articles/virtual-desktop/configure-single-sign-on.md
18 additions & 5 deletions
@@ -31,21 +31,33 @@ Before you enable single sign-on, review the following information for using it
31
31
32
32
### Disconnection when the session is locked
33
33
34
-
When single sign-on is enabled and the remote session is locked, either by the user or by policy, the session is instead disconnected and a dialog is shown to let users know. Users can choose the Reconnect option from the dialog when they are ready to connect again. This is done for security reasons and to ensure full support of passwordless authentication. Disconnecting provides the following benefits:
34
+
When single sign-on is enabled and the remote session is locked, either by the user or by policy, the session is instead disconnected and a dialog is shown to let users know they were disconnected. Users can choose the **Reconnect** option from the dialog when they are ready to connect again. This is done for security reasons and to ensure full support of passwordless authentication. Disconnecting the session provides the following benefits:
35
35
36
36
- Consistent sign-in experience through Microsoft Entra ID when needed.
37
37
- Single sign-on experience and reconnection without authentication prompt when allowed by conditional access policies.
38
38
- Supports passwordless authentication like passkeys and FIDO2 devices, contrary to the remote lock screen.
39
39
- Conditional access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
40
40
- Can require multi-factor authentication to return to the session and prevent users from unlocking with a simple username and password.
41
+
- Consistent sign-in experience through Microsoft Entra ID when needed.
42
+
43
+
- Single sign-on experience and reconnection without authentication prompt when allowed by conditional access policies.
44
+
45
+
- Supports passwordless authentication like passkeys and FIDO2 devices, contrary to the remote lock screen.
46
+
47
+
- Conditional access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session.
41
48
49
+
- Can require multi-factor authentication to return to the session and prevent users from unlocking with a simple username and password.
42
50
If you prefer to show the remote lock screen instead of disconnecting the session, your session hosts must use the following operating systems:
43
51
44
52
- Windows 11 single or multi-session with the [2024-05 Cumulative Updates for Windows 11 (KB5037770)](https://support.microsoft.com/kb/KB5037770) or later installed.
45
53
- Windows 10 single or multi-session, versions 21H2 or later with the [2024-06 Cumulative Updates for Windows 10 (KB5039211)](https://support.microsoft.com/kb/KB5039211) or later installed.
46
54
- Windows Server 2022 with the [2024-05 Cumulative Update for Microsoft server operating system (KB5037782)](https://support.microsoft.com/kb/KB5037782) or later installed.
55
+
- Windows 11 single or multi-session with the [2024-05 Cumulative Updates for Windows 11 (KB5037770)](https://support.microsoft.com/kb/KB5037770) or later installed.
56
+
57
+
- Windows 10 single or multi-session, versions 21H2 or later with the [2024-06 Cumulative Updates for Windows 10 (KB5039211)](https://support.microsoft.com/kb/KB5039211) or later installed.
47
58
48
-
You can configure the session lock behavior of your session hosts by using Intune, Group Policy or the registry.
59
+
- Windows Server 2022 with the [2024-05 Cumulative Update for Microsoft server operating system (KB5037782)](https://support.microsoft.com/kb/KB5037782) or later installed.
60
+
You can configure the session lock behavior of your session hosts by using Intune, Group Policy, or the registry.
49
61
50
62
# [Intune](#tab/intune)
51
63
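Review bot: the blank lines inserted between every bullet (new-side lines 41 through 49 and 55 through 59) turn two tight lists into loose lists, which render with paragraph spacing; confirm the rest of the article's lists use that style before standardizing on it here. Since these bullets are being moved anyway, they still mix `multifactor authentication` and `multi-factor authentication`, and `contrary to the remote lock screen` reads better as `unlike the remote lock screen`. One content gap: the paragraph that offers the remote lock screen as an alternative does not say what is given up by choosing it, even though the bullets directly above state that disconnecting is what makes conditional access and sign-in frequency get re-evaluated and what lets passkeys and FIDO2 devices work. A one-line caveat there, along the lines of "if you show the lock screen instead, unlocking does not re-evaluate conditional access policies", would make the security trade-off explicit for admins.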
@@ -61,6 +73,7 @@ To configure the session lock experience using Intune, follow these steps. This
61
73
-**Profile type**: Select **Settings catalog**.
62
74
63
75
1. Select **Create**.
76
+
64
77
1. In **Basics**, enter the following properties:
65
78
66
79
-**Name**: Enter a descriptive name for the profile. Name your profile so you can easily identify it later.
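Review bot: the blank line added after `1. Select **Create**.` (new-side line 76) correctly separates that step from `1. In **Basics**, enter the following properties:`, but it is the only step in this procedure that gets one in this change; check that the remaining numbered steps in the Intune tab are spaced the same way so the list renders consistently.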
@@ -106,7 +119,7 @@ To configure the session lock experience using Group Policy, follow these steps.
106
119
107
120
1. Select **OK** to save your changes.
108
121
109
-
1. Once the policy is configured, it will take effect after the user initiate a new session.
122
+
1. Once the policy is configured, it will take effect after the user initiates a new session.
110
123
111
124
> [!TIP]
112
125
> To configure the Group Policy centrally on Active Directory Domain Controllers using Windows Server 2019 or Windows Server 2016, copy the `terminalserver.admx` and `terminalserver.adml` administrative template files from a session host to the [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) on the domain controller.
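Review bot: `initiate` to `initiates` is correct, but the sentence still uses future tense (`it will take effect`) where present tense reads cleaner; suggest `Once the policy is configured, it takes effect the next time the user starts a new session.` It is also worth stating whether reconnecting to an existing, disconnected session (the flow this same section describes) picks up the new lock behavior, or whether only a fresh sign-in does, since an admin who changes the setting will otherwise expect it to apply to users who are already signed in.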
@@ -227,12 +240,12 @@ To configure the service principal, use the [Microsoft Graph PowerShell SDK](/po
227
240
228
241
## Hide the consent prompt dialog
229
242
230
-
By default when single sign-on is enabled, users will see a dialog to allow the Remote Desktop connection when connecting to a new session host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If users see this dialogue to allow the Remote Desktop connection, the can select **Yes** to connect.
243
+
By default when single sign-on is enabled, users will see a dialog to allow the Remote Desktop connection when connecting to a new session host. Microsoft Entra remembers up to 15 hosts for 30 days before prompting again. If users see this dialogue to allow the Remote Desktop connection, they can select **Yes** to connect.
231
244
232
245
You can hide this dialog by configuring a list of trusted devices. To configure the list of devices, create one or more groups in Microsoft Entra ID that contains your session hosts, then add the group IDs to a property on the SSO service principals, *Microsoft Remote Desktop* and *Windows Cloud Login*.
233
246
234
247
> [!TIP]
235
-
> We recommend you use a dynamic group and configure the dynamic membership rules to includes all your Azure Virtual Desktop session hosts. You can use the device names in this group, but for a more secure option, you can set and use [device extension attributes](/graph/extensibility-overview) using [Microsoft Graph API](/graph/api/resources/device). While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.
248
+
> We recommend you use a dynamic group and configure the dynamic membership rules to include all your Azure Virtual Desktop session hosts. You can use the device names in this group, but for a more secure option, you can set and use [device extension attributes](/graph/extensibility-overview) using [Microsoft Graph API](/graph/api/resources/device). While dynamic groups normally update within 5-10 minutes, large tenants can take up to 24 hours.
236
249
>
237
250
> Dynamic groups requires the Microsoft Entra ID P1 license or Intune for Education license. For more information, see [Dynamic membership rules for groups](/entra/identity/users/groups-dynamic-membership).
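Review bot: `the can` to `they can` and `includes` to `include` are right, but the same lines carry a few more fixes worth folding in: new-side line 243 uses both `dialog` and `dialogue` for the same UI element (the heading says `dialog`), `By default when single sign-on is enabled` needs a comma after `By default`, and the unchanged tip line 250 says `Dynamic groups requires` where it should be `require`. On substance, the tip calls device extension attributes "a more secure option" than device names without saying why; adding the reason (a device's display name is set on the device itself, so a name-based membership rule can match a device that is not one of your session hosts, whereas an extension attribute is written by an administrator through Microsoft Graph) would let admins weigh the trade-off rather than take it on faith.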