Commit 40dc95f

Merge pull request #253642 from davidbel/davidbel-37836870-SSO-GA
Update SSO docs for GA
2 parents 90f3722 + f5814d0 commit 40dc95f

7 files changed

+34
-44
lines changed

articles/virtual-desktop/authentication.md

Lines changed: 5 additions & 10 deletions
Original file line number | Diff line number | Diff line change
@@ -5,7 +5,7 @@ services: virtual-desktop
55
author: Heidilohr
66
ms.service: virtual-desktop
77
ms.topic: conceptual
8-
ms.date: 07/11/2023
8+
ms.date: 11/14/2023
99
ms.author: helohr
1010
manager: femila
1111
---
@@ -26,9 +26,9 @@ Since users must be discoverable through Microsoft Entra ID to access the Azure
2626

2727
### Hybrid identity
2828

29-
Azure Virtual Desktop supports [hybrid identities](../active-directory/hybrid/whatis-hybrid-identity.md) through Microsoft Entra ID, including those federated using AD FS. You can manage these user identities in AD DS and sync them to Microsoft Entra ID using [Microsoft Entra Connect](../active-directory/hybrid/whatis-azure-ad-connect.md). You can also use Microsoft Entra ID to manage these identities and sync them to [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md).
29+
Azure Virtual Desktop supports [hybrid identities](/entra/identity/hybrid/whatis-hybrid-identity) through Microsoft Entra ID, including those federated using AD FS. You can manage these user identities in AD DS and sync them to Microsoft Entra ID using [Microsoft Entra Connect](/entra/identity/hybrid/connect/whatis-azure-ad-connect). You can also use Microsoft Entra ID to manage these identities and sync them to [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md).
3030

31-
When accessing Azure Virtual Desktop using hybrid identities, sometimes the User Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and Microsoft Entra ID don't match. For example, the AD account [email protected] may correspond to [email protected] in Microsoft Entra ID. Azure Virtual Desktop only supports this type of configuration if either the UPN or SID for both your AD and Microsoft Entra accounts match. SID refers to the user object property "ObjectSID" in AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID.
31+
When accessing Azure Virtual Desktop using hybrid identities, sometimes the User Principal Name (UPN) or Security Identifier (SID) for the user in Active Directory (AD) and Microsoft Entra ID don't match. For example, the AD account [email protected] may correspond to [email protected] in Microsoft Entra ID. Azure Virtual Desktop only supports this type of configuration if either the UPN or SID for both your AD and Microsoft Entra ID accounts match. SID refers to the user object property "ObjectSID" in AD and "OnPremisesSecurityIdentifier" in Microsoft Entra ID.
3232

3333
### Cloud-only identity
3434
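Review bot: the third link on new line 29 (`../active-directory-domain-services/overview.md`) is left as a relative path while the hybrid-identity and Microsoft Entra Connect links in the same sentence were moved to absolute `/entra/identity/hybrid/...` paths; if the Domain Services article has also moved under `/entra`, update it in the same pass, otherwise confirm the relative path still resolves so the sentence does not end up with one dead link out of three.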

@@ -101,14 +101,9 @@ Azure Virtual Desktop supports both NT LAN Manager (NTLM) and Kerberos for sessi
101101

102102
Once you're connected to your RemoteApp or desktop, you may be prompted for authentication inside the session. This section explains how to use credentials other than username and password in this scenario.
103103

104-
### In-session passwordless authentication (preview)
104+
### In-session passwordless authentication
105105

106-
> [!IMPORTANT]
107-
> In-session passwordless authentication is currently in public preview.
108-
> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
109-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
110-
111-
Azure Virtual Desktop supports in-session passwordless authentication (preview) using [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) or security devices like FIDO keys when using the [Windows Desktop client](users/connect-windows.md). Passwordless authentication is enabled automatically when the session host and local PC are using the following operating systems:
106+
Azure Virtual Desktop supports in-session passwordless authentication using [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview) or security devices like FIDO keys when using the [Windows Desktop client](users/connect-windows.md). Passwordless authentication is enabled automatically when the session host and local PC are using the following operating systems:
112107

113108
- Windows 11 single or multi-session with the [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
114109
- Windows 10 single or multi-session, versions 20H2 or later with the [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
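Review bot: renaming the heading from `### In-session passwordless authentication (preview)` to `### In-session passwordless authentication` changes the generated fragment, so the old `#in-session-passwordless-authentication-preview` anchor stops resolving; this PR updates the in-repo links in configure-device-redirections.md and configure-single-sign-on.md, but any external bookmark or link to the old fragment will now land at the top of the page. Consider placing `<a name='in-session-passwordless-authentication-preview'></a>` directly above the new heading, the same pattern this repo already uses with `<a name='deploy-azure-ad-joined-vms'></a>` in azure-ad-joined-session-hosts.md.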

articles/virtual-desktop/azure-ad-joined-session-hosts.md

Lines changed: 14 additions & 10 deletions
@@ -7,7 +7,7 @@ manager: femila
77

88
ms.service: virtual-desktop
99
ms.topic: how-to
10-
ms.date: 06/23/2023
10+
ms.date: 11/14/2023
1111
ms.author: helohr
1212
---
1313

@@ -20,18 +20,18 @@ This article will walk you through the process of deploying and accessing Micros
2020
The following known limitations may affect access to your on-premises or Active Directory domain-joined resources and you should consider them when deciding whether Microsoft Entra joined VMs are right for your environment.
2121

2222
- Azure Virtual Desktop (classic) doesn't support Microsoft Entra joined VMs.
23-
- Microsoft Entra joined VMs don't currently support external identities, such as Microsoft Entra Business-to-Business (B2B) and Azure AD Business-to-Consumer (B2C).
23+
- Microsoft Entra joined VMs don't currently support external identities, such as Microsoft Entra Business-to-Business (B2B) and Microsoft Entra Business-to-Consumer (B2C).
2424
- Microsoft Entra joined VMs can only access [Azure Files shares](create-profile-container-azure-ad.md) or [Azure NetApp Files shares](create-fslogix-profile-container.md) for hybrid users using Microsoft Entra Kerberos for FSLogix user profiles.
2525
- The [Remote Desktop app for Windows](users/connect-microsoft-store.md) doesn't support Microsoft Entra joined VMs.
2626

2727
<a name='deploy-azure-ad-joined-vms'></a>
2828

2929
## Deploy Microsoft Entra joined VMs
3030

31-
You can deploy Microsoft Entra joined VMs directly from the Azure portal when you [create a new host pool](create-host-pools-azure-marketplace.md) or [expand an existing host pool](expand-existing-host-pool.md). To deploy a Microsoft Entra joined VM, open the **Virtual Machines** tab, then select whether to join the VM to Active Directory or Microsoft Entra ID. Selecting **Microsoft Entra ID** gives you the option to enroll VMs with Intune automatically, which lets you easily [manage your session hosts](management.md). Keep in mind that the Microsoft Entra option will only join VMs to the same Microsoft Entra tenant as the subscription you're in.
31+
You can deploy Microsoft Entra joined VMs directly from the Azure portal when you [create a new host pool](create-host-pools-azure-marketplace.md) or [expand an existing host pool](expand-existing-host-pool.md). To deploy a Microsoft Entra joined VM, open the **Virtual Machines** tab, then select whether to join the VM to Active Directory or Microsoft Entra ID. Selecting **Microsoft Entra ID** gives you the option to enroll VMs with Intune automatically, which lets you easily [manage your session hosts](management.md). Keep in mind that the Microsoft Entra ID option will only join VMs to the same Microsoft Entra tenant as the subscription you're in.
3232

3333
> [!NOTE]
34-
> - Host pools should only contain VMs of the same domain join type. For example, Microsoft Entra joined VMs should only be with other Microsoft Entra VMs, and vice-versa.
34+
> - Host pools should only contain VMs of the same domain join type. For example, Microsoft Entra joined VMs should only be with other Microsoft Entra joined VMs, and vice-versa.
3535
> - The VMs in the host pool must be Windows 11 or Windows 10 single-session or multi-session, version 2004 or later, or Windows Server 2022 or Windows Server 2019.
3636
3737
### Assign user access to host pools
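Review bot: line 23 rewrites "Azure AD Business-to-Consumer (B2C)" as "Microsoft Entra Business-to-Consumer (B2C)", but Azure AD B2C kept its name in the Entra rebrand, so the original wording was the correct product name; suggest reverting that one term to "Azure AD Business-to-Consumer (B2C)" while keeping the rest of the hunk's "Microsoft Entra ID" wording (line 31 and the note on line 34 read correctly as changed).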
@@ -51,7 +51,15 @@ To grant users access to Microsoft Entra joined VMs, you must [configure role as
5151

5252
This section explains how to access Microsoft Entra joined VMs from different Azure Virtual Desktop clients.
5353

54-
### Connect using the Windows Desktop client
54+
### Single sign-on
55+
56+
For the best experience across all platforms, you should enable a single sign-on experience using Microsoft Entra authentication when accessing Microsoft Entra joined VMs. Follow the steps to [Configure single sign-on](configure-single-sign-on.md) to provide a seamless connection experience.
57+
58+
### Connect using legacy authentication protocols
59+
60+
If you prefer not to enable single sign-on, you can use the following configuration to enable access to Microsoft Entra joined VMs.
61+
62+
**Connect using the Windows Desktop client**
5563

5664
The default configuration supports connections from Windows 11 or Windows 10 using the [Windows Desktop client](users/connect-windows.md). You can use your credentials, smart card, [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust) or [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs) to sign in to the session host. However, to access the session host, your local PC must meet one of the following conditions:
5765
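Review bot: demoting `### Connect using the Windows Desktop client` to bold text (new line 62) removes the `#connect-using-the-windows-desktop-client` fragment, yet the `targetisaadjoined` row in includes/include-rdp-properties.md, changed in this same PR, still links to `/azure/virtual-desktop/deploy-azure-ad-joined-vm#connect-using-the-windows-desktop-client`, which will now land at the top of the article. Either keep this as a `####` heading under "Connect using legacy authentication protocols" (which also keeps it in the page's table of contents) or add an explicit `<a name=...>` anchor above the bold line, and verify the fragment from the include before merging; the same applies to the bolded "Connect using the other clients" in the next hunk.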

@@ -61,7 +69,7 @@ The default configuration supports connections from Windows 11 or Windows 10 usi
6169

6270
If your local PC doesn't meet one of these conditions, add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
6371

64-
### Connect using the other clients
72+
**Connect using the other clients**
6573

6674
To access Microsoft Entra joined VMs using the web, Android, macOS and iOS clients, you must add **targetisaadjoined:i:1** as a [custom RDP property](customize-rdp-properties.md) to the host pool. These connections are restricted to entering user name and password credentials when signing in to the session host.
6775

@@ -73,10 +81,6 @@ You can use Microsoft Entra multifactor authentication with Microsoft Entra join
7381

7482
If you're using Microsoft Entra multifactor authentication and you don't want to restrict signing in to strong authentication methods like Windows Hello for Business, you'll need to [exclude the Azure Windows VM Sign-In app](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#mfa-sign-in-method-required) from your Conditional Access policy.
7583

76-
### Single sign-on
77-
78-
You can enable a single sign-on experience using Microsoft Entra authentication when accessing Microsoft Entra joined VMs. Follow the steps to [Configure single sign-on](configure-single-sign-on.md) to provide a seamless connection experience.
79-
8084
## User profiles
8185

8286
You can use FSLogix profile containers with Microsoft Entra joined VMs when you store them on Azure Files or Azure NetApp Files while using hybrid user accounts. For more information, see [Create a profile container with Azure Files and Microsoft Entra ID](create-profile-container-azure-ad.md).

articles/virtual-desktop/configure-device-redirections.md

Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ title: Configure device redirection - Azure
33
description: How to configure device redirection for Azure Virtual Desktop.
44
author: Heidilohr
55
ms.topic: how-to
6-
ms.date: 03/06/2023
6+
ms.date: 11/14/2023
77
ms.author: helohr
88
manager: femila
99
---
@@ -172,7 +172,7 @@ Set the following RDP property to configure WebAuthn redirection:
172172
- `redirectwebauthn:i:1` enables WebAuthn redirection.
173173
- `redirectwebauthn:i:0` disables WebAuthn redirection.
174174
175-
When enabled, WebAuthn requests from the session are sent to the local PC to be completed using the local Windows Hello for Business or security devices like FIDO keys. For more information, see [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication-preview).
175+
When enabled, WebAuthn requests from the session are sent to the local PC to be completed using the local Windows Hello for Business or security devices like FIDO keys. For more information, see [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication).
176176
177177
## Disable drive redirection
178178

articles/virtual-desktop/configure-single-sign-on.md

Lines changed: 4 additions & 9 deletions
@@ -7,19 +7,14 @@ manager: femila
77

88
ms.service: virtual-desktop
99
ms.topic: how-to
10-
ms.date: 10/30/2023
10+
ms.date: 11/14/2023
1111
ms.author: helohr
1212
---
1313
# Configure single sign-on for Azure Virtual Desktop using Microsoft Entra authentication
1414

15-
> [!IMPORTANT]
16-
> Single sign-on using Microsoft Entra authentication is currently in public preview.
17-
> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
18-
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
19-
20-
This article walks you through the process of configuring single sign-on (SSO) using Microsoft Entra authentication for Azure Virtual Desktop (preview). When you enable SSO, users will authenticate to Windows using a Microsoft Entra ID token, obtained for the *Microsoft Remote Desktop* resource application (changing to *Windows Cloud Login* beginning in 2024). This enables them to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Azure Virtual Desktop resources. When enabled, this feature provides a single sign-on experience when authenticating to the session host and configures the session to provide single sign-on to Microsoft Entra ID-based resources inside the session.
15+
This article walks you through the process of configuring single sign-on (SSO) using Microsoft Entra authentication for Azure Virtual Desktop. When you enable SSO, users will authenticate to Windows using a Microsoft Entra ID token, obtained for the *Microsoft Remote Desktop* resource application (changing to *Windows Cloud Login* beginning in 2024). This enables them to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Azure Virtual Desktop resources. When enabled, this feature provides a single sign-on experience when authenticating to the session host and configures the session to provide single sign-on to Microsoft Entra ID-based resources inside the session.
2116

22-
For information on using passwordless authentication within the session, see [In-session passwordless authentication (preview)](authentication.md#in-session-passwordless-authentication-preview).
17+
For information on using passwordless authentication within the session, see [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication).
2318

2419
> [!NOTE]
2520
> Azure Virtual Desktop (classic) doesn't support this feature.
@@ -138,7 +133,7 @@ To enable SSO on your host pool, you must configure the following RDP property,
138133

139134
## Next steps
140135

141-
- Check out [In-session passwordless authentication (preview)](authentication.md#in-session-passwordless-authentication-preview) to learn how to enable passwordless authentication.
136+
- Check out [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication) to learn how to enable passwordless authentication.
142137
- For more information about Microsoft Entra Kerberos, see [Deep dive: How Microsoft Entra Kerberos works](https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889)
143138
- If you're accessing Azure Virtual Desktop from our Windows Desktop client, see [Connect with the Windows Desktop client](./users/connect-windows.md).
144139
- If you're accessing Azure Virtual Desktop from our web client, see [Connect with the web client](./users/connect-web.md).

articles/virtual-desktop/includes/include-rdp-properties.md

Lines changed: 3 additions & 3 deletions
@@ -2,15 +2,15 @@
22
author: dknappettmsft
33
ms.author: daknappe
44
ms.topic: include
5-
ms.date: 06/23/2023
5+
ms.date: 11/14/2023
66
---
77

88
## Connection information
99

1010
| Display name | RDP property | Azure Virtual Desktop | Remote Desktop Services | Description | Values | Default value |
1111
|--|--|:-:|:-:|--|--|:-:|
12-
| Microsoft Entra single sign-on | enablerdsaadauth:i:*value* ||| Determines whether the client will use Microsoft Entra ID to authenticate to the remote PC. In Azure Virtual Desktop, this provides a single sign-on experience.<br /><br />This feature is currently only available in preview for the Windows, web, and macOS clients only . This property replaces the property `targetisaadjoined`. | - 0: Connections won't use Microsoft Entra authentication, even if the remote PC supports it.<br />- 1: Connections will use Microsoft Entra authentication if the remote PC supports it. | 0 |
13-
| Microsoft Entra authentication | targetisaadjoined:i:*value* ||| Allows connections to Microsoft Entra joined session hosts using username and password.<br /><br />Note: only applicable to non-Windows clients and local Windows devices that aren't joined to Microsoft Entra ID. | - 0: Connections to Microsoft Entra joined session hosts will succeed for Windows devices that [meet the requirements](/azure/virtual-desktop/deploy-azure-ad-joined-vm#connect-using-the-windows-desktop-client), but other connections will fail.<br />- 1: Connections to Microsoft Entra joined hosts will succeed but are restricted to entering user name and password credentials when connecting to session hosts. | 0 |
12+
| Microsoft Entra single sign-on | enablerdsaadauth:i:*value* ||| Determines whether the client will use Microsoft Entra ID to authenticate to the remote PC. In Azure Virtual Desktop, this provides a single sign-on experience.<br /><br />This property replaces the property `targetisaadjoined`. | - 0: Connections won't use Microsoft Entra authentication, even if the remote PC supports it.<br />- 1: Connections will use Microsoft Entra authentication if the remote PC supports it. | 0 |
13+
| Connect to Microsoft Entra joined host | targetisaadjoined:i:*value* ||| Allows connections to Microsoft Entra joined session hosts using username and password.<br /><br />Note: only applicable to non-Windows clients and local Windows devices that aren't joined to Microsoft Entra.<br /><br />This property is being replaced by the property `enablerdsaadauth`. | - 0: Connections to Microsoft Entra joined session hosts will succeed for Windows devices that [meet the requirements](/azure/virtual-desktop/deploy-azure-ad-joined-vm#connect-using-the-windows-desktop-client), but other connections will fail.<br />- 1: Connections to Microsoft Entra joined hosts will succeed but are restricted to entering user name and password credentials when connecting to session hosts. | 0 |
1414
| Credential Security Support Provider | enablecredsspsupport:i:*value* ||| Determines whether the client will use the Credential Security Support Provider (CredSSP) for authentication if it's available. | - 0: RDP won't use CredSSP, even if the operating system supports CredSSP.<br />- 1: RDP will use CredSSP if the operating system supports CredSSP. | 1 |
1515
| Alternate shell | alternate shell:s:*value* ||| Specifies a program to be started automatically in the remote session as the shell instead of explorer. | Valid path to an executable file, such as `C:\ProgramFiles\Office\word.exe`. | None |
1616
| KDC proxy name | kdcproxyname:s:*value* ||| Specifies the fully qualified domain name of a KDC proxy. | Valid path to a KDC proxy server, such as `kdc.contoso.com`. | None |
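Review bot: the `targetisaadjoined` row on new line 13 still links to `/azure/virtual-desktop/deploy-azure-ad-joined-vm#connect-using-the-windows-desktop-client`, but this PR demotes that heading in azure-ad-joined-session-hosts.md to bold text, so the fragment no longer exists; re-anchor or update that link in the same change. Two smaller points on the same rows: the `enablerdsaadauth` description on line 12 drops the sentence listing which clients support the property without replacing it, so a reader can no longer tell whether, for example, the iOS and Android clients honor it (if every client supports it at GA, say so; otherwise list the supported clients), and the note on line 13 now reads "joined to Microsoft Entra" where the rest of the PR standardizes on "Microsoft Entra ID".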
