MicrosoftDocs
diff --git a/‎articles/virtual-desktop/TOC.yml
Lines changed: 10 additions & 6 deletions b/‎articles/virtual-desktop/TOC.yml
Lines changed: 10 additions & 6 deletions
diff --git a/‎articles/virtual-desktop/authentication.md
Lines changed: 57 additions & 25 deletions b/‎articles/virtual-desktop/authentication.md
Lines changed: 57 additions & 25 deletions
diff --git a/‎articles/virtual-desktop/configure-device-redirections.md
Lines changed: 19 additions & 10 deletions b/‎articles/virtual-desktop/configure-device-redirections.md
Lines changed: 19 additions & 10 deletions
@@ -281,10 +281,14 @@
           href: app-attach-msixmgr.md
   - name: Use Microsoft Teams
     href: teams-on-avd.md
-  - name: Enforce Azure AD MFA
-    href: set-up-mfa.md
-  - name: Configure AD FS single sign-on
-    href: configure-adfs-sso.md
+  - name: Identity and access management
+    items:
+      - name: Enforce Azure AD MFA
+        href: set-up-mfa.md
+      - name: Configure single sign-on
+        href: configure-single-sign-on.md
+      - name: Set up the KDC proxy
+        href: key-distribution-center-proxy.md
   - name: Deploy updates with Configuration Manager
     href: configure-automatic-updates.md
   - name: Set up multimedia redirection (preview)
@@ -301,8 +305,6 @@
     href: azure-monitor.md
   - name: Set up a disaster recovery plan
     href: disaster-recovery.md
-  - name: Set up the KDC proxy
-    href: key-distribution-center-proxy.md
   - name: Start VM on Connect
     items:
     - name: Set up Start VM on Connect
@@ -345,6 +347,8 @@
     href: remotefx-graphics-performance-counters.md
   - name: Connections to Azure AD-joined VMs
     href: troubleshoot-azure-ad-connections.md
+  - name: Device redirections
+    href: troubleshoot-device-redirections.md
   - name: Azure Monitor
     href: troubleshoot-azure-monitor.md
   - name: Azure Files authorization
 
@@ -5,7 +5,7 @@ services: virtual-desktop
 author: Heidilohr
 ms.service: virtual-desktop
 ms.topic: conceptual
-ms.date: 12/07/2021
+ms.date: 08/24/2022
 ms.author: helohr
 manager: femila
 ---
@@ -15,11 +15,11 @@ In this article, we'll give you a brief overview of what kinds of identities and
 
 ## Identities
 
-Azure Virtual desktop supports different types of identities depending on which configuration you choose. This section explains which identities you can use for each configuration.
+Azure Virtual Desktop supports different types of identities depending on which configuration you choose. This section explains which identities you can use for each configuration.
 
 ### On-premises identity
 
-Since users must be discoverable through Azure Active Directory (Azure AD) to access the Azure Virtual Desktop, user identities that exist only in Active Directory Domain Services (AD DS) are not supported. This includes standalone Active Directory deployments with Active Directory Federation Services (AD FS).
+Since users must be discoverable through Azure Active Directory (Azure AD) to access the Azure Virtual Desktop, user identities that exist only in Active Directory Domain Services (AD DS) aren't supported. This includes standalone Active Directory deployments with Active Directory Federation Services (AD FS).
 
 ### Hybrid identity
 
@@ -29,69 +29,101 @@ When accessing Azure Virtual Desktop using hybrid identities, sometimes the User
 
 ### Cloud-only identity
 
-Azure Virtual Desktop supports cloud-only identities when using [Azure AD-joined VMs](deploy-azure-ad-joined-vm.md).
+Azure Virtual Desktop supports cloud-only identities when using [Azure AD-joined VMs](deploy-azure-ad-joined-vm.md). These users are created and managed directly in Azure AD.
+
+### Third-party identity providers
+
+If you're using an Identity Provider (IdP) other than Azure AD to manage your user accounts, you must ensure that:
+
+- Your IdP is [federated with Azure AD](../active-directory/devices/azureadjoin-plan.md#federated-environment).
+- Your session hosts are Azure AD-joined or [Hybrid Azure AD-joined](../active-directory/devices/hybrid-azuread-join-plan.md).
+- You enable [Azure AD authentication](configure-single-sign-on.md) to the session host.
 
