Two-way trust requirement.

davidbel · davidbel · commit 3ba0977bdaf3 · 2023-12-14T13:45:21.000-08:00
diff --git a/articles/virtual-desktop/configure-single-sign-on.md b/articles/virtual-desktop/configure-single-sign-on.md
@@ -4,7 +4,7 @@ description: Learn how to configure single sign-on for an Azure Virtual Desktop
 ms.topic: how-to
 author: dknappettmsft
 ms.author: daknappe
-ms.date: 06/12/2023
+ms.date: 12/15/2023
 ---
 
 # Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID authentication
@@ -58,7 +58,7 @@ Before you can enable single sign-on, you must meet the following prerequisites:
 
 - Your session hosts must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join) or [Microsoft Entra hybrid joined](/entra/identity/devices/concept-hybrid-join). Session hosts joined to Microsoft Entra Domain Services or to Active Directory Domain Services only aren't supported.
 
-- [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) on your local device, or [Azure Cloud Shell](../cloud-shell/overview.md).
+- If your Microsoft Entra hybrid joined session hosts are in a different domain than your user accounts, there must be a two-way trust between the 2 domains. Without the two-way trust, connections will fall back to older authentication protocols.
 
 - A supported Remote Desktop client to connect to a remote session. The following clients are supported:
 
@@ -86,7 +86,9 @@ To configure the service principal, use the [Microsoft Graph PowerShell SDK](/po
 
 [!INCLUDE [include-cloud-shell-local-powershell](includes/include-cloud-shell-local-powershell.md)]
 
-2. Import the *Authentication* and *Applications* Microsoft Graph modules and connect to Microsoft Graph with the `Application.Read.All` and `Application-RemoteDesktopConfig.ReadWrite.All` scopes by running the following commands:
+2. [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation) on your local device, or [Azure Cloud Shell](../cloud-shell/overview.md).
+
+3. Import the *Authentication* and *Applications* Microsoft Graph modules and connect to Microsoft Graph with the `Application.Read.All` and `Application-RemoteDesktopConfig.ReadWrite.All` scopes by running the following commands:
 
    ```powershell
    Import-Module Microsoft.Graph.Authentication
@@ -95,14 +97,14 @@ To configure the service principal, use the [Microsoft Graph PowerShell SDK](/po
    Connect-MgGraph -Scopes "Application.Read.All","Application-RemoteDesktopConfig.ReadWrite.All"
    ```
 
-3. Get the object ID for each service principal and store them in variables by running the following commands:
+4. Get the object ID for each service principal and store them in variables by running the following commands:
 
    ```powershell
    $MSRDspId = (Get-MgServicePrincipal -Filter "AppId eq 'a4a365df-50f1-4397-bc59-1a1564b8bb9c'").Id
    $WCLspId = (Get-MgServicePrincipal -Filter "AppId eq '270efc09-cd0d-444b-a71f-39af4910ec45'").Id
    ```
 
-4. Set the property `isRemoteDesktopProtocolEnabled` to `true` by running the following commands. There's no output from these commands.
+5. Set the property `isRemoteDesktopProtocolEnabled` to `true` by running the following commands. There's no output from these commands.
 
    ```powershell
    If ((Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId) -ne $true) {
@@ -114,7 +116,7 @@ To configure the service principal, use the [Microsoft Graph PowerShell SDK](/po
    }
    ```
 
-5. Confirm the property `isRemoteDesktopProtocolEnabled` is set to `true` by running the following commands:
+6. Confirm the property `isRemoteDesktopProtocolEnabled` is set to `true` by running the following commands:
 
    ```powershell
    Get-MgServicePrincipalRemoteDesktopSecurityConfiguration -ServicePrincipalId $MSRDspId
