directory Federation Services (AD FS) for Windows Desktop and web clients. Without SSO, users must enter credentials for every session or save them on secure devices.

Prerequisites for Setting Up SSO in Azure Virtual Desktop

Meet the following requirements before enabling single sign-on on your Azure Virtual Desktop:

1. Licensing: A Microsoft Entra ID P1 license. This guide focuses on the PowerShell method; you can also configure single sign-on (SSO) through the Azure portal UI as an alternative.

2. Permissions: You must have one of these Microsoft Entra roles:

  • Application Administrator, or
  • Cloud Application Administrator

3. Session Host Operating System (with October 2022 cumulative updates or later):

  • Windows 11 Enterprise (single or multi-session) – KB5018418 or later.
  • Windows 10 Enterprise (single or multi-session) – KB5018410 or later.
  • Windows Server 2022 – KB5018421 or later.

4. Join Requirements: Session hosts must be Microsoft Entra joined or Microsoft Entra hybrid joined. If using a hybrid join with a different AD domain than your users, you need a two-way trust between domains.

5. Tools: Install Microsoft Graph PowerShell SDK v2.9.0 or later (on your PC or in Azure Cloud Shell).

6. Client Requirements: Users must connect using a supported app:

Windows App:

  • Windows: All versions supported
  • macOS: v10.9.10 or later
  • iOS/iPadOS: v10.5.2 or later
  • Web browser

Remote Desktop client:

  • Windows Desktop client (Windows 10 or later)
  • Web client
  • macOS client v10.8.2 or later
  • iOS client v10.5.1 or later
  • Android client v10.0.16 or later

Ensure users are running the latest supported version of the Windows App or Remote Desktop client for their platform.

7. Session Lock Behavior: Remote sessions disconnect by default when you or a policy locks them. The system shows a dialog, and you can select Reconnect to resume.

Configure the session lock behavior if you want the system to show the remote lock screen instead of disconnecting.

8. Domain Administrator Accounts: Do not use Domain Admins or Administrators accounts to sign in to session hosts because default policies block password replication and trigger repeated credential prompts.

Use a non-administrator account to sign in, then run individual tasks with Run as administrator. Alternatively, use the runas tool from a command prompt to switch to an administrator account for a specific command.

How to Set Up Single Sign-On in Azure Virtual Desktop

Step 1: Enable Microsoft Entra Authentication for RDP

  1. Open Azure Cloud Shell in the Azure portal (choose PowerShell) or use PowerShell on your local device.
  2. If using Cloud Shell, set your Azure context to the right subscription. If using local PowerShell, sign in and then set your Azure context.
  3. Install the Microsoft Graph PowerShell SDK (see the prerequisites).
  4. Import the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules.
  5. Connect to Microsoft Graph with the Application.Read.All and Application-RemoteDesktopConfig.ReadWrite.All scopes. Run the following commands:
PowerShell

PS> Import-Module Microsoft.Graph.Authentication

PS> Import-Module Microsoft.Graph.Applications

PS> Connect-MgGraph -Scopes "Application.Read.All", "Application-RemoteDesktopConfig.ReadWrite.All"

  6. Get the object IDs of the Microsoft Remote Desktop and Windows Cloud Login service principals and save them in variables.
PowerShell

PS> $MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id

PS> $WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id

  7. Enable RDP authentication on both service principals by setting the property isRemoteDesktopProtocolEnabled to true. The check reads the IsRemoteDesktopProtocolEnabled property of the returned configuration object (comparing the whole object to $true would always trigger the update), so the update only runs while the property is still disabled:
PowerShell

PS> If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId -IsRemoteDesktopProtocolEnabled
}

PS> If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId).IsRemoteDesktopProtocolEnabled -ne $true) {
    Update-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId -IsRemoteDesktopProtocolEnabled
}

  8. Confirm both properties are set to true.
PowerShell

PS> Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId

PS> Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $WCLspId

The output of both commands should be:

Id IsRemoteDesktopProtocolEnabled
-- ------------------------------
id True

Step 2: Hide the consent prompt dialog

  1. Create a dynamic group in Microsoft Entra ID that contains the session hosts for which you want to hide the dialog. Note the object ID of the group.
  2. Open the same PowerShell session you used earlier.
  3. Create a targetDeviceGroup object and replace the <placeholders> with your own values.
PowerShell

PS> $tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup

PS> $tdg.Id = "<Group object ID>"

PS> $tdg.DisplayName = "<Group display name>"

  4. Add the group to the targetDeviceGroup object for both service principals.
PowerShell

PS> New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -BodyParameter $tdg

PS> New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -BodyParameter $tdg

The output should look like this:

Id                                   DisplayName
--                                   -----------
12345678-abcd-1234-abcd-1234567890ab Contoso-session-hosts

  5. Repeat steps 3 and 4 for each group you want to add. Remember, you can only add a maximum of 10 groups.
  6. Remove a device group from the targetDeviceGroup object when needed by replacing the <placeholders> with your own values:
PowerShell

PS> Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $MSRDspId -TargetDeviceGroupId "<Group object ID>"

PS> Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -TargetDeviceGroupId "<Group object ID>"
  

Note: Single sign-on (SSO) shows a dialog when users connect to a new session host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. Users can select Yes in the dialog to connect when prompted.

Tip: Configure a list of trusted devices to hide the consent dialog. Use a dynamic group in Microsoft Entra ID to automatically include all Azure Virtual Desktop session hosts.

Set and use device extension attributes with the Microsoft Graph API instead of device names to strengthen security. Dynamic groups usually update within 5–10 minutes, but large tenants can take up to 24 hours.
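The following script is an added example, not code from the original article, that ties the Step 2 procedure and the tip above together: it creates the dynamic device group keyed on a device extension attribute (rather than a device name pattern) and registers it as a trusted targetDeviceGroup on both service principals, respecting the 10-group limit. It assumes the Graph session and the $MSRDspId and $WCLspId variables from Step 1, the additional Group.ReadWrite.All scope, and that Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup is available in your SDK version; the group name, mail nickname and the attribute value "AVD-SessionHost" are placeholders.

```powershell
# Added example (not from the original article). Assumes $MSRDspId and $WCLspId
# from Step 1 and a Connect-MgGraph session that also holds Group.ReadWrite.All.
Import-Module Microsoft.Graph.Groups

$groupName = "AVD-Session-Hosts-Dynamic"          # placeholder name
# Membership rule keyed on a device extension attribute, not on the device name.
# "AVD-SessionHost" is a placeholder value you stamp onto session host devices.
$rule = '(device.extensionAttribute1 -eq "AVD-SessionHost")'

# Reuse the group if it already exists; otherwise create it as a dynamic security group.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -MailNickname "avdsessionhosts" `
        -SecurityEnabled -GroupTypes "DynamicMembership" -MembershipRule $rule `
        -MembershipRuleProcessingState "On"
    Write-Host "Created dynamic group $($group.Id); membership can take 5-10 minutes to populate."
}

# Build the targetDeviceGroup object once and apply it to both service principals.
$tdg = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphTargetDeviceGroup
$tdg.Id = $group.Id
$tdg.DisplayName = $group.DisplayName

foreach ($spId in @($MSRDspId, $WCLspId)) {
    # Groups already trusted on this service principal (at most 10 are allowed).
    $existing = @(Get-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $spId)
    if ($existing.Id -contains $group.Id) {
        Write-Host "Group already trusted on service principal $spId"
        continue
    }
    if ($existing.Count -ge 10) {
        Write-Warning "Service principal $spId already has 10 target device groups; remove one first."
        continue
    }
    New-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $spId -BodyParameter $tdg |
        Select-Object Id, DisplayName
}
```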

Step 3: Create a Kerberos Server Object

Create a Kerberos server object if your session hosts meet either of these conditions:

  • If your session host is Microsoft Entra hybrid joined, then you need a Kerberos server object to authenticate to a domain controller.
  • If your session host is Microsoft Entra joined and your environment contains Active Directory domain controllers, a Kerberos server object is required for users to access on-premises resources such as SMB shares or websites that use Windows-integrated authentication.

Note: Enabling single sign-on on Microsoft Entra hybrid joined session hosts without creating a Kerberos server object can cause several issues, including an error saying the specified session doesn’t exist, or single sign-on being skipped and replaced with a standard authentication dialog. Create the Kerberos server object and reconnect to fix this.

Step 4: Review Your Conditional Access Policies

  • Recognize that enabling single sign-on introduces a new Microsoft Entra ID app to authenticate users to the session host.
  • Review existing conditional access policies that apply to Azure Virtual Desktop.
  • Configure multifactor authentication to ensure users have the desired experience.

Step 5: Configure Your Host Pool to Enable Single Sign-On

  1. Open the Azure portal and go to your host pool’s RDP Properties.
  2. Set Microsoft Entra single sign-on to Connections will use Microsoft Entra authentication to provide single sign-on.
  3. Alternatively, use PowerShell to set the enablerdsaadauth property to 1 in the host pool’s custom RDP properties.
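The PowerShell route from step 3, as an added example that is not part of the original article: it appends enablerdsaadauth:i:1 to the host pool’s custom RDP properties without discarding the properties already set. It assumes the Az.DesktopVirtualization module and a signed-in Az session; the resource group and host pool names are placeholders.

```powershell
# Added example (not from the original article). Assumes Az.DesktopVirtualization
# and an existing Connect-AzAccount session with rights on the host pool.
Import-Module Az.DesktopVirtualization

$resourceGroup = "<resource-group-name>"   # placeholder
$hostPoolName  = "<host-pool-name>"        # placeholder

$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName

# Custom RDP properties are stored as one semicolon-separated string, e.g.
# "audiocapturemode:i:1;drivestoredirect:s:;". Split it so existing entries survive.
$props = @([string]$hostPool.CustomRdpProperty -split ';' | Where-Object { $_ -ne '' })

# Drop any stale enablerdsaadauth entry (such as :i:0), then set it to 1.
$props = @($props | Where-Object { $_ -notmatch '^enablerdsaadauth:' })
$props += 'enablerdsaadauth:i:1'
$newValue = ($props -join ';') + ';'

Update-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName -CustomRdpProperty $newValue

# Verify: the returned string should now contain enablerdsaadauth:i:1.
(Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName).CustomRdpProperty
```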

Why Use MFA in Azure Virtual Desktop?

MFA adds an extra layer of security by requiring a second form of identification during sign-in. You can enforce MFA with Conditional Access and apply it to web, mobile, or desktop clients. The next sections walk through how to enforce MFA in Azure Virtual Desktop and configure sign-in frequency.

Prerequisites for Setting Up MFA in Azure Virtual Desktop

Here’s what you need before setting up MFA in Azure Virtual Desktop: 

  • Licensing: Assign each user a license that includes Microsoft Entra ID P1 or P2. Conditional Access and MFA both require these editions.
  • User group: Create a Microsoft Entra security group and add all Azure Virtual Desktop users as members. This makes it easier to apply MFA policies consistently.
  • Microsoft Entra MFA: Enable Microsoft Entra multifactor authentication in your tenant. This ensures users can register and use a second authentication method.
  • Conditional Access: Verify that Conditional Access is available to your tenant. You will use it to enforce MFA on Azure Virtual Desktop apps and resources.

How to Set up MFA Access in Azure Virtual Desktop?

Step 1: Create a Conditional Access Policy

  1. Go to the Microsoft Entra admin center.
  2. Sign in with an account that has Conditional Access Administrator rights.
  3. Navigate to Protection > Conditional Access > Policies.
  4. Select New policy and enter a clear and meaningful name for the policy.
  5. Under Assignments > Users, select 0 users and groups selected.
  6. Go to the Include tab → Select users and groups → choose Users and groups.
  7. Pick the group that contains your Azure Virtual Desktop users.
  8. Under Assignments > Target resources, select No target resources selected.
  9. Keep the default option Resources (cloud apps).
  10. On the Include tab → select Select resources and then select None.
  11. Search for and select Azure Virtual Desktop (use “Azure Virtual” as the search term).
     (Screenshot: Azure portal search bar showing results for “Azure Virtual Desktop”.)
  12. Click Select after choosing your apps, then go to Assignments > Conditions and choose 0 conditions selected.
  13. Choose Not configured on Client apps.
  14. In the new pane, set Configure to Yes and choose which client apps the policy applies to:
    • Select Browser for the web client.
    • Select Mobile apps and desktop clients for other clients.
    • Select both to apply the policy to all clients.
    • Deselect legacy authentication clients.
     (Screenshot: Conditional Access Assignments > Conditions with the client app options Browser and Mobile apps and desktop clients selected.)
  15. Select Done after choosing your client apps.
  16. Go to Access controls > Grant, select 0 controls, and choose Grant access in the new pane.
  17. Check Require multifactor authentication and select Select.
  18. At the bottom, set Enable policy to On and click Create.

Pro Tip: Azure may list the app as Windows Virtual Desktop if you registered it before the name changed, but it uses the same app ID as Azure Virtual Desktop.

Also, you may see a Stay signed in to all your apps prompt if your Windows device isn’t registered with Microsoft Entra ID. If you deselect Allow my organization to manage my device and choose No, sign in to this app only, you may get authentication prompts more often.

Step 2: Configure Sign-in Frequency

  1. Open the Conditional Access policy you created earlier.
  2. Go to Access controls > Session and select 0 controls selected.
  3. Choose Sign-in frequency in the Session pane.
  4. Select one of the following options:
    • Periodic reauthentication – Set how often users must sign in again when a new access token is needed. For example, set 1 hour to require MFA if a connection starts more than an hour after the last authentication.
    • Every time – Supported only for the Microsoft Remote Desktop and Windows Cloud Login apps with SSO enabled. Users must reauthenticate when starting a new connection after being idle for 5–10 minutes.
  5. Select Save at the bottom of the page.
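The policies from Step 1 and Step 2 built with Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original article. It targets the three app IDs the article lists later (Azure Virtual Desktop, Microsoft Remote Desktop, Windows Cloud Login), applies a 1-hour periodic sign-in frequency only to the Azure Virtual Desktop policy, and creates both policies in report-only mode for review. It assumes Connect-MgGraph with the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes; the group ID and policy names are placeholders.

```powershell
# Added example (not from the original article). Assumes a Connect-MgGraph session
# holding Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns

$avdUsersGroupId = "<AVD users group object ID>"       # placeholder
$avdApp  = "9cdead84-a844-4324-93f2-b2e6bb768d07"      # Azure Virtual Desktop
$msrdApp = "a4a365df-50f1-4397-bc59-1a1564b8bb9c"      # Microsoft Remote Desktop
$wclApp  = "270efc09-cd0d-444b-a71f-39af4910ec45"      # Windows Cloud Login

function New-AvdMfaPolicy {
    param(
        [string]$Name,
        [string[]]$AppIds,
        [hashtable]$SignInFrequency   # $null leaves the session control unset
    )
    $body = @{
        displayName = $Name
        # Report-only first; switch to "enabled" once the sign-in logs look right.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users        = @{ includeGroups = @($avdUsersGroupId) }
            applications = @{ includeApplications = $AppIds }
            # browser = web client; mobileAppsAndDesktopClients = all other clients.
            # Legacy authentication client types are deliberately left out.
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    if ($SignInFrequency) {
        $body.sessionControls = @{ signInFrequency = $SignInFrequency }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy for the Azure Virtual Desktop app (feed subscription, Gateway
# authentication) with 1-hour periodic reauthentication, as in Step 2.
New-AvdMfaPolicy -Name "AVD - Require MFA (1h)" -AppIds @($avdApp) -SignInFrequency @{
    isEnabled          = $true
    type               = "hours"
    value              = 1
    frequencyInterval  = "timeBased"
    authenticationType = "primaryAndSecondaryAuthentication"
}

# Matching policy for the session host apps used by SSO. Sign-in frequency is the
# one setting the article says not to copy from the AVD policy, so it is omitted.
New-AvdMfaPolicy -Name "AVD session hosts - Require MFA" -AppIds @($msrdApp, $wclApp) -SignInFrequency $null
```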

Step 3: Configure Microsoft Entra Joined Session Host VMs

  1. Disable the legacy per-user MFA sign-in method; connections will not succeed with it enabled.
  2. Exclude the Azure Windows VM Sign-In app from your Conditional Access policy.
  3. Excluding that app is only needed when you don’t want to restrict session host sign-ins to strong authentication methods such as Windows Hello for Business.

Important Notes for Configuring MFA in Azure Virtual Desktop

  1. Configure MFA on these apps:
    • Azure Virtual Desktop (App ID: 9cdead84-a844-4324-93f2-b2e6bb768d07) – applies when users subscribe, authenticate to the Gateway, or send diagnostics.
    • Microsoft Remote Desktop (App ID: a4a365df-50f1-4397-bc59-1a1564b8bb9c) – applies when authenticating to the session host with SSO.
    • Windows Cloud Login (App ID: 270efc09-cd0d-444b-a71f-39af4910ec45) – also applies for session host authentication with SSO.
  2. Match Conditional Access policies between these apps and the Azure Virtual Desktop app, except for sign-in frequency.
  3. Current clients authenticate with the Microsoft Remote Desktop Entra ID app, but authentication will soon transition to the Windows Cloud Login Entra ID app. Add both to your Conditional Access policies to stay prepared.
  4. Do not select the app named Azure Virtual Desktop Azure Resource Manager Provider (App ID: 50e95039-b200-4007-bc97-8d5790743a63). It’s only used for retrieving user feeds and doesn’t require MFA.
  5. When users use the web client to sign in through their browser, logs show the client app ID as a85cf173-4192-42f8-81fa-777a763e6e2c (Azure Virtual Desktop client). This happens because the client app links internally to the server app ID, where the Conditional Access policy is applied.

Best Practices for Setting Up SSO and MFA Access in Azure Virtual Desktop

  • Plan Conditional Access policies carefully: Configure MFA through Conditional Access instead of per-user MFA. Use sign-in frequency controls to balance security with user experience.
  • Use dynamic groups for session hosts: Add all session hosts to a dynamic group in Microsoft Entra ID. This keeps your trusted device list updated automatically without manual changes.
  • Set up a Kerberos server object early: If your environment has hybrid join or domain controllers, create the Kerberos server object before enabling SSO. This prevents login errors and skipped authentication.
  • Test with the web client first: Verify your SSO setup in the web client before rolling it out to Remote Desktop apps. This helps you isolate client-specific issues quickly.
  • Document and train users: Share clear instructions with end users so they know what to expect during SSO login. Training reduces confusion and IT support requests.

Final Thoughts

You can set up single sign-on in Azure Virtual Desktop quickly and give users secure, easy access to their apps and desktops. SSO reduces login steps, saves time, and keeps your environment safe and secure.

Ace Cloud Hosting provides a fully managed Azure Virtual Desktop with 24/7 support, so you don’t deal with setup or technical issues. Start your free trial today and enjoy a reliable virtual desktop experience.

FAQ (Frequently Asked Questions)

Do I need admin rights to enable SSO in Azure Virtual Desktop?

Yes. You need administrator permissions in Azure and Microsoft Entra ID to configure single sign-on.

Can I enable SSO without Microsoft Entra ID?

No. Single sign-on in Azure Virtual Desktop requires Microsoft Entra ID for authentication.

Do I need a Kerberos server object for every setup?

Not always. You only need a Kerberos server object if your session hosts are Microsoft Entra hybrid joined or if you use Microsoft Entra joined hosts with on-premises Active Directory.

Can I apply MFA only to specific users?

Yes. Use Conditional Access policies to target specific users, groups, or applications.

How often will users be prompted for MFA?

It depends on your sign-in frequency policy. By default, reauthentication happens only when a new access token is required. You can configure this interval for tighter security.

What happens if I don’t configure conditional access policies?

Users can still log in with SSO, but you may miss important security controls like multifactor authentication. Therefore, it is highly recommended that you review the conditional access policy.

What causes an endless login loop when SSO doesn’t work?

An endless loop usually happens when you don’t have the right permissions or your Kerberos server object is missing attributes. Make sure your session host VMs have both VM login and User login RBAC roles, and verify that the Kerberos server object includes all required cloud attributes.

Is there another way to configure SSO in Azure Virtual Desktop?

Yes. You can also configure SSO using Active Directory Federation Services (AD FS). This approach is less common today but still supported in certain environments. For detailed steps, see Configure ADFS single sign-on for Azure Virtual Desktop.

What should I avoid when configuring MFA?

Don’t apply MFA to the Azure Virtual Desktop Azure Resource Manager Provider app. It’s only used to retrieve user feeds and shouldn’t require MFA.

What should I do if SSO still prompts for credentials?

First, test with the web client to check if the issue is client-specific. If prompts continue, review your Kerberos server object and Conditional Access settings. Missing attributes or conflicting policies often cause repeated credential prompts.