 ### External identity
 
 Azure Virtual Desktop currently doesn't support [external identities](../active-directory/external-identities/index.yml).
 
 ## Service authentication
 
-To access Azure Virtual Desktop resources, you must first authenticate to the service by signing in to an Azure AD account. Authentication happens when subscribing to a workspace to retrieve your resources or every time you connect to apps or desktops. You can use [third-party identity providers](../active-directory/devices/azureadjoin-plan.md#federated-environment) as long as they federate with Azure AD.
+To access Azure Virtual Desktop resources, you must first authenticate to the service by signing in with an Azure AD account. Authentication happens whenever you subscribe to a workspace to retrieve your resources and connect to apps or desktops. You can use [third-party identity providers](../active-directory/devices/azureadjoin-plan.md#federated-environment) as long as they federate with Azure AD.
 
 ### Multi-factor authentication
 
 Follow the instructions in [Enforce Azure Active Directory Multi-Factor Authentication for Azure Virtual Desktop using Conditional Access](set-up-mfa.md) to learn how to enforce Azure AD Multi-Factor Authentication for your deployment. That article will also tell you how to configure how often your users are prompted to enter their credentials. When deploying Azure AD-joined VMs, note the extra steps for [Azure AD-joined session host VMs](set-up-mfa.md#azure-ad-joined-session-host-vms).
 
+### Passwordless authentication
+
+You can use any authentication type supported by Azure AD, such as [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview) and other [passwordless authentication options](../active-directory/authentication/concept-authentication-passwordless.md) (for example, FIDO keys), to authenticate to the service.
+
 ### Smart card authentication
 
-To use a smart card to authenticate to Azure AD, you must first [configure AD FS for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication).
+To use a smart card to authenticate to Azure AD, you must first [configure AD FS for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication) or [configure Azure AD certificate-based authentication](../active-directory/authentication/concept-certificate-based-authentication.md).
 
 ## Session host authentication
 
-If you haven't already enabled [single sign-on](#single-sign-on-sso) or saved your credentials locally, you'll also need to authenticate to the session host. These are the sign-in methods for the session host that the Azure Virtual Desktop clients currently support:
+If you haven't already enabled [single sign-on](#single-sign-on-sso) or saved your credentials locally, you'll also need to authenticate to the session host when launching a connection. The following list describes which types of authentication each Azure Virtual Desktop client currently supports.
 
-- Windows Desktop client
+- The Windows Desktop client supports the following authentication methods:
     - Username and password
-    - Smartcard
+    - Smart card
     - [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust)
     - [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs)
-- Windows Store client
+    - [Azure AD authentication](configure-single-sign-on.md)
+- The Windows Store client supports the following authentication method:
     - Username and password
-- Web client
+- The web client supports the following authentication method:
     - Username and password
-- Android
+- The Android client supports the following authentication method:
     - Username and password
-- iOS
+- The iOS client supports the following authentication method:
     - Username and password
-- macOS
+- The macOS client supports the following authentication method:
     - Username and password
 
 >[!IMPORTANT]
->In order for authentication to work properly, your local machine must also be able to access the URLs in the [Remote Desktop clients](safe-url-list.md#remote-desktop-clients) section of our [required URL list](safe-url-list.md).
-
-Azure Virtual Desktop supports both NT LAN Manager (NTLM) and Kerberos for session host authentication. Smart card and Windows Hello for Business can only use Kerberos to sign in. To use Kerberos, the client needs to get Kerberos security tickets from a Key Distribution Center (KDC) service running on a domain controller. To get tickets, the client needs a direct networking line-of-sight to the domain controller. You can get a line-of-sight by connecting directly within your corporate network, using a VPN connection or setting up a [KDC Proxy server](key-distribution-center-proxy.md).
+>In order for authentication to work properly, your local machine must also be able to access the [required URLs for Remote Desktop clients](safe-url-list.md#remote-desktop-clients).
 
