Commit 7de25a3

Merge pull request #219813 from dknappettmsft/avd-remote-app-streaming-aad-aadds
AVD remote app streaming added SSO and Intune note
2 parents 266db9c + 416ed19 commit 7de25a3

2 files changed

+9
-6
lines changed

articles/virtual-desktop/remote-app-streaming/TOC.yml

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@
2424
items:
2525
- name: Essentials for remote app streaming
2626
items:
27-
- name: Set up managed identities
27+
- name: Create user accounts
2828
href: identities.md
2929
- name: Deploy apps with MSIX app attach
3030
href: msix-app-attach.md
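
Review bot: The renamed entry on line 27 still points at `href: identities.md`, so the navigation label now says "Create user accounts" while the file name and URL keep the old "identities" wording. If the file name is kept on purpose to preserve existing links, that is fine; otherwise rename the file and add a redirect in the same change. The label is also shorter than the new H1 in identities.md ("Create user accounts for remote app streaming"), which works inside this TOC but is worth confirming as intended.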

articles/virtual-desktop/remote-app-streaming/identities.md

Lines changed: 8 additions & 5 deletions
@@ -1,14 +1,14 @@
11
---
2-
title: Set up managed identities in Azure Virtual Desktop - Azure
3-
description: How to set up managed identities for your customers in Azure Virtual Desktop with Azure AD, Azure AD DS, or AD DS.
2+
title: Create user accounts for remote app streaming - Azure Virtual Desktop
3+
description: How to create user accounts for remote app streaming for your customers in Azure Virtual Desktop with Azure AD, Azure AD DS, or AD DS.
44
author: Heidilohr
55
ms.topic: how-to
66
ms.date: 08/06/2021
77
ms.author: helohr
88
manager: femila
99
---
1010

11-
# Set up managed identities
11+
# Create user accounts for remote app streaming
1212

1313
Because Azure Virtual Desktop doesn't currently support external profiles, or "identities," your users won't be able to access the apps you host with their own corporate credentials. Instead, you'll need to create identities for them in the Active Directory Domain that you'll use for remote app streaming and sync user objects to the associated Azure Active Directory (Azure AD) tenant.
1414
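
Review bot: `ms.date: 08/06/2021` on line 6 is left unchanged even though the title, description and H1 are all rewritten; update it to the date of this revision so the freshness metadata matches the content. The unchanged paragraph on line 13 still tells readers to "create identities", so the page now mixes "user accounts" in the title with "identities" in the body; pick one term or introduce both in that paragraph.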

@@ -21,9 +21,12 @@ The identities you create need to follow these guidelines:
2121
- Identities must be [hybrid identities](../../active-directory/hybrid/whatis-hybrid-identity.md), which means they exist in both the [Active Directory (AD)](/previous-versions/windows/it-pro/windows-server-2003/cc781408(v=ws.10)) and [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md). You can use either [Active Directory Domain Services (AD DS)](/windows-server/identity/ad-ds/active-directory-domain-services) or [Azure Active Directory Domain Services (Azure AD DS)](https://azure.microsoft.com/services/active-directory-ds) to create these identities. To learn more about each method, see [Compare identity solutions](../../active-directory-domain-services/compare-identity-solutions.md).
2222
- You should keep users from different organizations in separate Azure AD tenants to prevent security breaches. We recommend creating one Active Directory Domain and Azure Active Directory tenant per customer organization. That tenant should have its own associated Azure AD DS or AD DS subscription dedicated to that customer.
2323

24+
> [!NOTE]
25+
> If you want to enable [single sign-on (SSO)](../configure-single-sign-on.md) and [Intune management](../management.md), you can do this for Azure AD-joined and Hybrid Azure AD-joined VMs. Azure Virtual Desktop doesn't support SSO and Intune with VMs joined to Azure AD Domain Services.
26+
2427
The following two sections will tell you how to create identities with AD DS and Azure AD DS. To follow [the security guidelines for cross-organizational apps](security.md), you'll need to repeat the process for each customer.
2528

26-
## Managing users with Active Directory Domain Services
29+
## Create users with Active Directory Domain Services
2730

2831
In this method, you'll set up hybrid identities using an Active Directory Domain Controller to manage user identities and sync them to Azure AD.
2932
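
Review bot: The note added at lines 24-25 names Azure AD-joined and Hybrid Azure AD-joined VMs, but the sentence right after it (line 27) says the page covers only AD DS and Azure AD DS, and the first guideline requires hybrid identities. State which of the two documented methods results in a join type that supports SSO and Intune, or link to where Azure AD join is described, so readers can tell which path to follow. "You can do this for" would also read more clearly as a direct statement of which VM join types support SSO and Intune management.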

@@ -45,7 +48,7 @@ To set up an identity in AD DS:
4548

4649
This configuration will give you more control over your environment, but its complexity can make it less easy to manage. However, this option lets you provide your users with Azure AD-based apps. It also lets you manage your users' VMs with Intune.
4750

48-
## Managing users with Azure Active Directory Domain Services
51+
## Create users with Azure Active Directory Domain Services
4952

5053
Azure AD DS identities are stored in a Microsoft managed Active Directory platform as a service (PaaS) where Microsoft manages two AD domain controllers that lets users use AD DS within their Azure subscriptions. In this configuration, users are synced from Azure AD to Azure AD DS, and the session hosts are joined to the Azure AD DS domain. Azure AD DS identities are easier to manage, but don't offer as much control as regular AD DS identities. You can only join the Azure Virtual Desktop VMs to the Azure AD DS domain, and you can't manage them with Intune.
5154
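
Review bot: The unchanged paragraph on line 50 says only that Azure AD DS-joined VMs can't be managed with Intune, while the note added earlier in this commit says neither SSO nor Intune is supported for them; mention SSO here too so the section agrees with the note. Renaming the heading on line 48 from "Managing users with ..." to "Create users with ..." also changes its anchor, so check for inbound links to the old heading. The context on line 50 has a subject-verb slip ("two AD domain controllers that lets users") that could be fixed while this section is open.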