 ### Single sign-on (SSO)
 
-Azure Virtual Desktop supports [SSO using Active Directory Federation Services (ADFS)](configure-adfs-sso.md) for the Windows and web clients. SSO allows you to skip the session host authentication.
+SSO allows the connection to skip the session host credential prompt and automatically sign the user in to Windows. For session hosts that are Azure AD-joined or Hybrid Azure AD-joined, it's recommended to enable [SSO using Azure AD authentication](configure-single-sign-on.md). Azure AD authentication provides other benefits including passwordless authentication and support for third-party identity providers.
+
+Azure Virtual Desktop also supports [SSO using Active Directory Federation Services (AD FS)](configure-adfs-sso.md) for the Windows Desktop and web clients.
 
-Otherwise, the only way to avoid being prompted for your credentials for the session host is to save them in the client. We recommend you only do this with secure devices to prevent other users from accessing your resources.
+Without SSO, the client will prompt users for their session host credentials for every connection. The only way to avoid being prompted is to save the credentials in the client. We recommend you only save credentials on secure devices to prevent other users from accessing your resources.
+
+### Smart card and Windows Hello for Business
+
+Azure Virtual Desktop supports both NT LAN Manager (NTLM) and Kerberos for session host authentication, however Smart card and Windows Hello for Business can only use Kerberos to sign in. To use Kerberos, the client needs to get Kerberos security tickets from a Key Distribution Center (KDC) service running on a domain controller. To get tickets, the client needs a direct networking line-of-sight to the domain controller. You can get a line-of-sight by connecting directly within your corporate network, using a VPN connection or setting up a [KDC Proxy server](key-distribution-center-proxy.md).
 
 ## In-session authentication
 
 Once you're connected to your remote app or desktop, you may be prompted for authentication inside the session. This section explains how to use credentials other than username and password in this scenario.
 
-### Smart cards
+### In-session passwordless authentication (preview)
+
+> [!IMPORTANT]
+> In-session passwordless authentication is currently in public preview.
+> This preview version is provided without a service level agreement, and is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+Azure Virtual Desktop supports in-session passwordless authentication (preview) using [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview) or security devices like FIDO keys. Passwordless authentication is currently only available for certain versions of Windows Insider. When deploying new session hosts, choose one of the following images:
+
+- Windows 11 version 22H2 Enterprise, (Preview) - X64 Gen 2.
+- Windows 11 version 22H2 Enterprise multi-session, (Preview) - X64 Gen2.
+
+Passwordless authentication is enabled by default when the local PC and session hosts use one of the supported operating systems above. You can disable it using the [WebAuthn redirection](configure-device-redirections.md#webauthn-redirection) RDP property.
+
+When enabled, all WebAuthn requests in the session are redirected to the local PC. You can use Windows Hello for Business or locally attached security devices to complete the authentication process.
 
-To use a smart card in your session, make sure you've installed the smart card drivers on the session host and enabled [smart card redirection](configure-device-redirections.md#smart-card-redirection) is enabled. Review the [client comparison chart](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#other-redirection-devices-etc) to make sure your client supports smart card redirection.
+To access Azure AD resources with Windows Hello for Business or security devices, you must enable the FIDO2 Security Key as an authentication method for your users. To enable this method, follow the steps in [Enable FIDO2 security key method](../active-directory/authentication/howto-authentication-passwordless-security-key.md#enable-fido2-security-key-method).
 
-### FIDO2 and Windows Hello for Business
+### In-session smart card authentication
 
-Azure Virtual Desktop doesn't currently support in-session authentication with FIDO2 or Windows Hello for Business.
+To use a smart card in your session, make sure you've installed the smart card drivers on the session host and enabled [smart card redirection](configure-device-redirections.md#smart-card-redirection). Review the [client comparison chart](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#other-redirection-devices-etc) to make sure your client supports smart card redirection.
 
 ## Next steps
 
 - Curious about other ways to keep your deployment secure? Check out [Security best practices](security-guide.md).
-- Having issues connecting to Azure AD-joined VMs? [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).
-- Want to use smart cards from outside your corporate network? Review how to setup a [KDC Proxy server](key-distribution-center-proxy.md).
+- Having issues connecting to Azure AD-joined VMs? Look at [Troubleshoot connections to Azure AD-joined VMs](troubleshoot-azure-ad-connections.md).
+- Having issues with in-session passwordless authentication? See [Troubleshoot WebAuthn redirection](troubleshoot-device-redirections.md#webauthn-redirection).
+- Want to use smart cards from outside your corporate network? Review how to set up a [KDC Proxy server](key-distribution-center-proxy.md).
@@ -1,19 +1,19 @@
 ---
-title: Configure device redirections - Azure
-description: How to configure device redirections for Azure Virtual Desktop.
+title: Configure device redirection - Azure
+description: How to configure device redirection for Azure Virtual Desktop.
 author: Heidilohr
 ms.topic: how-to
-ms.date: 08/01/2022
+ms.date: 08/24/2022
 ms.author: helohr
 manager: femila
 ---
-# Configure device redirections
+# Configure device redirection
 
-Configuring device redirections for your Azure Virtual Desktop environment allows you to use printers, USB devices, microphones and other peripheral devices in the remote session. Some device redirections require changes to both Remote Desktop Protocol (RDP) properties and Group Policy settings.
+Configuring device redirection for your Azure Virtual Desktop environment allows you to use printers, USB devices, microphones, and other peripheral devices in the remote session. Some device redirections require changes to both Remote Desktop Protocol (RDP) properties and Group Policy settings.
 
-## Supported device redirections
+## Supported device redirection
 
-Each client supports different device redirections. Check out [Compare the clients](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare) for the full list of supported device redirections for each client.
+Each client supports different kinds of device redirections. Check out [Compare the clients](/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare) for the full list of supported device redirections for each client.
 
 >[!IMPORTANT]
 >You can only enable redirections with binary settings that apply to both to and from the remote machine. The service doesn't currently support one-way blocking of redirections from only one side of the connection.
@@ -22,9 +22,9 @@ Each client supports different device redirections. Check out [Compare the clien
 
 To learn more about customizing RDP properties for a host pool using PowerShell or the Azure portal, check out [RDP properties](customize-rdp-properties.md). For the full list of supported RDP properties, see [Supported RDP file settings](/windows-server/remote/remote-desktop-services/clients/rdp-files?context=%2fazure%2fvirtual-desktop%2fcontext%2fcontext).
 
-## Setup device redirections
+## Setup device redirection
 
-You can use the following RDP properties and Group Policy settings to configure device redirections.
+You can use the following RDP properties and Group Policy settings to configure device redirection.
 
 ### Audio input (microphone) redirection
 
@@ -59,7 +59,7 @@ Set the following RDP property to configure clipboard redirection:
 - `redirectclipboard:i:1` enables clipboard redirection.
 - `redirectclipboard:i:0` disables clipboard redirection.
 
-### COM port redirections
+### COM port redirection
 
 Set the following RDP property to configure COM port redirection:
 
@@ -125,3 +125,12 @@ Set the following RDP property to configure smart card redirection:
 
 - `redirectsmartcards:i:1` enables smart card redirection.
 - `redirectsmartcards:i:0` disables smart card redirection.
+
+### WebAuthn redirection
+
+Set the following RDP property to configure WebAuthn redirection:
+
+- `redirectwebauthn:i:1` enables WebAuthn redirection.
+- `redirectwebauthn:i:0` disables WebAuthn redirection.
+
+When enabled, WebAuthn requests from the session are sent to the local PC to be completed using the local Windows Hello for Business or security devices like FIDO keys. For more information, see [In-session passwordless authentication](authentication.md#in-session-passwordless-authentication-preview).